Tulsi Gabbard, the director of national intelligence, has long held anti-surveillance views. Now she oversees a key surveillance program she once tried to dismantle.

Former US congresswoman Tulsi Gabbard’s ascendance to director of national intelligence last month signaled a major shift in views toward government surveillance at the highest rung of the US intelligence community. While backing down from some of her more extreme anti-surveillance views in the run-up to her confirmation, Gabbard nevertheless held fast to a few promises of reform that have been traditionally eschewed by federal law enforcement leaders.

Now, some of the nation’s premier civil liberties organizations have begun lobbying America’s “top spy” to follow through on a pledge to bring about new levels of oversight and transparency to a key US surveillance program that’s long been plagued by reports of misuse.

Led by the American Civil Liberties Union, at least 20 major privacy groups this week urged Gabbard to declassify information concerning Section 702 of the Foreign Intelligence Surveillance Act (FISA)—the nation’s cornerstone wiretap authority that, while aimed at collecting intelligence on foreigners overseas, is known to vacuum up large quantities of calls, texts, and emails belonging to Americans.

In a letter first obtained by WIRED, the groups privately urged Gabbard this week to declassify information regarding the types of US businesses that can now be secretly compelled to install wiretaps on the US National Security Agency’s (NSA) behalf.

While it’s no secret that the government routinely compels phone and email service providers like AT&T and Google into conducting wiretaps, Congress passed a new provision last year expanding the range of businesses that can receive such orders. Legal experts had warned in advance that the provision was far too ambiguous and likely to vastly increase the number of Americans whose communications are wiretapped. But their warnings were not heeded.

It is widely assumed that the classified purpose behind the expanded authority is allowing the government to obtain access to communications in US data centers. Lawyers for the US Justice Department attempted to unilaterally expand the reach of the program in 2022, but its efforts were foiled by the secret surveillance court that oversees FISA. Only Congress has the power to expand FISA, the department was told.

As its a matter of secret law, lawmakers were unable to specify much about the limits of the government’s access in the provision they ultimately passed. This inevitably led to the adoption of a vague new definition for what the government calls an “electronic communications service provider” (ECSP)—the term for companies whose cooperation can be compelled under FISA.

Privacy experts and industry leaders had likewise raised concerns about introducing ambiguity into a law that defines the scope of a powerful surveillance tool, warning the changes could expose a near limitless new range of new businesses to secret government demands.

As WIRED reported last spring, opponents of the provision in Washington had cast the surveillance program’s new parameters as effectively “Stasi-like”—a reference to the defunct East German secret police agency notorious for infiltrating industry and forcing private citizens to spy on one another.

Senator Ron Wyden of Oregon, a renowned privacy hawk who has served on the Senate intelligence committee since just after 9/11, has referred to the new provision as “one of the most dramatic and terrifying expansions of government surveillance authority in history.”

Declassifying the new types of businesses that can actually be considered an ECSP is an essential step in bringing about clarity to an otherwise nebulous change in federal surveillance practices, according to the ACLU and the other organizations joined in its effort. “Without such basic transparency, the law will likely continue to permit sweeping NSA surveillance on domestic soil that threatens the civil liberties of all Americans,” the groups wrote in their letter to Gabbard this week.

The Office of the Director of National Intelligence did not respond to multiple requests for comment.

In addition to urging Gabbard to declassify details about the reach of the 702 program, the ACLU and others are currently pressing Gabbard to publish information to quantify just how many Americans have been “incidentally” wiretapped by their own government. Intelligence officials have long claimed that doing so would be “impossible,” as any analysis of the wiretaps would involve the government accessing them unjustifiably, effectively violating those Americans’ rights.

The privacy groups, however, point to research published in 2022 out of Princeton University, which details a methodology that could effectively solve that issue. “The intelligence community’s refusal to produce the requested estimate undermines trust and weakens the legitimacy of Section 702,” the groups say.

Gabbard is widely reported to have softened her stance against government spying while working to secure her new position as director of the nation’s intelligence apparatus. During the 116th Congress, for instance, Gabbard introduced legislation that sought to completely dismantle the Section 702 program, which is considered the “crown jewel” or US intelligence collection and crucial to keeping tabs on foreign threats abroad, including terrorist organizations and cybersecurity threats—exhibiting a stance far more extreme than those traditionally held by lawmakers and civil society organizations who’ve long campaigned for surveillance reform.

While begging off from this position in January, Gabbard’s newly espoused views have, in fact, brought her more closely in line with mainstream reformers. In response to questions from the US Senate ahead of her confirmation, for example, Gabbard backed the idea of requiring the Federal Bureau of Investigation to obtain warrants before accessing the communications of Americans swept up by the 702 program.

Slews of national security hawks from former House speaker Nancy Pelosi to former House intelligence committee chairman Mike Turner have long opposed this warrant requirement, as traditionally have all directors of the FBI. “This warrant requirement strengthens the \[intelligence community\] by ensuring queries are targeted and justified," Gabbard wrote in response to Senate questions in late January.

The Section 702 program was reauthorized last spring, but only for an additional two years. Early discussions about reauthorizing the program once more are expected to kick off again as early as this summer.

Sean Vitka, executive director of Demand Progress, one of the organizations involved in the lobbying effort, notes that Gabbard has a long history of supporting civil liberties, and refers to her recent statements about secret surveillance programs “encouraging.” “Congress needs to know, and the public deserves to know, what Section 702 is being used for,” Vitka says, “and how many Americans are swept up in that surveillance.”

