A newly created inetpub folder turns out to be part of a Microsoft update against a vulnerability tracked as CVE-2025-21204

In a new update for the guide concerning CVE-2025-21204 Microsoft told users they need the new inetpub folder for protection.

As part of April’s patch Tuesday updates, Microsoft released a patch to a link following flaw in the Windows Update Stack. Applying the patch creates a new %systemdrive%\\inetpub folder on the device.

Users who noticed the new folder asked questions because they were concerned about its origin and purpose. Since the empty folder is generally associated with an Internet Information Services (IIS) feature that most users will not be running, this called for an explanation.

Internet Information Services (IIS) is a web server platform created by Microsoft to host websites, web applications, and services on Windows systems. The platform is not installed by default but can be enabled through the Windows Features dialog.

Microsoft states in the update:

> “This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.”

CVE-2025-21204, when successfully exploited, allows an authorized attacker to elevate privileges locally.

Per Microsoft:

> “An authenticated attacker who successfully exploits this vulnerability gains the ability to perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\\SYSTEM account.”

The “link following flaw” means that the product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

As a resolution, denying access to a file can prevent an attacker from replacing that file with a link to a malicious file. Denying access can be done by assigning file/folder permissions. When you set permissions while creating a folder, you specify what users are allowed to do within that folder, such as limiting their ability to “Read-only” which means it allows the user to open and read files within the folder, but not add or edit existing files in the folder.

Read-only inetpub folder

Short answer: the inetpub folder is there to protect you from an attacker exploiting a vulnerability, and it’s hardly taking up any space, so best leave it alone.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 No, it’s not OK to delete that new inetpub folder 

Allegedly responsible for the theft of $1.5 billion in cryptocurrency from a single exchange, North Korea’s TraderTraitor is one of the most sophisticated cybercrime groups in the world.

On February 21, the largest crypto heist ever started to unfold. Hackers gained control of a crypto wallet belonging to the world’s second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds out.

The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea’s elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a bounty scheme to track down the stolen funds, the FBI quickly pinned the blame on the North Korean hackers known as TraderTraitor.

Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software.

“We were waiting for the next big thing,” says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. “They didn't go away. They didn’t try to stop. They were clearly plotting and planning—and they’re doing that now,” he says.

North Korea’s hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea’s cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom’s nuclear programs. Increasingly, that means stealing cryptocurrency.

Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed technically skilled IT workers to infiltrate companies around the world and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella Lazarus Group, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up one part of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency.

TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 by security companies—is primarily interested in cryptocurrency.

“They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,” says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. “The Jade Sleet group \[TraderTraitor\] is one of the most sophisticated groups within that echelon,” she says.

TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and attempted to steal $1 billion from the Central Bank of Bangladesh at the start of 2016. “They walked off with very little money,” says DTEX Systems’s Barnhart. “In that moment you had a real, significant shift.”

Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. “TraderTraitor is the most sophisticated of all,” he says. “And why? Because APT38 was the A team.”

Since then, TraderTraitor has been linked to multiple large-scale cryptocurrency thefts in recent years. For instance, the March 2024 theft of $308 million from Japan-based cryptocurrency company DMM has been linked to TraderTraitor by the FBI, Department of Defense, and police in Japan.

TraderTraitor typically targets people working at Web3 firms using spear-phishing messages—most often, people working on software development. “They know the individuals that work at these companies, they track them, they have profiles on them, they know which trading platforms are doing the most volume. They’re focused on that entire industry, understanding it backwards and forwards,” says Microsoft’s DeGrippo.

GitHub, which is owned by Microsoft, highlighted in July 2023 how TraderTraitor created fake accounts on the coding platform, plus LinkedIn, Slack, and Telegram. The TraderTraitor criminals can create fake personas that they use to message their targets or use real accounts that have been hacked, GitHub’s research says. In that instance, TraderTraitor invited developers to collaborate on GitHub, before ultimately infecting them with malware using malicious code. Recently, security researchers at Palo Alto Networks’ Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and linked them back to TraderTraitor.

