Researchers have discovered a large ad fraud campaign on Google Play Store.

Researchers have discovered a large ad fraud campaign on Google Play Store.

The Satori Threat Intelligence and Research team found 224 malicious apps which were downloaded over 38 million times and generated up to 2.3 billion ad requests per day. They named the campaign “SlopAds.”

Ad fraud is a type of fraud that lets advertisers pay for ads even though the number of impressions (the times that the ad has been seen) is enormously exaggerated.

While the main victims of ad fraud are the advertisers, there are consequences for the users that had these apps installed as well, such as slowed-down devices and connections due to the apps executing their malicious activity in the background without the user even being aware.

At first, to stay under the radar of Google’s app review process and security software, the downloaded app will behave as advertised, if a user has installed it directly from the Play Store.

_Image courtesy of HUMAN Satori_

But if the installation has been initiated by one of the campaign’s ads, the user will receive some extra files in the form of a steganographically encrypted payload.

If the app passes the first check it will receive four .png images that, when decrypted and reassembled, are actually an .apk file. The malicious file uses WebView (essentially a very basic browser) to send collected device and browser information to a Control & Command (C2) server which determines, based on that information, what domains to visit in further hidden WebViews.

The researchers found evidence of an AI (Artificial Intelligence) tool training on the same domain as the C2 server (ad2\[.\]cc). It is unclear whether this tool actively managed the ad fraud campaign.

Based on similarities in the C2 domain, the researchers found over 300 related domains promoting SlopAds-associated apps, suggesting that the collection of 224 SlopAds-associated apps was only the beginning.

Google removed all of the identified apps listed in this report from Google Play. Users are automatically protected by Google Play Protect, which warns users and blocks apps known to exhibit SlopAds associated behavior at install time on certified Android devices, even when apps come from sources outside of the Play Store.

You can find a complete list of the removed apps here: SlopAds app list

**How to avoid installing malicious apps**

While the official Google Play Store is the safest place to get your apps from, there is no guarantee that it will remain a non-malicious app just because it is in the Google Play Store. So here are a few extra measures you can take:

*   Always check what permissions an app is requesting, and don’t just trust an app because it’s in the official Play Store. Ask questions such as: Do the permissions make sense for what the app is supposed to do? Why did necessary permissions change after an update? Do these changes make sense?
*   Occasionally go over your installed apps and remove any you no longer need.
*   Make sure you have the latest available updates for your device, and all your important apps (banking, security, etc.)
*   Protect your Android with security software. Your phone needs it just as much as your computer.

Another precaution you can take if you’re looking for an app, do your research about the app before you go to the app store. As you can see from the screenshot above, many of the apps are made to look exactly the same as very popular legitimate ones (e.g. ChatGPT).

So, it’s important to know in advance who the official developer is of the app you want and if it’s even available from the app store.

As researcher Jim Nielsen demonstrated for the Mac App Store, there are a lot of apps trying to look like ChatGPT, but they are not the real thing. ChatGPT is not even in the Mac App Store, it is available in the Google Play Store for Android, but make sure to check that OpenAI is listed as the developer.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 224 malicious apps removed from the Google Play Store after ad fraud campaign discovered 

A China-aligned threat actor known as TA415 has been attributed to spear-phishing campaigns targeting the U.S. government, think tanks, and academic organizations utilizing U.S.-China economic-themed lures.
"In this activity, the group masqueraded as the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP), as well as the

Cyber Espionage / Malware

A China-aligned threat actor known as **TA415** has been attributed to spear-phishing campaigns targeting the U.S. government, think tanks, and academic organizations utilizing U.S.-China economic-themed lures.

"In this activity, the group masqueraded as the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP), as well as the U.S.-China Business Council, to target a range of individuals and organizations predominantly focused on U.S.-China relations, trade, and economic policy," Proofpoint said in an analysis.

The enterprise security company said the activity, observed throughout July and August 2025, is likely an effort on part of Chinese state-sponsored threat actors to facilitate intelligence gathering amid ongoing U.S.-China trade talks, adding the hacking group shares overlaps with a threat cluster tracked broadly under the names APT41 and Brass Typhoon (formerly Barium).

The findings come days after the U.S. House Select Committee on China issued an advisory warning of an "ongoing" series of highly targeted cyber espionage campaigns linked to Chinese threat actors, including a campaign that impersonated the Republican Party Congressman John Robert Moolenaar in phishing emails designed to deliver data-stealing malware.

