Cybercriminals are targeting YouTube creators with sophisticated phishing attacks disguised as brand collaborations. Learn how to identify these scams, protect your data, and safeguard your online presence

****summary****

*   **Phishing Attack**: Cybercriminals use fake brand collaboration emails to target YouTube creators.

*   **Malware Disguise**: Malicious files are hidden in password-protected attachments like contracts or promotional materials.

*   **Cloud Hosting**: Attackers leverage platforms like OneDrive to host malware, adding a layer of credibility.

*   **Sensitive Data Theft**: Malware steals login credentials, financial information, and grants remote access.

*   **Wide Reach**: Over 200,000 creators targeted globally, with thousands of phishing emails sent via automated tools.

CloudSEK’s threat research team has disclosed details of an advanced new phishing campaign targeting YouTube creators. According to CloudSEK’s investigation, shared exclusively with _Hackread.com_, scammers are using fake brand collaboration emails to steal accounts and spread scams to millions of followers.

****Campaign Analysis****

Report author Mayank Sahariya notes that this sophisticated phishing campaign involves impersonating trusted brands to distribute malware through fake collaboration offers. 

Attackers begin by scraping email addresses from YouTube channels, likely using a specialized parser tool. This allows them to target creators and organizations directly. With email addresses in hand, attackers use browser automation tools to send bulk phishing emails.

Next, the attackers send cleverly crafted emails that appear to be legitimate business proposals from well-known brands. These emails entice recipients with lucrative collaboration deals and include enticing compensation structures based on subscriber count. The malware is cleverly disguised within attachments such as Word documents, PDFs, or Excel files, often masquerading as promotional materials, contracts, or business proposals.

“At the end of the email, the threat actor includes instructions and a OneDrive link to access a zip file containing the agreement and promotional materials, secured with the password,” the report read.

The extracted files reveal four files, including Digital Agreement Terms and Payments Comprehensive Evaluation.exe, which is a malicious payload. Once downloaded and extracted, the zip file unleashes a malicious script disguised as a harmless file format, such as “webcams.pif.” This script leverages AutoIt3 automation software to execute further malware hidden within the archive.

To further bypass detection, the attackers host these malicious attachments on cloud storage platforms like OneDrive (form this ID- \[email protected\] created on August 15, 2024), protected by passwords. This tactic adds a layer of legitimacy, as recipients might expect collaboration agreements and promotional materials to be password-protected.

Once a curious YouTuber downloads the attachment, the malware installs itself on the victim’s system. This malware is designed to steal sensitive information, including login credentials, financial data, and intellectual property. In some cases, it can even grant remote access to the attacker, compromising the entire system.

Attack flow and malicious email used in the scam (Via CloudSec)

****Who are the Targets?****

According to CloudSec’s blog post, this global campaign primarily targets businesses and individuals involved in marketing, sales, and executive positions. These individuals are more likely to engage with brand collaborations and promotions, making them prime targets for this phishing scheme.  

So far, this campaign has targeted over 2 lakh YouTube creators, involving 500-1,000 phishing emails sent from a single email account and around 340+ SMTP servers have been weaponized for attacks.

To stay protected, YouTube creators should be cautious of unsolicited collaboration offers, especially password-protected attachments. Always double-check email addresses, and contact brands directly to confirm the legitimacy of collaboration offers. Also, avoid downloading attachments from unknown senders, even if password-protected to protect valuable data.

1.  **Scammers Rake in $600K with YouTube Deepfakes**
2.  **YouTube Channels Hacked to Spread Lumma Stealer**
3.  **Fake YouTube Android Apps Used to Distribute CapraRAT**
4.  **New YouTube phishing scam using authentic email address**
5.  **Get Paid to Like Videos YouTube Scam Empties Your Wallets**

Malware Hidden in Fake Business Proposals Hits YouTube Creators

Staffers at the Cybersecurity and Infrastructure Security Agency tell WIRED they fear the new administration will cut programs that keep the US safe—and “persecution.”

Donald Trump helped create the US government’s cybersecurity agency during his first term as president. Six years later, employees of that agency are afraid of what he’ll do with it once he retakes office.

Trump’s alliances with libertarian-minded billionaires like Elon Musk and his promises to cut government spending and corporate oversight have alarmed staffers at the Cybersecurity and Infrastructure Security Agency, the component of the Department of Homeland Security that defends US government computer systems from hackers and helps state and local governments, private companies, and nonprofit groups protect themselves.

CISA, which the Trump administration and Congress created in 2018 by reorganizing an existing DHS wing, became a target of right-wing vitriol after its Trump-appointed director rebuffed the president’s election conspiracy theories in 2020 (prompting Trump to fire him) and after it worked with tech companies to combat online misinformation during the 2022 election.

The incidents turned a once-obscure agency with bipartisan credibility into a conservative bogeyman. House Republicans have accused CISA of spying on and censoring Americans, and the GOP senator who will soon oversee the agency wants to eliminate it.

Now, with Trump returning to office vowing to purge disloyal civil servants and turn DHS into an immigration-crackdown machine, CISA employees are acutely worried about the fate of their still-fledgling agency, according to interviews with four current staffers and another US cyber official, all of whom requested anonymity to speak candidly about a sensitive subject.

“We believe it's our responsibility to help those who don't really have the ability to help themselves,” says one CISA employee. “We take our missions seriously, which is why we are all concerned, to a T, about if any decisions are going to affect our mission negatively.”

**Scaling Back Corporate Accountability**

CISA is bracing for change in several areas that were key to US president Joe Biden’s cybersecurity agenda.

Biden’s cyber strategy called for companies to take more responsibility for the security of their products and services, and CISA led that effort with its campaign encouraging companies to make their systems “secure by design” and “secure by default.” Agency officials pushed tech firms to make security features free and automatic and to pay closer attention to the quality of their code. Hundreds of companies have signed CISA’s secure-by-design pledge and vowed to take cybersecurity more seriously.

CISA employees and Biden administration officials expect the Trump team to kill Biden’s corporate responsibility initiatives. “They do not think it's the role of the US government to make \[the\] private sector act in a certain way,” says a US cyber official.

A second CISA employee predicts that “compliance efforts like secure-by-design may not have the support that they currently benefit from.”