The group has been seen using “custom backdoors,” such as PLOTTWIST and TIEDYE, that target macOS, says Adrian Hernandez, a senior threat analyst at Google’s Threat Intelligence Group. “These are typically heavily obfuscated to prevent detection and thwart analysis,” Hernandez says. “Once UNC4899 \[TraderTraitor\] has gained access to valid credentials, we’ve observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.”

Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering often follows a similar pattern, as cryptocurrency tracing firm Elliptic outlined in a blog post breaking down the Bybit hack. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens—which are often issued by centralized entities and can have restrictions placed upon them—for more mainstream cryptocurrency assets like ether and bitcoin that are harder to limit.

“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied in the coming days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through crypto mixers that aim to obscure crypto transactions.

“North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic says in its blog post.

In addition to cryptocurrency heists, TraderTraitor has been linked to hacks at software supply chain companies, most prominently JumpCloud in June 2023. Compromising software used by multiple companies may provide the hackers a stealthier way into their intended targets. “That could impact any tech industry, any organization that uses that software,” says Andy Piazza, senior director for threat research at Unit 42.

As TraderTraitor has increasingly garnered attention over the past couple of years, Piazza says he has seen the group improve their operations and attempt to evade detection. For example, Unit 42’s recent research noted that TraderTraitor had been using malware the researchers called RN Loader that installs an information stealer and then deletes itself, making it harder to detect.

“You can definitely tell that they’re stepping up,” Piazza says.

Piazza says that unlike haphazard Russian hacking groups—which were both in the networks of the DNC simultaneously around 2016—there appears to be more organization with the North Korean groups. “It seems more coordinated that they're not bumping into each other out in the battle space,” Piazza says. “They’re really showing that they have the capability to be focused on that OPSEC, to be focused on that persistence capability.”

North Korea’s hacking operations may be even more complex than many realize. According to Piazza and other experts WIRED spoke to, the crypto hackers and the undercover IT workers may even coordinate. Their tactics show some “overlap,” Piazza says.

“If you right now went out onto some type of freelance website and said that you are a brand-new crypto startup and you’re looking for developers before the day is out, you would have North Koreans in your inbox,” Barnhart, the DTEX Systems researcher, says. He says some North Korean hackers can bounce between the country’s different groups, and there’s the possibility that they could also work with or alongside its IT workers. There may be more overlap than people thought, Barnhart says.

“Whenever we attribute this \[hacking\] back to TraderTraitor, was nobody else involved? Did somebody else have a hand in there?”

TraderTraitor: The Kings of the Crypto Heist

Russian APT group Storm-2372 employs device code phishing to bypass Multi-Factor Authentication (MFA). Targets include government, technology, finance,…

**Russian APT group Storm-2372 employs device code phishing to bypass Multi-Factor Authentication (MFA). Targets include government, technology, finance, defense, healthcare.**

Cybersecurity researchers at SOCRadar have discovered a new attack tactic used by the notorious Russian state-backed advanced persistent threat (APT), Storm-2372. According to SOCRadar’s research, shared with Hackread.com, Storm-2372 can now break into online accounts of major organizations without trying to guess passwords.

This is achieved through a method called “device code phishing,” which helps them get around even strong security measures like Multi-Factor Authentication (MFA).

Device Code Phishing takes advantage of the way some devices, like smart TVs, connect to online services. Usually, these devices give you a special code that you type into a website on your computer or phone to log in (OAuth device authorization flow). Hackers are using this same process to fool people into giving them access to their work accounts.

****Here’s how it works****

The hackers send fake messages, often through email or text, telling people they need to use a device code to log in. These messages direct them to real-looking login pages, like the ones from Microsoft. The victims then unknowingly type in a code that the hackers have created. Once the person enters the code, the hackers can get into their account without needing a password or triggering the usual security checks. This makes it much harder to spot the attack as the victims don’t realize they have been compromised until it is too late.

Device Code Phishing Attack Sequence (Source: SOCRadar)

Previously, the method OG Device Code Phishing was used by hackers to create a device code using special tools and sent it via message. However, these codes only lasted about 15 minutes, making it difficult for hackers to log in if the person didn’t see the message.

