Plus: A US judge rules against police cell phone “tower dumps,” China names alleged NSA agents it says were involved in cyberattacks, and Customs and Border Protection reveals its social media spying tools.

Just three months into the Trump administration's promised crackdown on immigration to the United States, Immigrations and Customs Enforcement now has a $30 million contract with Palantir to build a “near-real time” surveillance platform called ImmigrationOS that would track information about people self-deporting (electing to leave the US). Meanwhile, the Department of Homeland Security has been sending aggressive emails telling people with temporary legal status to leave the US. It is unclear who has actually been sent the messages, though, given that a number of people who are US-born citizens have reported receiving them.

The US Cybersecurity and Infrastructure Security Agency briefly seemed poised this week to cancel funding for the critical software vulnerability tracking project known as the CVE Program. CISA eventually came through with the funding, but some members of the CVE Program's governing board are planning to make the project into an independent nonprofit.

A lawsuit over the Trump administration’s Houthi Signal group chat is revealing details on steps that federal departments did—and did not—take to preserve the messages per records laws.

WIRED took a look at the most dangerous hackers you've never heard of, diving deep on the unrelenting and two-faced Russian intelligence group Gamaredon; the incredibly prolific Chinese Smishing Triad text message scammers; the dangerous members of fallen ransomware giant Black Basta; the Iranian critical infrastructure hackers known as CyberAv3ngers; the TraderTraitor North Korean cryptocurrency hackers responsible for a staggering number of massive heists; and the notorious, longtime Chinese criminal and state-backed crossover hackers known as Brass Typhoon.

On top of all of that, a suspected 4chan hack may have devastating consequences for the controversial image board. The AI company Massive Blue is helping cops generate AI-powered social media bots to pose as sympathetic figures and talk to people of interest. And the New Jersey attorney general is suing Discord, claiming that the platform doesn't have adequate safeguards in place to protect children under 13 from sexual predators and harmful content.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Draft Legislation in Florida Explicitly Demands Encryption Backdoors**

A draft bill in the state of Florida would require social media companies to provide law enforcement with encryption backdoors so cops could access users’ accounts. The bill advanced unanimously from committee this week and will now go to the state Senate for a vote. If passed, the Social Media Use by Minors bill, which is sponsored by state senator Blaise Ingoglia, would require “social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.” The bill would also ban disappearing messages in accounts designed for children and would require social media companies to create a mechanism for parents or guardians to access children's accounts. Experts have long warned that encryption backdoors make everyone less secure, including those they are intended to help. Yet waves of attacks on encryption have repeatedly emerged over the years, including a recent trend in the European Union and United Kingdom.

**Judge Finds Broad Searches of Cell Tower Data Are Unconstitutional**

A Nevada district judge said this week that the practice of “tower dumps,” in which law enforcement pulls vast quantities of personal caller data from cell towers, violates the Fourth Amendment and is, thus, unconstitutional. Cell towers collect large quantities of information about users, including phone numbers and phone locations, so when cops request data from a tower during a specific time period, they often receive information on thousands of devices or more. In spite of the decision this week, though, Judge Miranda M. Du said that law enforcement could still use the evidence they had collected through a tower dump in their case.

**China Hits US With Accusations of Cyberattacks, Naming Alleged NSA Agents**

China claimed this week that the US National Security Agency perpetrated “advanced” cyberattacks against critical industries in February during the Asian Winter Games. Law enforcement from the northeastern city of Harbin put three alleged NSA agents—Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson—on a wanted list and claimed that the University of California and Virginia Tech were involved in the attacks. “We urge the US to take a responsible attitude on the issue of cyber security and … stop unprovoked smears and attacks on China,” ministry spokesperson Lin Jian said during a news briefing about multiple topics, according to Reuters. The US government frequently calls out Chinese state-backed hacking and names individual alleged perpetrators, but China has been less consistent about such statements. The move this week comes amid escalating tensions between the two countries, including the Trump's administration's trade war.

**US Customs and Border Protection Is Using a Number of AI Tools to Monitor Social Media**

CBP is using multiple artificial intelligence tools to scan social media and identify people of interest online, according to information from the agency and marketing materials reviewed by 404 Media from the contractors. CBP released information about the platforms this week in parallel to the US Department of Homeland Security’s announcement that it will “begin screening aliens’ social media activity for Antisemitism.” That statement also says that US Citizenship and Immigration Services is conducting “antisemitism” social media searches. CBP told 404 Media in an email that “neither tool is used for vetting or travel application processing,” referring to Dataminr and Onyx, but did not elaborate beyond that. The platforms use AI to parse large troves of data and can be used to develop leads on people who may be in violation of US immigration laws.

