Miami, Florida, 18th June 2025, CyberNewsWire

**Miami, Florida, June 18th, 2025, CyberNewsWire**

**Halo Security’s Attack Surface Management Platform Honored for Exceptional Innovation and Successful Deployment Through The Channel**

Halo Security today announced that its attack surface management solution has been named a 2025 MSP Today Product of the Year Award winner by TMC, a leading global media company recognized for building communities in technology and business through live events and digital marketing platforms. 

The MSP Today Product of the Year Award honors standout products and services that are reshaping the managed services landscape—delivered through the Channel and purpose-built to meet the evolving needs of end users. The Halo Security platform was selected for its innovation, performance, and its measurable impact on customers and partners alike.

The Halo Security Attack Surface Management Platform enables organizations and managed service providers (MSPs) to discover, monitor, and secure their internet-facing assets. The platform combines attacker-like discovery methods with ongoing security monitoring, vulnerability scanning, and expert-led penetration testing services to help organizations of all sizes identify and remediate security risks before they can be exploited.

Designed with the Channel in mind, the platform offers easy-to-use client management and reporting, along with seamless integrations into tools like Slack, Jira, and major cloud providers. The platform empowers MSPs to deliver scalable, high-impact security services with minimal setup and configuration. With built-in PCI compliance reporting, dark web monitoring, and dynamic application security testing (DAST), Halo Security gives partners and clients alike the visibility needed to stay ahead of evolving threats and meet their compliance goals.

> “Our mission has always been to give organizations and our channel partners deep visibility into their digital presence,” said Lisa Dowling, CEO of Halo Security. “This award is a testament to the innovation behind our platform, the dedication of our team, and the success our MSP partners are driving for their clients every day.”

> “It gives me great pleasure to recognize Halo Security as a 2025 recipient of TMC’s MSP Today Product of the Year Award for their innovative attack surface management solution,” said Rich Tehrani, CEO of TMC. “Our judges were thoroughly impressed not only by the strength and features of the product, but by Halo Security’s commitment to the Channel—empowering partners to deliver exceptional service and drive meaningful results for their clients.” 

Winners of the 2025 MSP Today Product of the Year Award will be featured on MSP Today, the definitive resource for managed service providers, as well as across TMCnet’s media platforms.

**About Halo Security**

Halo Security is a comprehensive external attack surface management platform that provides asset discovery, risk assessment, and penetration testing in a single, easy-to-use dashboard. Founded by cybersecurity experts with backgrounds at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security delivers a unique attacker-based approach to help organizations safeguard against potential threats. Users can learn more at halosecurity.com.

**About MSP Today**

MSP Today is the premier online destination for MSPs (Managed Service Providers) and IT service providers worldwide. As the industry’s leading web portal, we are committed to delivering timely and relevant news, cutting-edge product information, and invaluable insights to empower MSPs and IT professionals to thrive in today’s rapidly evolving technology landscape. Whether you’re seeking in-depth articles on emerging technologies, comprehensive product reviews, or actionable tips to optimize your IT services, MSP Today is your go-to resource for all things MSP-related. Users can learn more at www.msptoday.com.

**About TMC**

For more than 20 years, TMC has been honoring technology companies with awards in various categories. These awards are regarded as some of the most prestigious and respected awards in the communications and technology sector worldwide. Winners represent prominent players in the market who consistently demonstrate the advancement of technologies. Each recipient is a verifiable leader in the marketplace. TMC also provides global buyers with valuable insights to make informed tech decisions through our editorial platforms, live events, webinars, and online advertising. Users can learn more at www.tmcnet.com.

**Contacts**

**Director of Partnerships**  
**Lauren Ladra**  
**Halo Security**  
**\[email protected\]**  
**415-799-4568**  
**Manager, TMC Awards**  
**Stephanie Thompson**  
**TMC**  
**\[email protected\]**  
**203-852-6800**

Halo Security Honored with 2025 MSP Today Product of the Year Award

After an attack on Iran’s Sepah bank, the hyper-aggressive Israel-linked hacker group has now destroyed more than $90 million held at Iranian crypto exchange Nobitex.

The Israel-linked hacker group known as Predatory Sparrow has carried out some of the most disruptive and destructive cyberattacks in history, twice disabling thousands of gas station payment systems across Iran and once even setting a steel mill in the country on fire. Now, in the midst of a new war unfolding between the two countries, they appear to be bent on burning Iran's financial system.

Predatory Sparrow, which often goes by its Farsi name, Gonjeshke Darande, in an effort to appear as a homegrown hacktivist organization, announced in a post on on its X account Wednesday that it had targeted the Iranian crypto exchange Nobitex, accusing the exchange of enabling sanctions violations and terrorist financing on behalf of the Iranian regime. According to cryptocurrency tracing firm Elliptic, the hackers destroyed more than $90 million in Nobitex holdings, a rare instance of hackers burning crypto assets rather than stealing them.

“These cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions,” the hackers posted to X. “Associating with regime terror financing and sanction violation infrastructure puts your assets at risk.”

The incident follows another Predatory Sparrow attack on Iran's finance system on Wednesday, in which the same group targeted Iran's Sepah bank, claiming to have destroyed “all” the bank's data in retaliation for its associations with Iran's Islamic Revolutionary Guard Corps, and posting documents that appeared to show agreements between the bank and the Iranian military. “Caution: Associating with the regime's instruments for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long-term financial health,” the hackers wrote. “Who's next?”

Sepah Bank's website was offline yesterday but appeared to be working again today. The bank didn't respond to WIRED's request for comment. Nobitex's website was offline today and the company couldn't be reached for comment.

As is often in the case in the fog of an unfolding war and its accompanying cyberattacks, what effects Predatory Sparrow's cyberattacks have had remain unclear. But Hamid Kashfi, an Iranian cybersecurity researcher living in Sweden and the founder of the cybersecurity firm DarkCell, says he has heard from contacts in Iran that Sepah's online banking and ATMs have been offline since the attacks began, causing widespread disruption to civilians' ability to access their funds. “There has been a lot of collateral damage,” Kashfi says. “It just seems to be straight up causing damage and chaos. I can't think of what other logic would be behind it. Yes, they provide services to the military. But they do for millions of regular joes and civilians as well.”

