Employees at the Cybersecurity and Infrastructure Security Agency tell WIRED they’re struggling to protect the US while the administration dismisses their colleagues and poisons their partnerships.

Mass layoffs and weak leadership are taking a severe toll on the US government’s cyber defense agency, undermining its ability to protect America from foreign adversaries bent on crippling infrastructure and ransomware gangs that are bleeding small businesses dry.

Inside the Cybersecurity and Infrastructure Security Agency, vital support staff are gone, international partnerships have been strained, and workers are afraid to discuss threats to democracy that they’re now prohibited from countering. Employees are even more overworked than usual, and new assignments from the administration are interfering with important tasks. Meanwhile, CISA’s temporary leader is doing everything she can to appease President Donald Trump, infuriating employees who say she’s out of touch and refusing to protect them.

“You've got a lot of people who … are looking over their shoulder as opposed to looking at the enemy right now,” says one CISA employee.

As the Trump administration’s war on the federal bureaucracy throws key agencies into chaos, CISA’s turmoil could have underappreciated consequences for national security and economic prospects. The agency, part of the Department of Homeland Security, has steadily built a reputation as a nonpartisan source of funding, guidance, and even direct defensive support for cities, businesses, and nonprofits reeling from cyberattacks. That mission is now under threat, according to interviews with seven CISA employees and another person familiar with the matter, all of whom requested anonymity to avoid reprisals.

“Our enemies are not slowing their continuous assaults on our systems,” says Suzanne Spaulding, who led CISA’s predecessor during the Obama administration. “We need all hands on deck and focused, not traumatized and distracted.”

**Talent Exodus**

CISA’s mission has grown significantly since its creation in 2018. Established mainly to defend government networks, the agency increasingly embraced new roles supporting private companies and state governments, advocating for secure software, and cooperating with foreign partners. This helped CISA raise its profile and gain credibility. But now, following several rounds of layoffs and new restrictions from the Trump administration, the agency is struggling to sustain its momentum.

The extent of the cuts at CISA is still unclear—employees are only learning about the loss of colleagues through word of mouth—but multiple employees estimate that, between the layoffs and the Office of Personnel Management’s deferred-resignation program, CISA has lost between 300 and 400 staffers—roughly 10 percent of its 3,200-person workforce. Many of those people were hired through DHS’s Cybersecurity Talent Management System (CTMS), a program designed to recruit experts by competing with private-sector salaries. As a result, they were classified as probationary employees for three years, making them vulnerable to layoffs. These layoffs at CISA also hit longtime government workers who had become probationary by transferring into CTMS roles.

Key employees who have left include Kelly Shaw, who oversaw one of CISA’s marquee programs, a voluntary threat-detection service for critical infrastructure operators; David Carroll, who led the Mission Engineering Division, the agency’s technological backbone; and Carroll’s technical director, Duncan McCaskill. “We've had a very large brain drain,” an employee says.

The departures have strained a workforce that was already stretched thin. “We were running into \[a\] critical skills shortage previously,” says a second employee. “Most people are and have been doing the work of two or more full-time \[staffers\].”

The CISA team that helps critical infrastructure operators respond to hacks has been understaffed for years. The agency added support positions for that team after a Government Accountability Office audit, but “most of those people got terminated,” a third employee says.

CISA’s flagship programs have been mostly unscathed so far. That includes the threat-hunting branch, which analyzes threats, searches government networks for intruders, and responds to breaches. But some of the laid-off staffers provided crucial “backend” support for threat hunters and other analysts. “There's enhancements that could be made to the tools that they're using,” the first employee says. But with fewer people developing those improvements, “we're going to start having antiquated systems.”

In a statement, DHS spokesperson Tricia McLaughlin says CISA remains “committed to the safety and security of the nation’s critical infrastructure” and touted “the critical skills that CISA experts bring to the fight every day.”

National Security Council spokesperson James Hewitt says the reporting in this story is “nonsense,” adding that “there have been no widespread layoffs at CISA and its mission remains fully intact.”

“We continue to strengthen cybersecurity partnerships, advance AI and open-source security, and protect election integrity,” Hewitt says. “Under President Trump’s leadership, our administration will make significant strides in enhancing national cybersecurity.”

**Partnership Problems**

CISA’s external partnerships—the cornerstone of its effort to understand and counter evolving threats—have been especially hard-hit.

International travel has been frozen, two employees say, with trips—and even online communications with foreign partners—requiring high-level approvals. That has hampered CISA’s collaboration with other cyber agencies, including those of “Five Eyes” allies Canada, Australia, New Zealand, and the UK, staffers say.

CISA employees can’t even communicate with people at other federal agencies the way they used to. Previously routine conversations between CISA staffers and high-level officials elsewhere now need special permissions, slowing down important work. “I can’t reach out to a CISO about an emergency situation without approval,” a fourth employee says.

Meanwhile, companies have expressed fears about sharing information with CISA and even using the agency’s free attack-monitoring services due to DOGE’s ransacking of agency computers, according to two employees. “There is advanced concern about all of our services that collect sensitive data,” the third employee says. “Partners \[are\] asking questions about what DOGE can get access to and expressing concern that their sensitive information is in their hands.”

“The wrecking of preestablished relationships will be something that will have long-lasting effects,” the fourth employee says.

CISA’s Joint Cyber Defense Collaborative, a high-profile hub of government-industry cooperation, is also struggling. The JCDC currently works with more than 300 private companies to exchange threat information, draft defensive playbooks, discuss geopolitical challenges, and publish advisories. The unit wants to add hundreds more partners, but it has “had difficulty scaling this,” the first employee says, and recent layoffs have only made things worse. Contractors might be able to help, but the JCDC’s “vendor support contracts run out in less than a year,” the employee says, and as processes across the government have been frozen or paused in recent weeks, CISA doesn’t know if it can pursue new agreements. The JCDC doesn't have enough federal workers to pick up the slack, the fourth CISA employee says.

With fewer staffers to manage its relationships, the JCDC confronts a perilous question: How should it focus its resources without jeopardizing important visibility into the threat landscape? Emphasizing ties with major companies might be more economical, but that would risk overlooking mid-sized firms whose technology is quietly essential to vital US industries.

“CISA continuously evaluates how it works with partners,” McLaughlin says, “and has taken decisive action to maximize impact while being good stewards of taxpayer dollars and aligning with Administration priorities and our authorities.”

