SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

The full source code of SilverRAT, a notorious remote access trojan (RAT), has been leaked online briefly appearing on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly taken down.

A snapshot of the repository, captured by Hackread.com via the Wayback Machine, reveals the entire project, its features, build instructions, and even a flashy marketing-style dashboard screenshot.

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****What Is SilverRAT?****

SilverRAT is a remote access trojan developed in C#, first surfacing in late 2023. It was attributed to a group known as **Anonymous Arabic**, believed to operate out of Syria. This tool gives attackers control over infected Windows systems, offering a range of malicious capabilities.

Researchers who have analyzed SilverRAT say it has become popular in underground forums, where it’s offered as malware-as-a-service (MaaS). Its feature set includes:

*   Cryptocurrency wallet monitoring
*   Hidden applications and processes
*   Data exfiltration through Discord webhooks
*   Exploit builders for Word, Excel, VBScript, and JavaScript files
*   Antivirus bypass and binder functions to bundle multiple payloads
*   Hidden RDP and VNC sessions (allowing attackers to take over a system invisibly)
*   Password stealing from browsers, apps, games, bank cards, Wi-Fi, and system credentials

The malware’s design and use of Arabic-language components suggest its roots lie in the Middle East, though it’s been observed in campaigns targeting victims globally. The developer behind SilverRAT has been identified as noradlb1, publicly known as MonsterMC.

****Details of the Source Code Leak****

The leaked GitHub repository, posted by a user named Jantonzz, claimed to share the “latest version” of SilverRAT. The project included Visual Studio solution files, build instructions, and code modules that could be easily compiled by anyone with basic .NET knowledge.

The repository description boasted that the RAT is “provided for learning and experimentation purposes only,” though the long list of weaponized features leaves little doubt about its real-world criminal applications. It even promised a “Private Stub,” a customized, fully undetectable (FUD) version that would supposedly be delivered by email within two days.

Within hours, GitHub took down the repository, likely in response to reports or automatic detection of malware content. However, the brief window of public access was enough for the snapshot to be archived and circulated in security research circles.

As of now, the repository has been removed from GitHub, but the archived snapshot (attached below) shows its full content, including the dashboard image, build files, and README instructions:

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****Legitimacy and Consequences****

While leaked malware source code often comes with a disclaimer of being “for educational purposes,” the reality is that these leaks can boost cybercrime. With SilverRAT now available to the public, even low-level cybercriminals without programming skills can compile their own copies, modify the malware, or create new variants.

Given that the original developer is believed to have connections to Arabic-speaking cybercrime groups, this leak could expand the malware’s reach to new regions and actors.

****Apparently Not the First Time****

While researching SilverRAT, we found that its source code has also been sold on the notorious Russian cybercrime forum XSS. In a February 2025 post, a seller was offering the full source code for just $100.

SilverRAT Source Code Leaked Online: Here’s What You Need to Know

Hackers. AI data scrapes. Government surveillance. Thinking about where to start when it comes to protecting your online privacy can be overwhelming. Here’s a simple guide for you—and anyone who claims they have nothing to hide.

With President Donald Trump’s return to the White House and the US government’s digital surveillance machine more powerful than ever, digital privacy should be top of mind. But the digital security world can be confusing—and there’s the larger question of why. You may think, if I’m just a regular person, why is my digital privacy important?

Then there are the practical questions. What’s the best password manager? How can you keep your digital life under wraps at the border? And what kind of VPN should you be using? Is AI scraping my data?

WIRED senior writer and security expert Matt Burgess spoke with readers in a Reddit AMA this month about the basics of keeping your digital footprint locked down. Here’s what to know and why it’s important.

**What is your advice for a quick win in terms of improving digital security for the everyday person? Or for someone who isn’t tech-savvy?**

I think the one big thing people can do to improve their security is make sure that multifactor authentication is turned on for as many online accounts as possible. That way if anyone gets access to your password or login details, they’ll also need to have another way to authenticate the login attempt (such as the codes generated by an authentication app), and it's highly unlikely that hackers will have access to that.

Other quick and relatively straightforward changes you can make are to use privacy-friendly browsers and search engines and to use a password manager (the one on your phone or browser is better than nothing at all) and create unique passwords for each service you use.

**There are so many privacy tips out there, and it all feels important, but trying to do everything at once can be overwhelming. What are the things people should prioritize when making changes to their online habits?**

Improving privacy is something that’s ongoing, and if you try to do everything at once then it’s too off-putting. Take it one small step at a time.

If I was starting now, I’d go with:

1.  Switching to a more privacy-focused browser. I alternate between Brave, Firefox and Safari.
2.  Then using a privacy-focused search engine too (such as DuckDuckGo).
3.  Trying to use services that minimize data collection (for instance, messaging app Signal doesn’t collect user data and is the gold standard of end-to-end encryption).