In the Nobitex attack, blockchain analysis reveals some of the details of Predatory Sparrow's sabotage: According to Elliptic, the eight-figure sum stolen from the exchange was moved to a series of crypto addresses that all started with variations on the phrase “FuckIRGCterrorists.” Those so-called “vanity” addresses typically can't be created in any way that offers control or recovery of funds held there, so Elliptic concludes that moving funds to those addresses was instead a pointed method of destroying the money. “The hackers clearly have political rather than financial motivations,” says Tom Robinson, Elliptic's cofounder. “The crypto they stole has effectively been burned.”

Elliptic also confirmed in its blog post about the attack that crypto tracing shows Nobitex does in fact have links with sanctioned IRGC operatives, Hamas, Yemen's Houthi rebels, and the Palestinian Islamic Jihad group. “It's also an act of sabotage, by attacking a financial institution that was pivotal in Iran's use of cryptocurrency to evade sanctions,” Robinson says.

Predatory Sparrow has long been one of the most aggressive cyberwarfare-focused groups in the world. The hackers, who are widely believed to have links to Israel's military or intelligence agencies, have for years targeted Iran with an intermittent barrage of carefully planned attacks on the country's critical infrastructure. The group has targeted Iran's railways with data-destroying attacks and twice disabled payment systems at thousands of Iranian gas stations, triggering nationwide fuel shortages. In 2022, it carried out perhaps the most physically destructive cyberattack in history, hijacking industrial control systems at the Khouzestan steel mill to cause a massive vat of molten steel to spill onto the floor, setting the plant on fire and nearly burning staff there alive, as shown in the group's own video of the attack posted to its YouTube account.

Exactly why Predatory Sparrow has now turned its attention to Iran's financial sector—whether because it sees those financial institutions as the most consequential or merely because its banks and crypto exchanges were vulnerable enough to offer a target of opportunity—remains unclear for now, says John Hultquist, chief analyst on Google's threat intelligence group and a longtime tracker of Predatory Sparrow's attacks. Almost any conflict, he notes, now includes cyberattacks from hacktivists or state-sponsored hackers. But the entry of Predatory Sparrow in particular into this war suggests there may yet be more to come, with serious consequences.

“This actor is very serious and very capable, and that's what separates them from many of the operations that we'll probably see in the coming weeks or months,” Hultquist says. “A lot of actors are going to make threats. This is one that can follow through on those threats.”

_Updated June 18, 2025, at 10:52 am EDT: Added additional context and comments from cybersecurity researcher Hamid Kashfi._

Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System

Several Instagram ads have been found impersonating banks, including the usage of deepfake videos to defraud consumers.

Ads on Instagram—including deepfake videos—are impersonating trusted financial institutions like Bank of Montreal (BMO) and EQ Bank (Equitable Bank) in order to scam people, according to BleepingComputer.

There are some variations in how the scammers approach this. Some use Artificial Intelligence (AI) to create deepfake videos aimed at gathering personal information, while others link to typosquatted domains that not just look the same but also have very similar domain names as the impersonated bank.

BleepingComputer shows an example of an advertisement, which claims to be from “Eq Marketing” and closely mimics EQ Bank’s branding and color scheme, while promising a rather optimistic interest yield of “4.5%”.

_Image courtesy of BleepingComputer_

In this example, using the “Yes, continue with my account” button presents the user with a fraudulent “EQ Bank” login screen, prompting the visitor to provide their banking credentials. From there, it’s likely the scammers will empty the bank account and move on to their next victim.

Another fraudulent ad impersonates BMO bank’s Chief Investment Strategist and leader of the Investment Strategy Group Brian Belski. This may lead people to believe they are getting valuable financial advice, for example by luring them to a “private WhatsApp investment group”.

Impersonations of bank employees and authorities are increasing and can often sound very convincing. These scammers demand immediate payment or action to avoid further impacts, which can dupe individuals into inadvertently sending money to a fraudulent account.

It’s not just Instagram where WhatsApp investment groups are used as a lure by scammers. On X we see invites like these several times a week.

**Recommendations to stay safe**

As cyberthreats and financial scams become more sophisticated, it is increasingly difficult for individuals to determine if a request coming via social media, email, text, phone call or even video call is authentic.

By staying alert and proactive, you can outsmart even the most convincing deepfake scams. Remember, a healthy dose of skepticism is your best companion in the digital age.

*   **Verify before you trust:** Always double-check the legitimacy of any ad or message claiming to be from your bank. Visit your bank’s official website or contact them directly using verified contact details before taking any action.
*   **Doublecheck the advertiser account:** BleepingComputer found that the advertiser accounts running the fake ads on Instagram only had pages on Facebook, not on Instagram itself.
*   **Look for red flags:** Be wary of ads that create a sense of urgency, promise unrealistic rewards, or ask for sensitive information like passwords or PINs. Authentic banks will never request such details through social media or ads.
*   **Scrutinize visuals and language:** Deepfakes can be convincing, but subtle inconsistencies in video quality, unnatural facial movements, or awkward phrasing can be giveaways. Trust your instincts if something feels off.
*   **Enable Multi-Factor Authentication (MFA) :** Strengthen your account security by enabling two-factor authentication on your banking and social media accounts. This adds an extra layer of protection even if your credentials are compromised.
*   **Report suspicious content:** If you encounter a suspicious ad or message, report it to Instagram and notify your bank immediately. Your vigilance can help prevent others from falling victim.
*   **Use web protection:** This can range from programs that block known malicious sites, to browser extensions that can detect skimmers, to sophisticated assistants that you can ask if something is a scam.
*   **Stay informed:** Keep up to date with the latest scam tactics and security advice from your bank and reputable cybersecurity sources. Awareness is your best defense.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Fake bank ads on Instagram scam victims out of money 

Cato CTRL uncovers new WormGPT variants on Telegram powered by jailbroken Grok and Mixtral. Learn how cybercriminals jailbreak top LLMs for uncensored, illegal activities in this latest threat research.