That retreat from corporate oversight will be a top priority of Musk and other tech billionaires who have flocked to Trump. “The tech influence here, assuming Elon Musk stays in Trump's good graces, is going to be significant,” the cyber official says.

Without high-level White House backing, CISA’s secure-by-design campaign “becomes toothless,” says the first CISA employee. “Some companies will be less inclined to follow these \[guidelines\] if they don't believe that the executive branch is going to support them.”

CISA employees are also watching uneasily to see if Trump officials pressure the cyber agency to water down its draft regulation requiring critical infrastructure operators to report cyber incidents. Congress mandated the rule in a 2022 spending bill, but groups representing infrastructure operators have complained that the draft requirements—which must be finalized by late 2025—are too onerous. Trump could force CISA to scale back the rules in order to appease the private sector.

Trump and his allies want to “get rid of anybody who can enforce the rules, because then the rules don't matter,” the cyber official says. “In CISA’s instance, that's going to be pretty significant.”

CISA is also bracing for changes to its election security mission. The agency has already dramatically scaled back conversations with social media companies about online misinformation following a right-wing backlash, but Trump’s team could force CISA to abandon even more of its election security work. CISA staffers worry that Trump will block the agency from participating in state and local election officials’ “Trusted Info” initiative, which encourages Americans to listen to their local election supervisors instead of provocative online claims.

“I think that work is probably dead,” says a third CISA employee.

South Dakota governor Kristi Noem, Trump’s pick to lead the Department of Homeland Security, embraced election conspiracies after Biden’s win in 2020. “Kristi Noem is a Trump loyalist who has backed him in election denial claims, and now she's going to be in charge of the agency that oversees \[CISA\],” says the cyber official. “I have a lot of questions about what happens there.”

The third CISA employee expects to see the “persecution of those who have done election security work” once Trump takes office.

**Weakening Authorities**

Trump’s victory could also have serious consequences for other CISA missions.

Under Biden, CISA gained broader authority and new funding to monitor other agencies’ networks for suspicious activity, turning it into the centralized defender of federal networks that many experts always hoped it would become. That could change under Trump, especially if senior officials close to Trump bristle at CISA’s oversight.

“I can absolutely see the new administration coming in and saying, ‘Hey, you guys are not letting agencies do what they need to do. You have … too much power \[to look\] at how the agencies do things. We're going to reduce your power,’” says the first CISA employee. “That will prevent us from doing the very necessary work that we need to do to protect the American people.”

One of CISA’s most formidable powers over other agencies could be watered down for an unexpected reason.

CISA can order the rest of the government to rapidly patch vulnerabilities and make other security improvements, and it has repeatedly used this authority in response to emerging digital crises. But while these directives only apply to federal agencies, some businesses treat them like unofficial government dictates and push their security teams to implement them.

If corporate leaders complain about these directives’ effects on their bottom lines, Trump’s team could force CISA to scale back its use of this authority.

The Trump administration could also try to cut costs at CISA by slashing the free services that it provides to state and local governments and critical infrastructure providers.

“My concern would be that some of those programs would just kind of fall to the wayside,” says the first CISA employee, who also fears that CISA’s “ability to express to the nation what we do and what services we offer” will “come under attack.”

**Dimming the Stars**

Trump’s influence on CISA could also undermine the agency’s long-running uphill battle to attract talented experts away from lucrative industry jobs and into public service.

Multiple CISA employees say they worry that Trump’s election will mean the end of what one called “star hires” like senior advisers Bob Lord and Jack Cable, the corporate cyber veteran and young security whiz, respectively, who lead CISA’s secure-by-design program.

“I can absolutely see guys like Bob Lord and Jack Cable—big, well-respected individuals in the security community—deciding that they want to take their stuff elsewhere if they don't believe that the administration is serious about helping companies be more secure,” says the first CISA employee. Lord and Cable declined WIRED’s request to comment.

“This country has gotten so much more politicized over the past eight years to where it gets in the way of us doing our jobs,” the first CISA employee adds.

Trump’s promised changes to civil-service rules, which would expose more government workers to politically motivated firings, are also alarming CISA employees. “I worry about getting weaponized,” says the third CISA employee.

**Political Tensions**

When it comes to CISA’s fate, much will depend on whom Trump picks to lead the agency and how they navigate broader DHS politics.

The main contenders for CISA director—Karen Evans, a former Energy Department cyber official and White House IT official; Matt Hayden, who served as DHS’s assistant secretary for cyber policy during Trump’s first term; and Brian Harrell, who led CISA’s infrastructure protection wing under Trump—have cyber experience and bipartisan credibility. But if Trump passes over them, it’s not clear who will end up leading CISA.

“There’s not really a ton of star, right-leaning info security people out there who want to risk their credibility as a political appointee,” says the third CISA employee.

Even if CISA gets competent, well-liked senior officials, they will still be at the mercy of DHS leadership. Kristi Noem has touted her work on cybersecurity as South Dakota’s governor, including in an op-ed after her nomination that referenced CISA. But Noem was the only governor to reject money from a DHS cyber grant program for state and local governments in 2023, suggesting that she won’t support the program, which expires in late 2025.

A fourth CISA employee says they hope that once Noem and other Trump appointees “are briefed on the full extent of our nation’s cybersecurity problems, they will recognize the value of our work and its critical importance to national security.”

But even if Noem mostly leaves CISA to its own devices, her department’s leading role in Trump’s controversial immigration agenda—including promised mass deportations of undocumented immigrants—will likely inflame longstanding tensions between DHS and CISA.

“People within CISA don't want to be considered part of DHS,” says the first CISA employee. “They believe that CISA should be its own realm.”

Amid a migration surge during Trump’s first term, DHS asked CISA employees to volunteer to help safeguard the US-Mexico border. “I do not believe that people \[will\] want to be considered part of DHS if that type of stuff is going to continue,” the first CISA employee says.

With DHS leaning harder than ever before into immigration crackdowns, CISA employees are longing for a separation—with even the conservative Project 2025’s unorthodox reorganization proposal sounding appealing to some.

“DHS is gonna be a real awful place the next four years,” says the third CISA employee. “Maybe we should move to Transportation.”