**What’s a good non-US-based VPN?**

Our favorite VPN at WIRED is currently Proton VPN, which is based in Switzerland. Proton VPN also offers the best free VPN. Unlike most services, ProtonVPN's free version gives full access to all the regular plan's features. It is limited to a single device, and there are only three server locations (Japan, Netherlands, and the US), but everything else is the same. If your needs are limited and you want to keep costs down, this is a good option. See our full guide to VPNs here.

**How do I deal with having to have a new account for every service and website? Should I be using new email addresses?**

A new email address for every account is a big undertaking! I’d recommend having an email address for the accounts that are most important to you and then having one that you use to sign up for things that are less important. There are also services that will let you create “burner” emails that you can use to sign-up with services, and if you use an Apple device there’s a “Hide My Email” setting.

**What tips would you offer to those looking to keep their digital privacy while crossing the US border (or otherwise entering or exiting the States)?**

It really depends on what levels of risk you as an individual could face. Some people traveling across the border are likely to face higher scrutiny than others—for instance nationality, citizenship, and profession could all make a difference. Even what you’ve said on social media or in messaging apps could potentially be used against you.

Personally, the first thing I would do is think about what is on my phone: the kind of messages I have sent (and received), what I have posted publicly, and log out (or remove) what I consider to be the most sensitive apps from my phone (such as email). A burner phone might seem like a good idea, although this isn’t the right idea for everyone and it could bring more suspicion on you. It’s better to have a travel phone—one that you only use for travel that has nothing sensitive on it or connected to it.

My colleague Andy Greenberg and I have put together a guide that covers a lot more than this: such as pre-travel steps you can take, locking down your devices, how to think about passwords, and minimizing the data you are carrying. It’s here. Also, senior writer Lily Hay Newman and I have produced a (long) guide specifically about phone searches at the US border.

**Would you recommend against having a device like Alexa in your home? Or are there particular products or steps you can take to make a smart device more secure?**

Something that’s always listening in your home—what could go wrong? It’s definitely not great for overall surveillance culture.

Recently Amazon also reduced some of the privacy options for Alexa devices. So if you’re going to use a smart speaker, then I’d look into what each device’s privacy settings are and then go from there.

**How do you see people's willingness to hand over information about their lives to AI playing into surveillance?**

The amount of data that AI companies have—and continue to—hoover up really bothers me. There’s no doubt that AI tools can be useful in some settings and to some people (personally, I seldom use generative AI). But I would generally say people don’t have enough awareness about how much they’re sharing with chatbots and the companies that own them. Tech companies have scraped vast swathes of the web to gather the data they claim is needed to create generative AI—often with little regard for content creators, copyright laws, or privacy. On top of this, increasingly, firms with reams of people’s posts are looking to get in on the AI gold rush by selling or licensing that information.

For the everyday person, I’d warn them not to enter personal details or sensitive business information! We also have a more thorough guide here.

**Are personal data removal services worthwhile, or are they just another vector for data thieves?**

Whether data removal services are worthwhile or not probably depends on where you are based in the world: I’m in Europe where there’s GDPR and stricter privacy laws, and when I have used a data removal service, it hasn’t turned up too much. But in the US, there’s no comprehensive federal privacy law—that really should change—and they may be more useful.

Much of what can be done by data removal services, you can also do yourself. Consumer Reports recently did a good evaluation of data removal services.

**What is your preferred response for people who claim they have nothing to hide?**

I think in a lot of cases when people claim they have nothing to hide, they often jump to thinking about illegal or malicious things. When in fact, privacy, for me, isn’t about “hiding” things at all. You should be able to have the space—both in the physical and digital world—to not be surveilled or have your actions tracked. People should be able to act without intrusion from others—that doesn’t mean you’re hiding anything, but you just don’t want to share everything you do with everyone (or anyone). And really that’s why privacy is considered a fundamental human right.

I actually like a lot of the answers that people sent in to Amnesty International about how they respond to the point of “not having anything to hide.”

_With files from Scott Gilbertson._

A Starter Guide to Protecting Your Data From Hackers and Corporations

A list of topics we covered in the week of May 19 to May 25 of 2025

May 22, 2025 - The Lumma infostealer infrastructure has suffered a serious blow by a coordinated action of the DOJ and Microsoft.

May 22, 2025 - A stalkerware company that recently leaked millions of users' personal information online has taken all of its assets offline without any explanation.

May 22, 2025 - Cybercriminals are using AI-based tools to generate voice clones of the voices of senior US officials in order to scam people.

May 20, 2025 - The bankrupt 23andMe, along with all of its genetic data, has been bought by US drugmaker Regeneron Pharmaceuticals.

May 20, 2025 - You'd hope that spending $6,000 on a printer would give you a secure experience, free from viruses and other malware. However, in the case of Procolored printers, you'd be wrong.

 A week in security (May 19 &#8211; May 25) 

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69…

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69 million IMSI units and 9.82 GB of USIM data. Discover the telco’s security upgrades & future plans after the massive breach.

A recent data breach at South Korean telecommunications giant SK Telecom was, reportedly, much more deeply rooted than initially thought, with the intrusion remaining hidden for nearly two years. The company announced on Monday that the malware has gone undetected since at least June 2022.