The campaign, per Proofpoint, mainly focused on individuals who specialized in international trade, economic policy, and U.S.-China relations, sending them emails spoofing the U.S.-China Business Council that invited them to a supposed closed-door briefing on U.S.-Taiwan and U.S.-China affairs.

The messages were sent using the email address "uschina@zohomail\[.\]com," while also relying on the Cloudflare WARP VPN service to obfuscate the source of the activity. They contain links to password-protected archives hosted on public cloud sharing services such as Zoho WorkDrive, Dropbox, and OpenDrive, within which there exists a Windows shortcut (LNK) along with other files in a hidden folder.

The primary function of the LNK file is to execute a batch script within the hidden folder, and display a PDF document as a decoy to the user. In the background, the batch script executes an obfuscated Python loader named WhirlCoil that's also present in the archive.

"Earlier variations of this infection chain instead downloaded the WhirlCoil Python loader from a Paste site, such as Pastebin, and the Python package directly from the official Python website," Proofpoint noted.

The script is also designed to set up a scheduled task, typically named GoogleUpdate or MicrosoftHealthcareMonitorNode, to run the loader every two hours as a form of persistence. It also runs the task with SYSTEM privileges if the user has administrative access to the compromised host.

The Python loader subsequently establishes a Visual Studio Code remote tunnel to establish persistent backdoor access and harvests system information and the contents of various user directories. The data and the remote tunnel verification code are sent to a free request logging service (e.g., requestrepo\[.\]com) in the form of a base64-encoded blob within the body of an HTTP POST request.

"With this code, the threat actor is then able to authenticate the VS Code Remote Tunnel and remotely access the file system and execute arbitrary commands via the built-in Visual Studio terminal on the targeted host," Proofpoint said.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Chinese TA415 Uses VS Code Remote Tunnels to Spy on U.S. Economic Policy Experts

At least five billion airline passenger records are being sold to government agencies via a searchable database—far more than was initially believed.

We already knew that the US airline industry gave the government access to passenger records. However, this week it emerged that at least five billion passenger records are being sold to government agencies via a searchable database—far more than was initially believed.

A few weeks ago, investigative research team 404 Media reported on a secretive relationship between many US airlines and the US government. That story showed that the airlines had sold US agencies access to around a billion records.

Now, researchers have found the data broker that collects flight data from the airline industry has made at least five billion records available to federal agencies.

The organization selling the data is the Airlines Reporting Corporation (ARC), which is owned and operated by at least eight US airlines. It sells the government this data under the Travel Intelligence Program (TIP), which was started after the 2001 attack on the World Trade Center.

ARC provides access to a searchable database of at least five billion records, updated daily with new ticketing information. At least one agency, the US Secret Service, has a contract to access this data, paying $885,000 for data through 2028, according to documents obtained by 404 Media.

**Known clients**

In June, 404 Media found that ARC had been making names, flight itineraries, and financial details available to US agencies, which were forbidden from revealing it as the source, under contract. The data included flights booked via 12,800 travel agencies, which submit ticket sales from over 270 carriers globally to ARC.

Originally developed as a financial clearing house, ARC provides payment settlement services for federal agencies and airlines. Known clients include Customs and Border Protection, and Immigration and Customs Enforcement. Travel dates and credit card numbers are available to federal customers, which also include the Securities and Exchange Commission, the Drug Enforcement Administration, and the US Marshals Service.

**A long history of sharing data**

The US airline industry has a long history of interacting with the US government. In 1996, Al Gore’s White House Commission on Aviation Safety and Security recommended automated screening for better flight security. A year later, most North American airlines voluntarily implemented what became known as the Computer Assisted Passenger Prescreening System (CAPPS). After the Transportation Security Administration (TSA) took over CAPPS, it built a system called CAPPS II, which used security color-coding for flight passengers. That system ran into trouble after several airlines admitted to giving the US government access to passenger data.

American Airlines reportedly confessed to making passengers’ records available in the early 2000s, as did United, while Northwest also gave NASA access to millions of passenger records. These relationships enabled data mining work at government agencies involving passenger records. A US General Accounting Office (GAO) report in 2004 found that CAPPS II was behind schedule, in part because it had failed to address privacy concerns.

“One air carrier initially agreed to provide passenger data for testing purposes, but adverse publicity resulted in its withdrawal from participation. Similar situations occurred for the other two potential data providers,” the report said. “TSA’s attempts to obtain test data are still ongoing, and privacy issues remain a stumbling block.”