**Quiet Concerns**

While they wait for Trump to signal his approach to cybersecurity, CISA employees are quietly exchanging worries about what’s next for their workplace.

“There have been unspoken concerns about what's going to happen once the administration changes,” says the first CISA employee. “Anything that we do is going to affect the American public in one way or another, so we need to know … what's going to be coming down the pike.”

The mood inside the agency is “uncertain,” says the second CISA employee.

“CISA’s staff isn’t interested in getting politicized,” says the third CISA employee. “We just want to do good work for the American public that makes things more secure and resilient.”

CISA director Jen Easterly said in a statement that she “could not be prouder” of the agency’s achievements.

“CISA’s been able to accomplish its mission thanks to a talented and dedicated workforce, bipartisan support in Congress, and partnerships across government and industry,” Easterly said. “It’s important this work continues as the nation’s critical infrastructure faces an ever evolving and complex threat environment.”

For now, agency employees are distracting themselves by doubling down on that work.

“We kind of bury ourselves into the day to day, just trying to do as much as we can until we get the call that this position or this branch is going to be eliminated,” says the first CISA employee. “We don't have any control over things right now, and I think that's what makes things scary for a lot of us.”

The Top Cybersecurity Agency in the US Is Bracing for Donald Trump

A thwarted attack demonstrates that threat actors using yet another delivery method for the malware, which already has been spread using phishing emails, malvertising, hijacking of instant messages, and SEO poisoning.

Source: Brian Jackson via Alamy Stock Photo

The DarkGate remote access Trojan (RAT) has a new attack vector: A threat actor targeted a Microsoft Teams user via a voice call to gain access to their device.

The attack adds to the other methods for spreading the RAT, which previously has been propagated using phishing emails, malvertising, hijacking of Skype and Teams messages, and search engine optimization (SEO) poisoning, researchers said.

Researchers at Trend Micro discovered the voice phishing, or vishing, attack, in which an attacker initially tried to install a Microsoft remote support application to gain access to the user's device, they revealed in a recent blog post. While this failed, the cyberattackers then used social engineering to convince the victim to download the AnyDesk tool for remote access, which they eventually achieved.

The attacker loaded multiple "suspicious files" onto the victim's machine via a connection that was established to a command-and-control (C2) server, one of which was DarkGate, according to Trend Micro. The RAT, distributed as usual via an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system information, and connected to a command-and-control (C2) server.

**A Multistage Vishing Cyberattack**

The multistage attack started off in a more typical DarkGate way, through a flood of thousands of phishing emails sent to the victim's inbox. The emails were followed up with a Microsoft Teams call purportedly for technical support, which kicked off the vishing attack.

The caller claimed to be an employee of an external supplier of the victim's company needing assistance, and instructed the victim to download the Microsoft Remote Support application.

"However, the installation via the Microsoft Store failed," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta wrote in the post. "The attacker then instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk."

The attacker used AnyDesk to set up a communication channel to C2 and initiate various malicious scripts and eventually a PowerShell command to drop DarkGate using the Autoit legitimate Windows automation and scripting tool favored by attackers for obfuscation and defense evasion. After installation, the attack also loaded files and a registry entry for persistence.

**Another Channel for Spreading DarkGate Malware**

While ultimately the attack was stopped before data could be exfiltrated from the victim's machine, it demonstrates DarkGate actors using yet another means to spread the formidable RAT, adding to a long list of previously used delivery methods, the researchers said.

DarkGate has been used to target users around the world since at least 2017 and integrates multiple diverse and malicious functions. Among its capabilities are executing commands for gathering system information, mapping networks, and doing directory traversal, as well as launching Remote Desktop Protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software.

DarkGate also has features to support cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers, and is even known to carry additional payloads, including other RATs like Remcos.

**How to Protect Against Sophisticated Vishing Attacks**

Vishing attacks are becoming ever more psychologically sophisticated, with attackers even resorting to physical intimidation to coerce victims into complying with demands. Training employees on signs of a vishing attack, including staying up to date on the latest tactics, is becoming increasingly important as these attacks escalate.

"Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization’s overall security posture," the researchers wrote.

Organizations also should "thoroughly vet third-party technical support providers" to "ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems, the researchers wrote. Moreover, they should establish cloud-vetting processes to evaluate and approve remote access tools, such as AnyDesk to assess security compliance and vendor reputation before putting them in use.

Whitelisting approved remote access tools and blocking any unverified applications as well as integrating multifactor authentication (MFA) on remote access tools also reduce "the risk of malicious tools being used to gain control over internal machines," the researchers wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft Teams Vishing Spreads DarkGate RAT

A list of topics we covered in the week of December 9 to December 15 of 2024

December 13, 2024 - Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

December 12, 2024 - Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

December 12, 2024 - Senators introduced a bill to stop data brokers from trading in health and location data and enable the FTC to enforce the new rules

December 10, 2024 - TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

December 9, 2024 - Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

 A week in security (December 9 &#8211; December 15) 

A fraudulent Google ad meant to phish employees for their login credentials redirects them to a fake browser update page instead.

On December 15, we detected a malicious campaign targeting Kaiser Permanente employees via Google Search Ads. The fraudulent ad masquerades as the health care company’s HR portal used to check for benefits, download paystubs and other corporate related tasks.

We believe the threat actors’ intent was to phish KP employees for their login credentials, but something unexpected happened. Instead, victims who clicked on the ad were redirected to a compromised website that prompted them to update their browser.

This notification is part of a malware campaign known as SocGholish that tricks users into running a script supposedly meant to update their browser. Rather, it infects machines and if the victim is deemed important enough, a human operator will gain access in order to perform nefarious actions.

In this blog post, we review how this attack unfolds and why a compromised website derailed the attackers’ plan. We already reported the malicious ad to Google.

Several criminal gangs are currently abusing Google Ads to phish victims of various large companies. They prey on employees simply googling for their HR portal so that they can display a malicious ad to lure them in.

