Download Talos' 2024 Year in Review now, and access key insights on the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks.

Monday, March 31, 2025 05:53

Welcome to Cisco Talos’ 2024 Year in Review, available for download now. This report is powered by threat telemetry from over 46 million global devices across 193 countries and regions, amounting to more than 886 billion security events per day.  

Explore key insights in topics including the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. With Talos' informed analysis and recommendations, you can strategically prioritize your defenses to stay ahead in 2025. 

**2024's Threat Actor Playbook: Stealth and Simplicity **

This year, cybercriminals leaned heavily on stealth and efficiency, favoring straightforward techniques over complex malware and zero-day exploits. Here's more that stood out: 

*   Identity-based attacks were particularly noteworthy, accounting for 60% of Cisco Talos Incident Response cases. 
*   Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors. 
*   Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of cases. They also targeted education entities more than any other sector in 2024, a trend in line with previous years.  
*   Based on Cisco Duo data, identity and access management (IAM) applications were most frequently targeted in MFA attacks, accounting for nearly a quarter of related incidents.  
*   Threat actor use of AI and machine learning largely fell short of industry projections, with actors relying on these technologies to enhance their techniques rather than aid in the creation of new ones. 

Want some quick insights? Here’s a two-minute overview of key findings: 

**Stay informed **

Download Talos’ 2024 Year in Review today, and bookmark our landing page to access forthcoming exclusive interviews with Talos experts, videos, podcasts and more.

Available now: 2024 Year in Review

The internet is filled with falsehoods.  We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or...

The internet is filled with falsehoods. 

We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or who—to trust online.  

There’s the scam that takes advantage of grieving people and tricks them into paying for a funeral live stream. 

There’s the fake CAPTCHA that hijacks clipboards and tricks users into installing malware. 

There’s the many, many, many scams that use Google ads to trick people into granting remote access to their machine, handing over money, or installing malware. 

And we’re being tricked constantly by AI, take the Texan restaurant with its dino croissant and photos of Jeff Bezos at the bar. Or the scam that uses an AI replica of a loved one’s voice to trick a family member into handing over money. 

It’s hard to know what to believe any day of the year online and so, while we used to participate in April Fools, it just hits different these days. 

Especially when things go wrong when it comes to April Fools’ pranks. Last year a burger restaurant sent customers into a spin after sending them a fake order confirmation email, which led to customers fearing that their accounts had been hacked. All in good faith, but it no doubt hit a nerve for the affected customers. 

So go ahead and order your Hot Dog Sparkling Water, eat your crust only pizza, or have a snooze in your banana sleeping bag. We love that. But as a cybersecurity brand we want you to feel like you can trust us—every single day of the year. If we say something is fake, then it’s fake. If we say it’s real, then it’s real. No exceptions. 

****How to protect yourself from scams** **

*   **Watch out for a false sense of urgency.** Scammers will often use time pressure to get you to click, fill in your personal data, or hand over money. If you feel like you’re being asked to act quickly, take a pause. 

*   **Is it too good to be true?** Offers of big discounts or free stuff can be really tempting, but they’re often used as lures for scammers. The likelihood is that it is, indeed, **too good to be true** and should be avoided at all costs. 

*   **Have a family code word**. Scammers are known to use an AI-generated voice of a loved one to trick a family member into handing over money. Come up with a code word in person that only you and your loved ones know and keep it a secret so you can ask for it if you receive such a phone call. 

*   **Check via another way**. If your “bank” gives you an unexpected phone call, ring them back on a number you know is theirs. If a Facebook friend DMs you a link, send them a quick text to check it’s really them. Double checking in this way could save you doing something you later regret. 

*   **Use a different password for every account**. If you get your username and password stolen on one account you don’t want scammers to be able to use it on another. Password managers help you create complex passwords, and they remember them for you.  

*   **Set up multi-factor authentication** on every account you can. It’s not foolproof, but it does make it considerably harder for scammers.

 Why we’re no longer doing April Fools’ Day  

Palo Alto, USA, 29th March 2025, CyberNewsWire

**Palo Alto, USA, March 28th, 2025, CyberNewsWire**

From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging cyberthreats to plague enterprises. Chainalysis estimates that corporations spend nearly $1 billion dollars on ransom each year, but the greater cost often comes from the reputational damage and operational disruption caused by the attack.