The TSA canned CAPPS II that year, switching instead to a system called Secure Flight. This also implemented a color-coded security system for passengers and uses the US government’s No-Fly list.

The information that ARC funnels to the US government reportedly comes only from travel agencies, meaning that direct bookings with airlines hopefully won’t be logged in this way. Passengers might want to consider that when making travel plans.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Airline data broker selling 5 billion passenger records to US government 

With a Cisco Talos IR retainer, your organization can stay resilient and ahead of tomorrow's threats. Here's how.

**Why a Cisco Talos Incident Response Retainer is a game-changer**

Wednesday, September 17, 2025 06:00

In today’s hyper-connected world, cyber attacks are not a matter of if but when. Ransomware, phishing and data breaches dominate headlines. For any organization, the stakes are high and the impact can be wide. A cybersecurity breach can impact your organization’s ability to conduct normal business, damaging its reputation, reducing revenue, and disrupting operations. 

A Cisco Talos Incident Response (Talos IR) Retainer is a strategic investment that empowers your entire organization to stay resilient and ahead of tomorrow’s threats. Here’s how a Talos IR Retainer can strengthen your organization’s security and ensure peace of mind.

**What is a Cisco Talos IR Retainer? **

A Talos IR Retainer offers a direct line to Cisco’s top cybersecurity specialists, ensuring both proactive protection and swift response to cyber threats. Backed by Cisco Talos global threat intelligence and hundreds of threat intelligence researchers, it equips organizations to prevent, respond to, and recover from cyber incidents efficiently. From tailored incident response plans to 24/7 emergency support, the retainer is a lifeline in a threat landscape that never sleeps.

We have just released a series of short videos that explain the full range of Talos IR services. Check out the playlist here, or start by watching the Emergency Response video below:

**Benefits to the entire organization **

A Cisco Talos IR Retainer is not only designed to benefit your IT teams, but it’s a catalyst for building organization-wide resilience. Here is how Talos IR delivers value to clients’ stakeholders:  

1.  **Risk mitigation and cost savings**   
    Talos IR enables customers to respond swiftly to cyber threats and supports them through recovery efforts, minimizing downtime, costs, and regulatory risks 
2.  **Reputation protection**   
    A retainer equips leadership with strategic response plans and expert guidance, ensuring preparedness, demonstrating due diligence, and preserving stakeholder confidence during critical incidents. 
3.  **Organization-wide alignment**   
    A cybersecurity retainer ensures that your legal, human resources, information technology, and leadership teams are aligned before a threat strikes. Defined responsibilities and structured playbooks, plans, and tabletop exercises eliminate ambiguity and drive faster, more efficient incident response and recovery. Talos IR is there to create and review existing policies and make sure you are prepared at various levels.

**Bolstering organizational security **

A Talos IR Retainer transforms your organization’s security posture from reactive to proactive. Our job is to take you though the lifecycle of an incident and build up long-term resilience to cybersecurity attacks. We do this by delivering various engagements, such as: 

*   **Proactive Threat Hunting**   
    Using the PEAK Framework (Prepare, Execute, Act with Knowledge), Talos IR specialists proactively hunt for threats before they escalate, leveraging real-time intelligence to stay ahead of adversaries. 
*   **Customized preparedness**   
    Tailored IR plans, playbooks, and readiness assessments address your organization’s unique risks and evaluates the current state of its cybersecurity preparations.  
*   **Continuous improvement**   
    Post-incident reports and ongoing collaboration identify gaps and recommend long-term strategies, ensuring that security evolves with the threat landscape. 
*   **Vendor-agnostic integration**   
    Talos IR works with existing security tools, maximizing investments and enhancing detection and response capabilities in place. If needed, we can always deploy additional Cisco technology to help with an investigation. 
*   **Intelligence-driven defense**   
    Access to Talos’ global threat intelligence, updated in real time, ensures your organization is armed with the latest insights on adversary tactics, techniques, and procedures (TTPs). 

