Florida firm IMDataCenter exposed 38GB of sensitive data including names, emails and ownership info. At least one hacker accessed and downloaded the files.

Cybersecurity researcher Jeremiah Fowler discovered a major data leak at a Florida-based data solutions provider, IMDataCenter. The leak exposed a massive database containing personal details of users and client companies.

The misconfigured database, with CSV and PDF files, contained a staggering 38GB of information from 10,820 records and was left wide open on the internet without any password protection or encryption.

This leak is particularly alarming because of the type of data exposed. The files contained a vast amount of personally identifiable information (PII), including names, physical addresses, phone numbers, and email addresses. What makes this data dangerous is that it also had sensitive personal details like lifestyle information and home or vehicle ownership.

This valuable, verified information is typically used by IMDataCenter to help clients in various industries, from healthcare and insurance to political campaigns, with their marketing efforts.

The scale of the company’s operation is extensive, with its data library containing details on over 260 million individuals and 600 million email addresses. In the wrong hands, however, this data becomes a perfect tool for criminals.

“With each CSV document containing the data of thousands of individuals, it is difficult to calculate the total number of those who may have potentially had their data exposed,” Fowler noted in the blog post.

The exposure of such a detailed dataset poses significant risks for the victims. The personal details can be used to launch highly convincing phishing scams and other fraudulent schemes.

For example, a scammer could use a person’s verified home address and phone number to make a fraudulent call or email seem more legitimate. This breach could also lead to an increased risk of identity theft and financial crimes as criminals build detailed profiles on their targets.

Upon discovering the exposed data, Fowler sent a “responsible disclosure notice” to IMDataCenter. The database was quickly restricted from public access and is no longer available. A company representative responded, stating, “Data security is really important to us too and really appreciate you sharing this information with us. We are working to secure the information ASAP.”

While the records appeared to belong to IMDataCenter, it remains unknown if the company directly managed the database or if a third-party contractor was responsible.

****However, There’s More to The Story…****

In mid-July 2025, Hackread.com was contacted by a BreachForum user known as ThinkingOne. They claimed to have accessed IMDataCenter’s AWS bucket, which held around 40 GB of data, expanding to roughly 75 GB once uncompressed, with new records being added daily.

ThinkingOne said they had tried to alert IMDataCenter after spotting the leak but never received a response. Eventually, they downloaded all the data available at that time, which included 20 million unique email addresses and 37 million phone numbers.

They also shared that they were able to extract files revealing the names of some of IMDataCenter’s clients, along with sensitive data such as Social Security Numbers (over 50,000) and dates of birth. While the clients weren’t directly named, folder and file names pointed to organizations like airlines, healthcare providers, universities, car dealerships and others.

Hackread.com has chosen not to name these clients to protect their privacy. However, this does not change the fact that IMDataCenter’s exposed data has already been downloaded by at least one third party.

List of files accessed by the hacker and their messages on Telegram on 11th of July, 2025 (Image credit: Hackread.com)

It’s also important to mention that ThinkingOne is known for previous data-related leaks, including the release of 2.8 billion X (formerly Twitter) user profile data in March 2025.

Hacker Accesses Millions of IMDataCenter Records from Exposed AWS Bucket

We’re thrilled to share that this year, the Microsoft Bounty Program has distributed $17 million to 344 security researchers from 59 countries, the highest total bounty awarded in the program’s history.
In close collaboration with the Microsoft Security Response Center (MSRC), these security researchers have helped identify and resolve more than a thousand potential vulnerabilities, strengthening protections for Microsoft customers around the world.

We’re thrilled to share that this year, the Microsoft Bounty Program has distributed **$17 million** to **344 security researchers** from **59 countries**, the highest total bounty awarded in the program’s history.

In close collaboration with the Microsoft Security Response Center (MSRC), these security researchers have helped identify and resolve more than a thousand potential vulnerabilities, strengthening protections for Microsoft customers around the world.

The Microsoft Bounty Program is a key part of our proactive security approach. By incentivizing independent researchers to identify vulnerabilities in high-impact areas, including the rapidly evolving field of AI, we’re able to stay ahead of emerging threats. Through Coordinated Vulnerability Disclosure, these researchers play a critical role in reinforcing the trust that millions of users place in Microsoft technologies every day.