“Section 702 has been repeatedly used to conduct warrantless surveillance on Americans, including journalists, activists, and even members of Congress,” adds Kia Hamadanchy, senior policy counsel for the ACLU. “Declassifying critical information, as well as providing long-overdue basic data about the number of US persons whose communications are collected under this surveillance are essential steps to increasing transparency as the next reauthorization debate approaches.”

Trump’s Spy Chief Urged to Declassify Details of Secret Surveillance Program

Discover how artificial intelligence is shaping the future of workplace management, from optimizing efficiency to enhancing employee experience.…

Discover how artificial intelligence is shaping the future of workplace management, from optimizing efficiency to enhancing employee experience. Explore the evolving role of AI in transforming workplace operations and strategies for smarter, more effective decision-making.

Artificial Intelligence (AI) is transforming nearly every aspect of business operations, and workplace management is no exception. The integration of AI into workplace management brings a range of benefits, from optimizing office space to improving employee productivity and engagement. However, it also introduces several challenges that organizations must address to ensure a smooth transition and successful implementation.

**Table of Contents**

1.  The benefits of AI in workplace management
2.  AI: the brain behind modern workplace decision-making
    1.  The challenges of AI in workplace management
    2.  Resistance to change
    3.  Integration with existing systems
    4.  Bias and Fairness in AI
3.  The next frontier: AI in workplace management
4.  Conclusion

AI can significantly improve workplace efficiency by automating routine tasks, such as scheduling, resource allocation, and inventory management. By removing these repetitive and time-consuming activities from employees’ workloads, AI allows them to focus on more critical tasks, ultimately boosting productivity across the organization.

For instance, AI-driven meeting room booking systems can automatically allocate rooms based on team size, equipment requirements, and availability, ensuring seamless operations. For those wondering, **what is workplace management?** It refers to the strategic approach of optimizing workplace resources, processes, and technology to create a more efficient and productive work environment.

****AI: the brain behind modern workplace decision-making****

With the ability to analyze vast amounts of data in real-time, AI can help managers make informed, data-driven decisions. For example, AI-powered workplace analytics tools can provide insights into **employee performance**, space utilization, and overall operational efficiency. These insights allow managers to identify trends, improve resource allocation, and optimize workflows, ensuring that both employees and resources are used to their full potential.

*   **Personalized Employee Experience**: AI is capable of creating a personalized work environment for employees by understanding individual preferences and needs. By analyzing data on work patterns, preferences, and behaviours, AI can suggest customized solutions for improving employee productivity, wellness, and satisfaction. From automatically adjusting room lighting and temperature based on preferences to offering personalized workspaces and task prioritization, AI can tailor the workplace to enhance the overall employee experience.

*   **Cost Savings and Resource Optimization**: AI helps organizations optimize resource utilization, reducing waste and inefficiencies. By utilizing predictive analytics, businesses can better forecast demand for resources, such as meeting rooms, office equipment, and even parking spaces. As a result, companies can minimize costs associated with underutilized assets and improve overall space management. AI-driven energy management systems can also help cut down on energy consumption by adjusting lighting, heating, and cooling systems based on occupancy and weather patterns.

****The challenges of AI in workplace management****

One of the biggest challenges when integrating AI into workplace management is ensuring data privacy and security. AI systems rely on large volumes of data to function effectively, and this data often includes sensitive information about employees and business operations. Without proper safeguards in place, there is a risk of data breaches and privacy violations. Organizations must implement robust cybersecurity protocols and ensure compliance with data protection regulations to mitigate these risks.

****Resistance to change****

Implementing AI solutions in the workplace may encounter resistance from employees who are sceptical about the technology or concerned about job security. Employees may fear that AI will replace human workers, leading to a decline in morale and productivity. To overcome this resistance, organizations must focus on education and training, helping employees understand the benefits of AI and how it can support their work rather than replace it.

****Integration with existing systems****

Integrating AI into existing workplace management systems can be complex and time-consuming. Many organizations rely on legacy systems that may not be compatible with AI technologies. This can lead to difficulties in data transfer, system integration, and operational disruptions. Organizations must carefully plan their **AI implementation strategy**, ensuring that they invest in systems that integrate seamlessly with their current infrastructure to avoid costly delays and technical challenges.

****Bias and Fairness in AI****

AI algorithms are only as good as the data they are trained on, and if that data is biased, the AI system may produce biased results. For example, AI-driven employee performance management tools could inadvertently favour certain groups over others if the data used to train the system reflects biases related to gender, race, or other factors. To address this, organizations must ensure that the data used to train AI models is diverse and representative and that AI systems are regularly audited for fairness and accuracy.

****The next frontier: AI in workplace management****

As AI continues to evolve, its role in workplace management will only expand. Future AI systems will be even more sophisticated, with the potential to transform how employees interact with their work environment. AI-powered tools will become more intuitive, anticipating needs before they arise and offering proactive solutions.

However, for AI to achieve its full potential, organizations must ensure that they are prepared to address the challenges outlined above. By focusing on transparency, employee engagement, and data privacy, businesses can unlock the full benefits of AI while mitigating the associated risks. As AI technology becomes increasingly integrated into workplace management systems, it promises to create smarter, more efficient, and more personalized work environments that benefit both employees and organizations alike.

****Conclusion****

AI is revolutionizing workplace management by improving efficiency, enhancing decision-making, and optimizing resource utilization. While the benefits are clear, organizations must also be mindful of the challenges, such as **data privacy**, employee resistance, and system integration.