Despite its reported shutdown in 2023, the WormGPT a type of uncensored artificial intelligence (AI) tool for illegal acts, is making a comeback. New research from Cato CTRL, the threat intelligence team at Cato Networks, reveals that WormGPT is now exploiting powerful large language models (LLMs) from well-known AI companies, including xAI’s Grok and Mistral AI’s Mixtral.

This means cybercriminals are using jailbreaking techniques to bypass the built-in safety features of these advanced LLMs (AI systems that generate human-like text, like OpenAI’s ChatGPT). By jailbreaking them, criminals force the AI to produce “uncensored responses to a wide range of topics,” even if these are “unethical or illegal,” researchers noted in their blog post shared with Hackread.com.

****The Evolution of a Malicious Tool****

WormGPT first appeared in March 2023 on an underground online forum called Hack Forums, with its public release following later in mid-2023, as reported by Hackread.com. The creator, known by the alias Last, reportedly started developing the tool in February 2023.

WormGPT was initially based on GPT-J, an open-source LLM developed in 2021. It was offered for a subscription fee, typically between €60 to €100 per month, or €550 annually, with a private setup costing around €5,000.

However, the original WormGPT was shut down on August 8, 2023, after investigative reporter Brian Krebs published a story identifying the person behind Last as Rafael Morais, leading to widespread media attention.

Despite this, WormGPT has now become a recognized brand for a new group of such tools. Security researcher Vitaly Simonovich from Cato Networks stated, “WormGPT now serves as a recognizable brand for a new class of uncensored LLMs.”

He added that these new versions aren’t entirely new creations but are built by criminals cleverly changing existing LLMs. They do this by altering hidden instructions called system prompts and possibly by training the AI with illegal data.

****New Variants and Their Power****

Cato CTRL’s research found previously unreported WormGPT variants advertised on other cybercrime forums like BreachForums. For example, a variant named “xzin0vich-WormGPT” was posted on October 26, 2024, and “keanu-WormGPT” appeared on February 25, 2025. Access to these new versions is via Telegram chatbots, also on a subscription basis.

WormGPT Advert (Source: Cato CTRL)

Through their testing, Cato CTRL confirmed that keanu-WormGPT is powered by xAI’s Grok, while xzin0vich-WormGPT is based on Mistral AI’s Mixtral. This means criminals are successfully using top-tier commercial LLMs to generate malicious content like phishing emails and scripts for stealing information.

keanu-WormGPT reveals the malicious chatbot has been powered by Grok (Screenshot: CATO Networks)

The emergence of these tools, alongside other uncensored LLMs like FraudGPT and DarkBERT, shows a growing market for AI-powered crime tools and highlights the constant challenge of securing AI systems.

J Stephen Kowski, Field CTO at SlashNext Email Security+ commented on the latest development stating, _“_The WormGPT evolution shows how criminals are getting smarter about using AI tools – but let’s be honest, these are general-purpose tools and anyone building these tools without expecting malicious use in the long term was pretty naive._“_

_“_What’s really concerning is that these aren’t new AI models built from scratch – they’re taking trusted systems and breaking their safety rules to create weapons for cybercrime,_“_ he warned. _“_This means organizations need to think beyond just blocking known bad tools and start looking at how AI-generated content behaves, regardless of which platform created it._“_

WormGPT Makes a Comeback Using Jailbroken Grok and Mixtral Models

Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders.

Wednesday, June 18, 2025 06:09

Late one Tuesday night, Elena’s phone buzzed with an alert from her company’s SIEM. Her team had set up a rule to flag when certain system tools — whoami, nltest and nslookup—were run one after another in quick succession. That exact pattern had just triggered on a computer in the Finance Department. The time? 2:13 a.m.

Concerned, Elena logged in from home to investigate. Almost immediately, two more alerts appeared. One signaled that Mimikatz (a tool popular with threat actors to steal credentials) had been used on the same Finance machine. The other reported a PsExec download (a command line tool used to execute processes) on a domain controller.

Elena and her team began isolating systems and tracing the activity, determined to stop it before it spread any further. What first looked like routine system commands now clearly pointed to something more serious.

This story is a compartmentalized version of something we’re seeing more and more often in Cisco Talos Incident Response engagements: Rather than inventing their own tools, attackers are making use of familiar, legitimate software — just with a very different purpose. 

**What exactly are LOLBins?**

A big part of this trend revolves around “living off the land binaries,” or LOLBins. LOLBins are tools built into an operating system that attackers can use to carry out malicious actions without having to download or install any new software or utilities.

They’re especially concerning because they’re already installed, trusted, and frequently used for normal IT tasks, making them difficult to detect or block without disrupting operations.

Defenders can reference the “Living Off The Land Binaries, Scripts and Libraries” or LOLBAS project, which maintains a list of known LOLBins on GitHub.

**But it’s not just LOLBins…**

LOLBins were used often across Talos IR engagements in 2024, but we actually saw a wider variety of commercial and open-source tools used as well. Threat actors likely gravitate towards these because they can choose which tools best suit their needs best (or which commercial tools will blend into the victim environment). 

Take DonPAPI, for example. This is an open-source tool observed in several recent Talos IR engagements that automates credential dumping remotely on multiple Windows computers. It locates and retrieves Windows Data Protection API (DPAPI) protected credentials, a process also known as “DPAPI dumping.” DonPAPI searches for certain files, including Wi-Fi keys, RDP passwords and credentials saved in web browsers, to help authenticate and move laterally to identify other assets in the environment.

From an identity perspective, open-source tools like DonPAPI pose a significant risk to organizations based on their wide availability on code repositories like GitHub and their ease of installation. 

Here’s how this plays out in the field, using the top three examples of most used tools as observed in Cisco Talos’ 2024 Year in Review:

These tools weren’t built for attackers, but they’ve become some of the most common ingredients in ransomware and advanced persistent threat (APT) campaigns.