Microsoft’s bounty initiatives span a broad portfolio of Microsoft products and services, including Azure, Microsoft 365, Dynamics 365, Power Platform, Windows, Edge, Xbox, and more. Each program is designed with clear scopes, eligibility requirements, award tiers, and submission guidelines—ensuring that researchers can safely and effectively contribute to our shared mission to protect customers.  

For full program details, visit the https://aka.ms/bugbounty.

**Zero Day Quest**

In April the Microsoft Security Response Center recently welcomed some of the world’s most talented security researchers at Microsoft’s Zero Day Quest, the largest live hacking competition of its kind. The inaugural event challenged the security community to focus on the highest-impact security scenarios for Copilot and Cloud.

The event received more than 600 vulnerability submissions and awarded more than $1.6 million during the qualifying research challenge and live event.  

During the qualifying rounds, researchers submitted their work for a chance to attend the event in person and earn additional incentives beyond our regular bug bounty awards. A select group of researchers then dug in even further in Redmond and online for the live event where they worked on capture-the-flag challenges in Microsoft products, attended social events, and held technical discussions with the Microsoft security teams.

Nearly 100 researchers also participated in our training sessions, which included AI bug hunting with our AI Red Team, SSRF training with our engineering team, and tips and advice from the bounty team.

Zero Day Quest will return annually with new research challenges, bounty multipliers, and deeper collaboration between Microsoft product engineering teams, Microsoft security teams, and the security research community. The 2026 Research Challenge is now open, with the Live Hacking Event returning in spring, bringing new opportunities for researchers to engage, earn rewards, and help advance security together.

**Bounty Programs updates**

As Microsoft’s threat landscape and product ecosystem continue to evolve, so too does the Microsoft Bounty Program. We regularly adapt our programs—expanding coverage to include new products and services, and refining research priorities to stay ahead of emerging threats and attack techniques. This ongoing evolution ensures our bounty initiatives remain aligned with the latest security challenges and continue to drive meaningful impact.

This past year, the program publicly introduced the following:

*   Copilot Bounty Program was expanded to integrate traditional online service vulnerabilities Microsoft Vulnerability Severity Classification for Online Services, moderate severity issues, and Copilot for WhatsApp & Telegram. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.
    
*   Identity Bounty Program scope expansion to include addition APIs and domains that secure Enterprise accounts
    
*   Defender Bounty Program scope expansion to include Microsoft Defender for Identity (MDI), Microsoft Defender for Office (MDO), and Microsoft Defender for Cloud Applications (MDA)
    
*   M365 Bounty Program scope expansion to include Viva Glint, Learning, Pulse, and Feature Access Control
    
*   Dynamics 365 & Power Platform Bounty Program expanded awards to include AI Bounty Award category
    
*   Windows Bounty Program attack scenario awards were refreshed for remote persistent DoS and local sandbox escape scenarios.
    

**Bounty awards**

Bounty awards are determined by the severity and potential impact of the reported vulnerability, as well as the clarity, accuracy, and completeness of the submission. We prioritize awards in areas that matter most to our customers, encouraging research that drives meaningful security improvements where it counts most.

Looking ahead, we remain committed to evolving our programs to better protect customers and based on your feedback. We’re deeply grateful to our global community of security researchers for their continued partnership and expertise in helping protect millions of Microsoft users.

We’re excited to strengthen existing collaborations and welcome new contributors as we continue building a safer digital ecosystem together.

Stay secure & happy hunting!

_Madeline Eckert, Lynn Miyashita, Nyesha Harden_

Microsoft Bounty Team

Microsoft Bounty Program year in review: $17 million in rewards

Some of the most devastating cyberattacks don’t rely on brute force, but instead succeed through stealth. These quiet intrusions often go unnoticed until long after the attacker has disappeared. Among the most insidious are man-in-the-middle (MITM) attacks, where criminals exploit weaknesses in communication protocols to silently position themselves between two unsuspecting parties

Man-in-the-Middle Attack Prevention Guide

The Defense Department operates slot machines on US military bases overseas, raising millions of dollars to fund recreation for troops—and creating risks for soldiers prone to gambling addiction.