Ransomware attacks typically involve tricking victims into downloading and installing the ransomware, which copies, encrypts, and/or deletes critical data on the device, only to be restored upon the ransom payment. Traditionally, the primary target of ransomware has been the victim’s device. However, thanks to the proliferation of the cloud and SaaS services, the device no longer holds the keys to the kingdom. Instead, the browser has become the primary way through which employees conduct work and interact with the internet. In other words, the browser is becoming the new endpoint.

SquareX has been disclosing major browser vulnerabilities like Polymorphic Extensions and Browser Syncjacking, and is now issuing a strong warning on the emergence of browser-native ransomware. 

> SquareX’s founder, Vivek Ramachandran cautions, “With the recent surge in browser-based identity attacks like the one we saw with the Chrome Store OAuth attack, we are beginning to see evidence of the ‘ingredients’ of browser-native ransomwares being used by adversaries. It is only a matter of time before one smart attacker figures out how to put all the pieces together. While EDRs and Anti-Viruses have played an unquestionably vital role in defending against traditional ransomware, the future of ransomware will no longer involve file downloads, making a browser-native solution a necessity to combat browser-native ransomwares.”

Unlike traditional ransomware, browser-native ransomware requires no file download, rendering them completely undetectable by endpoint security solutions. Rather, this attack targets the victim’s digital identity, taking advantage of the widespread shift toward cloud-based enterprise storage and the fact that browser-based authentication is the primary gateway to accessing these resources. In the case studies demonstrated by SquareX, these attacks leverage AI agents to automate the majority of the attack sequence, requiring minimal social engineering and interference from the attacker.

One potential scenario involves social engineering a user into granting a fake productivity tool access to their email, through which it can identify all the SaaS applications the victim is registered with. It can then systematically reset the password of these apps with AI agents, logging the users out on their own and holding enterprise data stored on these applications hostage. 

Similarly, the attacker can also target file-sharing services like Google Drive, Dropbox and OneDrive, using the victim’s identity to copy out and delete all files stored under their account. Critically, attackers can also gain access to all shared drives, including those shared by colleagues, customers and other third parties. This significantly expands the attack surface of browser-native ransomware – where the impact of most traditional ransomware is confined to a single device, all it takes is one employee’s mistake for attackers to gain full access to enterprise-wide resources.

As fewer and fewer files are being downloaded, it is inevitable for attackers to follow where work and valuable data are being created and stored. As browsers become the new endpoint, it is crucial for enterprises to reconsider their browser security strategy – just as EDRs were critical to defend against file-based ransomware, a browser-native solution with a deep understanding of client-side application layer identity attacks will become essential in combating the next generation of ransomware attacks.

To learn more about this security research, users can visit https://sqrx.com/browser-native-ransomware

**About SquareX**

SquareX’s industry-first Browser Detection and Response (BDR) solution helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real time. In addition to browser ransomware, SquareX also protects against various browser threats including identity attacks, malicious extensions, advanced spearphishing, GenAI DLP, and insider threats.

The browser-native ransomware disclosure is part of the Year of Browser Bugs project. Every month, SquareX’s research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking and Polymorphic Extensions. 

To learn more about SquareX’s BDR, users can contact \[email protected\].

For press inquiries on this disclosure or the Year of Browser Bugs, users can email \[email protected\]. 

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk

Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids. 
The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs.
"The new vulnerabilities can be

Researchers Uncover 46 Critical Flaws in Solar Inverters From Sungrow, Growatt, and SMA

Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.

Friday, March 28, 2025 06:00

*   Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader, since at least November 2024. 
*   The file names use Russian words related to the movement of troops in Ukraine as a lure. 
*   The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second stage Zip file containing the Remcos backdoor. 
*   The second stage payload uses DLL side loading to execute the Remcos payload. 
*   Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Phishing campaign using the invasion of Ukraine as a theme **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion.  

Although Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached to it or containing a URL link to download the file from a remote host.  