The attack, disclosed in April, affected a significant portion of SK Telecom’s 23 million customers, compromising personal and financial details. The Ministry of Science and ICT, along with a joint team of public and private investigators, revealed that the attack compromised a significant portion of SK Telecom’s user data.

Specifically, approximately 26.69 million International Mobile Subscriber Identity (IMSI) units were leaked. IMSI is a unique 15-digit or shorter number that identifies and authenticates each mobile subscriber. Moreover, investigators identified 25 types of malware and quarantined 23 affected servers, claiming that 9.82 gigabytes of USIM information were compromised.

****Responding to the Breach****

In response to the security lapse, SK Telecom has implemented a series of preventative measures. The company has temporarily stopped new subscriber sign-ups and initiated a nationwide program to replace SIM cards as a safeguard.

Furthermore, they have rolled out an upgraded fraud detection system, FDS 2.0, which uses a “triple-factor authentication” process to prevent unauthorized SIM and device cloning. This enhanced security is now automatically applied across their network.

SK Telecom has also emphasized that no actual customer damages or instances of “terminal cloning” have been reported so far and all attempts at phone or SIM card piracy are now blocked at the network level, with three layers of verification to confirm the legitimacy of the subscriber, SIM card, and device. The company has pledged to “take full responsibility for any damages” that may arise from the breach, offering to replace the USIM of all 25 million subscribers, including 2 million budget phone users, for free.

****National Security Concerns and Future Steps****

SK Group chairman Chey Tae-won issued an apology to customers earlier in May, highlighting the severity of the incident by stating it “needs to be looked at as a matter of national defence.”

The malware used in the attack is believed to be BPFdoor, which can bypass authentication. It is typically used by hacking groups linked to China. Although no specific group has claimed responsibility, the chairman’s concerns and the identified malware align with similar tactics observed in recent attacks on US telecom companies.

Beyond technical upgrades, SK Telecom is also enhancing customer support. Starting May 19, the company plans to offer “mobile service” visits to remote areas, explaining SIM protection services and providing on-site SIM replacements and resets. These efforts highlight the company’s commitment to rebuilding customer trust and strengthening cybersecurity to counter cybersecurity threats.

SK Telecom Uncovers Two-Year Malware Attack, Leaking 26M IMSI Records

Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

This week, WIRED launched our Rogues issue—which included going a bit rough ourselves. WIRED senior correspondent Andy Greenberg flew to Louisiana to see how easy it would be to recreate the 3D-printed gun authorities say they found on Luigi Mangione when they arrested him for the murder of UnitedHealthcare's CEO. The result? It was both easy and legal.

On Wednesday, US, European, and Japanese authorities announced the disruption of one of the world's most widely used infostealer malware. Known as Lumma, the malware was used to steal sensitive information from victims around the world, including passwords, banking information, and cryptocurrency wallets details, according to authorities. Microsoft's Digital Crime Unit aided in the operation, taking down some 2,300 URLs that served as the Lumma infrastructure.

A mysterious database containing more than 184 million records was taken down this week following its discovery by security researcher Jeremiah Fowler. The database contained 47 GB of data, which included information related to Amazon, Apple, Discord, Facebook, Google, Instagram, Microsoft, Netflix, Nintendo, PayPal, Snapchat, Spotify, Twitter, WordPress, Yahoo, and more.

In other news, the US charged 16 Russian nationals for allegedly operating the DanaBot malware, which authorities say was used in a wide variety of attacks, from ransomware to espionage. And a recent webinar revealed how a major venture capitalist helped get Starlink satellite internet activated for Israel following the October 7, 2023 attack by Hamas.

But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The US intelligence community is looking to create a marketplace where private information gathered by data brokers under the guise of marketing can be purchased by American spies, The Intercept reports. Contracting data shows the US spy agencies intend to create a “Intelligence Community Data Consortium” that uses AI tools to sift through people’s personal data; information that the Office of the Director of National Intelligence has previously acknowledged “could facilitate blackmail, stalking, harassment, and public shaming.” In addition to providing insight into Americans’ behaviors and religious and political beliefs, commercial data frequently includes precise location information, offering the US government the ability to surveil people’s movements without acquiring a warrant—exploiting a widely recognized loophole in US privacy law.

Federal lawmakers attempted to ban the US government from buying what it calls “commercially accessible information” last year, with the Republican-controlled House passing a version of a law known as the “Fourth Amendment Is Not For Sale Act.” However, the US Senate, then controlled by the Democratic Party, rejected the legislation.

Reporting by WIRED has repeatedly demonstrated how such data can offer US adversaries the ability to monitor the movements of US military and intelligence personnel, including in and around sensitive facilities that house nuclear arms.