When Dave Yeager stumbled upon the chamber of shiny, casino-style slot machines, he felt an instant pull. It was his first night of deployment in Seoul, South Korea, and the United States Army officer was in a bad headspace. The September 11, 2001, attacks had just happened, and he had a wife and two children under the age of 5 at home whom he missed fiercely. He felt lost.

Yeager had never seen a slot machine on a military base before—there weren’t any in the US—but he figured trying his luck couldn’t make things worse. “As I’m sitting there, the first thing I’m noticing is that my shoulders are relaxing,” Yeager remembers. “Then, I won. In that moment, all the stress, the anxiety, the pain, the hurt, the fear—it washed away.”

Pulling the slot machine’s levers felt like a salve—until they didn’t. Yeager found another room filled with slot machines at his next base. Over a period of about three months, he spiraled into what he says was a “devastating obsession” with playing the military-run casino games. He eventually drained his savings, sold his stuff, even stole from his unit. He didn’t tell anyone what was going on. “I thought no one could help me,” he says.

While not everyone who plays the slots struggles like Yeager did, a growing body of evidence indicates that veterans and service members are more likely to struggle with gambling disorders than civilians, says Shane W. Kraus, an associate professor at the University of Nevada, Las Vegas, who studies gambling disorders. Service members also tend to be more hesitant to seek help, out of fear of losing rank, security clearance, or being dishonorably discharged, he adds.

Not much has changed since Yeager served—in fact, within the last five years, the slot machine programs the military runs have been making increasing amounts of cash. And, some advocates say, they’re not funneling enough of what they make into education on problem gambling.

**Drafted Into Debt**

The Army Recreation Machine Program (ARMP) currently operates 1,889 slot machines in 79 locations abroad, including Korea, Japan, and Germany, according to Neil Gumbs, general manager, Army Recreation Machine Program (ARMP) Installation Management Command (IMCOM). The ARMP brought in $70.9 million from its slot machine operations during the 2024 fiscal year, according to a document obtained by WIRED. That year, the ARMP made $53 million in net proceeds. (The ARMP program covers slots on Army, Navy, and Marine Corps bases, while the Air Force also has their own version of the program.)

Those figures have been increasing. In the fiscal year 2023, the ARMP brought in $64.8 million in revenue, with $48.9 million in net proceeds. The year before, it made $63.1 million in revenue with net proceeds of $47.3 million, according to documents obtained through a public records request made by this reporter through the Data Liberation Project.

From October 2024 to May 2025, the ARMP’s “house” has had some solid wins. They generated about $47.7 million from players in that period, records obtained by WIRED show. Comparatively, the total return to players from October 2024 to May 2025 was about $37 million in reportable jackpots over $1,200.

In its heyday, the ARMP brought in over $100 million in revenue, per a 2017 report from the Government Accountability Office (GAO), but money-in dwindled substantially between 2010 to 2020, which Gumbs attributed to “movement and reductions in force and installations.” Things began to grow again after 2020. This was partly a boost from Covid-19 boredom, along with “renewed investment in new equipment and cost/expense reductions aided in increasing entertainment on offer,” Gumbs says.

This was a few years after the ARMP installed “Morning Calm,” a popular gambling room on the Army base Camp Humphreys in South Korea (likely a reference to the country’s nickname, “The Land of the Morning Calm”). Slots at the Morning Calm location bring in considerably more than other bases, securing the ARMP more than $6 million from October 2024 through May 2025. Second place? “Ocean Breeze” at Camp Butler/Foster in Japan.

With names like that, you’d think these locations were offering serenity—not siphoning savings. But folks like Yeager claim that’s exactly what they’re doing.

When asked for comment on Yeager’s experience, the ARMP’s Gumbs said: “ARMP is affiliated with the National Council on Problem Gambling (NCPG). Additionally, we promote responsible gambling, and all gaming areas and machines prominently display the national gambling hotline number.” A spokesperson for the NCPG notes that the ARMP became a member as of June 2025, after WIRED began looking into this story.

The ARMP also says it tracks which kinds of gaming machines people play the most, and how much revenue comes from each kind. For instance, 88 Fortunes—a progressive jackpot game inspired by Asian culture—is one of the most popular. It brought in more than $3 million to the house between October 2024 and May 2025. Another game, Novomatic Impera HD 5, brought in $4.3 million during that period.