**Gutting Security Advocacy**

Other parts of CISA’s mission have also begun to atrophy.

During the Biden administration, CISA vowed to help the tech industry understand and mitigate the risks of open-source software, which is often poorly maintained and has repeatedly been exploited by hackers. But since Trump took office, CISA has lost the three technical luminaries who oversaw that work: Jack Cable, Aeva Black, and Tim Pepper. Open-source security remains a major challenge, but CISA’s efforts to address that challenge are now rudderless.

The new administration has also frozen CISA’s work on artificial intelligence. The agency had been researching ways to use AI for vulnerability detection and networking monitoring, as well as partnering with the private sector to study AI risks. “About 50 percent of \[CISA’s\] AI expert headcount has been let go,” says a person familiar with the matter, which is “severely limiting” CISA’s ability to help the US Artificial Intelligence Safety Institute test AI models before deployment.

The administration also pushed out CISA’s chief AI officer, Lisa Einstein, and closed down her office, the person familiar with the matter says. Einstein’s team oversaw CISA’s use of AI and worked with private companies and foreign governments on AI security.

A large team of DHS and CISA AI staffers was set to accompany Vice President JD Vance to Paris in February for an AI summit, but those experts “were all pulled back” from attending, according to a person familiar with the matter.

**‘Nefarious’ Retribution**

CISA staffers are still reeling from the agency’s suspension of its election security program and the layoffs of most people who worked on that mission. The election security initiative, through which CISA provided free services and guidance to state and local officials and worked with tech companies to track online misinformation, became a target of right-wing conspiracy theories in 2020, which marked it for death after Trump’s return to the White House.

The program—on hold pending CISA’s review of a recently completed internal assessment—was a tiny part of CISA’s budget and operations, but the campaign against it has alarmed agency employees. “This is definitely in the freak-out zone,” says the first employee, who adds that CISA staffers across the political spectrum support the agency’s efforts to track online misinformation campaigns. “All of us recognize that this is a common deception tactic of the enemy.”

The election security purge rippled across the agency, because some of the laid-off staffers had moved from elections to other assignments or were simultaneously working on both missions. Geoff Hale, who led the elections team between 2018 and 2024, was serving as the chief of partnerships at the JCDC when he was placed on administrative leave, setting off a scramble to replace him.

The removal of Hale and his colleagues “was the start to a decline in morale” at CISA, according to the second employee. Now, staffers are afraid to discuss certain topics in public forums: “No one's going to talk about election security right now,” the first employee says.

“The fact that there’s retribution from the president … is kind of frightening,” this employee adds. “A very nefarious place to be.”

**Abandoned and Demoralized**

The layoffs, operational changes, and other disruptions at CISA have severely depleted morale and undermined the agency’s effectiveness. “Even simple tasks feel hard to accomplish because you don't know if your teammates won't be here tomorrow,” says the fourth employee.

The biggest source of stress and frustration is acting CISA director Bridget Bean, a former Trump appointee who, employees say, appears eager to please the president even if it means not defending her agency. Bean “just takes whatever comes down and implements \[it\] without thought of how it will affect \[CISA’s\] mission,” the fifth employee says. Employees describe her as a poor leader and ineffective communicator who has zealously enacted Trump’s agenda. In town-hall meetings with employees, Bean has said CISA must carefully review its its authorities and urged staffers to “assume noble intent” when dealing with Trump officials. While discussing Elon Musk’s mass-buyout program, she allegedly said, “I like to say ‘Fork in the Road’ because it's kind of fun,.” according to the fourth employee. She was so eager to comply with Musk’s “What did you do last week?” email that she instructed staffers to respond to it before DHS had finalized its department-wide approach. DHS later told staff not to respond, and Bean had to walk back her directive.

“Bean feels like she's against the workforce just to please the current administration,” the second employee says. The fourth employee describes her as “not authentic, tone-deaf, spineless, \[and\] devoid of leadership.”

McLaughlin, the DHS spokesperson, says CISA “is not interested in ad hominem attacks against its leadership,” which she says “has doubled down on openness and transparency with the workforce.”

The return-to-office mandate has also caused problems. With all employees on-site, there isn’t enough room in CISA’s offices for the contractors who support the agency’s staff. That has made it “very difficult” to collaborate on projects and hold technical discussions, according to the first employee. “There wasn’t much thought about \[RTO’s\] impact to operations,” says the fourth employee. According to a fifth employee, “executing some of our sensitive operations is now harder.” (“CISA has worked tirelessly to make the return to office as smooth as possible from space to technology,” McLaughlin says.)

Employees are dealing with other stressors, too. They have no idea who’s reading their Musk-mandated performance reports, how they’re being evaluated, or whether AI is analyzing them for future layoffs. And there’s a lot of new paperwork. “The amount of extra shit we have to do to comply with the ‘efficiency measures’ … \[takes\] a lot of time away from doing our job,” says the fifth employee.

**Bracing for More**

When Trump signed the bill creating CISA in November 2018, he said the agency’s workforce would be “on the front lines of our cyber defense” and “make us, I think, much more effective.” Six and a half years later, many CISA employees see Trump as the biggest thing holding them back.

“This administration has declared psychological warfare on this workforce,” the fourth employee says.

With CISA drawing up plans for even larger cuts, staffers know the chaos is far from over.

“A lot of people are scared,” says the first employee. “We’re waiting for that other shoe to drop. We don't know what's coming.”

Entire wings of CISA—like National Risk Management Center and the Stakeholder Engagement Division—could be on the chopping block. Even in offices that survive, some of the government’s most talented cyber experts—people who chose public service over huge sums of money and craved the lifestyle of CISA’s now-eliminated remote-work environment—are starting to see their employment calculus differently. Some of them will likely leave for stabler jobs, further jeopardizing CISA’s mission. “What is the organization going to be capable of doing in the future?” the first employee asks.

If Trump’s confrontational foreign-policy strategy escalates tensions with Russia, China, Iran, or North Korea, it’s likely those nations could step up their use of cyberattacks to exact revenge. In that environment, warns Nitin Natarajan, CISA’s deputy director during the Biden administration, weakening the agency could prove very dangerous.

“Cuts to CISA’s cyber mission,” Natarajan says, “will only negatively impact our ability to not only protect federal government networks, but those around the nation that Americans depend on every day.”

‘People Are Scared’: Inside CISA as It Reels From Trump’s Purge

“No Lives Matter” has emerged in recent months as a particularly violent splinter group within the extremist crime network known as Com and 764, and experts are at a loss for how to stop its spread.