Storm-2372 employs the more advanced Dynamic Device Code Phishing technique, previously documented by Black Hills in 2023, to create fake websites resembling real login pages using services like Azure Web Apps. When a user visits these fake sites, they generate a new device code, allowing hackers to log in. They sometimes use CORS-Anywhere to display the code correctly in the user’s browser. When the user enters the fake code, they receive access tokens and refresh tokens, allowing hackers to access Microsoft email for up to three months.

Storm-2372 is, reportedly, targeting organizations that hold valuable information and make important decisions. This includes government agencies, technology companies, banks, defence contractors, healthcare providers, and media companies. They’ve been seen attacking organizations in countries like the United States, Ukraine, the United Kingdom, Germany, Canada, and Australia.

This new trick shows that these hackers are getting better at fooling people to get past even good security systems, and companies need to find smarter ways to protect themselves from such sneaky attacks.

“The campaign underlines the critical need for modern organizations to embrace adaptive, context-aware defense mechanisms to counter identity-based threats that are increasingly evading conventional protections,” researchers concluded.

Russia’s Storm-2372 Hits Orgs with MFA Bypass via Device Code Phishing

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without…

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without strong protection, sensitive data, user access, and cloud infrastructure are left vulnerable to breaches. SaaS security is not a single-layer fix; it demands multiple approaches to address cybersecurity threats across identity, data, and applications.

****Key Components of a Secure SaaS Architecture****

Creating a secure SaaS architecture involves prioritizing the most important security factors. Each factor serves to mitigate certain threats that may endanger your application or customer information.

****Identity and Access Management (IAM)****

A strong IAM solution enforces secure access using multi-factor authentication (MFA), single sign-on (SSO), and user provisioning to minimize identity-based threats. Integrate identity providers like Azure AD, Okta, or Google Workspace to gain centralized control over user authentication and authorization.

****Data Protection****

Encrypt sensitive data, implement data loss prevention (DLP) policies, and control data sharing to prevent leaks or breaches. Implement encryption at rest and in transit to protect data at multiple levels.

****Secure Development Practices****

Adopt secure coding principles, perform code reviews, and implement automated security scanning tools to identify vulnerabilities in the initial phases of the development life cycle. Use tools like SonarQube, Snyk, or Checkmarx to scan code and identify vulnerabilities.

****Network Security****

You must implement firewalls, Virtual Private Clouds (VPCs), and network segmentation so that sensitive workloads are placed within secure boundaries. It will also minimize the attack surface. Implement IP whitelisting, VPN access, and network-level monitoring to secure data flow.

****Incident Response Plan****

Establish a good incident response plan that provides detection, containment, and recovery procedures in the case of security incidents. Regular practice drills are necessary to educate your staff to respond to an incident properly.

Bridging these building blocks contributes to developing a good foundation for your SaaS architecture.

****Essential SaaS Security Practices****

Effective SaaS security requires a layered approach. These essential strategies help protect your SaaS applications from unauthorized access, misconfigurations, and third-party vulnerabilities:

1.  **Data Encryption**: You must encrypt data at rest and in transit to prevent unauthorized access. Ensure encryption keys are managed securely to prevent compromise.
2.  **Access Controls**: Use role-based access controls (RBAC) and implement the principle of least privilege. It is necessary to regularly review and audit permissions to minimize over-privileged accounts.
3.  **Secure Configuration**: Regularly review and harden cloud configurations to minimize exposure. Tools like AWS Config, Azure Security Center, and GCP Security Command Center help maintain consistent security configurations.
4.  **Monitoring and Logging**: Enable detailed logs and use tools to detect suspicious behavior. Solutions like AWS CloudTrail, Azure Monitor, and Google Cloud Operations provide insights for incident response.
5.  **Third-Party Risk Management**: Assess the security posture of third-party integrations. Regularly conduct vendor assessments to evaluate risks posed by external services.

Combining these strategies ensures a stronger security posture for your SaaS applications.

****Implementing Identity First Security for Stronger Access Control****

Identity-first security shifts the security focus from the network perimeter to individual user identities. This approach strengthens access control by ensuring that identity is the core factor in securing resources.