**A Mysterious Hacking Group Is Revealed to Work for the Spanish Government**

Back in 2014, Russian security firm Kaspersky announced it had discovered a sophisticated hacking group it called Careto, Spanish for “Ugly Face” or “Mask,” that had targeted victims across Europe and Cuba. Now, more than a decade later, former employees of the company have finally confirmed what Kaspersky wouldn’t spell out at the time: That they believe Careto was a rare sighting of hackers working on behalf of the Spanish government. Careto’s targets included energy companies, research institutions, and activists, but it particularly focused on Cuba, likely due to the island nation’s giving refuge to members of a Spanish separatist group designated as terrorists by several European countries. Kaspersky’s researchers found a Spanish phrase in the hackers’ malware code that translates to “I shit in the sea,” an expletive phrase typically used by Spaniards but not other Spanish speakers. Given the sophistication of Careto’s hacking, the public confirmation of Kaspersky’s attribution to Spain adds another known player to the game of high-level state-sponsored hacking.

**Signal Introduces New Feature to Block Screenshots by Microsoft Recall**

Microsoft’s Recall feature, which constantly takes and archives screenshots of Windows users’ activity, still represents a serious privacy problem—even after Microsoft significantly walked back its rollout in response to criticism. So the encrypted messaging app Signal has gone so far as to exploit a digital rights management feature of Windows typically used to protect copyrighted materials to block Recall from taking screenshots of the app by default on Windows machines. After all, the Recall feature—which will likely be required for some corporate or government users—will essentially remove any privacy promise from Signal’s disappearing messages feature for both Recall users and anyone communicating with them. The screenshot-prevention feature can be turned off in Signal’s settings, but it will be turned on by default in Windows. “Microsoft has simply given us no other option,” Signal wrote in a blog post.

**Russia’s Fancy Bear Hackers Targeted Security Cameras to Spy on Ukraine Aid**

The hacker group within Russia’s GRU military intelligence agency known as APT28 or Fancy Bear first rose to infamy for its targeting of the 2016 US election, but it’s no surprise that the group has more recently focused on Ukraine. According to a new assessment from no fewer than 11 countries’ intelligence agencies, the hacker group has been targeting a broad array of technology and logistics firms involved in providing aid to Ukraine. “Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign, the advisory reads. Perhaps most notable about the agencies’ accusations is that the hackers targeted 10,000 security cameras in countries bordering Ukraine, including at border crossings, military facilities, and train stations. According to the agencies, the GRU hackers also carried out reconnaissance of the network of at least one producer of industrial control system components for railway systems—suggesting a possible intention to attempt sabotage—but didn’t actually succeed in breaching the company.

**US Indicts Russian National Over Qakbot Malware**

The US Department of Justice on Thursday indicted a Russian national, Rustam Gallyamov, on allegations that he designed software that was widely used by ransomware gangs and is known to have infected hundreds of thousands of computers, netting the gangs roughly $8.6 million in profit, according to DOJ figures. Prosecutors say more than $24 million was seized from Gallyamov, 48, over the course of its investigation. Federal charges unsealed this week allege that Gallyamov himself gained access to victims’ computers and provided it to an array of cybercriminal organizations, including Dopplepaymer, REvil, Black Basta, and Cactus, among others.

The investigation into the now disrupted malware, known as Qakbot, was announced in August 2023 under former US attorney general Merrick Garland, who credited a multinational operation that included Europol and prosecutors and law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. Agencies of Canada and Denmark have also been credited in the investigation that targeted Gallyamov.

The US Is Building a One-Stop Shop for Buying Your Data

Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.

A new report from Cofense Intelligence reveals a troubling trend in cyberattacks: criminals are increasingly hijacking legitimate Remote Access Tools (RATs) to infiltrate computer systems. Unlike malicious software specifically designed for hacking, these tools are built for lawful purposes, often used by IT professionals in companies. Their genuine nature makes them particularly dangerous, as they can bypass traditional security measures and user suspicion.

****The Deception of Legitimate RATs****

Threat actors are leveraging the inherent trust in these tools to gain access to victim machines, researchers noted in the blog post shared with Hackread.com. Once installed, these legitimate RATs become a gateway for delivering further harmful programs, spying on user activities, or stealing sensitive information like passwords and confidential business records. The versatility of these tools, combined with their appearance of being trustworthy software, makes them a potent weapon in the hands of cybercriminals.

Cofense Intelligence highlighted several frequently abused legitimate RATs. ConnectWise ScreenConnect, previously known as ConnectWise Control and ScreenConnect, emerged as the most popular choice for attackers in 2024, appearing in 56% of active threat reports involving legitimate RATs.

“ConnectWise RAT is the most popularly abused legitimate remote access tool and accounted for 56% of all active threat reports (ATRs) with legitimate remote access tools in 2024,” wrote Kahng An from Cofense’s Intelligence Team in their report.

Its popularity is surging further in 2025, with current attack volumes already matching those seen throughout last year. Another tool, FleetDeck, saw a surge in use during the summer of 2024, particularly targeting German and French speakers with finance-themed lures.

****Common Attack Methods and Global Impact****

Attackers employ various methods to trick victims into installing these tools. For ConnectWise ScreenConnect, notable campaigns include spoofing the US Social Security Administration with emails falsely claiming to offer updated benefit statements.