Below are some examples of file names used in this campaign: 

Original Name 

Translation 

3079807576 (Шашило О.В)/ШАШИЛО Олександр Віталійович.docx.lnk 

3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk 

3151721177 (Рибак С.В)/РИБАК Станіслав Вікторович.docx.lnk 

3151721177 (Rybak S.V)/RYBAK Stanislav Viktorovich.docx.lnk 

3407607951 (Жолоб В.В)/ЖОЛОБ Владислав Вікторович.docx.lnk 

3407607951 (Zholob V.V)/ZHOLOB Vladislav Viktorovich.docx.lnk 

3710407173 (Гур'єв П.А)/ГУР'ЄВ Павло Андрійович.docx.lnk 

3710407173 (Gur'ev P.A)/GUR'EV Pavlo Andriyovich.docx.lnk 

Вероятное расположение узлов связи, установок РЭБ и расчетов БПЛА противника. ЮГ КРАСНОАРМЕЙСКА.docx.lnk 

Probable location of communication nodes, electronic warfare installations and enemy UAV calculations. SOUTH OF THE RED ARMY.docx.lnk 

ГУР'ЄВ Павло Андрійович.docx.lnk 

GUR'EV Pavlo Andriyevich.docx.lnk 

Координаты взлетов противника за 8 дней (Красноармейск).xlsx.lnk 

Coordinates of enemy takeoffs for 8 days (Krasnoarmeysk).xlsx.lnk 

Позиции противника запад и юго-запад.xlsx.lnk 

Positions of the enemy west and southwest.xlsx.lnk 

РИБАК Станіслав Вікторович.docx.lnk 

RYBAK Stanislav Viktorovich.docx.lnk 

ШАШИЛО Олександр Віталійович.docx.lnk 

SHASHILO Oleksandr Vitaliyevich.docx.lnk 

The translation for these names shows the intent of this campaign in using a war-related theme. We can see some of the files use names of Russian or Ukrainian agents, as well as names alluding to troop movements in the region of conflict. 

These files contain metadata indicating only two machines were used in creating the malicious shortcut files. As we mentioned in a previous blog Gamaredon tends to use a short list of machines when creating the LNK files for their campaigns and the ones used in this campaign were previously seen by Talos in incidents related to this threat group. 

The LNK files contain PowerShell code used to download and execute the next stage payload, as well as a decoy file which is shown to the user after the infection occurs as a way to disguise the compromise.  

The PowerShell code uses the cmdlet Get-Command to indirectly execute the functions to download and execute the payload, which could be an attempt to bypass string-based detection by antivirus solutions.  

The servers used in this campaign are based out of Germany and Russia, and at the time of our assessment, all of them return HTTP error 403 when attempting to download the payload files.  

That indicates that either the files were taken offline, or access to the file is being restricted. Gamaredon is known to restrict access to their payload servers only to victims located in Ukraine. We have found evidence in public sample databases that these servers were still hosting the files for specific regions while returning access denied errors in our tests, like this sample available in the "Any.run” public sandbox: 

*   https://app.any.run/tasks/f9dc0beb-b125-478d-9091-739d2e3325be 

**Network infrastructure associated with Campaign **

The servers used in this campaign are mostly hosted in two Internet Service Providers (ISP): GTHost and HyperHosting: 

IP 

ASN 

ISP 

146\[.\]185\[.\]233\[.\]96 

63023 

gthost 

146\[.\]185\[.\]233\[.\]101 

63023 

gthost 

146\[.\]185\[.\]239\[.\]45 

63023 

gthost 

80\[.\]66\[.\]79\[.\]91 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]195 

60602 

hyperhosting 

81\[.\]19\[.\]131\[.\]95 

63023 

ispipoceanllc 

80\[.\]66\[.\]79\[.\]159 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]200 

60602 

hyperhosting 

80\[.\]66\[.\]79\[.\]155 

60602 

hyperhosting 

146\[.\]185\[.\]239\[.\]51 

63023 

gthost 

146\[.\]185\[.\]233\[.\]90 

63023 

gthost 

146\[.\]185\[.\]233\[.\]97 

63023 

gthost 

146\[.\]185\[.\]233\[.\]98 

63023 

gthost 

146\[.\]185\[.\]239\[.\]47 

63023 

gthost 

146\[.\]185\[.\]239\[.\]56 

63023 

gthost 

146\[.\]185\[.\]239\[.\]33 

63023 

gthost 

146\[.\]185\[.\]239\[.\]60 

63023 

gthost 

These servers are used to distribute the payload and the decoy document, but Talos found evidence of at least one server being used as the Command and Control (C2) server for the Remcos backdoor. 