In a recent episode of The Talos Threat Perspective, one of our senior Talos IR consultants spoke about tools that were created for legitimate purposes (e.g., HRSword, REMCOS RAT and Cobalt Strike), but played a large part in the ransomware engagements investigated by Talos IR in 2025.

Lately, Talos has seen an increase in the use of remote monitoring and management (RMM) tools during attacks — the same kind of software IT teams and managed service providers rely on to access systems remotely. These tools are designed for legitimate use, but in the wrong hands, they become a stealthy way to maintain persistence on compromised systems without raising alarms.

One colleague shared a story that stuck with me: In some incidents, the attackers showed up with an entire toolkit of RMM software, testing each one to see which would slip through unnoticed (or not get blocked). Often, they’d use exactly the same tools already trusted by the target or their service provider, such as ScreenConnect or AnyDesk.

It’s like they arrived at the front door with a ring full of keys, trying each one until something clicked. And when the tool they use is something the environment already knows — already trusts — the question becomes: how do you spot the intruder when they’re using your own keys?

**How do you detect something that looks normal?**

Let’s go back to Elena. Her team stopped the attack not just because of the alert, but because they knew what should be running on that workstation. They had clear asset inventories and network behavior baselines, and they conducted continuous anomaly monitoring.

That’s really the heart of what works best when it comes to detecting these types of attacks:

*   Asset management: Know what’s installed and where. Know who owns what assets and what high-privileged accounts are for.
*   Behavioral baselining: Understand what “normal” looks like.
*   Continuous monitoring: Configure detections to catch known TTPs and subtle deviations from baselines.
*   Threat intel alignment: Use current trends like the DonPAPI surge to inform what you log and watch for. Talos’ blog and IR reports are great resources to keep up with industry trends.

**Bottom line**

Whether it’s PsExec, DonPAPI or TeamViewer, attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations.

Detecting malicious use of legitimate tools isn’t just about recognizing what’s running. It’s about asking why it’s running.

Sometimes, the only difference between a routine operation and a breach is the analyst who stopped to ask: “Why was that tool running at 2:13 a.m.?”

When legitimate tools go rogue

Learn how the North Korean-aligned Famous Chollima is using the a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India.

Wednesday, June 18, 2025 06:00

*   In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor. PylangGhost is functionally similar to the previously documented GolangGhost RAT, sharing many of the same capabilities. 
*   In recent campaigns, the threat actor Famous Chollima — potentially made up of multiple groups — has been using a Python-based version of their trojan to target Windows systems, while continuing to deploy a Golang-based version for MacOS users. Linux users are not targeted in these latest campaigns. 
*   The attacks are targeting employees with experience in cryptocurrency and blockchain technologies. 
*   Based on open-source intelligence, only a small number of users, predominantly in India, are affected. Cisco product telemetry does not indicate that there are any affected Cisco users. 

Since mid-2024, the threat actor group Famous Chollima (aka Wagemole), a North Korean-aligned threat actor, has been very active through several well-documented campaigns. These campaigns include using variants of Contagious Interview (aka DeceptiveDevelopment) and creating fake job advertisements and skill-testing pages. In the latter, users are instructed to copy and paste (ClickFix) a malicious command line in order to install drivers necessary to conduct the final skill-testing stage.  

Toward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns. 

In May 2025, Cisco Talos discovered threat actors starting to deploy a functionally equivalent Python variant of GolangGhost trojan, which we call “PylangGhost.” 

**Fake job interview sites mislead users to PylangGhost infection **

Famous Chollima seek financial benefit using a two-pronged approach: first, by creating fake employers for the purpose of jobseekers exposing their personal information, and second by deploying fake employees as workers in targeted victim companies.  

This blog focuses on the first method, where real software engineers, marketing employees, designers and other workers are targeted by fake recruiters and instructed to visit skill-testing pages in order to move forward with their application. 

Based on the advertised positions, it is clear that the Famous Chollima is broadly targeting individuals with previous experience in cryptocurrency and blockchain technologies. The skill-testing sites attempt to impersonate real companies such as Coinbase, Archblock, Robinhood, Parallel Studios, Uniswap and others, which helps with the targeting.  

Figure 1. Examples of initial fake job sites.

Each target is sent an invite code to visit a testing website where, depending on the position, they are instructed to enter their details and answer several questions to test their experience and skills. The sites are created using the React framework and have very similar visual designs, no matter the type of position.  

__Figure 2. Example of questions asked for an illegitimate Business Development Manager position at Robinhood.__

Once the user answers all the questions and provides personal details, the site displays an invitation to record a video for the interviewer, recommending that the user request camera access by pressing a button. 

__Figure 3. A camera setup page displayed once questions are answered.__

Finally, when the user requests camera, the site displays the instructions for the user to copy, paste and execute a command to allegedly install the required video drivers, if the OS is supported. When Talos used Windows and MacOS test systems, the instructions were shown as seen in Figure 4 and 5. The Linux test system led to another error message, without any instructions to download and install the payload.  

Figure 4. Windows instructions to copy, paste and execute a malicious command. 

Figure 5. MacOS instructions to copy, paste and execute a malicious command. 

Instructions for downloading the alleged fix are different based on the browser fingerprinting, and also given in appropriate shell language for the OS: PowerShell or Command Shell for Windows, and Bash for MacOS.

__Figure 6. Command Shell, PowerShell or Bash instructions to download a payload.__

**PylangGhost - Python variant of GolangGhost **

As the Golang variant of the RAT is already well-documented, this blog focuses on the Python version and the similarities between the two. The initial stage consists of a command line which the fake webpage tells the unsuspecting user to copy, paste and execute. 

The command line uses either PowerShell Invoke-Webrequest or curl to download a ZIP file containing the PylangGhost modules as well as Visual Basic Script file. This script is responsible for unzipping the Python library stored in the “lib.zip file” and launching the trojan by running a renamed Python interpreter using the file “nvidia.py” as the Python program to run. 

Figure 7. The first stage simply unzips a Python distribution library and launches the RAT. 