Operations like Morning Calm appear much more organized than what Yeager remembers from his time in the service: “It’s like they had an extra back room, so they threw 50 slot machines in there,” Yeager recalls. He describes some rooms as the size of an average fast-food chain dining room, though the one he played in most in Seoul had maybe 200 machines. He says the atmosphere is “club-like” and dark.

Not all of ARMP cash is coming from service members—local civilians, retirees, veterans, and contractors who work on bases can also play—but a portion of the money the house generates is taken from a vulnerable population that’s literally putting their existence on the line for their country.

The money doesn’t go into thin air. The ARMP’s earnings go back into each branch’s Morale, Welfare, and Recreation (MWR). Some of it pays for entertainment on bases, such as golf courses, bowling alleys, and libraries. “Proceeds that are returned to MWR are decided and allocated by the garrison commander at each installation,” Gumbs tells WIRED via email. (Garrison commanders are leaders sometimes described as “city managers” of Army installations.) Yeager and other experts say the work the MWR does _is_ important. But he and other experts argue that the military must invest more in prevention, education, and treatment from problem gambling.

**Slot History**

Even though Congress banned gambling devices from domestic US bases in 1951, it’s done little to curb the ARMP on bases abroad. In the early 2000s, Congress asked the Pentagon to study how on-base slots impacted military families like Yeager’s. The Pentagon originally hired consulting firm PricewaterhouseCoopers to do the study, but within months ended the contract to complete the research itself. Rachel Volberg, who worked on the original PricewaterhouseCoopers report, tells WIRED that, while she was never told exactly why they decided to take it in-house, she got the strong impression “they didn't want the money to disappear because they were using it to fund recreational activities for enlisted folks.” She remembers chaplains as the main authority figures in leadership who took the issue seriously.

The final report didn’t reference new problem-gambling rates, but noted that the military couldn’t keep many of its morale operations like golf courses running “without slot machine revenue or a significant new source of cash.”

Volberg now studies problem gambling at the University of Massachusetts Amherst.# Asked for comment on the PricewaterhouseCoopers report, an IMCOM spokesperson, referred WIRED to the Pentagon, which referred WIRED back to the Army. The Army’s Public Affairs team also didn’t respond to a request from WIRED on this matter.

After the 2017 GAO report raised concerns, Congress passed a provision under the National Defense Authorization Act (NDAA), which, for the first time, required screening for gambling disorders every year for service members. A 2018 bill that would have required the DOD to create policies and programs to prevent and treat gambling disorders failed to gain traction.

Last year, US representative Paul Tonko, a New York Democrat, proposed an amendment to the NDAA that would ban the operation of slots on bases. That didn’t pass either. “Our brave service men and women sacrifice everything,” Tonko tells WIRED. “We must do all we can to support them by confronting problem gambling head-on.”

Perhaps counterintuitively, Yeager disagrees with abolishing the ARMP outright. “They do generate money for good causes,” he says, noting that having recreation on bases is key, particularly since eliminating the slots won’t eliminate ways to bet online, or the boredom and anxiety many service members feel.

Instead, he wishes the ARMP would dedicate more of its millions to helping folks struggling like he did. “Rather than just eliminate them, why don’t you mandate a small percentage of that money be turned back over into education, screening, and treatment?” Yeager says. He’d like to see a broad education campaign and more controls.

Other advocates want to see more money put into research and treatment programs, along with adding responsible gambling tools and information, says Cait Huble, communications director for the NCPG. In a 2022 review of the DOD’s responsible gambling policies compared with those of US states, the Kindbridge Research Institute, a nonprofit that focuses on gambling-related issues faced by veterans and other groups, found the DOD had the worst, compared to other jurisdictions with legal slot machine gambling in America.

When asked for comment on this report and whether more responsible gambling tools have been put in place since the Kindbridge review, Gumbs said that “proceeds that are returned to MWR are decided and allocated by the garrison commander at each installation,” and reiterated ARMP’s affiliation with NCPG and its commitment to “responsible gambling.” Another IMCOM spokesperson tells WIRED the NCPG partnership “provides us with insights, tools, and materials that help increase the visibility of responsible gaming at our locations, while also keeping ARMP aligned with the broader industry and any real-time updates from NCPG.”