We have also found evidence of an interesting artifact in the DNS resolution for some of these servers. Even though all the communication with these servers is done directly via the IP address, the reverse DNS record for some of these IPs show an invalid entry that is quite unique: 

Figure: Reverse DNS resolution for Gamaredon's campaign. Modeled using Crime Mapper (by @UK\_Daniel\_Card) 

While this doesn't necessarily mean the attackers manually changed these records, it did help uncover at least two additional IPs matching the characteristics of the other servers in this campaign: 

**DLL sideloading used to load Remcos backdoor **

Gamaredon has previously been known to use custom scripts and tools in their attack chains, but Talos has observed the use of Remcos backdoor as an alternative tool in their campaigns. 

Once the ZIP payload is downloaded from the servers, it is extracted to the %TEMP% folder and executed. The binary which is executed is a clean application which in turn loads the malicious DLL via DLL sideloading method. This file is actually a malicious loader which decrypts and executes the final Remcos payload from encrypted files found within the ZIP. 

The PowerShell files we observed downloading the ZIP files contain hints of various applications being abused for DLL side loading, and they contain a mix of clean and malicious files: 

*   DefenderUpdate/DPMHelper.exe 
*   DefenderUpdate/DZIPR.exe 
*   DefenderUpdate/IDRBackup.exe 
*   DefenderUpdate/IUService.exe 
*   DefenderUpdate/madHcCtrl.exe 
*   DefenderUpdate/palemoon.exe 
*   Drvx64/Compil32.exe 
*   Drvx64/IsCabView.exe 
*   Drvx64/TiVoDiag.exe 
*   Drvx64/WiseTurbo.exe 
*   SecurityCheck/Mp3tag.exe 
*   SysDrive/AcroBroker.exe 
*   SysDrive/DPMHelper.exe 
*   SysDrive/IsCabView.exe 
*   SysDrive/palemoon.exe 
*   SysDrive/SbieSvc.exe 
*   SysDrive/steamerrorreporter64.exe 
*   SysDrive/TiVoDiag.exe 
*   SysDrive/vmhost.exe 

We can see in the previously mentioned sample downloaded by “Any.run” that it contains the clean application TivoDiag.exe, as well as two DLLs. The file “mindclient.dll” is the malicious DLL which is loaded by “TivoDiag.exe” during execution. 

The payload binary is a typical Remcos backdoor which is injected into Explorer.exe. It communicates with the C2 server 146\[.\]185\[.\]233\[.\]96 on port 6856: 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

Snort SIDs for this threat:  

Snort 2: 64707, 64708 

Snort 3:  301171 

**Indicators of Compromise **

IOCs for this threat can be found in our GitHub repository here.

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

WIRED has found four new Venmo accounts that appear to be associated with Trump officials who were in an infamous Signal chat. One made a payment with a note consisting solely of an eggplant emoji.

A number of top Trump administration officials—including four who were on a now-infamous Signal group chat—appear to have Venmo accounts that have been leaking data, including contacts and in some cases transactions, to the public. Experts say this is a potentially serious counterintelligence problem that could allow foreign intelligence services to gain insight into a target’s social network or even identify individuals who could be paid or coerced to act against them.

The officials in question include Dan Katz, chief of staff at the US Treasury; Joe Kent, President Trump’s nominee for director of the National Counterterrorism Center; and Mike Needham, counselor and chief of staff to the secretary of state. All three were participants in the “Houthi PC small group” chat in which sensitive attack plans were discussed and to which Jeffrey Goldberg, editor in chief of The Atlantic, was accidentally invited. Katz was named in it as a point of contact by Scott Bessent, the Treasury secretary; Kent by Tulsi Gabbard, the director of national intelligence, to whom Kent serves as acting chief of staff; and Needham by Marco Rubio, the secretary of state.

A fourth official with an open Venmo account—Brian McCormack, a senior staffer on the National Security Council—also appears to have been in the chat, in which a user with the screen name “Brian” lists McCormack as a point of contact for the NSC. His account went private after WIRED reached out to the NSC for comment. (“Mr. McCormack has made necessary Venmo updates for his personal privacy protection,” says NSC spokesperson James Hewitt.)

Morgan Ortagus, a former Fox News personality and deputy to Steve Witkoff—Donald Trump’s special envoy for the Middle East, who was himself in the chat—also appears to have left Venmo data exposed.

WIRED established that the accounts are almost certainly those of the government officials in question by analyzing the other accounts they were connected to, which in the cases of Katz, Kent, and Needham included accounts appearing to belong to their spouses. The Treasury Department, the National Counterterrorism Center, and the State Department did not immediately respond to requests for comment.