****1\. Centralized Identity Management****

You must use centralized identity providers (IdPs) like Azure AD, Okta, or Google Workspace to simplify user management and ensure consistent security policies. Centralized identity management reduces identity sprawl and makes it easier to enforce MFA, password policies, and session control.

****2\. Multi-Factor Authentication (MFA)****

MFA across critical applications is important so you can prevent unauthorized access even if credentials are compromised. Enable adaptive MFA to assess risk signals, such as user behavior or device location, before prompting additional verification.

****3\. Role-Based Access Control (RBAC)****

Implement RBAC to ensure users only have access to resources relevant to their roles, reducing excessive permissions. Continuously review and audit roles to prevent privilege creep.

****4\. Just-in-Time (JIT) Access****

Grant temporary elevated access only when required, minimizing the risk of long-term privileged accounts. This reduces the risk of attackers exploiting excessive or dormant privileges.

By focusing on identity as the foundation for security, organizations can better control access and reduce exposure to breaches.

****Building Secure SaaS Workflows****

Implementing secure workflows helps reduce the risk of human errors and potential security gaps. Structured workflows ensure consistent handling of data, identity, and application behavior.

*   **Secure Onboarding and Offboarding**: Create well-defined onboarding and offboarding processes to manage user access efficiently. Automated provisioning and deprovisioning tools help ensure that no orphaned accounts remain active. Integrate these processes with your IAM provider to streamline access management.

*   **Secure API Management**: Ensure all SaaS APIs are authenticated, encrypted, and properly documented. Implement API gateways and limit exposure to only essential endpoints. Use OAuth 2.0, OpenID Connect, and API rate limiting to enhance API security.

*   **Data Backup and Recovery**: Establish backup routines with strict data recovery objectives. Regularly test recovery processes to minimize downtime in case of an incident. Adopt services like AWS Backup, Azure Backup, or Google Cloud Backup for automated backup management.

By following these practices, organizations can maintain secure and efficient workflows.

****Why Identity Security is the Backbone of Modern Cybersecurity****

Identity security plays an important role in protecting cloud applications, services, and data. Since compromised identities are often the starting point for cyberattacks, securing identities is key to preventing major security incidents.

****Preventing Credential-Based Attacks****

Attackers frequently exploit weak passwords or stolen credentials. Strong identity security with MFA, password policies, and behavior-based monitoring can reduce this risk. Use tools like Microsoft Defender for Identity, Google Cloud Identity Protection, or Okta ThreatInsight to detect suspicious identity-related behavior.

****Enabling Zero Trust Architecture****

Identity security aligns with Zero Trust principles, ensuring that no user or device is trusted by default. Every access request is verified based on identity, device health, and location before access is granted.

****Enhancing User Accountability****

With proper identity tracking and auditing, organizations can monitor user actions and quickly detect suspicious behavior. Solutions like AWS CloudTrail, Azure AD Logs, and Google Cloud Audit Logs provide visibility into identity-related events.

****Improving Compliance****

Identity security helps meet compliance standards by enforcing access controls, maintaining audit trails, and ensuring data protection. Frameworks such as ISO 27001, SOC 2, and HIPAA emphasize strong identity security as part of compliance best practices.

Organizations can build a resilient defense against evolving cyber threats by prioritising identity security.

****Conclusion****

SaaS security is not a one-time effort but a continuous strategy combining proactive threat defense, identity-centric access control, and scalable automation. By implementing strong data encryption, enforcing least-privilege access, and managing identities with precision, businesses can significantly reduce their exposure to threats.

Prioritizing identity security lays the groundwork for Zero Trust and helps meet growing compliance demands. Investing in these security measures not only protects your SaaS stack but also builds long-term customer trust and operational resilience as your business scales.

Top/Featured Image by Vicki Hamilton from Pixabay

SaaS Security Essentials: Reducing Risks in Cloud Applications

The US indicated they will sign the Pall Mall Pact, an international treaty to regulate commercial spyware and surveillance tools.

The US State Department reportedly plans to sign an international agreement designed to govern the use of commercial spyware known as the Pall Mall Pact.

The Pall Mall Pact, formally known as the Pall Mall Process, was initiated by France and the United Kingdom in February 2024. The goal of the Pall Mall Pact is to regulate Commercial Cyber Intrusion Capabilities (CCICs), or what we usually refer to as spyware and surveillance tools.