The kids are all grown up. In the face of international law enforcement pressure, dozens of prosecutions, and worldwide disrepute, the network of young sadists, misanthropes, child predators, and extortionists known as Com and 764 has not shrunk away into obscurity.

Rather, its members have progressed from online extortion and crimes related to child sexual abuse material, to real-world violence, a trajectory that alarms extremism researchers and government officials alike. Knifings, killings, firebombings, drive-by shootings, school shootings, and murder-for-hire plots in North America and Europe have all been connected to a splinter group called “No Lives Matter” that, per the group’s own manifesto, “idolizes death” and “seeks the purification of all mankind through endless attacks.” The group has released at least two “kill guides” that have been connected to violent attacks and plots in Europe and the United States.

The US Department of Justice classifies Com and 764 as a “Tier One” terrorism threat, the highest priority afforded to an extremist group, ideology, or tendency in American law enforcement’s internal rubric. Intelligence documents reviewed by WIRED show a stream of concern from analysts about the group’s harm to juvenile exploitation victims and the growing exhortations to physical violence that embody the No Lives Matter ethos.

However, the phenomenon has proved incredibly hard to combat due to a lack of coherent structure or ideology. Along with the insidious neo-Nazi propaganda group the Terrorgram Collective, over the past four years, Com/764 has morphed into a twisted amalgam of the Columbine Effect and older domestic terror groups like the Atomwaffen Division: Young extortionists and assailants egg each other on to progressively more lurid and debased acts of violence for the sake of internet notoriety and status.

In response, Western governments have employed terrorism charges against young people accused of conspiring to kill homeless people or phoning in bomb threats to schools and religious institutions beyond their own borders. In the United Kingdom, the Crown Prosecution Service recently secured a six-year prison term for 19-year-old Cameron Finnegan, who went by the handle “Acid,” for a raft of 764-related offenses, including possessing CSAM, urging young people to kill themselves, and possessing a “kill manual” authored by No Lives Matter adherents, replete with viable instructions for carrying out lethal attacks with knives, firearms, and vehicles.

"We want to make the public aware of \[Com/764\]," Detective Chief Superintendent Claire Finlay, the head of Counter Terrorism Policing Southeast, told the BBC following Finnegan’s guilty plea in January. "The threat that they pose, not just within the United Kingdom but globally, is immense."

According to senior DOJ officials who were granted anonymity to speak about internal law enforcement matters, the feds have come across related cases in every field office in the US. US authorities are so hell-bent on pursuing this trend that they are trying to extradite a 17-year-old Romanian boy who prosecutors at the Southern District of New York claim took part in exploiting minors and soliciting and distributing CSAM. The teenager also faces US terrorism charges for allegedly phoning in several hundred bomb threats to dozens of schools and institutions in the US as part of 764 and its splinter groups, according to information obtained by this reporter.

"We’ve seen a lot of hybrid movements and ideologies, new trends that we can’t categorize under the traditional categories,” says Bàrbara Molas, a senior analyst at RAND Europe who specializes in far-right extremism and who testified as an expert witness for the prosecution in Finnegan’s recent Com/764-related case.

For Molas, Com/764 represents that type of hybridity, where participants in the network will pick and choose elements from a series of discrete ideologies—neo-Nazism; the satanist group Order of Nine Angles, which has become prevalent throughout the most transgressive spheres of the transnational far right; Ted-Kaczynski-inspired neo-Luddism—and assemble their own belief pantheon.

“When 764 was only about CSAM, their targets tended to be women—but specifically women from diminished social groups, who were seen as the weak party of society,” Molas says. “That ideal of imposing violence on this part of society has carried on and become more violent.” When members of the network commit violence in the name of the group, Molas says, it “helps them rise within the group and advance the larger cause, which is to change society through violence and chaos.”

The lodestar for this transition towards wanton violence is a German teenager named Nino Luciano, who went by the handle “Tobbz” within 764. Sent to live in a foster home in Romania because his mental illnesses overwhelmed the capacity of institutions in his home country, Tobbz was drawn into 764 during the Covid-19 pandemic and quickly became enthralled with the group, daubing its name on a wall in his room and tattooing himself with “764” and a septagram from the Order of Nine Angles. In March 2022, he committed and livestreamed a series of knife attacks, stabbing an elderly woman to death and severely wounding an old man. He was convicted in August 2023 and is serving 14 years in prison.

Tobbz’s behavior inspired other young extremists in the Com/764 network, who have since either tried to emulate his livestreamed attacks or commit similar acts of violence to boost their notoriety and status within their extremist peer group. No Lives Matter’s exhortations to commit mass casualty events and distribution of detailed guides to violence are patterned off Tobbz’s example, according to experts who’ve studied the network.

Baron Martin, a resident of Tucson, Arizona, was charged in federal court with cyberstalking and sexual exploitation of a child that included the production of CSAM. According to court records, the government also accused Martin of soliciting the murder of the grandmother of one of his victims under the handle “Convict.” He allegedly sent the following message to a Discord server, court records show: “know anyone in \[state\] thats willing to do kidnappings or shootings...i need someone to tobbz a grandma. Somebody wanted to dox one of my egirls. now I’m getting their grandma merked.” The use of “Tobbz” as a synonym for murder was not casual: Martin allegedly offered to pay another user to carry out the hit, which was never realized.

According to court documents, Martin, through his handle, was connected to authoring a detailed guide widely distributed in 764’s channels on how to groom victims for extortion, which the FBI claims Martin bragged online was “the catalyst for thousands of extortions.” (Martin has pleaded not guilty.)

Molas, of RAND Europe, says Martin’s alleged path from extortion to soliciting a homicide traces a familiar path of transgressive behavior often seen in Com/764’s online world. “They’ll start with little acts of sin—shoplifting, then robberies, abuse of minors, weapons violations, then all the way up to kidnapping and murder,” Molas says.

In mid-February, Jairo Tinajero, a 25-year-old Arkansas man who took part in the 764 splinter group 8884, pleaded guilty to CSAM and conspiracy charges for extorting an underage girl in Louisville, Kentucky. According to his plea agreement, Tinajero confessed to plotting to kill the girl once she stopped complying with him, posting her address and personal information about her and her family family in 764’s servers, unsuccessfully trying to buy an assault rifle, and talking through a murder plot with other 764 members.