Case in point, when searching for Kaiser Permanente’s HR portal, we saw the following ad:

We were able to identify the advertiser who registered a fake account under the name ‘Heather Black’. This ad was only showed for U.S.-based searches, as can be seen in the Google Ads Transparency Center report:

**Former company’s website hijacked for phishing**

The displayed url shown in the ad (_https://www.bellonasoftware\[.\]com_) does not look associated with Kaiser Permanente. According to LinkedIn, Bellona Software was a company based in Romania. We can see what their website looked like in 2021, using the Internet Archive:

Sometimes more recently, this same website was taken over by criminals who transformed it into a phishing page for Kaiser Permanente:

**Malicious redirect to SocGholish**

It looks like there was more than one cook in the kitchen, as malicious code was also injected in the core JavaScript libraries for that website, confirmed in a scan by Sucuri’s SiteCheck:

When potential victims clicked on the ad, they landed on that compromised website, which in turn briefly displayed the phishing template only for as long as a mouse scroll or click. Then, a new screen appeared with what looks like a Google Chrome notification claiming the user’s browser is out of date:

This screen, also known as SocGholish, is a long running malware campaign that targets vulnerable websites indiscriminately. When a user executes the downloaded _Update.js_ file, they are instead running a malicious script that will collect some of their computer’s information and relay it to a group of criminals. After this fingerprinting takes place, additional tooling such as Cobalt Strike may be downloaded, preparing the ground for a _human on keyboard_ type of attack.

To the best of our knowledge, the phishing campaign has nothing to do with SocGholish, and we assume that the original threat actors did not anticipate for the website they took over to be compromised. As for the gang behind SocGholish, the victims would come from a Google search, something they usually check for via the referer.

**Protecting against web threats**

For victims, neither the phishing scheme nor the malware are a happy outcome. While initially targeted because of what they searched for, they fell into the hands of a different criminal syndicate.

Such is the reality of web threats. This is a dynamic and ever changing landscape with a number of malicious players trying to lure users in their own way.

Online ads, and in particular search ads, continue to be a threat. As we have showed many times on this blog, any brand is at risk of being impersonated. Unfortunately, this trend has continued unabated throughout 2024.

At the same time, ‘old’ malware campaigns like SocGholish pose a risk due to a never ending number of outdated websites ready to be compromised and act as a springboard for malware delivery.

When searching online, we urge to use extreme caution with any sponsored results and if possible add protection to your online browsing experience with tools like Malwarebytes Browser Guard.

We reported the malicious ad to Google and will update this blog if we hear anything back.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Phishing site

bellonasoftware\[.\]com

SocGholish infrastructure

premium\[.\]davidabostic\[.\]com  
riders\[.\]50kfor50years\[.\]com

 Malicious ad distributes SocGholish malware to Kaiser Permanente employees 

Resecurity unveils AI-powered GSOC at NATO Edge 2024, integrating VR for advanced cybersecurity. Tailored for MSSPs, it enhances…

Resecurity unveils AI-powered GSOC at NATO Edge 2024, integrating VR for advanced cybersecurity. Tailored for MSSPs, it enhances threat detection, response, and collaboration globally.

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC) during NATO Edge 2024, the NATO Communications and Information Agency’s flagship conference. The solution is also specifically tailored for MSSPs that protect aerospace and defense organizations.

This year’s event, held from December 3 to 5, emphasized emerging technologies in defense, fostering collaboration between governments, academia, and private enterprises. Resecurity’s GSOC harnesses cutting-edge artificial intelligence (AI) through Context AI and innovative virtual reality (VR) capabilities, revolutionizing the future of cybersecurity operations.

Resecurity’s GSOC solution resonated strongly with the event’s goals, demonstrating how advanced AI and VR capabilities could bolster NATO’s cybersecurity infrastructure and address its operational challenges.

****GSOC: A modern approach to cybersecurity****

The **Government Security Operations Center (GSOC)** is a centralized hub for cybersecurity monitoring, threat detection, and response coordination. Resecurity’s GSOC leverages **AI and VR** to address the increasing complexity of cybersecurity operations by enabling real-time insights, collaboration, and action.

****SOC solution powered by AI****

Context AI is at the core of Resecurity’s GSOC, an advanced AI-powered engine designed to revolutionize how security events are analyzed and managed. Context AI integrates machine learning, predictive analytics, and data visualization to deliver unparalleled capabilities in cybersecurity operations:

*   **Real-time threat analysis**: Resecurity quickly and precisely identifies suspicious activities and potential vulnerabilities by processing and correlating data from numerous sources, including threat intelligence feeds, network logs, and endpoint devices.
*   **Enhanced decision-making**: Context AI by Resecurity employs natural language processing (NLP) and machine learning to generate actionable insights, enabling operators to make faster, more informed decisions.
*   **Scalability and automation**: The SOC platform automates repetitive tasks such as alert triaging, allowing cybersecurity professionals to focus on complex, high-priority incidents.

By integrating Context AI into GSOC, Resecurity addresses the critical challenges faced by traditional SOCs, such as **overwhelming alert volumes** and false positives, ensuring efficient operations even under significant stress.

****VR and the Cybersecurity Metaverse****

A standout feature of the GSOC is its integration of virtual reality (VR), enabling operators to leverage the cybersecurity metaverse for enhanced situational awareness, threat management, and collaboration. The use of VR offers a unique and immersive way to interact with cybersecurity data and operational environments:

**1\. Immersive threat visualization**: Operators can explore attack surfaces, breach points, and threat vectors in a dynamic, 3D virtual space. This visualization provides a holistic view of cybersecurity events that are often impossible to achieve with traditional tools.

**2\. Collaborative incident response**: In the VR environment, multiple operators, regardless of geographic location, can collaborate in real-time to simulate, analyze, and respond to cyber incidents. These foster improved communication and coordination, which are critical for national and allied security operations.

**3\. Advanced training simulations**: VR environments allow GSOC personnel to train in realistic scenarios, such as handling ransomware attacks or defending against state-sponsored cyber intrusions. These simulations provide operators with hands-on experience in a controlled yet realistic setting, improving their readiness for real-world incidents.

By integrating VR, GSOC goes beyond conventional dashboards and interfaces, creating a more intuitive and interactive approach to managing cybersecurity threats.

****The role of GSOC in national security****

Resecurity’s GSOC is designed to serve as a comprehensive cybersecurity framework for governments and allied organizations. It enables a **centralized approach to security operations**, ensuring real-time monitoring and response capabilities across agencies and infrastructure.