In 2020, the Army updated its regulations to “provide information” to both soldiers and civilians about problem gambling. However, Huble says this isn’t enough. “Checking the box and saying: ‘We have information, there's a brochure in the health office,’ it's certainly different than making sure that clinicians and even commanders are trained in how to handle a situation where a soldier says they have a gambling problem.”

Meanwhile, another GAO report on problem gambling is expected, but some, like responsible gambling lobbyist Brianne Doura-Schawohl, say it’s “long overdue.” It’s also unclear how recent funding cuts by the so-called Department of Government Efficiency (DOGE) and the administration of President Donald Trump, a former casino mogul, will impact the report and future policy.

Yeager says that any recent DOD updates to gambling prevention policy have been “rudimentary at best,” adding: “There’s still a long way to go.”

**Clear and Present Danger**

For years, Yeager felt that neither the Army nor the Department of Veterans Affairs knew how to help him. That is, until 2007. He showed up to the VA (not for the first time) looking for help. By this time, he’d been disciplined and eventually released by the Army for his gambling, had separated from his wife, and survived multiple suicide attempts. Finally, a counselor dug through her desk and procured a pamphlet. “I swear to god, she blew the dust off of it before handing it to me,” he says.

It mentioned one of the VA’s few gambling treatment programs in the country, located in Ohio. This was what finally helped him. Now, he’s in recovery, spending his time working to improve the way the DOD handles problem gambling. “Because I didn’t fulfill my obligation as a noncommissioned officer, I try to fulfill it now as a veteran in recovery,” he says. “This is where I try to pay it forward.”

If Yeager could talk to defense secretary Pete Hegseth today, he has one main message to get across, starting but not ending with the gambling rooms “where the seed of gambling disorder was planted,” he says. “Educating soldiers, sailors, marines, and airmen that this is a real addiction and that there’s treatment that could improve readiness and could bring people out of the woodwork who are scared to go to treatment,” he says. “It would not be difficult to do.”

_For those struggling with problem gambling, you can contact 1-800-GAMBLER for the National Problem Gambling Helpline._

The US Military Is Raking in Millions From On-Base Slot Machines

This week Bill connects the hype of literary awards to cybersecurity conference season. We highlight key insights from the Q2 2025 IR Trends report, including phishing trends, new ransomware strains, and top targeted sectors. Finally, check out all the places Talos will be at Black Hat.

Thursday, July 31, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

This week the Booker Prize Longlist was released and it featured several books I’ve read this year a couple that are on my TBR (To Be Read), a couple that I had not heard of, and a couple that make me scratch my head and question why they would be included at all. It’s always exciting for me to see the Booker Longlist as it gives me an idea of how I’ve tapped into the literary fiction zeitgeist in first half of the year and what I may be tapping into in the back half of the year. That got me thinking about the cycle of staying up to date with the current threat landscape and the evolution of the threat actor behaviors and techniques and how Black Hat and DEF CON reside in a similar space for all of us in the cyber security space. Some of the new or interesting things that will come out will provide actionable insights, others will be a heaping serving of more of the same and while not trivial they will be super interesting and important, and finally some information will simply be all name and sizzle, but in the end full of sound and fury and signifying nothing.  

As a reader I’ve to understand that these lists, and the authors and books included in them, are there for various reasons and not all of them are on the merit of the narrative and the craft of writing. Early in my career it was hard to separate the things that came out of Summer Camp because I was so desperate to learn and so excited that I often couldn’t leverage my own experiences and separate the actionable from the detritus. Now I find that I don’t even have to expend much energy to move the firehose of information into the proper channels in my mind and then dive in and take what I’ve learned and apply it. Also trusting that if something that seems like empty sizzle is important – that I have team members that will keep me clued in and finding the needles in the never-ending field of haystacks.  

I hope you all have a tremendous time at Summer Camp, see a lot of old friends and make new ones and most importantly that you shower and use deodorant. Conference season is a marathon, it’s long, it’s arduous, it’s sweaty – be the hygienic change you want to see in the world.  