Source: Cofense  

These emails often contain links to fake PDF files or directly to the RAT installer. Another tactic observed since February 5, 2025, involves emails pretending to be notifications about shared files on “filesfm,” leading victims to download a seemingly legitimate OneDrive client that is, in fact, the ConnectWise RAT installer.

According to Cofense, other legitimate RATs are also being exploited. Atera, a comprehensive remote monitoring and management suite that integrates with tools like Splashtop, has been used in campaigns targeting Portuguese speakers in Brazil with fake legal notices and invoices since October 2024.

Source: Cofense

Smaller, less common RATs like LogMeIn Resolve (GoTo RAT), Gooxion RAT, PDQ Connect, Mesh Agent, N-Able, and Teramind have also been observed in various, often localized, campaigns.

The ease and low cost of acquiring these tools allow attackers to quickly switch between different ones, posing a continuous challenge for cybersecurity protection, Cofense researchers concluded, adding that such campaigns are typically one-off events that are hard to sustain.

“These campaigns are generally one-off events and do not appear to be sustained over time. It is possible that the threat actors quickly pivot between different RATs because of the overall large number of different options that are available on the market.”

ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks

Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.

Friday, May 23, 2025 06:00

_By Darin Smith and John Arneson_

*   Cisco Talos reviewed six months of network connection telemetry logs spanning June 1, 2024 – Dec. 31, 2024, containing 3,220,829 log events and 742 unique base domains, to explore if domains that PowerShell rarely contacts are more likely to be malicious. 
*   Key findings reveal that the odds of a rare domain being malicious were 3.18 times higher than for frequently contacted domains (95% CI: 0.39–25.9), suggesting a trend towards higher risk in rare domains. 
*   Notably, the non-rare domain ‘githubusercontent.com’ was flagged as malicious due to activity from its subdomain ‘raw.githubusercontent.com’. This is an example of why subdomains should be considered when looking for malicious network traffic, especially for cloud services where the service itself is legitimate, but the content hosted on it is not guaranteed to be.  

**Research Methodology ****Hypothesis**

At a sufficiently high volume of telemetry, domain names that PowerShell rarely connects to are more likely to be malicious than domains that are frequently connected to, regardless of PowerShell module. 

**Data Collection **

Talos queried telemetry for PowerShell network connection logs from a time period of June 1, 2024 to Dec. 31, 2024. This dataset included the following processes: ‘powershell.exe’, ‘powershell studio.exe’, ‘powershell\_ise.exe’, ‘powershelltools.exe’, ‘powershelltoolsx64.exe’, ‘pwsh’, and ‘pwsh.exe’. All of these processes are different versions of PowerShell. Talos excluded non-public top-level domains (TLDs), such as internal domains, to focus on external connections.  

**Data Processing**

Using the tldextract library, Talos extracted base domains (e.g., ‘automox.com’ from ‘api.automox.com’), resulting in 742 unique base domains. Rarity was defined as an average of ≤5 average contacts per full domain, calculated by dividing the total contacts by the number of unique full domains per base domain. This threshold identified 550 rare domains (74.1% of the total).  

**Threat Intelligence and Manual Review **

Talos assessed domain reputation using ReversingLabs (RL), which flagged a domain as malicious if any third-party source indicated so. To mitigate false positives (e.g., ‘adobe.com’), 29 domains were manually reviewed and overridden as benign, and their process arguments were documented. For subdomains such as ‘raw.githubusercontent.com’ under ‘githubusercontent.com’, the process arguments in those logs were manually reviewed, flagging 5 out of 10 connections as malicious based on commands like downloading PowerSploit or executing Invoke-Mimikatz, ensuring comprehensive threat detection.

**Findings & Analysis ****Domain Contact Distribution **

The distribution of contacts was heavily skewed: 

*   **Percentiles**: 60th percentile at 5.0 contacts, 90th at 82.0, 95th at 321.55, and 99th at 7,925.87 
*   **Top Domains**: ‘automox.com’ (2,282,308 contacts), ‘launchdarkly.com’ (493,812), and ‘amazonaws.com’ (166,536) accounted for most activity.
    *   Automox is a service for automated endpoint configuration and patch management.
    *   LaunchDarkly is a software development platform for managing feature flags and context-aware targeting of features.
    *   Amazon Web Services (AWS) is the largest cloud service provider. 
*   **Rare Domains**: 550 of 742 domains fell into the rare category.

Figure 1. Cumulative distribution of domain contact frequencies. 

**Malicious Domain Statistics **

*   **Rare Domains**: 9 malicious out of 550 (1.64%, 95% CI: 0.86%–3.08%)
*   **Non-Rare Domains**: 1 malicious out of 192 (0.52%, 95% CI: 0.09%–2.89%), notably ‘githubusercontent.com’
*   **Odds Ratio**: 3.18 (95% CI: 0.39–25.9), indicating a trend towards higher risk in rare domains, though not statistically significant (chi-square p=0.4291, Fisher’s exact p=0.4668), likely due to small sample sizes (9 rare, 1 non-rare) 

Figure 2. Malicious rates by domain rarity.