Key benefits of the GSOC include:

*   **Unified security monitoring**: By consolidating security operations, GSOC provides a holistic view of all potential threats across critical systems, such as energy grids, transportation networks, and communication platforms.
*   **Threat intelligence aggregation**: The GSOC collects and processes threat intelligence from various public and private sources, enabling governments to stay ahead of emerging threats.
*   **Cross-agency collaboration**: Governments can use GSOC to coordinate cybersecurity efforts between multiple agencies, ensuring cohesive and timely responses to incidents.

NATO Edge 2024 emphasized the importance of leveraging advanced technologies, such as AI and VR, to bolster member states’ defense capabilities.

****The future of GSOC: Driving cybersecurity innovation****

Resecurity’s GSOC is not just a technological solution; it represents a paradigm shift in how governments and organizations approach cybersecurity. The integration of AI and VR is just the beginning of what GSOCs can achieve in the future.

*   **Evolving AI applications**: Advances in AI, such as predictive analytics and autonomous systems, will enable GSOCs to anticipate and neutralize threats before they materialize.
*   **Expanding VR capabilities**: The use of VR in GSOCs will extend beyond training and visualization, incorporating augmented reality (AR) tools for field operatives and remote teams.
*   **International collaboration**: GSOCs will play a key role in fostering global partnerships, allowing nations to pool resources, share intelligence, and build collective defense strategies.

****About Resecurity****

Resecurity® is a cybersecurity company that delivers a unified endpoint protection, fraud prevention, risk management, and cyber threat intelligence platform. Known for providing best-of-breed data-driven intelligence solutions, Resecurity’s services and platforms focus on early-warning identification of data breaches and comprehensive protection against cybersecurity risks.

Founded in 2016, it has been globally recognized as one of the world’s most innovative cybersecurity companies with the sole mission of enabling organizations to combat cyber threats regardless of how sophisticated they are.

Most recently, Resecurity was named one of the Top 10 fastest-growing private cybersecurity companies in Los Angeles, California, by Inc. Magazine. An Official Partner of the Cybercrime Atlas by the World Economic Forum (WEF), a Member of InfraGard National Members Alliance (INMA), AFCEA, NDIA, SIA, FS-ISAC, Cloud Security Alliance (CSA), and the American Chamber of Commerce in Saudi Arabia (AmChamKSA), Singapore (AmChamSG), Korea (AmChamKorea), Mexico (AmChamMX), Thailand (AmChamThailand), and UAE (AmChamDubai).

****Contact****

**Mills**

**Peter**

**Resecurity, Inc.**

**\[email protected\]**

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

_The original version of_ _this story_ _appeared in Quanta Magazine._

For thousands of years, if you wanted to send a secret message, there was basically one way to do it. You’d scramble the message using a special rule, known only to you and your intended audience. This rule acted like the key to a lock. If you had the key, you could unscramble the message; otherwise, you’d need to pick the lock. Some locks are so effective they can never be picked, even with infinite time and resources. But even those schemes suffer from the same Achilles’ heel that plagues all such encryption systems: How do you get that key into the right hands while keeping it out of the wrong ones?

The counterintuitive solution, known as public key cryptography, relies not on keeping a key secret but rather on making it widely available. The trick is to also use a second key that you never share with anyone, even the person you’re communicating with. It’s only by using this combination of two keys—one public, one private—that someone can both scramble and unscramble a message.

To understand how this works, it’s easier to think of the “keys” not as objects that fit into a lock, but as two complementary ingredients in an invisible ink. The first ingredient makes messages disappear, and the second makes them reappear. If a spy named Boris wants to send his counterpart Natasha a secret message, he writes a message and then uses the first ingredient to render it invisible on the page. (This is easy for him to do: Natasha has published an easy and well-known formula for disappearing ink.) When Natasha receives the paper in the mail, she applies the second ingredient that makes Boris’ message reappear.

In this scheme, anyone can make messages invisible, but only Natasha can make them visible again. And because she never shares the formula for the second ingredient with anyone—not even Boris—she can be sure the message hasn’t been deciphered along the way. When Boris wants to receive secret messages, he simply adopts the same procedure: He publishes an easy recipe for making messages disappear (that Natasha or anyone else can use), while keeping another one just for himself that makes them reappear.

In public key cryptography, the “public” and “private” keys work just like the first and second ingredients in this special invisible ink: One encrypts messages, the other decrypts them. But instead of using chemicals, public key cryptography uses mathematical puzzles called trapdoor functions. These functions are easy to compute in one direction and extremely difficult to reverse. But they also contain “trapdoors,” pieces of information that, if known, make the functions trivially easy to compute in both directions.

One common trapdoor function involves multiplying two large prime numbers, an easy operation to perform. But reversing it—that is, starting with the product and finding each prime factor—is computationally impractical. To make a public key, start with two large prime numbers. These are your trapdoors. Multiply the two numbers together, then perform some additional mathematical operations. This public key can now encrypt messages. To decrypt them, you’ll need the corresponding private key, which contains the prime factors—the necessary trapdoors. With those numbers, it’s easy to decrypt the message. Keep those two prime factors secret, and the message will stay secret.

Illustration: Mark Belan/_Quanta Magazine_

The foundations for public key cryptography were first discovered between 1970 and 1974 by British mathematicians working for the U.K. Government Communications Headquarters, the same government agency that cracked the Nazi Enigma code during World War II. Their work (which remained classified until 1997) was shared with the US National Security Agency, but due to limited and expensive computing capacity, neither government implemented the system. In 1976, the American researchers Whitfield Diffie and Martin Hellman discovered the first publicly known public key cryptography scheme, influenced by the cryptographer Ralph Merkle. Just a year later, the RSA algorithm, named after its inventors Ron Rivest, Adi Shamir and Leonard Adleman, established a practical way to use public key cryptography. It’s still in wide use today, a fundamental building block of the modern internet, enabling everything from shopping to web-based email.