By carefully navigating these challenges, businesses can successfully harness the power of AI to create smarter, more efficient, and more productive workplaces. As AI technology continues to advance, the future of workplace management looks promising, offering exciting possibilities for organizations that embrace it.

The Future of AI in Workplace Management

Documents obtained by WIRED show the US Department of Defense is considering cutting up to 75 percent of workers who stop the spread of chemical, biological, and nuclear weapons.

US agencies responsible for preventing the global proliferation of weapons of mass destruction and building security capacity around the world are facing deep cuts, perhaps total abolition, as the Trump administration continues its assault on any and all spending going overseas.

According to a draft working paper provided to WIRED, the Department of Defense is asking all its agencies and services that conduct “security cooperation” programs to consider the impact if the Pentagon were to “realign” its funding. The authors of the paper warn that the cuts could hobble the fight against organized crime in South America, impair the battle against the Islamic State, increase the likelihood of a rogue state producing and using chemical weapons, and defund pandemic surveillance measures.

The working paper is in response to a request for information from Secretary of Defense Pete Hegseth, asking agencies to assess the consequences of four levels of staff reduction—25 percent, 50 percent, and 75 percent cuts, or outright abolition.

This cost-cutting exercise is being conducted in response to a January 20 executive order from President Donald Trump, mandating that departments and agencies review all foreign aid programs. But the DOD review is going well beyond foreign aid. According to the working paper, the Defense Department looks set to make cuts to all humanitarian assistance, security cooperation, and cooperative threat-reduction efforts. The DOD has made clear that all spending ought to align with the secretary’s three priorities: deterring China, increasing border security, and pushing allies to shoulder more of the burden. It is not clear what role, if any, Elon Musk’s so-called Department of Government Efficiency (DOGE) is playing in these workforce reduction decisions.

**Pandemics and Weapons of Mass Destruction**

In response to the Pentagon’s request for information, the agencies contemplated lower bounds of cuts of 20, 40, and 60 percent—a counter-offer, the Pentagon source says, because officials in these agencies see a 60 percent cut as a “red line” that would still severely hurt global and domestic security.

A 20 percent reduction in funding, the memos say, would reduce some mine-clearance efforts in former war zones, significantly hurt programs to surveil and prevent infectious disease outbreaks in Africa, and worsen biosafety and biosecurity programs at biological laboratories worldwide, among other losses.

A 40 percent reduction would limit funding for counter-extremism programs in Africa and the Middle East, close all mine-clearance operations, shut down programs to intercept and prevent the development of weapons of mass destruction, and completely shut down biological surveillance programs.

A 60 percent cut would be significantly more severe, according to the memo. It would fundamentally eliminate America’s role in preventing the spread of chemical, biological, and nuclear weapons, the documents warn, and increase the likelihood of a lab accident or theft of potentially dangerous biological material.

The secretary of defense also asked the agencies to game out the consequences of fully shutting down some of their operations—a move, the agencies claim, that would defund border security measures and anti-drug-trafficking efforts.

One of the agencies targeted by this spending review is the Defense Threat Reduction Agency (DTRA), which leads counter-proliferation efforts on chemical, biological, and nuclear threats, both on its own and with US allies. In recent years, DTRA took the lead on destroying chemical weapons in Syria, helped secure 10 metric tons of highly enriched uranium in Kazakhstan, and worked with the Ukrainian government to upgrade security at its infectious disease laboratories.

A Pentagon source tells WIRED that if cuts on the higher end of the proposed spectrum are made, DTRA will effectively end. “Anything more than a 60 percent cut cripples the program,” they say. The source, who requested anonymity because they are not authorized to discuss the spending review, claims a total elimination of these programs is also on the table.

"All reductions increase risk to US due to pathogen spread and easier adversary pathways to develop WMD,” the memos read.

The secretary of defense declined to comment for this story, with a spokesperson writing, “We will not comment on internal deliberations.”

The cost-savings of these cuts would be relatively marginal compared to the Pentagon’s $850 billion budget. The Department of Defense only spends about $19 billion on humanitarian assistance, security cooperation, and cooperative threat-reduction programs, including DTRA—of that, the proposed cuts would eliminate between $5 billion and $15 billion. Because many of these programs are funded via congressional earmark, it’s not clear the Pentagon has the authority to cut and reappropriate their funding.

Trump and Hegseth have previewed defense cuts, promising to reduce spending by $50 billion—about 8 percent of the Pentagon’s nonlethal budget, Hegseth has said.

These cuts could also have a domino effect on other programs that are run in conjunction with the State Department and other agencies. One long-standing project facing cuts under this review is the State Partnership Program, which sends National Guard members to liaise and train with friendly militaries abroad. This program has historically been particularly popular with Republican members of Congress. But it, like dozens of other Pentagon activities, faces steep cuts or outright abolition.

A source with knowledge of the funding review says that a decision has yet to be made about the exact level of these cuts, and that meetings are ongoing to decide which agencies or programs will be hit and how hard. A final decision is due in mid-April, at the end of the 90-day window set out in the January 20 executive order. Sources inside the Pentagon who work on security cooperation say they are fearful that the cuts will be severe.

**Burst Bubble**

The people who work to stop the spread of dangerous material insist that these programs are not foreign assistance at all—they are all about domestic and global security.