**Case Study: githubusercontent.com **

The non-rare domain ‘githubusercontent.com’ (38 contacts, 2 full domains: ‘raw.githubusercontent.com’ and ‘objects.githubusercontent.com’, average 19.00 contacts per full domain) was flagged as malicious due to 5 manually identified malicious contacts from ‘raw.githubusercontent.com’. These contacts involved potentially malicious PowerShell commands, such as downloading and executing scripts like PowerSploit or Invoke-Mimikatz. The other subdomain, ‘objects.githubusercontent.com’ (28 contacts), showed no malicious activity. This finding illustrates that even frequently contacted domains can host malicious subdomains, emphasizing the need for subdomain-level analysis in threat detection.

**Comparison to other Processes **

Another research question investigated was how the domains contacted by other similar processes would compare to those contacted by PowerShell. For the purposes of this research, Talos chose the following processes for analysis: 

*   ‘rundll32.exe’ 
*   Python (including macOS and Windows versions) 
*   ‘cmd.exe’ 
*   ‘cscript.exe’ 
*   ‘wscript.exe’ 
*   ‘bash’ 
*   ‘zsh’

These processes are primarily other command line or script interpreters, as well as ‘rundll32.exe’, which allows executing Dynamically Linked Libraries (DLLs) from the command line.

When the same heuristics as were utilized for PowerShell were applied to the domains contacted by these processes, the results varied somewhat. Across 156,203 total connection records for ‘rundll32.exe’, 940 unique domains were contacted. Of these, 722 of these domains were “rare,” using the same heuristic applied to PowerShell (i.e., they were contacted at most five times). Only one of the domains contacted was found to be malicious, either among the rare domains or the non-rare domains.

Similarly, among 795,346 total connection records for Python, 825 unique domains were contacted and 616 were rare using the same criteria. None of the rare domains were malicious, while 1 of the non-rare domains was. The processes cscript, cmd, zsh and csh had similar results, with no or single digit numbers of malicious domains contacted. However, wscript was much more interesting. It had a much smaller amount of total utilization in the dataset investigated, with just 6,936 connection events and 82 unique domains contacted. Of these, 58 domains were rare (or roughly 71%), and 5 were found to be malicious.

**Recommendations **

*   **Prioritize Rare Domains**: Security teams should focus investigations on rare domains due to their higher likelihood of being malicious, despite statistical non-significance. This finding applies primarily to PowerShell and wscript among the processes considered in this research.  
*   **Subdomain Analysis**: For frequently contacted domains, analyze subdomains and process arguments to detect malicious activity, as demonstrated with ‘githubusercontent.com’. 
*   **Integrate Manual Review**: Combine automated threat intelligence with manual reviews to reduce false positives and identify nuanced threats, particularly in high-contact domains. 
*   **Investigate Anomalous Utilization of ‘wscript.exe’:** Some environments may still commonly utilize wscript. However, this research suggests that in environments where it is rare, it has the highest likelihood to be used to connect to malicious domains of the processes researched.

**Future Work **

This research presents several opportunities for future research. One opportunity is temporal analysis to determine if there were time-based patterns for contacting domains, and if so, determining if these patterns could be used to identify malicious activity. This could potentially include seeing increased contacts of malicious domains during weekends or off-hours. Time-series analysis could be applied to the data to test this hypothesis.

Another opportunity is the behavioral analysis of process arguments, focusing on identifying recurring patterns tied to malicious activity, such as downloading PowerShell scripts from a remote host, or exfiltration of data. This could be used to refine the current rarity to malicious correlation of 1.64% for rare domains versus 0.52% for non-rare domains. This may spotlight behavioral red flags and give actionable insights for more precision detection logic.

Finally, future research can develop a risk scoring system that integrates multiple factors such as contact frequency, malicious rate, TLDs and even ReversingLabs’ network threat intelligence. This can provide a scalable and practical tool for security teams to prioritize high-risk domains, whether rare or non-rare like ‘githubusercontent.com’. This builds on the current analysis but also paves the way for more robust, data-driven strategies to combat threats, ensuring this research delivers lasting value to the security community.

Scarcity signals: Are rare activities red flags?

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling **DanaBot**, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The **FBI** says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

DanaBot’s features, as promoted on its support site. Image: welivesecurity.com.

Initially spotted in May 2018 by researchers at the email security firm **Proofpoint**, DanaBot is a malware-as-a-service platform that specializes in credential theft and banking fraud.

Today, the **U.S. Department of Justice** unsealed a criminal complaint and indictment from 2022, which said the FBI identified at least 40 affiliates who were paying between $3,000 and $4,000 a month for access to the information stealer platform.

The government says the malware infected more than 300,000 systems globally, causing estimated losses of more than $50 million. The ringleaders of the DanaBot conspiracy are named as **Aleksandr Stepanov**, 39, a.k.a. “**JimmBee**,” and **Artem Aleksandrovich Kalinkin**, 34, a.k.a. “**Onix**”, both of Novosibirsk, Russia. Kalinkin is an IT engineer for the Russian state-owned energy giant **Gazprom**. His Facebook profile name is “Maffiozi.”