 PylangGhost consists of six well-structured Python modules. It is not clear to Talos why the threat actors decided to create two variants using a different programming language, or which was created first. Based on the comments in the code, it is unlikely that the threat actors used a large language model (LLM) to help rewrite the code for Python. One of the strings in the configuration module file (“config.py”) indicates that the Python version is 1.0, while the appropriate configuration variable in the Golang version indicates that the version is 2.0. However, Talos cannot definitively conclude that those two version numbers are comparable. 

 The execution starts with the file “nvidia.py”, which performs several tasks: It creates a registry value to launch the RAT every time user logs onto the system, generates a GUID for the system to be used in communication with command and control (C2) server, connects to the C2 server and enters the command loop for communication with the server.  

__Figure 8. ”nvidia.py” executes the main loop for communication with the C2 server__

 The configuration file “config.py” specifies the commands that can be received from the server, which are identical to the commands previously documented in the Golang version of the RAT. These commands enable remote control the infected system and the theft of cookies and credentials from over 80 browser extensions, including password managers and cryptocurrency wallets, including Metamask, 1Password, NordPass, Phantom, Bitski, Initia, TronLink and MultiverseX. 

The command handling module, “command.py”, defines function handlers and handles the commands received from the C2 server.  

Command 

Functionality 

qwer 

COMMAND\_INFORMATION - collect information about the infected system, username, OS version etc 

asdf 

COMMAND\_FILE\_UPLOAD - file upload 

zxcv 

COMMAND\_FILE\_DOWNLOAD - file download 

vbcx 

COMMAND\_OS\_SHELL - launch an OS shell for remote access and control of the infected system 

ghdj 

COMMAND\_WAIT - sleep for a number of seconds specified by the C2 server 

r4ys 

COMMAND\_AUTO - browser information stealing command 

89io 

AUTO\_CHROME\_GATHER\_COMMAND - subcommand of the browser information stealer command 

gi%# 

AUTO\_CHROME\_COOKIE\_COMMAND - subcommand of the browser information stealer command 

dghh 

COMMAND\_EXIT 

_Table 1. Commands and functionalities._

The module “auto.py” contains the functionality for stealing the stored browser credentials and session cookies, as well as collecting data from various browser extensions.  

“Api.py” is responsible for implementing the communications protocol with the C2 server, using RC4 encryption to encrypt packets over otherwise unencrypted HTTP used while communicating with the C2 server. The data in a HTTP packet is encrypted with RC4 algorithm, but the encryption key is also sent within the packet structure. The packet begins with 16 bytes of MD5 checksum for the rest of the packet, for verification of data integrity, followed by 128 bytes containing the RC4 encryption key, followed by an encrypted data blob.  

Finally, “util.py” handles the compression and decompression of files. 

**Comparison of Python and Golang modules **

To assess the similarity between the two versions, Talos compares the names of the modules written in different languages as well as their functionality. The structure, the naming conventions and the function names are very similar, which indicates that the developers of the different versions either worked closely together or are the same person.   

Module 

Python name 

Golang name 

Main function module 

nvidia.py 

cloudfixer.go 

Configuration module 

config.py 

config/constans.go 

Main command loop 

nvidia.py 

core/loop.go 

Command handlers 

command.py 

core/loop.go 

Browser Stealer functionality 

auto.py 

auto/\* modules 

File compression 

util.py 

util/compress.go 

Base64 message encoding 

command.py 

command/stackcmd.go 

Duplicate process check 

nvidia.py 

instance/check.go 

Communications protocol 

api.py 

transport/htxp.go 

_Table 2. Comparison of Python and Golang RAT module names._ 

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

ClamAV detections available for this threat:

Win.Backdoor.PyChollima-10045389-0
Win.Backdoor.PyChollima-10045388-0
Win.Backdoor.PyChollima-10045387-0
Win.Backdoor.PyChollima-10045386-0
Win.Backdoor.PyChollima-10045385-0
Win.Backdoor.PyChollima-10045384-0

**IOCs **

The IOCs can also be found in our GitHub repository here.

**SHA256 **

a206ea9b415a0eafd731b4eec762a5b5e8df8d9007e93046029d83316989790a - auto.py  
c2137cd870de0af6662f56c97d27b86004f47b866ab27190a97bde7518a9ac1b - auto.py  
0d14960395a9d396d413c2160570116e835f8b3200033a0e4e150f5e50b68bec - api.py 
8ead05bb10e6ab0627fcb3dd5baa59cdaab79aa3522a38dad0b7f1bc0dada10a - api.py 
5273d68b3aef1f5ebf420b91d66a064e34c4d3495332fd492fecb7ef4b19624e - nvidia.py 
267009d555f59e9bf5d82be8a046427f04a16d15c63d9c7ecca749b11d8c8fc3 - nvidia.py 
7ac3ffb78ae1d2d9b5d3d336d2a2409bd8f2f15f5fb371a1337dd487bd471e32 - nvidia.py 
b7ab674c5ce421d9233577806343fc95602ba5385aa4624b42ebd3af6e97d3e5 - util.py 
fb5362c4540a3cbff8cb1c678c00cc39801dc38151edc4a953e66ade3e069225 - util.py 
d029be4142fca334af8fe0f5f467a0e0e1c89d3b881833ee53c1e804dc912cfd - command.py 
b8402db19371db55eebea08cf1c1af984c3786d03ff7eae954de98a5c1186cee - command.py 
1f482ce7e736a8541cc16e3e80c7890d13fb1f561ae38215a98a75dce1333cee - config.py 
ed170975e3fd03440360628f447110e016f176a44f951fcf6bc8cdb47fbd8e0e - config.py 
929c69827cd2b03e7b03f9a53c08268ab37c29ac4bd1b23425f66a62ad74a13b - config.py 
127406b838228c39b368faa9d6903e7e712105b5ad8f43a987a99f7b10c29780 - config.py 
0ec9d355f482a292990055a9074fdabdb75d72630b920a61bdf387f2826f5385 - update.vbs 
c2d2320ae43aaa0798cbcec163a0265cba511f8d42d90d45cd49a43fe1c40be6 - update.vbs 
e7c2b524f5cb0761a973accc9a4163294d678f5ce6aca73a94d4e106f4c8fea4 - nvidiaRelease.zip 
28198494f0ed5033085615a57573e3d748af19e4bd6ea215893ebeacf6e576df - vdriverWin.zip 
fc71a1df2bb4ac2a1cc3f306c3bdf0d754b9fab6d1ac78e4eceba5c6e7aee85d - nvidiaRelease.zip 
d3500266325555c9e777a4c585afc05dfd73b4cbe9dba741c5876593b78059fd - nvidiaRelease.zip 