DTRA, for example, currently works with 35 nations, helping to upgrade their biosafety and biosecurity practices while also helping them destroy dangerous biological samples. Much of this work takes place in veterinary clinics, which often treat and collect samples from sick livestock, making them the front line of infectious disease outbreaks. This work, in recent years, has included many of the African nations hit by Ebola.

Partnering with local health authorities not only helps prevent the next epidemic, but it also makes sure that these virological samples are kept secure—“so it's not accidentally going to leak out of these public health facilities or not be stolen by a terrorist,” Robert Pope, director of Cooperative Threat Reduction at DTRA, explained in a 2022 interview.

DTRA’s staff operate as an “early warning system,” a congressional staffer tells WIRED, ahead of any deployment of the US military, they say. While it may not be a traditional kind of military power, they add, it should still fit into this administration’s priorities. “It secures our border from pathogens.”

An independent analysis conducted for the Pentagon in 2022 found that these threat reduction programs are “well-positioned to respond quickly to emerging \[weapons of mass destruction\] threats; its authorities are unique and fill an existing gap.”

Programs like DTRA ought to be expanded, not cut, says Gigi Gronvall, a professor at the Johns Hopkins Center for Health Security. These are primarily national security programs, she says, designed to “give ourselves the eyes and ears around the world to put out those fires, or prevent them from happening in the first place.”

If you don’t put out the fire—whether it’s a novel infectious disease or a chemical weapons program in a rogue state—it will keep growing, Gronvall adds. “We have areas of the world that don’t have fire departments,” she says. “By helping them help themselves, we are helping them step up.”

**‘A Fire Sale on Expertise’**

The Pentagon’s threat reduction efforts, and the DTRA itself, stem from the work of former US senators Sam Nunn, a Democrat, and Richard Lugar, a Republican, to secure weapons of mass destruction after the fall of the Soviet Union. America, through their work, destroyed thousands of ballistic missiles and nuclear warheads, disposed of tens of thousands of pounds of chemical weapons, and dismantled Soviet bioweapon laboratories. In 1998, DTRA was formally created and given a more expensive mandate to both track and destroy chemical and biological threats while also helping other nations do the same.

For its work, DTRA has been targeted by Russian disinformation efforts, with Moscow accusing America of producing biological weapons in these DTRA-funded labs. Following the full-scale Russian invasion of Ukraine in 2022, conspiracy theorists in America picked up that thread, suggesting the invasion was cover to destroy these bioweapons labs.

Fears about DTRA’s work have since been raised by Health and Human Services secretary Robert F. Kennedy Jr., director of national intelligence Tulsi Gabbard, and Russia itself. Republican senator Rand Paul has repeatedly issued subpoenas to the DTRA looking for evidence that it has been engaged in dangerous virological research and suggesting that it may have had a hand in creating Covid-19.

“When Russia was attacking that program, it was doing so because it wanted to erode our national security,” Gronvall says. Russia may not believe these lies, she adds, but “they have been enormously successful in getting people with power to believe these things.”

Last year, the United States accused Russia of using prohibited chemical weapons in its war on Ukraine. According to this working paper, the proposed cuts to the DTRA could eliminate America’s ability to investigate and attribute such chemical weapons attacks in Eastern Europe.

Investigating and attributing these attacks is a form of deterrence, Gronvall says. Without this capability, she adds, “it means you’re going to see a lot more chemical weapons used.”

The United States believes that Russia, North Korea, and other rogue states have active biological weapons programs. Despite that, no state has actually deployed a biological weapon since the adoption of the Biological Weapons Convention. Gronvall is worried that dismantling the DTRA could weaken that prohibition. “I would worry that that would be something we would see,” she says.

The working paper warns that reducing this funding could surrender ground to Russia and China, which may try and fill the void left by the US. That could see Moscow and Beijing move in to partner with foreign militaries, cooperate with these biological facilities, and even recruit new scientists.

“It’s going to be a fire sale on expertise,” Gronvall says, “and that is helping China, 100 percent.”

Pentagon Cuts Threaten Programs That Secure Loose Nukes and Weapons of Mass Destruction

Martin Lee dives into to the complexities of defending our customers from threat actors and covers the latest Talos research in this week's newsletter.

Thursday, March 6, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter.

At Talos we bat on behalf of our customers, protecting them against all manner of cyber threats that may affect them. The nature of the threat actor and their origin or affiliation makes no difference; if they are attacking or planning to attack a customer, we do our utmost to stop them.

In practice, identifying the origin of attacks can be surprisingly difficult, much harder than identifying the attack itself.  Attacks do not arrive wrapped in a flag with a certificate of origin. Typically, attackers seek to hide their origin so as to avoid the attention of law enforcement or the international community. However, although not an easy task, the attacker will often unwittingly leave clues to their identity.

We are all creatures of habit; we all have our preferred methods of doing things, tools that we are familiar with, or suppliers that we often choose over another. Threat actors are no different. Over time, the choices made by a threat actor in how they carry out their attacks, the methods they use, and their choice of victims builds to become a characteristic fingerprint.

New attacks can be analysed to identify if their characteristics overlap with those of a known threat actor. If so, we may surmise that the attack has been carried out by that threat actor. Nevertheless, uncovering and understanding the relationship between an attack and the threat actor behind the attack requires detailed research or possibly will only become apparent with the passage of time and the publication of additional information.