According to the FBI, there were at least two major versions of DanaBot; the first was sold between 2018 and June 2020, when the malware stopped being offered on Russian cybercrime forums. The government alleges that the second version of DanaBot — emerging in January 2021 — was provided to co-conspirators for use in targeting military, diplomatic and non-governmental organization computers in several countries, including the United States, Belarus, the United Kingdom, Germany, and Russia.

“Unindicted co-conspirators would use the Espionage Variant to compromise computers around the world and steal sensitive diplomatic communications, credentials, and other data from these targeted victims,” reads a grand jury indictment dated Sept. 20, 2022. “This stolen data included financial transactions by diplomatic staff, correspondence concerning day-to-day diplomatic activity, as well as summaries of a particular country’s interactions with the United States.”

The indictment says the FBI in 2022 seized servers used by the DanaBot authors to control their malware, as well as the servers that stored stolen victim data. The government said the server data also show numerous instances in which the DanaBot defendants infected their own PCs, resulting in their credential data being uploaded to stolen data repositories that were seized by the feds.

“In some cases, such self-infections appeared to be deliberately done in order to test, analyze, or improve the malware,” the criminal complaint reads. “In other cases, the infections seemed to be inadvertent – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake.”

Image: welivesecurity.com

A statement from the DOJ says that as part of today’s operation, agents with the **Defense Criminal Investigative Service** (DCIS) seized the DanaBot control servers, including dozens of virtual servers hosted in the United States. The government says it is now working with industry partners to notify DanaBot victims and help remediate infections. The statement credits a number of security firms with providing assistance to the government, including **ESET**, **Flashpoint**, **Google**, **Intel 471**, **Lumen**, **PayPal**, **Proofpoint**, **Team CYMRU**, and **ZScaler**.

It’s not unheard of for financially-oriented malicious software to be repurposed for espionage. A variant of the **ZeuS Trojan**, which was used in countless online banking attacks against companies in the United States and Europe between 2007 and at least 2015, was for a time diverted to espionage tasks by its author.

As detailed in this 2015 story, the author of the ZeuS trojan created a custom version of the malware to serve purely as a spying machine, which scoured infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.

The public charging of the 16 DanaBot defendants comes a day after **Microsoft** joined a slew of tech companies in disrupting the IT infrastructure for another malware-as-a-service offering — Lumma Stealer, which is likewise offered to affiliates under tiered subscription prices ranging from $250 to $1,000 per month. Separately, Microsoft filed a civil lawsuit to seize control over 2,300 domain names used by Lumma Stealer and its affiliates.

Further reading:

Danabot: Analyzing a Fallen Empire

ZScaler blog: DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense

Flashpoint: Operation Endgame DanaBot Malware

Team CYMRU: Inside DanaBot’s Infrastructure: In Support of Operation Endgame II

March 2022 criminal complaint v. Artem Aleksandrovich Kalinkin

September 2022 grand jury indictment naming the 16 defendants

Oops: DanaBot Malware Devs Infected Their Own PCs

A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments.

The US Department of Justice today announced criminal charges today against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot, which according to a complaint infected at least 300,000 machines around the world. The DOJ’s announcement of the charges describes the group as “Russia-based,” and names two of the suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service (DCIS)—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure around the world, including in the US.

Aside from alleging how DanaBot was used in for-profit criminal hacking, the indictment also makes a rarer claim—it describes how a second variant of the malware it says was used in espionage against military, government, and NGO targets. “Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” US attorney Bill Essayli wrote in a statement.

Since 2018, DanaBot—described in the criminal complaint as “incredibly invasive malware”—has infected millions of computers around the world, initially as a banking trojan designed to steal directly from those PCs' owners with modular features designed for credit card and cryptocurrency theft. Because its creators allegedly sold it in an “affiliate” model that made it available to other hacker groups for $3,000 to $4,000 a month, however, it was soon used as a tool to install different forms of malware in a broad array of operations, including ransomware. Its targets, too, quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis of the operation by cybersecurity firm Crowdstrike.

At one point in 2021, according to Crowdstrike, Danabot was used in a software supply-chain attack that hid the malware in a javascript coding tool called NPM with millions of weekly downloads. Crowdstrike found victims of that compromised tool across the financial service, transportation, technology, and media industries.

That scale and the wide variety of its criminal uses made DanaBot “a juggernaut of the e-crime landscape,” according to Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint.

More uniquely, though, DanaBot has also been used at times for hacking campaigns that appear to be state-sponsored or linked to Russian government agency interests. In 2019 and 2020, it was used to target a handful of Western government officials in apparent espionage operations, according to the DOJ's indictment. According to Proofpoint, the malware in those instances was delivered in phishing messages that impersonated the Organization for Security and Cooperation in Europe and a Kazakhstan government entity.

Then, in the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool onto infected machines and launch attacks against the webmail server of the Ukrainian Ministry of Defense and National Security and Defense Council of Ukraine.