**C2 servers **

hxxp\[://\]31\[.\]57\[.\]243\[.\]29:8080 
hxxp\[://\]154\[.\]58\[.\]204\[.\]15:8080 
hxxp\[://\]212\[.\]81\[.\]47\[.\]217:8080 
hxxp\[://\] 31\[.\]57\[.\]243\[.\]190:8080

**Download host names **

api\[.\]quickcamfix\[.\]online   
api\[.\]auto-fixer\[.\]online   
api\[.\]quickdriverupdate\[.\]online   
api\[.\]camtuneup\[.\]online   
api\[.\]driversofthub\[.\]online   
api\[.\]drive-release\[.\]cloud   
api\[.\]vcamfixer\[.\]online   
api\[.\]nvidia-drive\[.\]cloud   
api\[.\]nvidia-release\[.\]us   
api\[.\]autodriverfix\[.\]online   
api\[.\]camdriversupport\[.\]com   
api\[.\]smartdriverfix\[.\]cloud   
api\[.\]drivercams\[.\]cloud   
api\[.\]camtechdrivers\[.\]com   
api\[.\]web-cam\[.\]cloud   
api\[.\]camera-drive\[.\]org   
api\[.\]nvidia-release\[.\]org 
api\[.\]fixdiskpro\[.\]online 
api\[.\]autocamfixer\[.\]online

**Fake job interview host names **

krakenhire\[.\]com  
yuga\[.\]skillquestions\[.\]com  
uniswap\[.\]speakure\[.\]com  
doodles\[.\]skillquestions\[.\]com  
www\[.\]hireviavideo\[.\]com  
kraken\[.\]livehiringpro\[.\]com  
quiz-nest\[.\]com  
www\[.\]smartvideohire\[.\]com  
www\[.\]talent-hiringstep\[.\]com  
provevidskillcheck\[.\]com  
skill\[.\]vidintermaster\[.\]com  
digitaltalent\[.\]review  
robinhood\[.\]ecareerscan\[.\]com  
evalswift\[.\]com  
livetalentpro\[.\]com  
quantumnodespro\[.\]com  
evalassesso\[.\]com  
parallel\[.\]eskillora\[.\]com  
coinbase\[.\]talentmonitoringtool\[.\]com  
uniswap\[.\]testforhire\[.\]com  
coinbase\[.\]talenthiringtool\[.\]com  
crosstheages\[.\]skillence360\[.\]com 
parallel \[.\] eskillprov \[.\] com 
assesstrack \[.\] com 
coinbase \[.\] talentmonitoringtool \[.\] com 
talent-hiringtalk\[.\]com 
uniswap\[.\]prehireiq\[.\]com 
fast-video-recording\[.\]com

Famous Chollima deploying Python version of GolangGhost RAT

A former U.S. Central Intelligence Agency (CIA) analyst has been sentenced to little more than three years in prison for unlawfully retaining and transmitting top secret National Defense Information (NDI) to people who were not entitled to receive them and for attempting to cover up the malicious activity.
Asif William Rahman, 34, of Vienna, has been sentenced today to 37 months on charges of

Ex-CIA Analyst Sentenced to 37 Months for Leaking Top Secret National Defense Documents

Scattered Spider targets US insurance firms after UK retail attacks, using social engineering to breach help desks and disrupt services, Google warns.

A hacker group known for high-profile attacks on retail giants is now turning its attention to the insurance sector, according to a new warning from Google’s Threat Intelligence Group. The group, known as **Scattered Spider**, has been linked to a series of recent cyber attacks that disrupted access for insurance customers across the United States.

The alert follows a series of data breaches at major UK retailers earlier this year. After that wave of attacks, Google analysts noted that Scattered Spider had begun targeting US-based retailers. Now, researchers say the group is showing a clear interest in insurance firms and is actively exploiting their workforce through **social engineering**.

****Focused Targeting, Familiar Tactics****

“Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry, they have a habit of working their way through a sector,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group. In a **post** on X, he noted that Scattered Spider relies heavily on social engineering, especially schemes aimed at help desks and call centers.

> Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry. They have a habit of working their way through a sector. Insurance companies should be on the lookout for social engineering schemes targeting their call centers.
> 
> — John Hultquist (@JohnHultquist) June 16, 2025

The tactic isn’t new, but it remains effective. Rather than relying on complex exploits or malware, the group frequently poses as employees or contractors to convince staff to reset passwords or share sensitive access credentials. This approach gives attackers a way in, without having to breach security

****Erie Insurance and Scania Affected****

While Google hasn’t publicly named the companies affected in this latest wave of attacks, Erie Insurance, a Pennsylvania-based provider, **reported** a breach on June 7. The company has not confirmed who was behind it, but the timing aligns with Google’s warning. Erie has been issuing updates to customers but has yet to share details about the full extent of the intrusion.

Meanwhile, Scania’s insurance division was also reportedly affected, adding weight to concerns that the group’s focus on insurers is well underway.

> 🚨Data Breach Alert‼️
> 
> 🇸🇪Sweden – Scania Financial Services
> 
> A threat actor using the alias "hensi" claims to have breached the subdomain insurance.scaniacom, allegedly gaining access to and exfiltrating a full set of files.
> 
> The actor states this is a first-time intrusion… pic.twitter.com/aPP09wSjhB
> 
> — Hackmanac (@H4ckmanac) June 12, 2025

****Expert View: Social Engineering Remains a Core Threat****

**Dave Gerry,** CEO at Bugcrowd, says the recent activity highlights long-standing risks in the way companies handle internal support systems.