Tinajero also admitted taking part in 764 online chats where prior mass casualty attacks were discussed along with “future attacks on heavily populated areas such as malls or other large gatherings, LGBTQ+ events and gatherings, schools, public places, government buildings and police stations” with the intent to “destabilize society and cause the collapse of governments and rule of law.”

Most recently, neo-Nazi Aidan Harding’s inspiration from 764 was brought up during a mid-February federal court hearing for CSAM possession charges. In addition to participating in public actions with a number of Pittsburgh-area extremist groups, prosecutors claimed that Harding and another man were deeply interested in the Columbine massacre, visiting the memorial in Littleton, Colorado, and posing for a photo in front of a swastika flag while dressed as Dylan Klebold and Eric Harris. “Eric and Dylan were kickstarting a revolution,” Harding wrote in a message, which prosecutors showed in court. Harding and the other man, who hasn’t been charged, also discussed carrying out mass shootings through Instagram direct messages, which were presented in court. “The only thing holding me back is a partner … I don’t want to do it alone or die alone,” Harding wrote.

According to two researchers who attended Harding’s three-and-a-half-hour court appearance related to probable cause on February 12, an FBI agent claimed during questioning that investigators found reams of videos depicting children being raped, ultraviolent videos of executions, and the extremist mass shootings in Buffalo, Nashville, and Columbine, along with a photo on Harding’s phone of a phrase daubed in blood: “I sold my soul to 764,” above a swastika and a Lviathan cross often used by 764. Another photo, handed up to the judge and not shown in court, depicted the naked chest of a young girl wearing a cross, with the words “No Lives Matter” carved into her body with a sharp instrument.” Harding has pleaded not guilty.

The crimes described in court cases this year follow a months-long surge in No Lives Matter–related violence. In October, authorities claim, a 14-year-old Swede committed eight attacks on unsuspecting passersby in Stockholm. The attacker, per national broadcaster SVT, took part in 764 and went by the handle “Slain” in the group. Documents circulated by 764 participants on Telegram and elsewhere claim “Slain764” as one of their own, and identify Sweden, the UK, and Bulgaria as countries where their group has a presence.

In mid-February, Italian police arrested a 15-year-old boy on suspicion of planning to murder a homeless man and livestream the act. Police said the teenager was reportedly involved in 764 and faces charges for explosives possession and possession of CSAM material. Italian authorities claim he planned his actions as part of a “week of terror” along with unspecified colleagues.

There is also evidence of 764’s praxis and imagery merging with that of the Terrorgram Collective, a neo-Nazi propaganda network that aims to radicalize young people and inspire solo acts of sabotage and mass murder.

Solomon Henderson, a Tennessee teenager whom police said shot up his high school last month, posted a sprawling manifesto that referenced both mass shooters inspired by Terrorgram as well as homicidal 764 members, including Tobbz. Henderson’s social media accounts also show extensive imagery from 764’s channels as well as the Order of Nine Angles “The influence I see most heavily in that agenda is the Order of Nine Angles,” Molas says.

That confluence of extremist inspirations is highly unpredictable, and may prove influential: There is reportedly evidence that social media accounts connected to Henderson may have communicated with accounts linked to Natalie “Samantha” Rupnow, a young Wisconsin woman who killed two and wounded classmates in a mid-December shooting at her school before dying by suicide. Earlier in December, a high school student in Guadalajara, Mexico, livestreamed an axe attack on his classmates before they were able to subdue him. The young man’s social media posts were rife with O9A influence, including photos of himself with butchered animals and another with a blood pact, a common O9A practice.

The Violent Rise of ‘No Lives Matter’

Tel Aviv, Israel, 12th March 2025, CyberNewsWire

**Tel Aviv, Israel, March 12th, 2025, CyberNewsWire**

CYREBRO, the AI-native Managed Detection and Response (MDR) solution, announced today that it won Silver in the category of Security Operations Center (SOC) solutions at the annual 2025 Globee Awards. The program aims to raise awareness about cybersecurity issues and honor those who have made significant contributions in protecting organizations and individuals from cyber threats.

This award comes on the heels of significant advancements for CYREBRO, solidifying its position as a future-proof cybersecurity leader. The company has recently launched its proprietary security data lake, enabling unparalleled threat analysis and faster, more precise detection. This innovation, coupled with a strategic partnership with Google Cloud, enhances CYREBRO’s ability to scale and deliver cutting-edge security solutions across diverse environments.

CYREBRO’s commitment to global expansion is evident in its rapidly growing customer base across new markets, demonstrating the universal need for proactive threat detection and response across companies of all sizes.

CYREBRO remains steadfast in its 100% channel-based strategy, empowering its partners to deliver exceptional MDR services to their clients. This approach ensures seamless integration and personalized service, maximizing the value of CYREBRO’s MDR capabilities.

> “We are honored to receive this prestigious award,” said Ori Arbel, CYREBRO CTO. “This recognition validates our relentless pursuit of innovation and our dedication to empowering businesses with robust cybersecurity defenses. We’re particularly proud of the strides we’ve made in enhancing our platform, directly translating to superior security outcomes for our partners and customers.”

**About CYREBRO**

CYREBRO is an AI-native, end-to-end Managed Detection and Response (MDR) solution, designed for hands-off or hands-on control through its future-proof SOC platform.

With its advanced Security Data Lake revolutionizing SIEM and SOAR capabilities, CYREBRO includes 24/7 SOC monitoring and threat intelligence, augmented with exceptionally swift incident response and forensic investigations. CYREBRO delivers precision-guided threat detection and response across any tech stack, providing clear, actionable insights to ensure world-class security and compliance.

With comprehensive visibility and expert guidance, CYREBRO empowers over 900 businesses of all sizes to manage threats proactively, enhancing their security posture and delivering full and complete protection.

**Contact**

**CMO**  
**Gil Harel**  
**CYREBRO**  
**\[email protected\]**

CYREBRO’s AI-Native MDR Platform Earns Silver at the 2025 Globee Cybersecurity Awards

Threat intelligence firm GreyNoise is warning of a "coordinated surge" in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities spanning multiple platforms.
"At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts," the company said, adding it observed the activity on March 9, 2025.
The countries which

Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack

Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that's not how it works.