**The one big thing **

The Cisco Talos Incident Response Trends Q2 2025 report is out today, and as always it is packed with in-depth insights into recent attacker behavior. Phishing remains the top initial access vector, but interestingly, the objective of the majority of observed phishing attacks appeared to be credential harvesting, suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities. Ransomware and pre-ransomware incidents made up half of all engagements this quarter, similar to last quarter. Talos IR observed Qilin and Medusa ransomware for the first time, while also responding to previously seen Chaos ransomware. Education was the most targeted industry vertical this quarter.

**Why do I care? **

The report contains details of how attackers are exploiting vulnerabilities and circumventing security tools. Examples include MFA installations with self-service options that allow attackers to register their own devices. We also saw stealthy tactics in ransomware attacks such as the use of PowerShell 1.0 (yes the original version from 2006) in what we’re calling “bring your own binary”.

**So now what? **

The report outlines actionable advice based on observed incidents,  
such as:

*   Proper configuration and monitoring of multi-factor authentication (MFA).
*   Importance of centralized logging
*   Steps to harden endpoint detection and response (EDR) systems.

These insights help prioritize mitigations that directly address real-world attack techniques. Download the report today.

**Top security headlines of the week ****Journalist Discovers Google Vulnerability That Allowed People to Disappear Specific Pages From Search**

By accident, journalist Jack Poulson discovered Google had completely de-listed two of his articles from its search results. “We only found it by complete coincidence,” Poulson told 404 Media. “I happened to be Googling for one of the articles, and even when I typed in the exact title in quotes it wouldn’t show up in search results anymore.” (404 media)

**ChatGPT, GenAI Tools Open to 'Man in the Prompt' Browser Attack**

A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others. (DarkReading)

**Phishers Target Aviation Execs to Scam Customers**

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries (Krebs)

**Can’t get enough Talos? **

We have lots of videos to share, so queue them up and let’s get learning!

**Tales from the Frontlines**

Join the Cisco Talos Incident Response team to hear real-world stories from the frontlines of cyber defense. **Reserve your spot.**

**IR Trends Q2 2025**

Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy. **Read more.**

**Beers with Talos**

So You Wanna Be an Incident Commander? Meet Alex Ryan. Bill, Joe and Hazel chat with Alex about what it really takes to lead through the chaos of a cybersecurity incident, from coordinating stressed-out teams, fielding exec questions, and making sure people eat. **Listen here.**

**Upcoming events where you can find Talos **

Join us at hacker summer camp! **Read our Black Hat preview here.**

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**  
MD5: 906282640ae3088481d19561c55025e4  
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08/details  
Typical Filename: AAct\_x64.exe  
Claimed Product: N/A  
Detection Name: PUA.Win.Tool.Winactivator::1201  

**SHA 256: 0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442**  
MD5: 7854b00a94921b108f0aed00f77c7833  
VirusTotal: https://www.virustotal.com/gui/file/0581bd9f0e1a6979eb2b0e2fd93ed6c034036dadaee863ff2e46c168813fe442/details  
Typical Filename: winword.exe  
Claimed Product: Microsoft Word, Excel, Outlook, Visio, OneNote  
Detection Name: W32.0581BD9F0E.in12.Talos 

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**  
MD5: 42c016ce22ab7360fb7bc7def3a17b04   
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277  
Typical Filename: Rainmeter-4.5.22.exe  
Detection Name: Artemis!Trojan    

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**  
MD5: ff1b6bb151cf9f671c929a4cbdb64d86  
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
Typical Filename: endpoint.query   
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe   
Detection Name: Win.Worm.Bitmin-9847045-0

The Booker Prize Longlist and Hacker Summer Camp

Threat actors have been observed exploiting a now-patched critical SAP NetWeaver flaw to deliver the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025.
"Over the course of three days, a threat actor gained access to the customer's network, attempted to download several suspicious files and communicated with malicious infrastructure linked to Auto-Color

Hackers Exploit SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware

This week on the Lock and Code podcast, we revisit an interview with Joseph Cox about the largest FBI sting operation ever carried out.

_This week on the Lock and Code podcast…_

For decades, digital rights activists, technologists, and cybersecurity experts have worried about what would happen if the US government secretly broke into people’s encrypted communications.

The weird thing, though, is that, in 2018, it already happened. Sort of.