**What it means to have IR specialists on speed dial **

Having Talos IR specialists on call is like having an elite SWAT team for cybersecurity. Here is what Talos IR provides for your organization: 

*   **Rapid response, 24/7**   
    With a retainer, Cisco Talos IR specialists mobilize within hours of an incident, isolating threats and minimizing damage. This speed is critical, as every minute counts when containing ransomware or a data breach. 
*   **Expert guidance**   
    The Talos IR team brings unmatched expertise, analyzing adversary TTPs and providing actionable recommendations across many verticals and industries. 
*   **Tailored support**   
    Specialists collaborate with your teams, aligning response efforts with your business priorities. Whether coordinating with legal or PR, they ensure a cohesive strategy. 
*   **Peace of mind**   
    Knowing experts are a call away reduces stress for your executives and IT teams. Priority access means your organization is never left waiting during a crisis. 
*   **Post-Incident Review**   
    Talos IR delivers comprehensive reports that detail root causes, remediation steps, and preventive measures, turning incidents into opportunities for increased cybersecurity and prevention of future incidents.

**Real-world impact **

Our customers trust us to bring the expertise and knowledge they need to navigate their most challenging days with confidence.  Read about our work with Veradigm and how we made a difference during a Qakbot attack here. 

**Take the next step **

A Cisco Talos IR Retainer is a shield against cyber chaos. It strengthens your cybersecurity and ensures rapid recovery with specialists just a call away. Here’s how to get started: 

*   **Secure a Retainer**: Lock in priority access to proactive and emergency services. 
*   **Schedule a Tabletop Exercise**: Test your preparedness with tailored scenarios to fit your environment. 
*   **Explore** **our website****:** Access quarterly trends and learn more about Talos and what we do to secure our clients.

Why a Cisco Talos Incident Response Retainer is a game-changer

Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark."
Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. This is supported by an increase in lookalike domains

Threat Intelligence / Cybercrime

Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark."

Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. This is supported by an increase in lookalike domains potentially linked to the group that are geared towards the industry vertical, as well as a recently identified targeted intrusion against an unnamed U.S. banking organization.

"Scattered Spider gained initial access by socially engineering an executive's account and resetting their password via Azure Active Directory Self-Service Password Management," the company said.

"From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network."

To achieve privilege escalation, the attackers reset a Veeam service account password, assigned Azure Global Administrator permissions, and relocated virtual machines to evade detection. There are also signs that Scattered Spider attempted to exfiltrate data from Snowflake, Amazon Web Services (AWS), and other repositories.

**Exit or Smokescreen?**

The recent activity undercuts the group's claims that they were ceasing operations alongside 14 other criminal groups, such as LAPSUS$. Scattered Spider is the moniker assigned to a loose-knit hacking collective that's part of a broader online entity called The Com.

The group also shares a high degree of overlap with other cybercrime crews like ShinyHunters and LAPSUS$, so much so that the three clusters formed an overarching entity named "scattered LAPSUS$ hunters."

One of these clusters, notably ShinyHunters, has also engaged in extortion efforts after exfiltrating sensitive data from victims' Salesforce instances. In these cases, the activity took place months after the targets were compromised by another financially motivated hacking group tracked by Google-owned Mandiant as UNC6040.

The incident is a reminder not to be lulled into a false sense of security, ReliaQuest added, urging organizations to stay vigilant against the threat. As in the case of ransomware groups, there is no such thing as retirement, as it's very much possible for them to regroup or rebrand under a different alias in the future.

"The recent claim that Scattered Spider is retiring should be taken with a significant degree of skepticism," Karl Sigler, security research manager of SpiderLabs Threat Intelligence at Trustwave, said. "Rather than a true disbanding, this announcement likely signals a strategic move to distance the group from increasing law enforcement pressure."

Sigler also pointed out that the farewell letter should be viewed as a strategic retreat, allowing the group to reassess its practices, refine its tradecraft, and evade ongoing efforts to put a lid on its activities, not to mention complicate attribution efforts by making it harder to tie future incidents to the same core actors.

"It's plausible that something within the group's operational infrastructure has been compromised. Whether through a breached system, an exposed communication channel, or the arrest of lower-tier affiliates, something has likely triggered the group to go dark, at least temporarily. Historically, when cybercriminal groups face heightened scrutiny or suffer internal disruption, they often 'retire' in name only, opting instead to pause, regroup, and eventually re-emerge under a new identity."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims

Apple has released security updates for all platforms to fix dozens of vulnerabilities which could give cybercriminals access to sensitive data.

Apple has released security updates for iPhones, iPads, Apple Watches, Apple TVs, and Macs as well as for Safari, and Xcode to fix dozens of vulnerabilities which could give cybercriminals access to sensitive data.