The social network X suffered intermittent outages on Monday, a situation owner Elon Musk attributed to a “massive cyberattack.” Musk said in an initial X post that the attack was perpetrated by “either a large, coordinated group and/or a country.” In a post on Telegram, a pro-Palestinian group known as Dark Storm Team took credit for the attacks within a few hours. Later on Monday, though, Musk claimed in an interview on Fox Business Network that the attacks had come from Ukrainian IP addresses.

Web traffic analysis experts who tracked the incident on Monday were quick to emphasize that the type of attacks X seemed to face—distributed denial-of-service, or DDoS, attacks—are launched by a coordinated army of computers, or a “botnet,” pummeling a target with junk traffic in an attempt to overwhelm and take down its systems. Botnets are typically dispersed around the world, generating traffic with geographically diverse IP addresses, and they can include mechanisms that make it harder to determine where they are controlled from.

“It’s important to recognize that IP attribution alone is not conclusive. Attackers frequently use compromised devices, VPNs, or proxy networks to obfuscate their true origin," says Shawn Edwards, chief security officer of the network connectivity firm Zayo.

X did not return WIRED's requests for comment about the attacks.

Multiple researchers tell WIRED that they observed five distinct attacks of varying length against X's infrastructure, the first beginning early Monday morning with the final burst on Monday afternoon.

The internet intelligence team at Cisco's ThousandEyes tells WIRED in a statement, “During the disruptions, ThousandEyes observed network conditions that are characteristic of a DDoS attack, including significant traffic loss conditions which would have hindered users from reaching the application.”

DDoS attacks are common, and virtually all modern internet services experience them regularly and must proactively defend themselves. As Musk himself put it on Monday, “We get attacked every day.” Why, then, did these DDoS attacks cause outages for X? Musk said it was because “this was done with a lot of resources,” but independent security researcher Kevin Beaumont and other analysts see evidence that some X origin servers, which respond to web requests, weren't properly secured behind the company's Cloudflare DDoS protection and were publicly visible. As a result, attackers could target them directly. X has since secured the servers.

“The botnet was directly attacking the IP and a bunch more on that X subnet yesterday. It's a botnet of cameras and DVRs,” Beaumont says.

A few hours after the final attack concluded, Musk told Fox Business host Larry Kudlow in an interview, “We're not sure exactly what happened, but there was a massive cyberattack to try to bring down the X system with IP addresses originating in the Ukraine area.”

Musk has mocked Ukraine and its president, Volodymyr Zelensky, repeatedly since Russia invaded its neighbor in February 2022. A major campaign donor to President Donald Trump, Musk now heads the so-called Department of Government Efficiency, or DOGE, which has razed the US federal government and its workforce in the weeks since Trump's inauguration. Meanwhile, the Trump administration has recently warmed relations with Russia and moved the US away from its longtime support of Ukraine. Musk has already been involved in these geopolitics in the context of a different company he owns, SpaceX, which operates the satellite internet service Starlink that many Ukrainians rely on.

DDoS traffic analysis can break down the firehose of junk traffic in different ways, including by listing the countries that had the most IP addresses involved in an attack. But one researcher from a prominent firm, who requested anonymity because they are not authorized to speak about X, noted that they did not even see Ukraine in the breakdown of the top 20 IP address origins involved in the X attacks.

If Ukrainian IP addresses did contribute to the attacks, though, numerous researchers say that the fact alone is not noteworthy.

“What we can conclude from the IP data is the geographic distribution of traffic sources, which may provide insights into botnet composition or infrastructure used,” Zayo’s Edwards says. “What we can’t conclude with certainty is the actual perpetrator’s identity or intent.”

_Additional reporting by Zoë Schiffer._

What Really Happened With the DDoS Attacks That Took Down X

The telecom industry is at a major turning point. With 5G, IoT, and AI reshaping global connectivity, the…

The telecom industry is at a major turning point. With 5G, IoT, and AI reshaping global connectivity, the need for scalable, secure, and smart networks is higher than ever. Cloud IMS is stepping up as a game-changer, combining the flexibility of cloud technology with the reliability of traditional IMS systems. Virtualizing core network functions helps telecom operators roll out next-generation services while keeping security strong in a time of growing cybersecurity threats.

This article breaks down how Cloud IMS has evolved, the key benefits it brings to telecom, and the advanced security measures that help protect essential digital infrastructure.

****Cloud IMS: Redefining Telecommunications Architecture****

Traditional IMS has long served as the foundation for delivering voice, video, and multimedia services over IP networks. However, its reliance on dedicated hardware and inflexible architecture presents limitations in scalability, cost efficiency, and adaptability to emerging network paradigms like 5G and edge computing.

Cloud IMS disrupts this paradigm by decoupling software from hardware, enabling network functions to operate on a highly scalable cloud infrastructure. This expansion introduces several key advantages:

*   Elastic Scalability: Dynamic resource allocation ensures seamless network expansion and load balancing across regions.

*   5G Integration: Cloud IMS seamlessly interfaces with 5G core networks, enabling ultra-low latency communications and network slicing for enterprise applications.

*   Edge Computing Synergy: By distributing processing closer to end users, Cloud IMS enhances real-time applications such as autonomous systems, augmented reality (AR), and smart city infrastructure.

By integrating cloud-native flexibility with IMS standards, operators establish a future-proof foundation for global connectivity.

****Strategic Benefits of Cloud IMS in Modern Networks****

1\. Accelerating Service Deployment

Cloud-native architecture, coupled with DevOps and Continuous Integration/Continuous Deployment (CI/CD) practices, allows operators to launch new services—such as VoNR (Voice over New Radio), 5G-enabled telemedicine, or high-definition video conferencing—in days rather than months. This agility enhances network responsiveness to evolving market demands.

2\. Cost Optimization and Infrastructure Efficiency

By leveraging multi-tenancy and cloud-based resource pooling, Cloud IMS significantly reduces capital expenditure (CAPEX) and operational expenditure (OPEX). Operators transition from hardware-intensive deployments to an on-demand, pay-as-you-go model, optimizing resource utilization.

3\. Global Reach with Localized Performance

Cloud IMS enables geo-distributed deployments, ensuring minimal latency while optimizing bandwidth for mission-critical applications such as emergency services, industrial automation, and defence communications.

4\. 5G Monetization & Network Slicing

With network slicing, telecom operators can create dedicated virtual networks tailored to specific industries, including autonomous transportation, smart grids, and financial services. This customization unlocks new revenue streams while maintaining strict Quality of Service (QoS) and cybersecurity standards.