Even if an attack can be attributed to a known threat actor, the nature and origin of that threat actor may be obscure. Threat actors rarely admit to their actions and volunteer their identity. A detailed investigation by law enforcement or intelligence agencies may identify an attacker’s identity. Otherwise the security industry refers to known threat actors by various pseudonyms, few of which are definitively tied to one or more named individuals or an organistation. Understanding and communicating degrees of uncertainty when it comes to describing threat actors is a key skill in the threat intelligence community.

Suffice to say that we do not pick and choose the threats that we block. We block them regardless of their origin because this is who we are and what we do, and in any case, identifying the origin of a threat is not a simple matter.

**The one big thing**

Lotus Blossum is a sophisticated threat actor that we’ve uncovered conducting espionage campaigns against the government, manufacturing, telecoms, and media sectors in Vietnam, Hong Kong, Taiwan, and the Philippines. As part of this activity, the threat actor uses the Sagerunex family of backdoor malware for command and control activity. 

**Why do I care?**

Understanding how threat actors such as Lotus Blossom conduct their operations helps inform organisations about the defenses that are required to protect against this and similar threats. Even if you are not working within one of the affected industrial sector, other threat actors may be conducting information stealing campaigns against you.

**So now what?**

Use the IOCs associated with the campaign to search for evidence of incursion within your own organization. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs.

**  
Top security headlines of the week**

244 million additional compromised passwords from a data dump offered for sale by criminals have been added to the privacy breach notification service “Have I Been Pwned”. (The Register)

A massive botnet consisting of more than 86 000 compromised IoT devices is conducting DDoS attacks against telecom firms and gaming platforms. (Cybersecurity Dive)

The US agency, CISA reports that it will continue to defend against threats including those from Russia. (TheRecord)

****Can’t get enough Talos?****

In The Talos Threat Perspective episode 9, Hazel Burton speaks with Nick Biasini about changes in social engineering techniques.

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025)  San Francisco, CA    
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA   
Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA   

**Most prevalent malware files from Talos telemetry over the past week**

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde   
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Detection Name: Simple\_Custom\_Detection

SHA256: 592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac  
MD5: 6361f25ede0442f2e0ad3bcd33c331c8  
Typical Filename: KMSSS.exe  
Detection Name: PUA.Win.Dropper.Hackkms::tpd  
VirusTotal: https://www.virustotal.com/gui/file/592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: img001.exe  
Detection Name: Win.Trojan.Miner-9835871-0  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Who is Responsible and Does it Matter?

Tata Technologies hit by Hunters International ransomware attack. The group threatened to leak 1.4TB of data. Learn about…

Tata Technologies hit by Hunters International ransomware attack. The group threatened to leak 1.4TB of data. Learn about the extortion, potential data leak, and the connection to Hive ransomware.

Tata Technologies, a subsidiary of Indian multinational conglomerate Tata Motors, has reportedly been targeted by the ransomware group Hunters International. The attackers claim to have exfiltrated a massive 1.4 terabytes of data, encompassing over 730,000 files, from the engineering firm.  

This incident follows a mandatory disclosure made by Tata Motors to the Indian stock exchange in January 2025, where they reported a “ransomware incident” that had temporarily disrupted some of their IT services.

“The Company has become aware of a ransomware incident that has affected a few of our IT assets. As a precautionary measure, some of the IT services were suspended temporarily and have now been restored,” the disclosure read.

 While Tata Technologies acknowledged the incident at the time and stated that client delivery services remained unaffected, they did not disclose the identity of the attackers or the extent of the data breach.

Hunters International has now claimed responsibility for the attack. They are threatening to publicly release the stolen data unless a ransom is paid, although the specific amount demanded has not been disclosed.

Hunters International’s Extortion Page Lists Tata Technologies (Source: Bleeping Computer)

For your information, Hunters International is a notorious ransomware gang known for pursuing high-value targets. The group has a history of targeting organizations across various sectors, including automotive, finance, and healthcare. 

There is speculation that Hunters International may be a rebranded version of the now-defunct Hive ransomware gang, which was disrupted in a joint operation by the FBI, German, and Dutch law enforcement agencies in 2023 leading to the seizure of their site The Hive Leak..

This suspicion arises from the observation that both groups utilize the same strain of ransomware. Notably, Hive had previously targeted Tata Power in 2022, leaking stolen data after the company refused to pay the ransom.

The current situation with Tata Technologies remains unresolved. The company has not publicly commented on the ransom demand or confirmed whether they are in contact with the attackers. 

Nonetheless, the incident reignites concerns about the potential resurgence of the Hive ransomware gang under a new guise, raising questions about the effectiveness of law enforcement disruptions. It also reinstates the persistent threat of ransomware attacks and the vulnerability of even large multinational corporations to sophisticated cybercriminal groups.

 Moving forward, this situation highlights the critical need for organizations to prioritize advanced cybersecurity measures, incident response planning, and proactive threat intelligence to mitigate the impact of such attacks. The outcome of Tata Technologies’ response to this incident will undoubtedly serve as a case study for other organizations facing similar threats.

Camellia Chan, CEO and co-founder of X-PHY commented on the latest development stating, “The industrial sector was the most attacked sector in 2024. With the news that Hunters International has allegedly listed 1.4TB of Tata Technologies’ data, it’s clear this trend shows no signs of slowing down.”

“Due to the scale of their operations, industrials are perceived as having high ransom potential compared with other businesses. Take Tata Technologies as an example. Their customers are household automotive and aerospace engineering names like Jaguar, Airbus, Ford, and Honda which screams ‘cash’ for cybercriminals,” Camellia added.