****How to update your iPhone or iPad****

For iOS and iPadOS users, you can check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

****How to update macOS on any version****

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

*   Click the Apple menu in the upper-left corner of your screen.
*   Choose **System Settings** (or **System Preferences** on older versions).
*   Select **General** in the sidebar, then click **Software Update** on the right. On older macOS, just look for **Software Update** directly.
*   Your Mac will check for updates automatically. If updates are available, click **Update Now** (or **Upgrade Now** for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
*   Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
*   Make sure your Mac stays plugged in and connected to the internet until the update is done.

****How to update Apple Watch****

*   Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi.
*   Keep your Apple Watch on its charger and close to your iPhone.
*   Open the Watch app on your iPhone.
*   Tap **General > Software Update**.
*   If an update appears, tap **Download and Install**.
*   Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

****How to update Apple TV****

*   Turn on your Apple TV and make sure it’s connected to the internet.
*   Open the Settings app on Apple TV.
*   Navigate **to System > Software Updates**.
*   Select **Update Software**.
*   If an update appears, select **Download and Install**.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

**Updates for your particular device**

Apple has today released version 26 for all its software platforms. This new version brings in a new “Liquid Glass” design, expanded Apple Intelligence, and new features. You can choose to update to that version, or just update to fix the vulnerabilities:

iOS 26 and iPadOS 26

iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later

iOS 18.7 and iPadOS 18.7

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

iOS 16.7.12 and iPadOS 16.7.12

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

iOS 15.8.5 and iPadOS 15.8.5

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

macOS Tahoe 26

Mac Studio (2022 and later), iMac (2020 and later), Mac Pro (2019 and later), Mac mini (2020 and later), MacBook Air with Apple silicon (2020 and later), MacBook Pro (16-inch, 2019), MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports), and MacBook Pro with Apple silicon (2020 and later)

macOS Sequoia 15.7

macOS Sequoia

macOS Sonoma 14.8

macOS Sonoma

tvOS 26

Apple TV HD and Apple TV 4K (all models)

watchOS 26

Apple Watch Series 6 and later

visionOS 26

Apple Vision Pro

Safari 26

macOS Sonoma and macOS Sequoia

Xcode 26

macOS Sequoia 15.6 and later

**Technical details**

Apple did not mention any actively exploited vulnerabilities, but there are two that we would like to highlight.

A vulnerability tracked as CVE-2025-43357 in Call History was found that could be used to fingerprint the user. Apple addressed this issue with improved redaction of sensitive information. This issue is fixed in macOS Tahoe 26, iOS 26, and iPadOS 26.

A vulnerability in the Safari browser tracked as CVE-2025-43327 where visiting a malicious website could lead to address bar spoofing. The issue was fixed by adding additional logic.

Address bar spoofing is a trick cybercriminals might use to make you believe you’re on a trusted website when in reality you’re not. Instead of showing the real address, attackers exploit browser flaws or use clever coding so the address bar displays something like login.bank.com even though you’re not on your bank’s site at all. This would allow the criminals to harvest your login credentials when you enter them on what is really their website.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update your Apple devices to fix dozens of vulnerabilities 

A misconfigured platform used by the Department of Homeland Security left national security information—including some related to the surveillance of Americans—accessible to thousands of people.

The Department of Homeland Security's mandate to carry out domestic surveillance has been a concern for privacy advocates since the organization was first created in the wake of the September 11 attacks. Now a data leak affecting the DHS's intelligence arm has shed light not just on how the department gathers and stores that sensitive information—including about its surveillance of Americans—but on how it once left that data exposed to thousands of government and private sector workers and even foreign nationals who were never authorized to see it.

An internal DHS memo obtained by a Freedom of Information Act (FOIA) request and shared with WIRED reveals that from March to May of 2023, a DHS online platform used by the DHS Office of Intelligence and Analysis (I&A) to share sensitive but unclassified intelligence information and investigative leads among the DHS, the FBI, the National Counterterrorism Center, local law enforcement, and intelligence fusion centers across the US was misconfigured, accidentally exposing restricted intelligence information to all users of the platform.

Access to the data, according to a DHS inquiry described in the memo, was meant to be limited to users of the Homeland Security Information Network's intelligence section, known as HSIN-Intel. Instead it was set to grant access to “everyone,” exposing the information to HSIN's tens of thousands of users. The unauthorized users who had access included US government workers focused on fields unrelated to intelligence or law enforcement such as disaster response, as well as private sector contractors and foreign government staff with access to HSIN.