5\. Sustainable and Energy-Efficient Networks

The transition to cloud-native IMS minimizes physical hardware dependency, reducing energy consumption and carbon footprints. By optimizing server utilization and leveraging AI-powered energy management, telecom providers align with global sustainability initiatives while improving cost efficiency.

****Fortifying National Infrastructure: The Security Imperative of Cloud IMS****

Given the critical role of telecommunications in modern infrastructure, network security remains a paramount concern. As cyber threats evolve in complexity, telecom networks require a multi-layered security framework to safeguard both national and commercial interests.

1\. Zero-Trust Architecture (ZTA)

Cloud IMS adopts a “never trust, always verify” approach, requiring strict authentication and continuous security monitoring. Techniques such as mutual TLS (mTLS), biometric authentication, and blockchain-based identity verification ensure that only authorized entities access network resources.

2\. AI-Powered Threat Intelligence

Artificial intelligence (AI) and machine learning (ML) algorithms continuously monitor network traffic, detecting anomalies such as DDoS attacks, signalling fraud, and unauthorized access. Automated threat response mechanisms neutralize attacks before they escalate.

3\. Quantum-Resistant Encryption

With the impending advancements in quantum computing, traditional encryption methods face obsolescence. Cloud IMS integrates post-quantum cryptographic algorithms to safeguard sensitive communications, ensuring future-proof data protection for national and enterprise-level security.

4\. Secure Network Slicing for Critical Infrastructure

Network slices dedicated to healthcare, finance, and emergency response operate in fully isolated, encrypted environments, ensuring data integrity and operational continuity during crises. For instance, a 5G-powered emergency response network remains segregated from public internet traffic, prioritizing low-latency, high-reliability communication.

5\. Immutable Audit Trails and Regulatory Compliance

With blockchain-backed logging and tamper-proof audit trails, Cloud IMS simplifies compliance with international security regulations, including GDPR, HIPAA, and CALEA. This capability enhances transparency in network operations while facilitating forensic investigations in case of security breaches.

****Cloud IMS in Action: Real-World Applications****

Cloud IMS is already driving technological advancements across multiple sectors:

*   Enterprise Unified Communications (UCaaS): Multinational corporations deploy end-to-end encrypted communication platforms with ultra-low latency.

*   Smart Cities: Cloud IMS supports real-time traffic management, AI-powered surveillance, and emergency response systems.

*   Rural Broadband Expansion: Enables cost-effective VoLTE and 5G deployments in underserved regions, bridging the digital divide.

*   Industrial IoT (IIoT): Manufacturers leverage private 5G slices for predictive maintenance, AI-driven automation, and robotics.

****Future Trajectory: Trends Shaping Cloud IMS****

Cloud IMS will continue evolving through:

*   AI-Driven Network Optimization: Predictive analytics for traffic routing, cybersecurity, and personalized telecom experiences.

*   Edge-Native Deployments: Low-latency solutions for autonomous vehicles, remote surgery, and immersive metaverse applications.

*   Public-Private Regulatory Collaboration: Standardized security frameworks for national infrastructure protection and data sovereignty.

*   Green Networks: Energy-efficient architectures leveraging renewable-powered data centers for sustainable telecom solutions.

Cloud IMS represents a defining shift in telecommunications, merging agility, security, and scalability into a unified framework. Telecom operators who fail to embrace this transformation risk obsolescence in an increasingly AI-driven, hyperconnected world.

For consumers, Cloud IMS promises seamless, low-latency, and secure digital experiences, whether in high-definition communication, AI-driven automation, or national security applications. For telecom providers, it unlocks unparalleled efficiency, cost optimization, and revenue diversification.

As telecommunications becomes the backbone of modern infrastructure, keeping it secure, reliable, and resilient is more important than ever. Cloud IMS isn’t just a breakthrough; it’s a necessity. The time to act is now.

Cloud IMS: The Confluence of Innovation and Security in Modern Telecommunications

Push notifications are a common feature that many websites use to keep users engaged. However, what happens when these notifications turn malicious? Renée Burton, Vice President of Threat Intel at Infoblox, recently shared her firsthand experience with this alarming trend. Here’s a look at how scammers exploit push notifications to deliver scams, including fake gift cards and sweepstakes.

****The Push Notification Trap****

Renée found that when users visit a website that requests permission to send notifications, they may unknowingly grant scammers a powerful tool. Cybercriminals take advantage of this by tricking users into accepting notifications, often without fully understanding the consequences. Once accepted, users are bombarded with misleading messages that redirect them to fraudulent content.

These misleading messages often pose as legitimate alerts from trusted brands like Google or Walmart. They may falsely claim that a user’s account has been hacked or that they have won a gift card. Engaging with these notifications can lead to downloading harmful apps or surrendering personal information.

****The Gift Card Scam****

As part of her investigation, Renée visited sites that employ push notification scams and observed how scammers entice users with promises of substantial winnings. A notification may claim the recipient has won a $10,000 Walmart gift card, prompting them to click on it. Instead of receiving a prize, users are redirected through multiple domains before landing on a fraudulent site.

To claim the gift card, users are asked to provide personal details, including their email and home address. In many cases, they must complete a survey before they can “win.” However, the survey never ends, keeping users trapped in a cycle of never-ending ads and data collection schemes.

Screenshot of a series of non-stop email spam pushing gift card scams (Credit: Renée Burton – Infoblox)

****The Survey Scam****

Renée discovered that survey scams are a prevalent tactic used by scammers. Upon clicking a notification that promises a prize, users are led to websites like reward-lockercom. These sites request personal details such as name, email, address, and phone number under the guise of confirming eligibility.

Once users provide this information, they are required to complete a series of surveys. Each survey leads to additional advertisements, and scammers keep them engaged with the illusion of an imminent reward. However, the prize never materializes, and users remain stuck in an endless loop of data harvesting.

****The Sweepstakes Scam****

Similar to survey scams, sweepstakes scams exploit users’ trust. Renée investigated fraudulent sites like zippywinnercom, which advertise lucrative sweepstakes that appear genuine. These sites lure users into believing they have won big prizes, but in reality, the odds of winning are practically nonexistent. Instead, users are funnelled into more surveys and deceptive schemes designed to extract personal information and generate ad revenue for scammers.

****The Bigger Picture****

Through her research, Renée uncovered that scammers use advanced techniques to evade detection. They employ domain cloaking and traffic distribution systems (TDSs) to deliver varied content, making it difficult for security teams to identify and mitigate these threats.