“They’ve been exploiting vulnerabilities with social engineering tactics, focusing on help desks and call centers, where the human is oftentimes the weakest link,” Gerry said. “Incidents like the one at Erie Insurance show how important it is for the insurance sector to revisit its defenses and incident response strategies. These aren’t one-off events. This is targeted, and it’s ongoing.”

****Why Insurers?****

Insurers hold sensitive financial and personal data, a tempting target for attackers. But what makes them especially vulnerable is the combination of high-value information and complex customer support systems, which often require staff to handle urgent access requests or account changes.

When threat actors can impersonate staff or customers convincingly enough, help desk employees may unknowingly hand over access to internal tools or user accounts.

Organizations should review how support teams verify identity and manage account access. Multi-step verification, better training, and limiting permissions can help reduce the risk of a successful social engineering attack.

Scattered Spider Aims at US Insurers After UK Retail Hit, Google Warns

Consider this: Berkshire Hathaway, Warren Buffett’s $700 billion conglomerate, operates one of the most influential investor websites on…

Consider this: Berkshire Hathaway, Warren Buffett’s $700 billion conglomerate, operates one of the most influential investor websites on the planet, utilizing HTML that predates YouTube, employing table-based layouts and single-color backgrounds that Buffett personally insists on keeping “simple.”

Craigslist processes over 2 billion page views monthly through an interface that hasn’t changed since 2000, deliberately rejecting modern design because founder Craig Newmark believes complexity reduces functionality. Meanwhile, IRS.gov receives 1.4 billion visits annually during tax season through a navigation system so convoluted that TurboTax built a $3 billion business simply by making tax filing less painful.

Healthcare.gov’s initial launch disaster in 2013, where a $400 million website could handle only six users simultaneously, still echoes in government procurement today. The UK’s Gov.uk, conversely, became a global model by ruthlessly prioritizing user needs over departmental politics, saving an estimated £4.1 billion annually through better digital design.

These contrasts reveal a fundamental truth: interface design isn’t cosmetic, it’s economic infrastructure that can make or break trillion-dollar markets.

The Rapid Rebuild Hackathon 2025, organized by Hackathon Raptors, challenged developers to tackle exactly these kinds of functional but frustrating digital experiences. Over 72 hours, twelve teams transformed everything from Berkshire Hathaway’s deliberately minimalist investor portal to revolutionary reimaginings of system-level BIOS interfaces, proving that sometimes the most impactful innovation comes not from building something new, but from fixing what already works, just barely.

****The Art of Digital Resurrection****

“The most impactful solutions don’t always come from building something entirely new,” explains the hackathon’s core philosophy. “Sometimes breakthrough innovation emerges from reimagining what already exists, using modern tools to transform crucial but neglected digital spaces.”

This approach proved prescient when examining the winning submissions. BIOSage, the grand prize winner, didn’t just modernize a website, it completely reimagined how users interact with system-level interfaces. The project integrated a locally hosted LLaMA 3.2 language model to provide offline diagnostics, transforming the traditionally static BIOS experience into an intelligent, multilingual system assistant.

“What sets BIOSage apart is its recognition that even the most fundamental computing interfaces can benefit from modern AI integration,” notes Anand Singh, Technical Lead at Meta and hackathon judge.

Singh’s extensive background in embedded systems and wireless communications, including work on OpenRAN and high-altitude platform systems, provided a unique perspective on the technical challenges of bringing AI to firmware-level interfaces.

Singh’s experience with low-power IoT networks and embedded optimization proved particularly relevant when evaluating BIOSage’s achievement in running complex language models locally without compromising system performance.

“The ability to provide intelligent diagnostics without internet connectivity addresses a critical gap in system administration,” he observed. “This isn’t just a UI improvement, it’s a fundamental advancement in how we approach system-level troubleshooting.”

****Quality Assurance in Rapid Development****

The compressed 72-hour timeline presented unique challenges for maintaining code quality while pushing innovation boundaries. This tension between speed and reliability became a crucial evaluation criterion, drawing heavily on the expertise of Yulia Drogunova, Senior QA Engineer at Raiffeisen Bank.

With over eight years of experience building effective testing processes for major financial institutions, including Raiffeisen Bank and VTB Bank, and her work with international companies such as Luxoft and Lineate, Drogunova brought a critical perspective to evaluating how teams managed quality under extreme time pressure.

“The most impressive projects weren’t just those with flashy features,” Drogunova explained during the evaluation process. “They were the ones that implemented proper testing methodologies even within hackathon constraints.”

Her experience implementing automated tests into CI/CD processes, which has increased development speed and reduced defects in production banking applications, informed her assessment of how teams structured their rapid development cycles.

Drogunova particularly highlighted the Smart Builders team’s approach to their Hacker News reimagining. “They demonstrated an understanding that accessibility testing isn’t an afterthought, it’s integral to the development process,” she noted, referencing their implementation of voice reader capabilities and keyboard navigation. This aligned with her experience in ensuring mobile banking applications meet accessibility standards across diverse user needs.

The winning projects consistently showed evidence of systematic testing approaches. Refreshify, the second-place winner, implemented comprehensive error handling for its AI-powered website transformation engine.

“Sanjay Sah’s team understood that when you’re processing arbitrary URLs and generating real-time previews, robust error handling isn’t optional,” Drogunova observed. Her background in both manual and automated testing for web-based applications informed her appreciation for the defensive programming techniques employed.

****Frontend Architecture Under Pressure****

The hackathon’s focus on user experience transformation highlighted the critical role of frontend architecture in delivering compelling user interfaces rapidly. Vladislav Krushenitskii, a senior front-end developer with over a decade of experience spanning complex management systems and international client projects, evaluated how teams leveraged modern frameworks to achieve maximum impact in the shortest time possible.

Krushenitskii’s background with the Russian Hack Team, a network of 30 elite developers known for exceptional hackathon performance, provided valuable context for assessing rapid development strategies. His experience implementing micro-frontend architectures at EPAM Systems and reducing page load times by 30% through optimized React and Redux implementations informed his evaluation criteria.