US intelligence agencies, including the FBI and NSA, have long sought what is called a “backdoor” into the secure and private messages that are traded through platforms like WhatsApp, Signal, and Apple’s Messages. These applications all provide what is called “end-to-end encryption,” and while the technology guarantees confidentiality for journalists, human rights activists, political dissidents, and everyday people across the world, it also, according to the US government, provides cover for criminals.

But to access any single criminal or criminal suspect’s encrypted messages would require an entire reworking of the technology itself, opening up not just one person’s communications to surveillance, but everyone’s. This longstanding struggle is commonly referred to as The Crypto Wars, and it dates back to the 1950s during the Cold War, when the US government created export control regulations to protect encryption technology from reaching outside countries.

But several years ago, the high stakes in these Crypto Wars became somewhat theoretical, as the FBI gained access to the communications and whereabouts of hundreds of suspected criminals, and they did it without “breaking” any encryption whatsover.

It all happened with the help of Anom, a budding company behind an allegedly “secure” phone that promised users a bevy of secretive technological features, like end-to-end encrypted messaging, remote data wiping, secure storage vaults, and even voice scrambling. But, unbeknownst to Anom’s users, the entire company was a front for law enforcement. On Anom phones, every message, every photo, every piece of incriminating evidence, and every order to kill someone, was collected and delivered, in full view, to the FBI.

Today, on the Lock and Code podcast with host David Ruiz, we revisit a 2024 interview with 404 Media cofounder and investigative reporter Joseph Cox about the wild, true story of Anom. How did it work, was it “legal,” where did the FBI learn to run a tech startup, and why, amidst decades of debate, are some people ignoring the one real-life example of global forces successfully installing a backdoor into a company?

> The public…and law enforcement, as well, \[have\] had to speculate about what a backdoor in a tech product would actually look like. Well, here’s the answer. This is literally what happens when there is a backdoor, and I find it crazy that not more people are paying attention to it.

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 How the FBI got everything it wanted (re-air) (Lock and Code S06E15) 

Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks.

Darktrace, a leading cybersecurity research firm, has identified what is believed to be the first documented instance of threat actors exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy the evasive Auto-Color backdoor malware.

This flaw, disclosed by SAP SE on April 24, 2025 and assigned a CVSS score of 10, is particularly dangerous as it enables attackers to upload malicious files to the SAP NetWeaver application server, potentially leading to remote code execution and full system compromise.

****About Auto-Color****

The Auto-Color Backdoor, first seen in November 2024 and previously observed targeting systems in the US and Asia, is a Remote Access Trojan (RAT) named for its ability to rename itself to “/var/log/cross/auto-color” post-execution. It primarily targets Linux systems, often found in universities and government institutions in the US and Asia.

Auto-Color is highly evasive, exploiting built-in Linux features like ld.so.preload for persistent system compromise. Each instance is unique due to statically compiled and encrypted command-and-control (C2) configurations. A key new finding is the malware’s suppression tactic: it can “pretend to be sleep” if C2 connections fail, appearing benign to analysts and hiding its full capabilities during analysis.

****Attack Timeline: SAP Exploit to Malware Delivery****

This crucial research was shared with Hackread.com ahead of its publishing on Tuesday, according to which in April 2025, Darktrace Security Operations Centre (SOC) identified a multi-stage Auto-Color attack on a US-based chemicals company’s network.

According to researchers, initial scanning for CVE-2025-31324 was observed from April 25. Active exploitation began on April 27, with an incoming connection from IP 91.193.19.109 and a ZIP file download signalling the exploit.

The compromised device immediately made suspicious DNS requests for Out-of-Band Application Security Testing (OAST) domains on April 27 and 28, a tactic for vulnerability testing or data tunnelling.

Timeline of Exploit (Source: Darktrace)

Roughly ten hours later, on April 27, a shell script (config.sh) was downloaded. The device then made connections to 47.97.42.177, an endpoint linked to Supershell, a C2 platform. Less than 12 hours later, on April 28, the Auto-Color ELF malware file was downloaded from 146.70.41.178. Darktrace’s investigation confirmed this was the first observed pairing of SAP NetWeaver exploitation with Auto-Color malware.