Signed by France, the UK, Japan, and 18 other EU member states, the Code of Practice is a voluntary non-binding agreement establishing “best practices” among governments in relation to the development, facilitation, purchase, transfer, and use of commercial cyber intrusion tools and services.

Primarily, it aims to tackle the misuse of powerful cybertools sold on the open market. These tools, often developed by private companies like the NSO Group and Paragon Solutions, have been exploited by state and non-state actors to surveil journalists, human rights defenders, activists, and even government officials. The misuse of spyware has raised concerns about its impact on democracy, human rights, and national security.

By promoting international collaboration among governments, combined with industry players like Google and Microsoft, civil society organizations, and academics, the pact represents a collective effort to regulate an industry that has operated almost without reins.

The ongoing proliferation of spyware poses existential risks to privacy and civil liberties. Commercial hacking tools have enabled intrusive surveillance practices that undermine fundamental freedom and human rights. For example, spyware can infiltrate smartphones and computers, granting unauthorized access to sensitive data such as messages, emails, and location information.

Initially, countries like the United States opted not to sign the Pall Mall Pact but to pursue similar initiatives independently. However, this fragmentation could dilute global efforts to regulate spyware effectively. Not ideal, since its voluntary nature already raises questions about its effectiveness.

While not legally binding, the Code offers building blocks for the future and builds momentum for further development. It also offers the participating states a framework for further discussion and national implementation into laws.

In an increasingly digital world, privacy is a growing concern. As our recent research showed, a majority of people feel isolated in securing their sensitive information from companies, governments, AI models, and scammers.

Privacy is more than a personal concern. It’s a cornerstone of democracy and human rights. The Pall Mall Pact offers a roadmap for protecting these values against the misuse of powerful surveillance technologies. No one should be subject to arbitrary or unlawful interference with their privacy, as set out in the International Covenant on Civil and Political Rights and other applicable international and regional treaties.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 The Pall Mall Pact and why it matters 

Out-of-bounds read in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.

CVE-2025-29834: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

April Microsoft Patch Tuesday. A total of 153 vulnerabilities, 2 times more than in March. Of these, 32 were added between the March and April MSPTs. Three vulnerabilities show signs of exploitation in the wild: 🔻 EoP – Windows Common Log File System Driver (CVE-2025-29824). An attacker can gain SYSTEM privileges. No technical details yet.🔻 […]

**April Microsoft Patch Tuesday.** A total of 153 vulnerabilities, 2 times more than in March. Of these, 32 were added between the March and April MSPTs. Three vulnerabilities show signs of exploitation in the wild:

🔻 **EoP** – Windows Common Log File System Driver (CVE-2025-29824). An attacker can gain SYSTEM privileges. No technical details yet.  
🔻 **SFB** – Microsoft Edge (CVE-2025-2783). Sandbox escape with an existing PoC exploit.  
🔻 **RCE** – Microsoft Edge (CVE-2025-24201). Originally reported as a WebKit vuln on Apple OSes. 🤷‍♂️

Microsoft also patched vulnerabilities in Kubernetes with known exploits (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-24513)

Other notable ones:

🔹 **RCE** – LDAP (CVE-2025-26670, CVE-2025-26663), TCP/IP (CVE-2025-26686), Microsoft Office (CVE-2025-29794, CVE-2025-29793), RDS (CVE-2025-27480, CVE-2025-27482), Hyper-V (CVE-2025-27491)  
🔹 **SFB** – Kerberos (CVE-2025-29809)

🗒 Full Vulristics report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

April Microsoft Patch Tuesday

ReversingLabs reveals a malicious npm package targeting Atomic and Exodus wallets, silently hijacking crypto transfers via software patching.

**TL;DR – ReversingLabs has identified a malicious npm package, “pdf-to-office,” that targets Atomic and Exodus crypto wallet users by silently patching local software to hijack transactions. The malware swaps recipient wallet addresses and remains persistent even after removal.**

Cybersecurity firm ReversingLabs (RL) has uncovered a new tactic threat actors are employing to target cryptocurrency users. Their latest research, shared with Hackread.com, reveals that cybercriminals are leveraging the **npm** (Node Package Manager) network to inject malicious code into locally installed cryptocurrency wallet software, specifically targeting Atomic Wallet and Exodus.