This two-key system also makes possible “digital signatures”—mathematical proof that a message was generated by the holder of a private key. This works because private keys can be used to encrypt messages too, not just decrypt them. Of course, this is useless for keeping messages secret: If you used your private key to scramble a message, anyone could just use the corresponding public key to unscramble it. But it does prove that you, and only you, created the message, since as the holder of the private key, only you could have encrypted the message. Cryptocurrencies like bitcoin couldn’t exist without this idea.

If two cryptographic keys instead of one is so effective, why did it take millennia to discover? According to Russell Impagliazzo, a computer scientist and cryptography theorist at the University of California, San Diego, the concept of a trapdoor function just wasn’t useful enough before the invention of computers.

“It’s a matter of technology,” he said. “A person in the 19th century thought of encryption as being between individual agents with military intelligence in the field—literally, in a field with guns firing. So if your first step is ‘pick two 100-digit prime numbers to multiply together,’ the battle is going to be over before you do that.” If you reduce the problem to something a human can do quickly, it’s not going to be terribly secure.

But while computers helped make public key cryptography possible, they’ve also created cracks in its armor. In 1994, the mathematician Peter Shor discovered a way for quantum computers to efficiently reverse the trapdoor functions that underlie most current public key cryptography systems, including prime factorization. This algorithm, if implemented, would act like an all-purpose “reappearing ink,” capable of making any invisible message reappear. Goodbye, internet security.

Luckily, quantum computers themselves are “still in the ENIAC phase,” Impagliazzo said, referring to the room-size machine built for the US Army in 1945. By the time quantum computers become sophisticated enough to pose a real threat to public key cryptography, its original trapdoor functions could be replaced by “quantum-safe” versions called lattice problems. Of course, this new computational “ink” may also become susceptible to attack in the future. But that’s the great thing about public key cryptography: As long as we can find new functions to use, we can just keep reinventing the wheel. Or in this case, the key.

_Original story_ _reprinted with permission from Quanta Magazine, an editorially independent publication of the_ _Simons Foundation_ _whose mission is to enhance public understanding of science by covering research developments and trends in mathematics and the physical and life sciences._

The Simple Math Behind Public Key Cryptography

A new side-channel attack method is a computationally practical way to infer the structure of a convolutional neural network — meaning that cyberattackers or rival companies can plagiarize AI models and take their data for themselves.

Source: Daniel Chetroni via Alamy Stock Photo

Researchers have demonstrated how to recreate a neural network using the electromagnetic (EM) signals emanating from the chip it runs on.

The method, called "TPUXtract," comes courtesy of North Carolina State University's Department of Electrical and Computer Engineering. Using many thousands of dollars worth of equipment and a novel technique called "online template-building," a team of four managed to infer the hyperparameters of a convolutional neural network (CNN) — the settings that define its structure and behavior — running on a Google Edge Tensor Processing Unit (TPU), with 99.91% accuracy.

Practically, TPUXtract enables a cyberattacker with no prior information to essentially steal an artificial intelligence (AI) model: They can recreate a model in its entirety and save the actual data it was trained on, for purposes of intellectual property (IP) theft or follow-on cyberattacks.

**How TPUXtract Works to Recreate AI Models**

The study was conducted on a Google Coral Dev Board, a single-board computer for machine learning (ML) on smaller devices: think edge, Internet of Things (IoT), medical equipment, automotive systems, etc. In particular, researchers paid attention to the board's Edge Tensor Processing Unit (TPU), the application-specific integrated circuit (ASIC) at the heart of the device that allows it to efficiently run complex ML tasks.

Any electronic device like this, as a byproduct of its operations, will emit EM radiation, the nature of which will be influenced by the computations it performs. Knowing this, the researchers conducted their experiments by placing an EM probe on top of the TPU — removing any obstructions like cooling fans — and centering it on the part of the chip emanating the strongest EM signals. Then they fed the machine input data and recorded the signals it leaked.

To begin to make sense of those signals, they first identified that before any data gets processed, a neural network quantizes — compresses — its input data. Only when the data is in a format suitable for the TPU does the EM signal from the chip shoot up, indicating that computations have begun.

At this point, the researchers could begin mapping the EM signature of the model. But trying to estimate all of the dozens or hundreds of compressed layers that comprise the network at the same time would have been effectively impossible.

Every layer in a neural network will have some combination of characteristics: It will perform a certain type of computation, have a certain number of nodes, etc. Importantly, "the property of the first layer affects the 'signature,' or the side-channel pattern of the second layer," notes Ashley Kurian, one of the researchers. Thus, trying to understand anything about the second, 10th, or 100th layer becomes increasingly impossible, as it rests on all of the properties of what came before it.

"So if there are 'N' layers, and there are 'K' numbers of combinations \[of hyperparameters\] for each layer, then computing cost would have been N raised to K," she explains. The researchers studied neural networks with 28 to 242 layers (N) and estimated that K — the total number of possible configurations for any given layer — equaled 5,528.

Instead of having to commit infinite computing power to the problem, they figured they could isolate and analyze each layer in turn.

To recreate each layer of a neural network, the researchers built "templates" — thousands of simulated combinations of hyperparameters, and read the signals they gave off when processing data. Then they compared those results to the signals emitted by the model they were trying to approximate. The closest simulation would be considered correct. Then, they applied the same process to the next layer.

"Within a day, we could completely recreate a neural network that took weeks or months of computation by the developers," Kurian reports.

**Stolen AIs Lead to IP, Cybercrime Risk to Companies**

Pulling off TPUXtract isn't trivial. Besides a wealth of technical know-how, the process also demands a variety of expensive and niche equipment.

The NCSU researchers used a Riscure EM probe station with a motorized XYZ table to scan the chip's surface, and a high sensitivity electromagnetic probe for capturing its weak radio signals. A Picoscope 6000E oscilloscope recorded the traces, Riscure's icWaves field-programmable gate array (FPGA) device aligned them in real-time, and the icWaves transceiver used bandpass filters and AM/FM demodulation to translate and filter out irrelevant signals.

As tricky and costly as it may be for an individual hacker, Kurian says, "It can be a competing company who wants to do this, \[and they could\] in a matter of a few days. For example, a competitor wants to develop \[a copy of\] ChatGPT without doing all of the work. This is something that they can do to save a lot of money."