“The only – and I mean only – way to stop this from happening is AI-first and multi-layer defence strategy that combines software and hardware solutions. This will proactively seek out threats before bad actors have a chance to gain access,” she explained.

Tata Technologies Hit by Hunters International Ransomware, 1.4TB Data at Risk

Yo, check it - the ABB BMS/BAS system's got a slick little weakness in them caldavInstall.php, caldavInstallAgendav.php, and caldavUpload.php files. All you gotta do is drop that skipChecksum beat in the POST vibe, and bam, the system skips all that MD5 checksum nonsense, no EXPERTMODE needed to crank the funk. This lets any slick cat without a login slide in some jacked-up CalDAV ZIP files, no questions asked. We're talkin' tampered tunes hittin' the deck, openin' the door to messin' with the system or droppin' some nasty uploads, all unauthorized-like. That's the funky flaw, baby - straight-up tamper town.

Title: ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit  
Advisory ID: ZSL-2025-5926  
Type: Local/Remote  
Impact: Security Bypass, System Access, DoS  
Risk: (5/5)  
Release Date: 06.03.2025

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

Yo, check it - the ABB BMS/BAS system's got a slick little weakness in them caldavInstall.php, caldavInstallAgendav.php, and caldavUpload.php files. All you gotta do is drop that skipChecksum beat in the POST vibe, and bam, the system skips all that MD5 checksum nonsense, no EXPERTMODE needed to crank the funk. This lets any slick cat without a login slide in some jacked-up CalDAV ZIP files, no questions asked. We're talkin' tampered tunes hittin' the deck, openin' the door to messin' with the system or droppin' some nasty uploads, all unauthorized-like. That's the funky flaw, baby - straight-up tamper town.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.01

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[07.08.2024\] Vendor released version 3.08.02 to address this issue.  
\[06.03.2025\] Public security advisory released.

**PoC**

funkalicious.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5860.php  
\[2\] https://packetstorm.news/files/id/189617/

**Changelog**

\[06.03.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit

CEOs and business owners received personal, customized ransomware threats in a series of letters sent in the mail through USPS.

Business owners and CEOs across the United States received customized ransomware threats this month from the most unusual of places—letters in the mail.

The letters, which were first reported by multiple cybersecurity researchers, claim to come from a ransomware group called BianLian. But since Malwarebytes first started tracking BianLian nearly one year ago, our intelligence analysts have never seen the cybercriminal gang resort to sending physical letters to make their ransom demands, suggesting that the latest snail mail campaign could be the work of copycats.

The threat, however, is still quite real, especially for small business owners who rely either on themselves or contracted IT services to investigate any technical problems.

According to multiple examples discovered by researchers, the letters in this likely hollow threat were sent through the US Postal Service. The envelopes containing the letters are stamped with the words “TIME SENSITIVE READ IMMEDIATELY” and have the following return address listed:

> BianLian Group  
> 24 Federal St, Suite 100  
> Boston, MA, 02110

The letters themselves lobby a variety of urgent threats to their recipients: Their corporate network has been compromised, sensitive customer and employee data has been stolen, and there is immediately a 10-day deadline to pay a cryptocurrency ransom before the cybercriminals leak the stolen data online.

These threats are standard for ransomware groups today, especially those that have pivoted to not only encrypting a company’s data, but stealing it in the process of an attack to use as further leverage to extort a ransom payment. In fact last year, Malwarebytes wrote about BianLian abusing a common Microsoft tool to avoid cybersecurity detection while storing massive quantities of stolen data from victims.

But the similarities between the threats included in the letter and the recorded actions of BianLian end there. The letter senders claim that they “no longer negotiate with victims,” which is a rarity from ransomware gangs. In fact, the practice is so normalized that a cottage industry of ransomware “negotiators” has popped up to help victims caught in an attack. The letters themselves, researchers said, also include few grammatical errors and better sentence structure than a typical BianLian ransomware note.

One of the letters, in full, begins:

> Dear \[REDACTED\]
> 
> I regret to inform you that we have gained access to \[REDACTED\] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.

Interestingly, researchers noticed that some of the letters were customized based on their recipient. If a letter was sent to a healthcare CEO, for instance, the letter warned about the theft of patient data; if the letter was sent to a CEO of a product maker, the letter warned about breached customer orders and employee data.

The amounts demanded by the letters varied reportedly from $250,000 to $350,000.

While a “physical” cyberthreat may sound silly, these letters could cause significant harm to small and growing businesses.

These personalized letters convincingly threaten network compromise, password abuse, employee exploitation, and data theft, which can be difficult to verify for any lean organization. Think about it this way: If an everyday person would struggle to check whether their home router had been compromised, many small business owners would struggle to do the same regarding their corporate infrastructure, and that’s through no fault of their own.

If you receive one of these letters in the mail, notify your IT or security team immediately. They can provide the investigation necessary to verify the security of your business.

Whether you have dedicated IT staff or not, you can protect your small business with Malwarebytes Teams, which prevents malware attacks and notifies you about suspicious activity on your network.

 Ransomware threat mailed in letters to business owners 

Removing 24 malicious apps from the Google Play store and silencing some servers has almost halved the BadBox botnet.

Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox.

The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs.

The German BSI (Federal Office for Information Security) started the disruption campaign in December by blocking the malware on 30,000 devices. BadBox is referred to as a botnet, because one of its capabilities is to set up the affected device to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic.