This attack involves the malicious patching of legitimate software files, allowing attackers to intercept cryptocurrency transfers by silently swapping recipient wallet addresses.

****Fake Package and Malicious Injection****

RL researchers discovered a malicious npm package named “pdf-to-office” that falsely appeared as a utility for converting PDF files to **Microsoft Office documents**. However, upon execution, it deployed a malicious payload to modify key files within Atomic Wallet and Exodus installation directories.

Malicious Package (Source: RevesingLabs)

The malware overwrites legitimate files with trojanised versions, secretly altering the destination address for outgoing cryptocurrency transactions. This allows attackers to remain undetected for an extended period, as the wallet’s core functionality appears unchanged to the user.

ReversingLabs’ automated Spectra Assure platform flagged this package as suspicious because it exhibited behaviours consistent with previous npm-based malware campaigns. An obfuscated Javascript file was also found within the package, revealing malicious intent.

The payload targeted the "atomic/resources/app.asar" archive in **Atomic Wallet**‘s directory and the "src/app/ui/index.js" file in **Exodus**.

“Atomic Wallets weren’t the only target of this malicious package, either. RL also detected a malicious payload that tried to inject a trojanised file inside a legitimate, locally-installed Exodus wallet as well,” wrote ReversingLabs’ Software Threat Researcher Lucija Valentić in a **blog post**.

The attackers targeted specific Atomic Wallet versions (2.91.5 and 2.90.6), indicating sophistication in their targeting. The malicious files were named accordingly, overwriting the correct file regardless of the installed version.

“We also observed what appears to be an effort by the malicious actors to cover their tracks and thwart incident response efforts, or simply to exfiltrate even more information,” the researcher explained.

****Persistence and Impact****

A particularly problematic part of this campaign is its persistence. Research indicates that even if the malicious “pdf-to-office” package is removed from the victim’s system, the compromised cryptocurrency wallet software remains infected.

Moreover, the trojanised files within Atomic Wallet and Exodus continue to operate, silently redirecting funds to the attackers’ Web3 wallet. The only effective way to eliminate the threat is a complete removal and re-installation of the affected wallet software.

The good news is that the official Atomic Wallet and Exodus Wallet installers remain unaffected, but the compromise occurs after the malicious “pdf-to-office” package is installed and executed.

It is worth noting that this campaign is similar to a previous one RL **reported in late March**, which used two malicious npm packages, "ethers-provider2" and "ethers-providerz" to deliver a payload that patched the legitimate “ethers” package to serve a reverse shell.

The cryptocurrency sector is, therefore, facing increasing risks from software supply chain attacks. These attacks are becoming more sophisticated and frequency-driven, requiring increased vigilance from software producers and end-user organizations.

npm Malware Targets Atomic and Exodus Wallets to Hijack Crypto Transfers

Tech giant Google may soon help users find content they've previously seen, not by searching the web but by scanning their own digital history.

**TL;DR** – Google has filed a patent for a system that lets users search their personal digital history, including web activity and emails, using natural language. While it promises convenience, it also raises concerns around data privacy and user control.

Google has filed a patent for a system titled **“Generating query answers from a user’s history”** that would allow users to retrieve previously viewed content using natural, conversational questions. The aim is to simplify how people locate things they’ve seen before without needing to remember exact keywords or scroll through browser logs.

Currently, if you want to revisit a webpage or document from last week, you’re left relying on your memory or search history. This system would change that by identifying when a user’s question refers to past activity, for example, questions like _“I remember reading about…”_ or _“What was that article on…”_

****How It Would Work****

The system analyzes the phrasing of spoken or typed queries to decide whether a user is asking about something they’ve seen before. If so, it shifts from searching the entire web to searching the user’s activity such as browser history or even email accounts.

“One or more servers classify the natural language query as a query that seeks information previously accessed by the user,” the patent states.