Some of the information revealed by the accounts is quite granular. McCormack and the accounts that appear to belong to Katz and Ortagus, for example, left not only their contact lists publicly visible but also their transactions, which are as recent as last autumn. These records reveal specific information like a 2018 payment from Katz with a note consisting solely of an eggplant emoji and how much he paid an overnight cat sitter in 2019. They also reveal McCormack’s contributions to what appears to be a get-together for veterans of the Bush-Cheney administration (“Cheney team reunion! Thank you!!”), who has reimbursed Ortagus for picnic expenses, and Kent’s connection to noted conspiracy theorist Ivan Raiklin, who calls himself “the secretary of retribution” and once created a deep state target list.

WIRED has previously reported on the partially public Venmo accounts of several of the high-ranking officials in the Houthi PC chat, including Vice President JD Vance; Mike Waltz, the national security adviser; and Susie Wiles, the White House chief of staff. Waltz and Wiles set their accounts to private only after WIRED reached out to the White House for comment on Wednesday afternoon.

Venmo did not immediately respond to WIRED’s request for comment. In a statement given to WIRED in response to questions about the Waltz and Wiles accounts, spokesperson Erin Mackey said, “We take our customers’ privacy seriously, which is why we let customers choose their privacy settings on Venmo for both their individual payments and friends lists—and we make it incredibly simple for customers to make these private if they choose to do so.”

“From my perspective, as a veteran, everyone is entitled to use the applications and services they feel are necessary to live their lives,” says Tara Lemieux, a 35-year veteran of the US intelligence community including the National Security Agency, Department of Homeland Security, and supporting agencies. “That said, when you post anything in those third-party applications and you don’t understand how that information can be shared or exploited, you are taking a risk for our nation—and that’s not acceptable.”

For Lemieux, while public transactions on Venmo might appear harmless, foreign intelligence services—particularly signals intelligence agencies—look for patterns: who’s paying whom, how often, and when. “Say they’re making payments to their children—now you have a point of leverage. If there’s someone out there looking to target you, they can use that information and start making you feel fearful for the safety of your children,” Lemieux says.

“The speed of the digital world has outpaced our ability to keep a handle on it,” she adds. “If you have all this information out there—how the heck are you going to put the toothpaste back in the tube?”

Mike Yeagley, a specialist in commercial data and its security risks, has spent over 15 years advising the US Department of Defense on how both allies and adversaries leverage what he calls “digital exhaust,” the seemingly mundane details—social connections, service transactions, and metadata trails—left behind in everyday apps. “At the highest level of our national security leadership, regardless of administration, there has to be an awareness of our data and what we project that can be discoverable,” he says.

“What’s the risk of someone at the Cabinet level using Venmo to pay their personal trainer? On the surface, it doesn’t look like much,” Yeagley says. “But now I know who that trainer is—or the gardener, or whoever—and suddenly I’ve expanded my ability to target by identifying the people around that official.”

Yeagley adds that “our adversaries are sophisticated and carnivorous in their data collection,” which means that “just the smallest bit of daylight is of interest to someone sophisticated. They will use that data point. They will build from it.”

According to Vemmo, its “contact syncing” feature allows users to upload phone contacts to the app so that they can find people they know. When these exposed Venmo accounts were set up—all before 2020—the app would display a prompt allowing users to sync their phone contacts, automatically populating their friends list with anyone in their address book already using the platform. Venmo says this functionality was deprecated more than two years ago. Today, contact syncing no longer creates connections by default. To add someone as a friend, users have to search for them, send a request, and have it accepted.

Nevertheless, according to Venmo’s privacy policy, unless users proactively change their privacy settings, their network remains visible to anyone. That means that even when a user sets their account to private, their friends list remains visible unless they take an additional step. As of publication, hiding your connections requires navigating to **Settings** > **Privacy** > **Friends List** and selecting **Private**.

_Stephen Lurie contributed reporting._

Even More Venmo Accounts Tied to Trump Officials in Signal Group Chat Left Data Public

Scandal surrounding the Trump administration’s Signal group chat has led to a landmark week for the encrypted messaging app’s adoption—its “largest US growth moment by a massive margin.”

SignalGate, as it's come to be called, may be the biggest scandal to hit the Trump administration in its first months in power. But it's been great for Signal.