Infoblox has observed this malicious adtech (advertising technology) operating across various websites, including scientific research platforms, car dealership pages, and activist blogs. The problem is extensive, with millions of websites compromised by push notification scams each year.

****The Impact****

While some may dismiss these scams as minor nuisances, Renée’s findings highlight their severe consequences. Scammers harvest personal and financial information, keeping users locked in cycles of misleading ads and phishing attempts. The only beneficiaries of this system are the scammers themselves.

In conclusion, Renée’s research underscores the dangers of push notifications when misused by cybercriminals. While push notifications can be valuable engagement tools, they can also serve as a gateway for scams. Users should remain alert, avoid clicking suspicious notifications, and never share personal information in response to unsolicited alerts.

What Happens When Push Notifications Go Malicious?

Plus: The world’s “largest illicit online marketplace” gets hit by regulators, police seize the Garantex crypto exchange, and scammers trick targets by making up ransomware attacks.

As Donald Trump’s administration continues its relentless reorganization of the United States federal government, documents obtained by WIRED showed this week that the Department of Defense is looking at cutting as much as three-quarters of its workforce that’s specifically focused on stopping proliferation of chemical, biological, and nuclear weapons. Meanwhile, the US Army is using its “CamoGPT” AI tool to “review” diversity, equity, inclusion, and accessibility policies per Trump administration orders. The military originally developed the AI service to improve productivity and operational readiness.

US civil liberties organizations are pushing the director of national intelligence. Tulsi Gabbard, to declassify details about Section 702 of the Foreign Intelligence Surveillance Act—a central overseas wiretap authority that is notorious for also capturing a large number of calls, texts, and emails made or sent by Americans. And the US Justice Department on Wednesday charged 10 alleged hackers and two Chinese government officials over digital crimes spanning more than a decade as part of China’s extensive hack-for-hire ecosystem.

Ongoing analysis from a consortium of researchers led by Human Security found that at least a million low-price Android devices, like TV streaming boxes and tablets, have been compromised as part of a scamming and ad fraud campaign known as Badbox 2.0. The activity, which the researchers say comes out of China, is an evolution of a previous effort to backdoor similar devices.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Cybercriminals Allegedly Used a Backdoor to Steal Taylor Swift Tickets**

Two people who allegedly worked as part of a group to access nearly 1,000 tickets to concerts and other events—many for Taylor Swift’s Eras Tour—before selling them on for more than $600,000 profit were arrested and charged with the potential crimes in Queens this week. Tyrone Rose, 20, and Shamara P. Simmons, 31, of Jamaica, Queens, were arrested and arraigned in connection to the theft and sales, according to Queens district attorney Melinda Katz.

Between June 2022 and July 2023, it is alleged that 350 orders—totaling 993 tickets—on ticketing platform StubHub were accessed at a third-party contractor called Sutherland. “The Sutherland employees, defendant Tyrone Rose and an unapprehended accomplice, allegedly used their access to StubHub’s computer system to find a backdoor into a secure area of the network where already sold tickets were given a URL and queued to be emailed to the purchaser to download,” the district attorney’s office wrote in a statement.

They then emailed URLs to another accomplice who has since died, the office says, before posting the tickets to StubHub for resale. While the investigations are ongoing, the District Attorney’s office claimed the proceeds of the cybercrime totaled around $635,000 and also involved tickets for Ed Sheeran concerts, NBA games, and the US Open Tennis Championships.

**Payment Provider Linked to ‘Largest Illicit Online Marketplace’ Loses Banking License**

Every year, criminals make billions from the operations of highly organized scam compounds in Southeast Asia. As these operations have grown in sophistication, so has the wider ecosystem that supplies them with the technology and services needed to run the scams. And experts say there’s no bigger marketplace than Huione Guarantee—a Cambodian gray market selling scam services that researchers claim has facilitated more than $24 billion in transactions.

This week, according to a report by Radio Free Asia, the banking arm of Huione Guarantee’s parent company, Huione Group, had its financial license suspended by officials in Cambodia. According to the report, the Huione Pay service had its license withdrawn for failing to comply with “existing regulations.” The United Nations Office on Drugs and Crime and crypto tracing firm Elliptic previously had linked money moving through Huione Pay to cyberscamming. “They are willing facilitators of pig butchering and other fraud, so any regulatory action against them should be welcomed,” Elliptic founder Tom Robinson claimed to Radio Free Asia.

**Russian Cryptocurrency Exchange Garantex Taken Down in Law Enforcement Action**

The US Department of Justice announced an operation this week with Germany and Finland to disrupt the digital infrastructure behind notorious Russian cryptocurrency exchange Garantex. For years, the platform has allegedly been used for money laundering and other criminal transactions, including sanctions evasion. The DOJ claimed in its announcement that “transnational criminal organizations—including terrorist organizations” have utilized the exchange. Law enforcement said that the platform has processed at least $96 billion in cryptocurrency transactions since April 2019. US authorities said they froze over $26 million in funds used to facilitate money laundering as part of the Garantex takedown.

**Scammers Are Impersonating Notorious Ransomware Attackers to Extort Targets**

The FBI warned this week that scammers pretending to be attackers from the BianLian ransomware gang are demanding ransoms from corporate executives in the US. The demands include claims that the group has breached a company’s network and threaten to publish sensitive information unless a target pays up. Such criminal digital extortion is common enough that scammers apparently feel that they can plausibly make the claims and intimidate targets without even attacking them. The FBI says that the scammers’ ransom demands say that they come from BianLian and range from $250,000 to $500,000 payable via a QR code that links to a Bitcoin wallet. The real BianLian group has links to Russia and has targeted US critical infrastructure since June 2022, according to a November alert from the US Cybersecurity and Infrastructure Security Agency.

Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets

Outpost24’s KrakenLabs reveals EncryptHub’s multi-stage malware campaign, exposing their infrastructure and tactics through critical OPSEC failures. Learn how…

Outpost24’s KrakenLabs reveals EncryptHub’s multi-stage malware campaign, exposing their infrastructure and tactics through critical OPSEC failures. Learn how this rising cybercriminal group operates and the threats they pose.  

In a recent in-depth investigation, Outpost24’s specialized threat intelligence team, KrakenLabs, identified previously undisclosed aspects of a sophisticated malware operation known as EncryptHub. KrakenLabs’ analysis, shared with Hackread.com, provides a detailed understanding of the group’s operational infrastructure, tools, and characteristic behavioural patterns.