Sources for this search could include web browsing, emails, or other personal data stored on or accessible through the user’s device. However, it goes further than keyword matching. For example, if a user says, _“Find that gardening article I read on my tablet last month,”_ the system would break down “gardening” as the topic, “tablet” as the device, and “last month” as the timeframe, all used as filters to narrow the result.

The patent also describes showing cached versions of past webpages. If a site has changed since the last visit, users might still be able to view the version they saw originally.

“For example, the search result ‘World Chess Championship’ includes a ‘View Cached Result’ link,” the patent reads. “This link may direct the client device to a version of the webpage that was cached on or about 10 days ago.”

****Voice Assistants, Emails, and Everyday Search****

Source: Google

This feature could be integrated into voice assistants, allowing users to say things like, _“What was that turkey recipe I read on my phone?”_ It could also work within Gmail or search engines, pulling up old emails or documents based on vague or natural prompts like _“Grandma’s meatball recipe.”_

****Privacy Questions****

The patent mentions that users may be able to control whether their personal data is used and that anonymization could be applied “in one or more ways before it is stored or used.”

But as with any system that relies on indexing private activity, there are clear concerns. If implemented, this would require a high level of access to personal data browsing history, emails, and device usage, all linked together and searchable from a single query.

The question is whether users will trust a tool powerful enough to remember what they’ve forgotten.

It’s important to note that patents don’t always lead to real products. For example, **Google filed a patent in 2015** for a system that would store user memories in a searchable database, and in July 2021, a **Microsoft patent** described a chatbot that could simulate conversations with deceased individuals.

Although these ideas never became consumer features, they highlight the kinds of directions tech companies are exploring. In this case, Google appears to be pushing toward making personal memory itself searchable.

Google Eyes User Browsing Data Search in New Patent Filing

Authorities arrest 5 Smokeloader botnet customers after Operation Endgame; evidence from seized data links customers to malware, ransomware, and more.

**TL;DR:** The hammer’s coming down not just on malware creators but the users funding them. If you paid to compromise others, your info might’ve been in that seized database and law enforcement is knocking.

Authorities across North America and Europe have started arresting users of the now-defunct Smokeloader botnet, marking a shift in cybercrime enforcement. These individuals paid for access to infected computers and used them to deploy malware, including ransomware, spyware, and cryptominers.

The action is part of a follow-up to Operation Endgame, a **major takedown in May 2024** that dismantled the infrastructure behind Smokeloader, IcedID, SystemBC, Bumblebee, and Pikabot.

Unlike the original operation, which focused on malware operators, this phase targets the customers who bought access from Smokeloader’s pay-per-install service run by a cybercriminal known as “Superstar.”

****Evidence Came From Seized Botnet Database****

During the 2024 takedown, law enforcement obtained backend databases showing who had purchased access to the infected machines. Investigators matched usernames and payment info to real identities. Some suspects believed they were safe, only to be approached months later with search warrants or formal charges.

In several cases, as per Europol’s **press release**, suspects cooperated and provided investigators with digital evidence. Others were found to be reselling Smokeloader access for profit.

****Smokeloader Still Active Despite Takedown****

Although the Smokeloader infrastructure was disrupted in May 2024, the malware continues to circulate. **In February 2025**, customers of Ukraine’s largest bank, PrivatBank, were hit by a large-scale phishing campaign that delivered Smokeloader.

Earlier, **in December 2024**, the malware was used in targeted attacks exploiting Microsoft Office vulnerabilities to infect Windows systems and steal browser credentials.

The investigation remains open. Authorities are working through leads, with more actions expected. A dedicated website, operation-endgame.com, has been launched to collect tips and issue updates.

**Jake Moore**, cybersecurity advisor at ESET, called the operation “a significant disruption to cybercrime networks,” but warned that prosecution will depend on solid evidence.

“This kind of international coordination is difficult to pull off,” Moore said. “But the real challenge now is in court—tying devices and data to criminal intent.”

Law enforcement involved in the operation includes agencies from the U.S., Canada, Germany, France, the Netherlands, Denmark, and the Czech Republic, coordinated by Europol and the Joint Cybercrime Action Taskforce (J-CAT).

Tag

#microsoft