Since the news broke on Monday that senior Trump administration cabinet members accidentally included the editor in chief of The Atlantic in a group chat on the Signal encrypted messaging platform where the officials were making secret plans to bomb Yemen, the ensuing news cycle and the constant mentions of Signal have led to the encrypted messaging platform doubling its usual rate of new downloads, the nonprofit organization that runs Signal tells WIRED. Given that 2025 has already been a “banner year” for Signal's growth, according to Signal's leadership, that makes this week the single biggest bump in US adoption of the app in Signal's nearly 11 years of existence.

“In Signal’s history, this is the largest US-growth moment by a massive margin,” says Jun Harada, Signal's head of growth and partnerships. “It’s mind-blowing, even on our side.”

Harada declined to give absolute numbers for Signal's user growth beyond saying that its total downloads are in the “hundreds of millions,” which has been the case for several years. But he said that the week’s rate of adoption has been twice that of a typical week for 2025, which in turn was twice that of a typical week the same time last year. “It happened immediately” after The Atlantic broke the story of Signal's use in the Yemeni bombing, Harada says. “And it’s been sustained. We’ve been maintaining that rate every day.”

In Signal's history, the only comparable spike in adoption occurred when WhatsApp changed its privacy policy in 2021, Harada says, leading to millions of users abandoning that communications app. But that incident mostly brought non-Americans to Signal, unlike the current, US-focused SignalGate bump.

Numbers from the market intelligence firm Sensor Tower largely align with Signal's own analysis of that growth: The company says that Signal downloads in the US increased 105 percent compared to the prior week—and 150 percent compared to an average week in 2024. Outside of the US, Sensor Tower saw only a 21 percent increase in Signal downloads compared to the prior week.

The Atlantic's revelation on Monday that secretary of defense Pete Hegseth, director of national intelligence Tulsi Gabbard, national security adviser Michael Waltz, vice president JD Vance, and other Trump administration officials used a Signal group chat to plan an air strike against Houthi rebels in Yemen—and that Waltz accidentally added Atlantic editor Jeffrey Goldberg to that group in a shocking breach of confidentiality—has raised serious questions about the security practices of the Trump administration that are still resonating days later.

The scandal has called into question whether the executive branch officials were planning the air strike using vulnerable non-approved or even personal devices rather than the secure machines intended for classified conversations. Screenshots of the group chat published by The Atlantic on Wednesday indicate that the officials were using Signal's disappearing messages feature to delete their communications, potentially in violation of US record retention laws.

The incident has raised sometimes-misguided questions, too, about whether Signal itself is to blame for the breach—including from President Trump, who suggested in comments on Wednesday that Signal might be “defective"—despite many cybersecurity and encryption experts' recommendation of Signal as the best end-to-end encrypted messaging tool freely available to the public. “You use Signal, we use Signal, everyone uses Signal,” Trump told reporters, “but it could be a defective platform.”

Signal's Harada declined to respond to Trump's “defective” comment and pointed to Signal's previous statements that it has yet to see any evidence of any vulnerability in the app, much less one that has anything to do with Jeffrey Goldberg being accidentally added to a White House group chat.

But Harada noted that the overall attention to Signal—even the president himself saying that “everyone uses Signal” in the Oval Office—is an example of the kind of visibility it has never had before. “All awareness for Signal is a net positive. The interest in Signal continues to be at an all-time high,” Harada says.

“I don’t think my phone has ever buzzed this much, from people from every walk of life. People are learning about Signal who maybe have never even heard about or considered encrypted messaging before.” Harada also pointed to a report that Google searches for “Signal” were up more than 1,000 percent.

Harada says that Signal was already seeing a significant uptick in adoption in the first few months of 2025. He attributes that growth partly to increasing general interest in privacy among consumers and partly to the breach of nine US telecoms by China's Salt Typhoon hacker group, which led to the hackers accessing some targets' real-time calls and texts. Federal officials at the FBI and the Cybersecurity and Infrastructure Security Agency responded to those breaches by publicly recommending that Americans use encrypted messaging and calling applications.

But all of that has been dwarfed by the attention and interest Signal has received this week. As messy as SignalGate may be, Harada says, it has made Signal a household name like never before. “To have this kind of mainstream moment is massive,” he says. “I believe it’s a sea change for private encrypted messaging for the US and the world.”

SignalGate Is Driving the Most US Downloads of Signal Ever

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including…

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including DLL sideloading and LOTL abuse, and explores the group’s evolving cybercriminal activities.