“DHS advertises HSIN as secure and says the information it holds is sensitive, critical national security information,” says Spencer Reynolds, an attorney for the Brennan Center for Justice who obtained the memo via FOIA and shared it with WIRED. “But this incident raises questions about how seriously they take information security. Thousands and thousands of users gained access to information they were never supposed to have.”

HSIN-Intel's data includes everything from law enforcement leads and tips to reports on foreign hacking and disinformation campaigns, to analysis of domestic protest movements. The memo about the HSIN-Intel breach specifically mentions, for instance, a report discussing “protests relating to a police training facility in Atlanta”—likely the Stop Cop City protests opposing the creation of the Atlanta Public Safety Training Center—noting that it focused on “media praising actions like throwing stones, fireworks and Molotov cocktails at police.”

In total, according to the memo about the DHS internal inquiry, 439 I&A “products” on the HSIN-Intel portion of the platform were improperly accessed 1,525 times. Of those unauthorized access instances, the report found that 518 were private sector users and another 46 were non-US citizens. The instances of foreign user accesses were “almost entirely” focused on cybersecurity information, the report notes, and 39 percent of all the improperly accessed intelligence products involved cybersecurity, such as foreign state-sponsored hacker groups and foreign targeting of government IT systems. The memo also noted that some of the unauthorized US users who viewed the information would have been eligible to have accessed the restricted information if they’d asked to be considered for authorization.

“When this coding error was discovered, I&A immediately fixed the problem and investigated any potential harm,” a DHS spokesperson told WIRED in a statement. “Following an extensive review, multiple oversight bodies determined there was no impactful or serious security breach. DHS takes all security and privacy measures seriously and is committed to ensuring its intelligence is shared with federal, state, local, tribal, territorial, and private sector partners to protect our homeland from the numerous adversarial threats we face."

The Office of the Director of National Intelligence, which oversees US intelligence agencies, didn’t respond to a request for comment.

Although the exposure occurred under the Biden administration, the memo highlights the risks of surveillance data collected on Americans that persists under the current administration, argues Jeramie Scott, the director of the Surveillance Oversight Program at the Electronic Privacy Information Center, a digital rights nonprofit. In fact, he argues, the relative lack of transparency of the Trump administration and DHS's hostility to oversight measures suggests that if a similar data breach occurred now, the public might never know. As an example, he points to the effective shuttering of the 150-person DHS oversight arm known as the Office for Civil Rights and Civil Liberties. “If this was occurring then, is this type of thing going to be captured now?” Scott asks. "Everyone should be concerned about the fact that things like this happen, and oversight has only deteriorated since this incident occurred."

According to the memo about the DHS's inquiry into its intelligence exposure, the DHS Office of Privacy initially considered the breach to have had “minimal to low impact." But the author of the memo, whose name has been redacted in the form released under FOIA, determined that the Office of Privacy hadn't fully considered the personally identifiable information (PII) exposed in the breach, particularly that of Americans, contradicting that “low impact” assessment. The memo recommended as one finding of the inquiry that I&A retrain staff on the definitions of PII.

Two pieces of legislation currently before Congress seek to reform or restrict DHS's surveillance powers, one called the Strengthening Oversight of DHS Intelligence Act and another that would amend the Intelligence Authorization Act of 2026 to place new restrictions on funding for some DHS domestic surveillance programs. The Brennan Center's Reynolds notes, however, that the amendments have specific exceptions for DHS's sharing of intelligence with other government agencies or contractors, so likely wouldn't affect HSIN-Intel.

The memo about the DHS's inquiry into the HSIN-Intel data exposure, Reynolds also points out, doesn't assess the effects of the breach on all of the other organizations whose data was leaked in the incident, or even mention that other agencies' troves of sensitive data were impacted. “Given the volume of data, it's highly likely they would have been,” Reynolds says. “This should raise alarm bells for the agencies nationwide who trust the Office of Intelligence and Analysis with their information.”

More broadly, EPIC's Scott argues that the breach should concern not just the DHS or its partner agencies, but everyone who potentially falls under the DHS's surveillance remit—in other words, every American. “It affects everyone in the US because of the broadness of the surveillance and intelligence programs that they conduct," says Scott. “We're talking about an agency that's doing domestic intelligence. This implicates all of us.”