Intellectual property theft, though, is just one potential reason anyone might want to steal an AI model. Malicious adversaries might also benefit from observing the knobs and dials controlling a popular AI model, so they can probe them for cybersecurity vulnerabilities.

And for the especially ambitious, the researchers also cited four studies that focused on stealing regular neural network parameters. Theoretically, those methods in combination with TPUXtract could be used to recreate the entirety of any AI model — parameters and hyperparameters in all.

To combat these risks, the researchers suggested that AI developers could introduce noise into the AI inference process using dummy operations, or running random operations concurrently, or confuse analysis by randomizing the sequence of layers during processing.

"During the training process," says Kurian, "developers will have to insert these layers, and the model should be trained to know that these noisy layers need not be considered."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

With 'TPUXtract,' Attackers Can Steal Orgs' AI Models

### Summary
A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. 

### Details
In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as "source code", pointing to a prior "malicious" attachment that the attacker has uploaded via FAQ "new attachment" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions).
![image](https://github.com/user-attachments/assets/74fee719-1eea-4bcb-9c7d-da0c5045c74b)

### PoC

1. create a new FAQ record and upload a "malicious" file - in my case, I uploaded an eicar file. take note of the uri, ie <p><iframe "index.php?action=attachment&amp;id=2"
![image](https://github.com/user-attachments/assets/06072ef6-9311-423a-a735-1d6a3274cde8)

3. in the FAQ record, insert a "source code" blob using the "< >" button
4. insert in the following snippet: <p><iframe src="index.php?action=attachment&amp;id=2"></iframe></p> and save FAQ record
5. once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction:
![image](https://github.com/user-attachments/assets/b10e137f-de01-4268-8f9c-0b440ae45349)

(uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry&id=20&lang=en
although a fresh installation overwrites this demo instance every 24 hours)

(as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html)

### Impact
Malicious code or binaries could be dropped on visitors' machines when visiting the FAQ platform. Take a worm or ransomware for instance. 


**Summary**

A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent.

**Details**

In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as "source code", pointing to a prior "malicious" attachment that the attacker has uploaded via FAQ "new attachment" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions).  

**PoC**

1.  create a new FAQ record and upload a "malicious" file - in my case, I uploaded an eicar file. take note of the uri, ie
    
    <iframe "index.php?action=attachment&id=2"  
    
2.  in the FAQ record, insert a "source code" blob using the "< >" button
    
3.  insert in the following snippet:
    
    <iframe src="index.php?action=attachment&id=2"></iframe>
    
    and save FAQ record
4.  once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction:  
    

(uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry&id=20&lang=en  
although a fresh installation overwrites this demo instance every 24 hours)

(as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html)

**Impact**

Malicious code or binaries could be dropped on visitors' machines when visiting the FAQ platform. Take a worm or ransomware for instance.

**References**

*   GHSA-m3r7-8gw7-qwvc
*   https://nvd.nist.gov/vuln/detail/CVE-2024-55889
*   thorsten/phpMyFAQ@fa0f736

GHSA-m3r7-8gw7-qwvc: thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames

The white supremacist Robert Rundo faces years in prison. But the “Active Club” network he helped create has proliferated in countries around the world, from Eastern Europe to South America.

American neo-Nazi Robert Rundo’s six-year “battle with the feds”—a fight that spans two dismissals, three appellate reversals, and an extradition and deportation from at least two countries—concludes today with his sentencing to federal prison for attacking ideological opponents at political rallies across California in 2017.

Along with several members of the Rise Above Movement, a fight club-cum-street gang Rundo cofounded with fellow extremist Ben Daley in Southern California during the peak of the alt-right movement, Rundo was convicted on 2018 charges of conspiracy to violate the federal Anti-Riot Act for training and planning a series of attacks on political opponents at rallies across California and Unite the Right in Virginia the year prior. While Rundo may be locked behind bars for years, the movement he created is running wild around the globe.

In the interceding years since his initial arrest, indictment, imprisonment, and flight from the US after his case was initially dismissed in 2019, Rundo helped mastermind an international network of RAM clones known as “Active Clubs.” A transnational alliance of far-right fight clubs that closely overlap with skinhead gangs and neofascist political movements in North America, Europe, the Antipodes, and South America, the Active Club network is proliferating internationally. There are dozens of Active Clubs in the United States, United Kingdom, Ireland, France, Germany, Holland, Scandinavia, Australia, and Colombia, according to the groups’ presence on Telegram and extremism researchers.

Seemingly harmless from the outside, Active Clubs are small groups of young men who go on hikes, train in combat sports, weight-lift, and build camaraderie—all part of the Rise Above Movement’s original program. But the darkness is in the details: The groups’ membership often overlaps with other extremist organizations like Patriot Front, criminal skinhead groups like the Hammerskins, and other violent extremists in foreign nations. Some US-based Active Clubs are branching out into political intimidation and violence, like the Rise Above Movement before them.

“I definitely do believe that in the future there needs to be a mass movement, a mass organization, but when it comes for that, do you really want a bunch of guys coming strictly from the online world to come join a mass movement without having any experience or skills?” Rundo said in a video posted online shortly before his March 2023 arrest in Bucharest, Romania. “Active clubs are a great local way to start guys off as they come from the online world into the real world, to learn actual skills.”

Hannah Gais, a senior research analyst at the Southern Poverty Law Center who has long researched Rundo and his associates, says the Active Club model stands out for its low barrier to entry, emphasis on positive community building to draw new blood from outside of extremist circles, and a ready-made international network. “The model has really made it easier to facilitate those transnational connections,” Gais says. “If you’re not an organization, then you can network with whoever you want.”

The Active Club network is seeing expanded breadth and growing significance in street politics (American members appeared alongside foreign counterparts at extreme right-wing demonstrations in Paris this May and Warsaw this fall), a fact emphasized by US prosecutors in their filing seeking prison time for Rundo. Federal attorneys scoured Rundo’s media output—which is considerable, ranging from a series of far-right “influencer” Telegram channels to the Media2Rise propaganda outlet that he ran in conjunction with stateside followers and members of Patriot Front—for their explanation of how seemingly innocuous fitness organizations like Active Clubs serve as vehicles for radicalization.