Bitdefender Labs has revealed a shift in the operational tactics of the long-standing cyber threat group known as **RedCurl**. This group, also known as Earth Kapre or Red Wolf, has historically maintained a low profile, relying heavily on covert data exfiltration. It has now been linked to a novel ransomware campaign, marking a dramatic change in their activities. This new ransomware strain, dubbed QWCrypt, targets hypervisors, effectively crippling infrastructure while maintaining a stealthy presence.

“This new ransomware…is previously undocumented and distinct from known ransomware families,” the **report** states.

This discovery prompts a reevaluation of RedCurl’s operational model, which has remained largely puzzling since their emergence in 2018. The group’s targeting patterns further complicates their classification.

While telemetry data points to victims primarily in the United States, with additional targets in Germany, Spain, and Mexico, other researchers have reported targets in Russia, a broad geographical scope atypical for state-sponsored actors. The absence of any historical evidence of RedCurl selling stolen data, a common practice in ransomware operations, adds to the mystery.

****Living-off-the-Land (LOTL)****

The group uses sophisticated techniques, including DLL sideloading and the abuse of **Living-off-the-Land** (LOTL) strategies, all while avoiding the use of public leak sites, a critical shift from typical ransomware operations.

The initial access vector used by RedCurl in their ransomware deployment remains consistent with their previous campaigns: phishing emails containing IMG files disguised as CV documents. These files, when opened, execute a malicious screensaver file, which in turn loads a malicious DLL. This DLL then downloads the final payload, using encrypted strings and legitimate Windows tools to evade detection. 

Once inside the network, RedCurl employs lateral movement techniques, utilizing WMI and other built-in Windows tools to gather intelligence and escalate access. The group’s use of a modified wmiexec tool, which bypasses SMB connections, and Chisel, a TCP/UDP tunneling tool, highlights their sophisticated approach.

The ransomware deployment itself is highly targeted. RedCurl uses batch files to disable endpoint security and launch the ransomware’s GO executable, rbcw.exe, which encrypts virtual machines using **XChaCha20-Poly1305** encryption and excludes network gateways.

The file also includes a hardcoded personal ID for victim identification.  The ransom note, researchers claim, is not original, but rather a compilation of sections from other ransomware groups. Additionally, the absence of a dedicated data leak site further complicates the understanding of RedCurl’s motives.Bitdefender

****Bitdefender’s Hypotheses****

Bitdefender proposes two potential hypotheses to explain RedCurl’s unconventional behaviour. The first suggests they may operate as “gun-for-hire” cyber mercenaries, explaining their diverse victimology and inconsistent operational patterns.

The second hypothesis posits that RedCurl prioritizes discreet, direct negotiations with victims, avoiding public attention to maintain extended, low-profile operations. This theory is supported by the group’s targeting of hypervisors while maintaining network gateways, suggesting an attempt to limit disruption and confine the attack to IT departments.

In conclusion, Bitdefender recommends a multilayered defense strategy, enhanced detection and response capabilities, and a focus on preventing LOTL attacks to mitigate the risks posed by groups like RedCurl. They also emphasize the importance of data protection, resilience, and advanced threat intelligence.

RedCurl Uses New QWCrypt Ransomware in Hypervisor Attacks

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-translated from Russian.

Researchers at the security firm **Silent Push** mapped a network of several dozen phishing domains that spoof the recruitment websites of Ukrainian paramilitary groups, as well as Ukrainian government intelligence sites.

The website **legiohliberty\[.\]army** features a carbon copy of the homepage for the Freedom of Russia Legion (a.k.a. “Free Russia Legion”), a three-year-old Ukraine-based paramilitary unit made up of Russian citizens who oppose Vladimir Putin and his invasion of Ukraine.

The phony version of that website copies the legitimate site — **legionliberty\[.\]army —** providing an interactive **Google Form** where interested applicants can share their contact and personal details. The form asks visitors to provide their name, gender, age, email address and/or Telegram handle, country, citizenship, experience in the armed forces; political views; motivations for joining; and any bad habits.

“Participation in such anti-war actions is considered illegal in the Russian Federation, and participating citizens are regularly charged and arrested,” Silent Push wrote in a report released today. “All observed campaigns had similar traits and shared a common objective: collecting personal information from site-visiting victims. Our team believes it is likely that this campaign is the work of either Russian Intelligence Services or a threat actor with similarly aligned motives.”