A DHS Data Hub Exposed Sensitive Intel to Thousands of Unauthorized Users

A massive ad fraud and click fraud operation dubbed SlopAds ran a cluster of 224 apps, collectively attracting 38 million downloads across 228 countries and territories.
"These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks," HUMAN’s Satori Threat Intelligence and

Ad Fraud / Mobile Security

A massive ad fraud and click fraud operation dubbed **SlopAds** ran a cluster of 224 apps, collectively attracting 38 million downloads across 228 countries and territories.

"These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks," HUMAN's Satori Threat Intelligence and Research Team said in a report shared with The Hacker News.

The name "SlopAds" is a nod to the likely mass-produced nature of the apps and the use of artificial intelligence (AI)-themed services like StableDiffusion, AIGuide, and ChatGLM hosted by the threat actor on the command-and-control (C2) server.

The company said the campaign accounted for 2.3 billion bid requests a day at its peak, with traffic from SlopAds apps mainly originating from the U.S. (30%), India (10%), and Brazil (7%). Google has since removed all the offending apps from the Play Store, effectively disrupting the threat.

What makes the activity stand out is that when a SlopAds-associated app is downloaded, it queries a mobile marketing attribution SDK to check if it was downloaded directly from the Play Store (i.e., organically) or if it was the result of a user clicking on an ad that redirected them to the Play Store listing (i.e., non-organically).

The fraudulent behavior is initiated only in scenarios where the app was downloaded following an ad click, causing it to download the ad fraud module, FatModule, from the C2 server. On the other hand, if it was originally installed, the app behaves as advertised on the app store page.

"From developing and publishing apps that only commit fraud under certain circumstances to adding layer upon layer of obfuscation, SlopAds reinforces the notion that threats to the digital advertising ecosystem are only growing in sophistication," HUMAN researchers said.

"This tactic creates a more complete feedback loop for the threat actors, triggering fraud only if they have reason to believe the device isn't being examined by security researchers. It blends malicious traffic into legitimate campaign data, complicating detection."

The FatModule is delivered by means of four PNG image files that conceal the APK, which is then decrypted and reassembled to gather device and browser information, as well as conduct ad fraud using hidden WebViews.

"One cashout mechanism for SlopAds is through HTML5 (H5) game and news websites owned by the threat actors," HUMAN researchers said. "These game sites show ads frequently, and since the WebView in which the sites are loaded is hidden, the sites can monetize numerous ad impressions and clicks before the WebView closes."

Domains promoting SlopAds apps have been found to link back to another domain, ad2\[.\]cc, which serves as the Tier-2 C2 server. In all, an estimated 300 domains advertising such apps have been identified.

The development comes a little over two months after HUMAN flagged another set of 352 Android apps as part of an ad fraud scheme codenamed IconAds.

"SlopAds highlights the evolving sophistication of mobile ad fraud, including stealthy, conditional fraud execution and rapid scaling capabilities," Gavin Reid, CISO at HUMAN, said.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

Las Vegas, United States, 16th September 2025, CyberNewsWire

**Las Vegas, United States, September 16th, 2025, CyberNewsWire**

Seraphic today announced at Fal.Con 2025 that its Secure Enterprise Browser (SEB) solution is now available for purchase in the CrowdStrike Marketplace, a one-stop destination for the world-class ecosystem of CrowdStrike-compatible security products. This availability enables customers to discover, buy, and implement Seraphic’s browser-native protection directly within the CrowdStrike Falcon platform.

With this release, Seraphic delivers a CrowdStrike Falcon Next-Gen SIEM integration that correlates Seraphic’s browser-layer telemetry with CrowdStrike threat intelligence and analytics. Adversaries are moving at the speed of AI, scaling attacks faster than defenders can respond. Legacy SIEMs, built for a different era, are too slow, noisy, and costly to stop today’s threats. Falcon Next-Gen SIEM delivers real-time speed, efficiency, and outcomes legacy platforms can’t match – now extended to the browser layer. Joint customers gain unified visibility into browser activity, risky extensions, and user behaviors, empowering faster detection, investigation, and response to advanced threats.

> “As organizations increasingly rely on cloud services, SaaS applications and AI-powered applications, the browser has become both the primary workspace for productivity and a critical target for cyberattacks,” said Iulia Stefoi-Silver, VP, Global Partnerships and Alliances at Seraphic. “Traditional security solutions often overlook this layer, leaving gaps that can be exploited through zero-days, phishing, and data loss. By integrating with the Falcon platform and becoming available in the CrowdStrike Marketplace, joint customers can easily transform any browser into a secure enterprise browser.”