“The most successful teams understood that hackathon development isn’t about shortcuts, it’s about intelligent architectural decisions,” Krushenitskii explained. His assessment focused particularly on how teams balanced feature richness with maintainable code structure.

The Delbyte team’s BetterShire Hathaway project caught his attention for its thoughtful component architecture. “They implemented a modular design system that could scale beyond the hackathon scope,” he noted, drawing parallels to his work developing sophisticated management systems with complex components like dynamic trees and filters. “The subsidiary showcase section demonstrated an advanced understanding of data presentation patterns that I’ve seen take weeks to perfect in commercial projects.”

Krushenitskii’s experience with React Native and cross-platform development proved relevant when evaluating mobile-first approaches. Several teams, including the WhaleMatch redesign, implemented responsive design patterns that he recognized from his work on cinema and startup interfaces for clients in the USA and Norway.

“The teams that truly understood modern web development didn’t just make things look better, they fundamentally improved how information flows through the interface,” he observed.

****The Innovation Spectrum: From Extensions to Complete Rebuilds****

The diversity of technical approaches reflected different philosophies about innovation and user experience improvement. Projects ranged from browser extensions enhancing existing platforms to complete ground-up rebuilds, each presenting unique technical challenges and user experience opportunities.

The ReStyle Chrome extension demonstrated how targeted interventions could transform user experiences without requiring comprehensive platform rebuilds. BuildWithKT.dev’s approach to enhancing Stack Overflow’s interface through real-time theme customization showed a sophisticated understanding of browser extension architecture while addressing genuine usability concerns.

At the opposite end of the spectrum, Level One’s Battle City Remastered represented a complete reconstruction of a classic gaming experience using pure Python and Pygame. The technical achievement of recreating complex game mechanics in just 72 hours showcased the team’s deep understanding of game development principles and efficient coding practices.

****Lessons in Scalable Innovation****

The hackathon results revealed consistent patterns among successful projects that extend beyond hackathon contexts into broader software development practices. Teams that achieved top rankings demonstrated several key characteristics that align with industry best practices for rapid innovation.

**Constraint-Driven Creativity**: The most innovative solutions emerged from teams that embraced technical limitations as creative catalysts rather than obstacles. BIOSage’s offline AI diagnostics capability, for instance, turned the constraint of no internet connectivity into a competitive advantage for system administration scenarios.

**User-Centered Problem Solving**: Winning teams consistently prioritized genuine user pain points over technical showcasing. The multiple Hacker News reimaginings each addressed specific usability issues, such as navigation complexity, information density, and accessibility barriers, rather than simply applying modern styling to existing interfaces.

**Architectural Thinking**: Even within hackathon timelines, successful teams implemented architectural patterns that could support future development. This forward-thinking approach distinguished projects with genuine commercial potential from purely demonstrative implementations.

****The Future of Digital Modernization****

The Rapid Rebuild concept addresses a pressing industry need as organizations struggle with legacy systems that serve critical functions, despite their outdated interfaces. The hackathon’s results suggest several emerging trends in how developers approach modernization challenges.

AI integration emerged as a transformative factor, with multiple projects incorporating intelligent features to enhance user experiences. Beyond BIOSage’s diagnostic capabilities, projects like HackerNews-Revamped integrated AI chatbots could discuss articles from the content’s perspective, demonstrating how artificial intelligence can add contextual value to information consumption.

Accessibility considerations became central rather than peripheral to design decisions. Teams consistently implemented features like voice navigation, customizable themes, and keyboard shortcuts as core functionality rather than afterthoughts. This shift reflects growing industry recognition that inclusive design benefits all users while expanding market reach.

The hybrid approach of extension-based enhancements alongside complete rebuilds suggests a pragmatic evolution in how organizations might approach legacy system modernization. Rather than requiring wholesale replacement, targeted improvements through browser extensions or API layers can provide immediate benefits to the user experience while maintaining the underlying system’s stability.

****Implications for Industry Practice****

The 72-hour timeframe compressed typical development cycles while maintaining quality standards, offering insights into rapid innovation methodologies. The most successful teams implemented practices that mirror emerging industry trends toward accelerated development cycles and continuous improvement.

Cross-disciplinary collaboration proved essential, with winning teams effectively combining frontend development, backend architecture, user experience design, and domain expertise. This integration reflects the industry movement toward full-stack competency and collaborative development practices.

The emphasis on immediate usability over feature completeness aligns with lean development principles and minimum viable product approaches. Teams that focused on solving specific user problems comprehensively outperformed those attempting to recreate entire feature sets superficially.

****Looking Forward****

The Rapid Rebuild Hackathon 2025 demonstrated that innovation often emerges not from creating entirely new solutions but from applying fresh perspectives and modern tools to existing challenges. As the digital landscape continues evolving, the ability to thoughtfully modernize legacy systems while preserving their essential value becomes increasingly critical.

The projects showcased techniques and approaches that extend far beyond hackathon contexts, offering roadmaps for organizations seeking to modernize user experiences without abandoning functional infrastructure. From AI-enhanced system interfaces to accessibility-first redesigns, the innovations demonstrated paths forward for digital transformation that prioritize user needs while respecting technical constraints.

The success of diverse approaches, from targeted browser extensions to complete system rebuilds, suggests that digital modernization isn’t a one-size-fits-all challenge. Instead, it requires careful assessment of user needs, technical constraints, and organizational capabilities to determine the most effective intervention strategy.

Most importantly, the hackathon reinforced that exceptional user experiences don’t require revolutionary technology, they require thoughtful application of existing tools, a deep understanding of user needs, and the courage to reimagine how digital interfaces can better serve their intended purposes. In an era of rapid technological change, the ability to bridge legacy functionality with modern expectations may prove more valuable than any individual technical skill.

Rapid Rebuild Hackathon 2025: When Legacy Meets Innovation

The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG).
"Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity," John Hultquist, chief analyst

Tag

#intel