Silent Push’s **Zach Edwards** said the fake Legion Liberty site shared multiple connections with **rusvolcorps\[.\]net**. That domain mimics the recruitment page for a Ukrainian far-right paramilitary group called the Russian Volunteer Corps (rusvolcorps\[.\]com), and uses a similar Google Forms page to collect information from would-be members.

Other domains Silent Push connected to the phishing scheme include: **ciagov\[.\]icu**, which mirrors the content on the official website of the **U.S. Central Intelligence Agency**; and **hochuzhitlife\[.\]com**, which spoofs the **Ministry of Defense of Ukraine & General Directorate of Intelligence** (whose actual domain is **hochuzhit\[.\]com**).

According to Edwards, there are no signs that these phishing sites are being advertised via email. Rather, it appears those responsible are promoting them by manipulating the search engine results shown when someone searches for one of these anti-Putin organizations.

In August 2024, security researcher **Artem Tamoian** posted on Twitter/X about how he received startlingly different results when he searched for “Freedom of Russia legion” in Russia’s largest domestic search engine **Yandex** versus Google.com. The top result returned by Google was the legion’s actual website, while the first result on Yandex was a phishing page targeting the group.

“I think at least some of them are surely promoted via search,” Tamoian said of the phishing domains. “My first thread on that accuses Yandex, but apart from Yandex those websites are consistently ranked above legitimate in DuckDuckGo and Bing. Initially, I didn’t realize the scale of it. They keep appearing to this day.”

Tamoian, a native Russian who left the country in 2019, is the founder of the cyber investigation platform malfors.com. He recently discovered two other sites impersonating the Ukrainian paramilitary groups — **legionliberty\[.\]world** and **rusvolcorps\[.\]ru** — and reported both to Cloudflare. When Cloudflare responded by blocking the sites with a phishing warning, the real Internet address of these sites was exposed as belonging to a known “bulletproof hosting” network called **Stark Industries Solutions Ltd**.

Stark Industries Solutions appeared two weeks before Russia invaded Ukraine in February 2022, materializing out of nowhere with hundreds of thousands of Internet addresses in its stable — many of them originally assigned to Russian government organizations. In May 2024, KrebsOnSecurity published a deep dive on Stark, which has repeatedly been used to host infrastructure for distributed denial-of-service (DDoS) attacks, phishing, malware and disinformation campaigns from Russian intelligence agencies and pro-Kremlin hacker groups.

In March 2023, Russia’s Supreme Court designated the Freedom of Russia legion as a terrorist organization, meaning that Russians caught communicating with the group could face between 10 and 20 years in prison.

Tamoian said those searching online for information about these paramilitary groups have become easy prey for Russian security services.

“I started looking into those phishing websites, because I kept stumbling upon news that someone gets arrested for trying to join \[the\] Ukrainian Army or for trying to help them,” Tamoian told KrebsOnSecurity. “I have also seen reports \[of\] FSB contacting people impersonating Ukrainian officers, as well as using fake Telegram bots, so I thought fake websites might be an option as well.”

Search results showing news articles about people in Russia being sentenced to lengthy prison terms for attempting to aid Ukrainian paramilitary groups.

Tamoian said reports surface regularly in Russia about people being arrested for trying carry out an action requested by a “Ukrainian recruiter,” with the courts unfailingly imposing harsh sentences regardless of the defendant’s age.

“This keeps happening regularly, but usually there are no details about how exactly the person gets caught,” he said. “All cases related to state treason \[and\] terrorism are classified, so there are barely any details.”

Tamoian said while he has no direct evidence linking any of the reported arrests and convictions to these phishing sites, he is certain the sites are part of a larger campaign by the Russian government.

“Considering that they keep them alive and keep spawning more, I assume it might be an efficient thing,” he said. “They are on top of DuckDuckGo and Yandex, so it unfortunately works.”

Further reading: Silent Push report, Russian Intelligence Targeting its Citizens and Informants.

When Getting Phished Puts You in Mortal Danger

A critical security flaw has been disclosed in NetApp SnapCenter that, if successfully exploited, could allow privilege escalation.
SnapCenter is an enterprise-focused software that's used to manage data protection across applications, databases, virtual machines, and file systems, offering the ability to backup, restore, and clone data resources.

The vulnerability, tracked as

Tag

#mac