This enhanced understanding was made possible by a series of security lapses on the part of EncryptHub, which, according to Outpost24, inadvertently exposed crucial elements of their malicious ecosystem.

These operational errors include the enabling of directory listings on their core infrastructure, the storage of stolen data alongside malware files, and the exposure of Telegram bot configurations used for data theft and campaign oversight.

EncryptHub’s attack campaigns are characterized by multi-layered PowerShell scripts, designed to collect system information, extract valuable data, implement evasion techniques, inject malicious code, and deploy additional data-stealing programs. Their distribution methods include the use of trojanized versions of popular applications and the employment of third-party pay-per-install services. The group prioritizes stolen credentials based on factors such as cryptocurrency holdings, corporate network access, and VPN usage.

Furthermore, EncryptHub is developing a remote access tool, “EncryptRAT,” which features a command-and-control panel for managing infected systems, suggesting potential future commercialization. The group also actively monitors the ongoing cybersecurity trends, integrating newly discovered vulnerabilities into their attacks.

EncryptHub has tested various methods to deploy malware without detection, including disguising malicious software as legitimate applications. During the investigation, researchers observed the group used counterfeit versions of applications like QQ Talk, WeChat, and Microsoft Visual Studio 2022 signed with revoked code-signing certificates, and later with certificates issued by Encrypthub LLC. These trojanized applications contained PowerShell scripts to download and execute further malicious code, gathering system information and deploying data stealers.

Another distribution method involved the use of LabInstalls, a pay-per-install service, which facilitates the rapid deployment of malware through automated Telegram bots. It is available for as low as $10 (for 100 loads) to up to $450 (for 10,000 loads). EncryptHub confirmed their use of this service through feedback posted on an underground forum.

Encrypthub’s positive feedback on an underground forum “XSS” (Source: Outpost24)

The group’s attack process, or killchain, has evolved, with the latest version involving a multi-stage PowerShell script execution. The initial script steals sensitive data, including messaging sessions, cryptocurrency wallet information, and password manager files. It then downloads and executes a second script, which deploys further malicious components, including a modified Microsoft Common Console Document. The final stage involves the deployment of Rhadamanthys, an information stealer.

EncryptHub’s Killchain and Attack Process (Source: Outpost24)

EncryptHub is also developing a command-and-control panel, EncryptRAT, which allows for the management of infected systems, remote command execution, and the monitoring of stolen data. The tool’s development suggests a potential move towards commercialization, with features like multi-user support and segregated data storage.

KrakenLabs’ findings emphasise the need for continuous monitoring and enhancing security measures to counter the evolving threats posed by groups like EncryptHub. The group’s ability to adapt and utilize both in-house tools and third-party services highlights the importance of multi-layered security strategies.

EncryptHub’s OPSEC Failures Expose Its Malware Operation

Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, the…

Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, the use of LOLBAS, and the various malware payloads. Get detailed analysis, IOCs, and mitigation recommendations.

Microsoft’s Threat Intelligence team has recently dismantled a large-scale malvertising campaign that impacted nearly one million devices worldwide. The primary targets were Windows systems running various browsers, including Chrome and Edge and it impacted a wide range of organizations, from individual users to large enterprises, which demonstrates its widespread impact.

Tracked under the name Storm-0408, this campaign was discovered in December 2024 and involved a multi-stage attack chain. According to Microsoft’s research report, shared with Hackread.com, the attack originated from illegal streaming websites where the attackers utilized compromised GitHub repositories to distribute malware as well as Discord and Dropbox for hosting some payloads. The malicious GitHub repositories have since been removed.

Users were initially redirected from illegal streaming sites, which embedded malicious advertisements within video frames “to generate pay-per-view or pay-per-click revenue,” leading to intermediate websites. These websites then redirected users to GitHub, where the first-stage malware payloads were hosted.

These repositories served as a launchpad for deploying additional malware and scripts. The initial malware established a foothold on the compromised devices, enabling the deployment of subsequent payloads – designed to collect system information and exfiltrate documents and data from the affected systems. 

The initial access payloads on GitHub were typically obfuscated JavaScript files that initiated the download and execution of further malware. The attack chain consisted of multiple stages, each with specific objectives as Microsoft explained in this image:

Attack Stages and Attack Chain (Source: Microsoft)

The first-stage payload, hosted on GitHub, acted as a dropper for the second-stage files. These files were used for system discovery, collecting information such as memory size, graphics details, screen resolution, operating system, and user paths. This data was then Base64-encoded and exfiltrated to a command-and-control (C2) server. A typical redirection chain might look like this:

illegalstreamingsite.com/movie.html -> malvertisingredirector.com/redirect.php -> intermediarysite.net/landing.html -> github.com/malicioususer/malware.js.

Depending on the second-stage payload, various third-stage payloads were deployed, which conducted additional malicious activities, including C2 communication, data exfiltration, and defence evasion techniques.

The attackers also utilized legitimate tools and scripts, and most importantly a technique known as “living-off-the-land binaries and scripts” (LOLBAS), to blend in with normal system activity. For example, one common tactic was to inject malicious code into the legitimate RegAsm.exe process to establish C2 connections and exfiltrate data.

The campaign employed a modular approach, with each stage dropping another payload with distinct functions including system discovery, credential theft, and data exfiltration. Persistence was achieved through modifications to the registry and the creation of shortcut files in the Windows Startup folder.

The prompt collaboration between Microsoft and GitHub in taking down malicious repositories highlights the importance of industry cooperation in combating cyber threats.

Microsoft has provided detailed recommendations to mitigate the impact of this threat, including strengthening Microsoft Defender for Endpoint configurations, enhancing operating environment security, and implementing multi-factor authentication.

Ensar Seker, Chief Security Officer at SOCRadar commented on the latest development stating, “The attackers used geofencing, device fingerprinting, and cloaking techniques to evade detection, which means the malicious payload is only delivered to targeted users, making it harder for security solutions to track and mitigate the campaign.”

“This campaign is likely part of a broader MaaS (Malware as a Service) ecosystem, where attackers use pre-built malvertising kits to distribute payloads like stealers, ransomware, and banking trojans,” Ensar added. “Malvertising has traditionally targeted Windows users, but with more professionals using macOS and Linux, we’ll see cross-platform payloads becoming more common.”

Tag

#intel