This traffic can for example serve in DDoS attacks or as a platform to spread fake news and disinformation. But BadBox can also steal two-factor authentication (2FA) codes, install further malware, and perform ad fraud.

Unfortunately, the 30,000 devices cut off by the BSI were only the tip of the iceberg. Estimates say there may be as many as one million affected devices. These devices have not necessarily been infected by installing malicious apps. It’s been suggested that Chinese manufacturers hide firmware backdoors in their devices, BadBox being one of them.

The BSI said it found:

> “The BadBox malware was already installed on the respective devices when they were purchased.”

According to Satori Threat Intelligence researchers:

> “Devices connected to the BADBOX 2.0 operation included lower-price-point, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more. The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”

Off brand devices are devices which do not carry any specific brand name that you might recognize. They are often cheap and made by small manufacturers.

Following the botnet’s development after the German disruption, the researchers found new Command and Control (C2) servers which hosted a list of APKs targeting Android Open Source Project devices similar to those impacted by BadBox.

As part of the disruptions, the servers that were controlling the botnet have been sinkholed, which basically means that the traffic between those servers and the botnet clients gets redirected so it will no longer arrive at the intended destination.

**How to stay safe**

This disruption will likely not be the end of the story. The botnet operators will adapt again and rebuild their infrastructure. Given their supply chain of compromised devices the botnet will resurface soon enough.

So here are a few things you can do:

*   Check you don’t have the apps ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator’, which had over 50,000 downloads each. You can recognize the malicious apps from the publisher name Seekiny Studio. If you find them on your device, remove them immediately.
*   Protect your Android devices with an active security solution that can remove malicious apps and block malicious traffic.
*   Google Play Protect automatically warns users and blocks apps known to exhibit BadBox 2.0-associated behavior at install time on Play Protect certified Android devices with Google Play Services. If a device isn’t Play Protect certified, carefully study its origin before purchasing it.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android botnet BadBox largely disrupted 

Developed to boost productivity and operational readiness, the AI is now being used to “review” diversity, equity, inclusion, and accessibility policies to align them with President Trump’s orders.

The United States Army is employing a prototype generative artificial intelligence tool to identify references to diversity, equity, inclusion, and accessibility (DEIA) for removal from training materials in line with a recent executive order from President Donald Trump.

Officials at the Army’s Training and Doctrine Command (TRADOC)—the major command responsible for training soldiers, developing leaders, and shaping the service’s guidelines, strategies, and concepts—are currently using the AI tool, dubbed CamoGPT, to “review policies, programs, publications, and initiatives for DEIA and report findings,” according to an internal memo reviewed by WIRED.

The memo followed Trump’s signing of a January 27 executive order titled “Restoring America’s Fighting Force,” which directed Defense Secretary Pete Hegseth to eliminate all Pentagon policies seen as promoting what that the commander in chief declared “un-American, divisive, discriminatory, radical, extremist, and irrational theories” regarding race and gender, a linguistic dragnet that extends as far as past social media posts from official US military accounts.

In an email to WIRED, TRADOC spokesman Army Major Chris Robinson confirmed the use of CamoGPT to review DEIA materials.

TRADOC “will fully execute and implement all directives outlined in the Executive Orders issued by the president. We ensure that these directives are carried out with the utmost professionalism, efficiency, and in alignment with national security objectives,” Robinson says. “Specific details about internal policies and tactics cannot be discussed. However, the use of all tools in our portfolio, including CamoGPT, to increase productivity at all levels can and will be used.”

Developed last summer to boost productivity and operational readiness across the US Army, CamoGPT currently has around 4,000 users who “interact” with it on a daily basis, Captain Aidan Doyle, a CamoGPT data engineer, tells WIRED. The tool is used for everything from developing comprehensive training program materials to producing multilingual translations, with TRADOC providing a “proof of concept and demonstration” at last October’s annual Association of the United States Army conference in Washington, DC, according to Robinson.

While Doyle declined to comment on the specifics on how TRADOC officials were likely using the CamoGPT to scan for DEIA-related policies, he described the process of searching through documents as relatively straightforward.

“I would take all the documentation you want to examine, order it all in a collection on CamoGPT, and then ask questions about the documents,” he says. “The way retrieval-augmented generation works is that the more specific your question is to the concepts inside the document, the more detailed information the model will provide back.”

In practical terms, this means that TRADOC officials are likely inputting a large number of documents into CamoGPT and asking the LLM to scan for targeted keywords like “dignity” or “respect” (which, yes, the Army is currently using to screen past digital content) to identify materials for subsequent alteration and bring them in line with Trump’s executive order.

By using CamoGPT, the work of eliminating DEIA-related content will likely result in a rapid change to the US Army’s documentation. “We’re competing with ‘control+F’ in Adobe Acrobat,” Doyle says.

CamoGPT isn’t the only AI chatbot in the Pentagon’s arsenal: The US Air Force’s NIPRGPT has seen extensive use among airmen since its launch in June for “summarization of documents, drafting of documents and coding assistance,” according to DefenseScoop.

The AI-assisted assessment of US military training materials comes amid a government-wide effort to root out DEIA initiated the day Trump returned to the Oval Office in January to start his second term. Detailed in Trump’s January 27 executive order, the Defense Department’s purge has taken the form of the closure of service-specific DEIA offices and program, a department-wide review of past DEI initiatives, and even the removal of historical content related to the famed all-Black Tuskegee Airmen from Air Force basic training materials, the latter of which was swiftly reversed amid public outcry.