****AI-Powered Security Halts Stealthy Intrusion****

Darktrace’s AI-driven Autonomous Response capability quickly intervened, enforcing a “pattern of life” on the affected device for 30 minutes, starting on April 28. This prevented further malicious actions while allowing normal business operations. Multiple alerts were triggered, prompting investigation by Darktrace’s Managed Detection and Response (MDR) service.

Alerts from the device’s Model Alert Log (Source: Darktrace)

Analysts extended the Autonomous Response actions for an additional 24 hours, giving the customer’s security team crucial time for investigation and remediation.

This incident highlights that despite urgent disclosures, vulnerabilities like CVE-2025-31324 remain actively exploited, leading to more persistent threats. Darktrace’s timely detection and autonomous response ensured the threat was contained, preventing escalation and demonstrating the power of AI in thwarting sophisticated, multi-stage attacks.

Since CVE-2025-31324 remains actively exploited despite disclosure, organisations should take immediate actions, said Mayuresh Dani, Security Research Manager, at Qualys Threat Research Unit.

“Immediately patch SAP NetWeaver systems against CVE-2025-31324, but if for some reason, they cannot install the patch, they should immediately stop exposing these SAP NetWeaver installations on the internet, isolate them and block the /developmentserver/metadatauploader endpoint and also deploy a zero-trust architecture that assumes breach and verifies every network transaction before transmission.”, stressed Mayuresh.

SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive, over $2…

Cybersecurity researchers at CloudSEK’s STRIKE team used facial recognition and GPS data to expose a massive, over $2 million, fake currency operation in India. This report details the exposure of individuals and their activities on Facebook and Instagram.

A large-scale counterfeit currency operation is reportedly circulating fake notes worth millions of dollars, which has been brought to light by cybersecurity firm CloudSEK. Its investigation, shared with Hackread.com, CloudSEK’s STRIKE team has not only calculated the vast spread of this illicit trade, estimated at ₹17.5 crore (over $2 million) in fake Indian currency over just six months (December 26, 2024, to June 26, 2025), but has also managed to identify and pinpoint key individuals behind it.

The unique aspect of this exposé lies in the direct attribution of culprits. Using digital forensics, GPS data, and facial recognition technology, CloudSEK has identified and located major players across the Indian state of Maharashtra.

According to Sourajeet Majumder, a security researcher at CloudSEK, “This is the first time that a cyber investigation has offered such precise attribution of counterfeit actors operating in public digital spaces. We didn’t just find content, we identified the key perpetrators.”

Reportedly, bad actors are using popular social media platforms like Facebook and Instagram in this campaign. CloudSEK’s XVigil platform played a crucial role in its detection by monitoring open-source environments for specific terms like “second series” or “A1 notes,” which are codewords used by sellers.

Source: CloudSEK

The investigation revealed over 4,500 posts promoting counterfeit currency and more than 750 accounts or pages involved in selling these fake notes. Furthermore, over 410 unique phone numbers were found to be connected to sellers. These groups even used Meta Ads for paid promotions, openly reaching out to potential buyers. Some sellers went as far as sharing videos, handwritten notes, and even video calls to show the supposed quality of their fake currency, creating a dangerous “trust-based” black market out in the open.

Source: CloudSEK

****Tracking Down the Accused****

CloudSEK’s researchers combined advanced Open Source Intelligence (OSINT) and Human Intelligence (HUMINT) techniques to unmask group administrators and sellers. They collected facial images, phone numbers, exact GPS locations, and social media profiles of the main suspects.

The researchers also identified several accounts operating under aliases such as Vivek Kumar, Karan Pawar, and Sachin Deeva. Geolocation evidence pointed to activity in Jamade Village (Dhule district, Maharashtra) and Pune, strongly suggesting a coordinated syndicate primarily based in Maharashtra, with Dhule being the potential hotspot.

Further probing revealed that the counterfeiters advertise their fake notes through various social media channels using hashtags like #fakecurrency. To gain trust, they engage with buyers via WhatsApp, sharing “proof” images and even offering live video calls. The production involves professional tools like Adobe Photoshop, industrial-grade printers, and paper that sometimes mimics security features like Mahatma Gandhi watermarks and green security threads.

Source: CloudSEK

CloudSEK has shared its findings with relevant law enforcement agencies at both the state and national levels, providing detailed intelligence to aid in disrupting this criminal network and protecting the country’s financial stability.

Tag

#sap