All of that makes DanaBot a particularly clear example of how cybercriminal malware has allegedly been adopted by Russian state hackers, Proofpoint's Larson says. “There have been a lot of suggestions historically of cybercriminal operators palling around with Russian government entities, but there hasn't been a lot of public reporting on these increasingly blurred lines,” says Larson. The case of DanaBot, she says, “is pretty notable, because it's public evidence of this overlap where we see e-crime tooling used for espionage purposes.”

In the criminal complaint, DCIS investigator Elliott Peterson—a former FBI agent known for his work on the investigation into the creators of the Mirai botnet—alleges that some members of the DanaBot operation were identified after they infected their own computers with the malware. Those infections may have been for the purposes of testing the trojan, or may have been accidental, according to Peterson. Either way, they resulted in identifying information about the alleged hackers ending up on DanaBot infrastructure that DCIS later seized. “The inadvertent infections often resulted in sensitive and compromising data being stolen from the actor's computer by the malware and stored on DanaBot servers, including data that helped identify members of the DanaBot organization,” Peterson writes.

The operators of DanaBot remain at large, but the takedown of a large-scale tool in so many forms of Russian-origin hacking—both state-sponsored and criminal—represents a significant milestone, says Adam Meyers, who leads threat intelligence research at Crowdstrike.

“Every time you disrupt a multiyear operation, you're impacting their ability to monetize it. It also creates a bit of a vacuum, and somebody else is going to step up and take that place,” Meyers says. “But the more we can disrupt them, the more we keep them on their back heels. We should rinse and repeat and go find the next target.”

Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying

Global crackdown: Operation RapTor leads to 270 arrests, millions seized as law enforcement targets dark web drug, weapon, and crypto vendors.

In one of the largest global law enforcement actions against dark web crime to date, authorities from ten countries have arrested 270 individuals involved in drug trafficking, weapons sales, and the distribution of counterfeit goods online. The operation has been dubbed Operation RapTor.

Coordinated by Europol and the U.S. Department of Justice’s JCODE task force, the operation followed months of intelligence gathering after the takedowns of several dark web marketplaces: Nemesis, Incognito, Tor2Door, Bohemia, and Kingdom Market. These takedowns gave investigators access to key infrastructure and transaction data, which they used to identify vendors and buyers across the globe.

****A Multi-Continent Crackdown****

The arrests span the United States (130), Germany (42), the United Kingdom (37), France (29), South Korea (19) and several other nations. Authorities also confiscated over €184 million ($200 million) in cash and cryptocurrency, more than 2 metric tons of drugs, 144 kilograms of fentanyl, over 180 firearms, and thousands of counterfeit and illicit products.

Machines used by drug traffickers to produce fake prescription pills (Seized now) Via US DOJ

According to Europol and the DOJ, the scope of the operation reflects the evolving nature of cybercrime, where illegal activity often mirrors legitimate e-commerce in form but thrives in secrecy and deception. Many of those arrested had conducted thousands of sales, using crypto and encryption tools to evade detection.

****Dark Web Isn’t Invisible Anymore****

“This historic international seizure of firearms, deadly drugs, and illegal funds will save lives,” said Attorney General Pam Bondi. “Criminals cannot hide behind computer screens or seek refuge on the dark web.”

The operation also marks a major step forward in dismantling supply chains responsible for fentanyl-laced pills, a growing threat in the opioid crisis. Several US-based vendors convicted as part of related investigations were directly linked to fatal overdoses, including a trafficking ring that distributed over 120,000 fentanyl-laced pills nationwide.

****Targeting Infrastructure and Crypto****

A notable element of Operation RapTor is its focus not just on sellers but also on the marketplace infrastructure itself. The seizure of Nemesis Market, in particular, played a pivotal role. The market’s alleged operator, Behrouz Parsarad, an Iranian national, was sanctioned and indicted on drug trafficking charges.

The IRS Criminal Investigation Division noted that crypto forensics played a central role in tracing illicit transactions. “No digital wallet can hide you from facing justice,” said DEA Acting Administrator Robert Murphy.

****Changing Tactics of Dark Web Operators****

Law enforcement agencies are observing a shift in how dark web vendors operate. As major marketplaces go offline, criminals are increasingly turning to single-vendor shops, smaller, standalone sites that reduce exposure.

While this decentralization makes investigations more fragmented, the Operation RapTor results show that targeted surveillance and intelligence sharing can still yield high-impact outcomes.

The international partnerships powering the operation included not only Europol but also agencies from Austria, Brazil, France, Germany, the Netherlands, South Korea, Spain, Switzerland, and the United Kingdom, along with U.S. federal agencies like the FBI, DEA, FDA OCI, HSI, and IRS-CI.

Europol’s Head of Cybercrime Edvardas Šileris stressed that this operation is not the finish line but the launchpad for deeper investigations. “Operation RapTor shows that the dark web is not beyond the reach of law enforcement and Europol will continue working with our partners to make the internet safer for everyone,” he said in a press release.

Tag

#mac