Originally inspired by the public release of OpenAI’s ChatGPT in November 2022, CamoGPT is a product of the Army’s Artificial Intelligence Integration Center (AI2C), the organization formed in 2018 as part of Army Future Command to spearhead AI research and development efforts by “leveraging a soldier workforce to build experimental prototypes,” as Eric Schmitz, AI2C’s operations and intelligence portfolio lead, tells WIRED.

“The mission is to make AI accessible to the Army through experimentation, and we have an ethos and culture that is very much a start-up ethos.” Schmitz says. “We are product-centric and believe AI is inherently software-driven: You can do all the research you like in academia, but if you don't have software to deliver it to somebody and find out if it's useful software, then you’ll never know if your AI is useful in the real world.”

In response to the arrival of ChatGPT, AI2C quickly spun up a CamoGPT prototype based on an open-source LLM in June 2024. The center’s approach to CamoGPT is “model agnostic,” according to Schmitz: While the system currently relies on tech giant Meta’s open-source Llama 3.3 70B LLM, the underlying model is “expendable” should a better version hit the market. What really matters is building software that the average soldier will actually use in their day-to-day operations, an achievement that might influence its long-term adoption across the force.

“When you talk about how the Army doesn’t build software well, it’s because user adoption is not a priority, but it’s a massive priority to us,” Schmitz says.

Whether CamoGPT proliferates more broadly across the Army remains to be seen, and Schmitz and Doyle emphasized that AI2C’s role is laser-focused on experimental prototyping rather than building products ready for immediate fielding. But with the entire federal government reorienting itself in the name of “efficiency,” the success of CamoGPT’s application to Trump’s DEIA overhaul may end up cementing its utility for military planners.

“You need to be ruthlessly critical of what you have built and what you plan to build and hyper focused on driving user adoption,” Schmitz says. “The core question is, how do you build something that’s so valuable that people say they can't live without it?”

The US Army Is Using ‘CamoGPT’ to Purge DEI From Training Materials

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot…

YouTube CEO Neal Mohan was impersonated in a deepfake phishing scam. Learn about the attack, how to spot the red flags, and how to protect your account from credential theft.

A new sophisticated phishing operation, leveraging artificial intelligence, has recently targeted YouTube content creators. Scammers have utilized deepfake technology to create a convincing video of YouTube’s CEO, Neal Mohan, delivering a fabricated announcement about changes to the platform’s monetization policies.

This video is privately shared with targeted users to steal their login credentials and install malware on their devices. The fraudulent scheme begins with an email, seemingly originating from an official YouTube address, notifying creators that a private video has been shared with them. The video itself features a remarkably realistic deepfake of Neal Mohan, mimicking his appearance, voice, and mannerisms to an alarming degree.

In the video, the AI-generated Mohan discusses alleged alterations to YouTube’s monetization, urging viewers to take specific actions. These actions typically involve clicking on links, entering login credentials on fake websites, or downloading software from untrusted sources.

The Fraudulent Video (Source: Reddit)

Upon compromising a user’s account, the attackers gain access to their YouTube channel. This access can then be exploited for various malicious purposes, including spreading misinformation, conducting further phishing attacks, or engaging in fraudulent activities.

YouTube has responded to this threat with an urgent warning to its creator community. The company has explicitly stated that it will never share important information or contact users through private videos. Furthermore, they emphasized that any private video claiming to be from YouTube, particularly those featuring its CEO, should be treated as a phishing scam.

“We’re aware that phishers have been sharing private videos to send false videos, including an AI-generated video of YouTube’s CEO Neal Mohan announcing changes in monetization. YouTube and its employees will never attempt to contact you or share information through a private video,” Google’s official announcement read.

“If a video is shared privately with you claiming to be from YouTube, the video is a phishing scam. Do not click these links as the videos will likely lead to phishing sites that can install malware or steal your credentials,” Rob from YouTube warned users.

AI deepfakes are a dangerous illusion created by sophisticated AI models trained on real footage and voice samples, exploiting people’s trust in public figures. Even tech-savvy individuals would struggle to distinguish them from real footage. This incident highlights that the sophistication of phishing attacks has increased, with deepfake technology being used to impersonate high-profile figures like YouTube’s CEO.

Cybercriminals exploit creators’ trust in official platform communications, creating believable deceptions. Content creators are encouraged to exercise caution and avoid downloading files from untrusted sources. If you receive the video, Google recommends following these steps to report it.

Max Gannon, Intelligence Manager at Cofense commented on the latest development stating, _“_Given that deepfakes have typically only been used in high-value targeted scams, it’s a surprise that threat actors are using it for such a broad attack. It’s concerning and potentially indicates a shift in the threat landscape where we can expect to see more deepfakes and other targeted attack methods being broadly applied to larger audiences._“_

_“_However, according to affected users posting about these fake YouTube emails on various social media platforms, the emails deliver malicious executables to steal session cookies and hijack YouTube accounts. Ultimately, the initial phishing hook may be shifting, but the best defence remains the same: training and awareness to detect suspect emails and not click on their links.”

1.  YouTube Channels Hacked to in Fake CS2 Giveaways Scam
2.  Malware in Fake Business Proposals Hits YouTube Creators
3.  Ukrainian News Channel Hacked to Run Zelensky’s Deepfake
4.  Scam Uses AI-Generated Images to Represent Fake Law Firm
5.  “Get Paid to Like Videos” YouTube Scam Leads to Empty Wallets

Tag

#intel