In a November 26 sentencing memorandum, prosecutors flagged Rundo’s description of the Active Cub network as “brush fire effect” that will be difficult for authorities to stamp out “because these clubs are generally small and local, helping to shield it from infiltrators and broader law enforcement actions.”

The Active Club ideology also leans heavily on young male grievances against a world that supposedly singles them out in favor of people of color and LGBTQ+ youth. “Defendant lamented that ‘\[b\]oy scouts no longer teach boys how to be men, instead softening them up, discouring \[sic\] any forms of competition, accepting girls, and promoting LGBT values,’ and encouraged Active Clubs to ‘put out propaganda’ to ‘let\[\] our own know the fight is not over,’ the government’s filing reads.

The Active Club network was not Rundo’s creation alone: He came up with the idea along with Denis Nikitin, a German-Russian neo-Nazi who started out as a soccer hooligan before moving into combat sports as a fighter, promoter, and organizer of far-right tournaments. According to exhibits filed by US prosecutors, Nikitin counseled Rundo on how to flee the US in 2018 while dodging what he believed to be his first arrest warrant, and sought to smuggle him into Ukraine with the assistance of the Azov Movement (a neo-Nazi political movement that has its own paramilitary forces integrated with the Ukrainian military and organizes with other similar extremist groups across Europe) and its allies in that country’s security services. Nikitin is not currently charged with an offense by the United States government.

Nikitin, whose legal surname is Kapustin, is one of Europe’s most influential neo-Nazi activists, starting out small with fight club events held in backwater Russian cities among amateurs from soccer hooligan and skinhead groups. In 2012, Nikitin’s MMA tournament promotion vehicle, White Rex, ran its first tournament outside Russia, in Kyiv. Soon Nikitin was hosting tournaments in Italy, Hungary, France, Germany, Greece, and elsewhere.

Nikitin also got his hands dirty. He allegedly participated in the hooligan riot during Russia’s 2016 European Championship clash with England in Marseille and trained British Nazis in armed combat tactics in 2014 at camps in England and Wales, as well as Swiss extremists in 2017. In 2019, he was reportedly banned from the European Union’s Schengen Zone for promoting extremism in several countries.

Nikitin currently leads a volunteer combat battalion of far-right wing extremists in association with Ukrainian command that spearheaded a surprise assault on Russia’s Kursk region earlier this year.

Since Rundo and Kapustin coined the concept of an Active Club in 2021 on an eponymous podcast, the neo-Nazi fight clubs have proliferated throughout Western Europe, Australia, and the United States, and are currently the preeminent organizing model for far-right streetfighters. Their members have been involved in political violence in the US and France, have been banned and arrested in Germany, and are a growing concern for UK and Irish law enforcement as the place of their recruiting has skyrocketed following this summer's riots.

Michael Vandelune, a research fellow at the American Counterterrorism Targeting & Resilience Institute, has long studied transnational networking by neo-fascist groups, including Rundo’s relationship with Nikitin. “Rundo was building on the Eastern European emphasis on hypermasculinity and physical fitness, and in many ways, he was a perfect Western mouthpiece for Nikitin and similar peoples’ ideas,” Vandelune says. Rundo’s devotion to Nikitin is apparent: While getting RAM off the ground, he repeatedly cited Nikitin’s white-nationalist clothing brand and MMA promotion company White Rex as inspiration, and got the company’s logo tattooed on his shin in 2018.

Along with members of the Azov Movement’s 3rd Assault Battalion who have been integrated into the regular units of Ukraine military intelligence directorate (HUR), Nikitin hosted a September conference in Lviv that gathered representatives from extreme right-wing organizations across Europe for a strategy conference. Italian fascist organization Casapound, which Rundo visited in 2018 and views as an exemplar, sent a representative, as did Germany’s openly neo-Nazi party Dritte Weg (Third Way).

Patrick Macdonald, a Canadian known as ‘Dark Foreigner’ who allegedly produced the neo-Nazi group Atomwaffen Division’s eyecatching signature far-right propaganda at the end of the last decade, did the same work for the Active Club network, according to testimony given during his trial in Ottawa this month (Macdonald has plead not guilty to several charges, including participating in terrorist activity). Last year, the Canadian Anti-Hate Network identified Macdonald as a participant in Canada’s Active Club.

Outside of North America, the Active Clubs have proliferated most widely in France, the first European country to start such an organization. There are currently at least 50 such organizations in operation across the country, from Normandy to Provence and the Swiss border.

Sébastien Bourdon, a French journalist with Le Monde’s video investigations unit who authored a forthcoming book on that country’s far-right, says Active Clubs are the fastest-expanding facet of far-right militancy in France.

“When they launched the first Active Club in France in early 2022, within a few months they had 10 to15 groups. That’s already quite a lot. The fact that within two years they’ve grown from 15 groups to 50-plus groups throughout the country is mad,” Bourdon says. “Historically, most far-right groups in France have been active in big cities like Paris, Lyon, but if you look at some of the places they claim, some of them I’ve never heard of before.”

In France, where far-right street violence has a decades-long history despite authorities’ attempts to ban and dissolve organized groups, Bourdon says Active Clubs have proved effective at dodging legal crackdowns while appearing to have carried out acts of violence including an attack on an asylum center near Nantes last year. At least one founding member of the Active Club in Lyon has gone on to fight in Ukraine alongside other far-right volunteers.

As for Rundo, he will likely spend years in prison—a place he’s been before. He previously served nearly two years for stabbing a rival gang member in Flushing Queens in 2009. While he did radicalize during his stint at New York’s Greene Correctional Facility, starting a small white power gang, Rundo’s forthcoming prison term will mark his first federal term as a certified domestic extremist. But it remains unlikely that federal lockup will change his ideologies.

Rundo “has not renounced the violent extremist ideology that motivated that conduct,” US prosecutors wrote in their sentencing memo. It’s also likely that Rundo will hold out for help from a friendlier government.

Prior to the US election in November, Rundo urged his supporters to vote for Donald Trump specifically in the hope that the Republican president-elect would pardon him and other extremists who plead guilty to federal crimes. Since the election, there has been a sustained pardon campaign from corners of the far-right internet, which is a possibility since Rundo will be serving time in a federal prison when the incoming administration is sworn in this January.

Tag

#mac