> Jeff Farinich, CISO at New American Funding added: “Integrating Seraphic with the CrowdStrike Falcon platform has given our security team continuous visibility and control at the browser layer, without impacting user productivity.”

> “Browsers have become one of the most targeted and overlooked attack surfaces in the enterprise,” said Daniel Bernard, Chief Business Officer at CrowdStrike. “By bringing Seraphic into Falcon Next-Gen SIEM, we’re closing that gap with real-time visibility and intelligence. Together, we’re giving customers faster detection, better outcomes, and the ability to stop threats at the browser layer that legacy SIEMs would miss.”                                                                                    

The Seraphic integration with the CrowdStrike Falcon platform is available for purchase in the CrowdStrike Marketplace. Learn more at https://marketplace.crowdstrike.com/listings/seraphic-security/ and start your free Browser Assessment with one click.

Visit Seraphic at **Fal.Con Booth #1923** to see live demos, meet our experts, and learn how to protect your workforce.

**About Seraphic**

Seraphic is a leader in the rapidly growing Enterprise Browser Security market, powered by innovative technology that transforms any browser into a secure workspace with robust protection and detection capabilities. Seamlessly deployed, Seraphic enables secure access to SaaS and private web applications for employees and third parties on both managed and personal devices. Invisible to the end user, it supports all browsers and SaaS desktop applications such as Teams, Slack, Discord, WhatsApp and many more. Recognized with the Frost & Sullivan Global Zero Trust Enabling Technology Leadership Award, backed by investors including CrowdStrike Falcon Fund, Planven, Cota Capital, Storm Ventures, Eastlink, and Secure Octane, and trusted by Fortune 500 companies, Seraphic secures the enterprise browser for today’s modern, cloud-driven businesses. For more information, visit **www.seraphicsecurity.com**.

**Contact**

**Head of Communications**  
**Eric Wolkstein**  
**Seraphic**  
**\[email protected\]**

Seraphic Browser-Native Protection Now Available for Purchase on the CrowdStrike Marketplace

North Korea’s Kimsuky hackers use AI-generated fake military IDs in a new phishing campaign, GSC warns, marking a…

North Korea’s Kimsuky hackers use AI-generated fake military IDs in a new phishing campaign, GSC warns, marking a shift from past ClickFix tactics.

Kimsuky, a notorious North Korean hacking group, is now using fake military ID cards created with artificial intelligence (AI) tools to pull off its latest phishing campaign. According to cybersecurity firm Genians Security Center (GSC), this is a new step from the group’s past ClickFix tactics, which previously tricked victims into running malicious commands by presenting them with fake security pop-ups.

The new approach was first detected in July 2025 when attackers sent emails that looked like they were from a legitimate South Korean defence institution. These messages were designed to grab attention, usually pretending to be about a new ID card for military personnel.

The first image is the original phishing email sent by the threat actors (Source: GSC). The second image has been translated by Hackread.com with the help of an AI image translator

The bait is a ZIP file containing what appears to be a draft of a real military ID. But there’s a catch: the convincing photo on the ID isn’t real. It’s an AI-generated deepfake with a near-perfect 98% certainty of being fake, created using widely available AI tools like ChatGPT.

AI-generated fake military IDs (Source: GSC)

If an unsuspecting person opens the file, the real attack begins. A hidden malicious program immediately starts running in the background. To avoid detection, it waits a few seconds before secretly downloading a malicious file called LhUdPC3G.bat from a remote server at jiwooeng.co.kr.

Using both batch files and AutoIt scripts, the hackers then install a malicious task named HncAutoUpdateTaskMachine to run every seven minutes, disguised as an update for Hancom Office. Researchers noted that the hackers have used similar tactics in other attacks, with tell-tale strings like “Start_juice” and “Eextract_juice” appearing in their code.

This deepfake military ID campaign shows how the Kimsuky group is constantly changing its tactics, using a more socially engineered decoy to achieve the same goal by getting a victim to run a series of scripts that compromise their computer.

This is not the first time the group has used AI for malicious purposes. In June 2025, OpenAI reported that North Korean threat actors created fake identities with AI to pass technical job interviews. Hackers from China, Russia and Iran have also misused AI tools, particularly ChatGPT, for similar activities.

Ultimately, this latest campaign highlights the need for more advanced security. According to GSC, systems like Endpoint Detection and Response (EDR) are essential to detect and neutralise these types of attacks that rely on obfuscated scripts to hide their malicious activity.

Tag

#intel