Florida Man Enters the Encryption Wars

Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild.
The vulnerabilities in question are listed below -

CVE-2025-31200 (CVSS score: 7.5) - A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio

Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks

Cheap Android smartphones manufactured by Chinese companies have been observed pre-installed with trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality as part of a campaign since June 2024.
While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to

Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users

Follow me for lucky prizes scams are old fake crypto exchange scams in a new jacket and on a different platform

A type of crypto scam that we reported about in 2024 has ported over to a new platform and changed tactics—a bit.

Where the old scams mostly reached me on WhatsApp, the same group of scammers is now using Direct Messages on X. However, the same old trick of “accidentally” sending you login details to a supposedly well-funded financial account is still being used by at least one cybercriminal gang.

Oops, I’m not Sean

> “Sean, your financial management account has been opened. {account details}. Please keep your accoount password safe and do not share it with anyone.”

What’s interesting is that this tactic, which we reported on previously, is coming from a different group than the one included in previous coverage from last year. That earlier gang has now changed their messaging, including references to “follow” a person through cyberspace.

Follow me

> “Follow me to unlock a lucky prize! Click the link below to claim $500!
> 
> No conditions, just follow me! “

In this version, the scammers will also send you the login details for a fake crypto exchange with access to a healthy wallet.

_2,685,012.00 USDT sounds amazing_

The idea is to give the targets of the scam the impression that they can move that wealth to a wallet of their own. After all, they have the login details for this account. But many others might have those too, since the message was sent to 148 other people. So, you’ll have to hurry and not overthink things too much, right?

Wrong! At some point you’ll find out that you will have to buy a VIP account to transfer the funds to your own account. And that’s what this scam is all about.

****Don’t fall for scammers****

*   Any unsolicited Direct Messages from an unknown person are suspect. No matter how harmless or friendly it may seem. Remember, most pig butchering scams start with what seems a misdirected message.
*   Don’t follow links that reach you in any unexpected way, and certainly not from an untrusted source.
*   If it’s too good to be true, then it probably is.
*   Scammers bank on the fact that the more time and money you have invested, the more determined you will become to get to the desired end result.
*   Use a web filtering app to shield you from known malicious websites, such as Malwarebytes Premium or Malwarebytes Browser Guard.

In light of these campaigns, Malwarebytes products block these domains:

oxlop\[.\]com

bjscx\[\].com

bjtlm\[.\]com

bmstw\[.\]com

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 “Follow me” to this fake crypto exchange to claim $500 

A lawsuit over the Trump administration’s infamous Houthi Signal group chat has revealed what steps departments took to preserve the messages—and how little they actually saved.

Attorneys suing the United States government over its use of vanishing Signal messages to coordinate military strikes last month in Yemen allege that new court filings by the government reveal a “calculated strategy” by Trump administration officials to evade transparency laws through the illegal destruction of government records.

US defense and intelligence agencies on Monday submitted supplemental declarations in court outlining their individual efforts to preserve the messages at the center of the “SignalGate” scandal. American Oversight, a watchdog organization whose attorneys are suing the government, claim the declarations reveal “troubling inconsistencies” in efforts by US officials to archive the material, with the Central Intelligence Agency in particular alleging that it had archived no messages of any substance.

“Using encrypted, disappearing messages on Signal for official government business violates the Federal Records Act and represents a calculated strategy to undermine transparency and accountability,” claims the group’s interim executive director, Chioma Chukwu.

The use of the private group chat—in which some messages were configured to automatically delete before they could be archived—was first revealed by The Atlantic’s editor in chief, Jeffrey Goldberg, on March 24, after he was inadvertently added to the group by Trump’s national security adviser, Michael Waltz. American Oversight subsequently filed Freedom of Information Act requests over the chats and then sought a temporary restraining order in a Washington, DC, federal court in an effort to compel the government to salvage any messages yet to be deleted.

In addition to Waltz, known participants in the chat group include, among others, Secretary of Defense Pete Hegseth, Secretary of State Marco Rubio, Vice President JD Vance, Director of National Intelligence Tulsi Gabbard, and CIA Director John Ratcliffe.

WIRED has requested comment from the Justice Department, the Office of the National Intelligence Director, and the White House. The departments of Defense and State declined to comment. The CIA could not be immediately reached for comment.

The declarations filed by the government late Monday show a scattershot attempt by multiple agencies to comply with the court’s demands, with several days elapsing during their various individual efforts to obtain and preserve the messages.

Judge James Boasberg, the chief judge of the US District Court for the District of Columbia, issued his initial order to preserve the communications on March 27, while giving each agency four days to describe what actions were being taken to obey. “We were really trying to seek preservation of Signal chats more broadly,” American Oversight’s deputy chief counsel, Katie Anthony, tells WIRED. “But the court was not willing to step outside the one specific chat we all knew about for certain."

The declarations ultimately offered scant information about the methods that were employed to preserve the messages or the degrees to which those methods are forensically sound. And it is unclear from the disclosures what portion of the chat—alleged to cover five days in early March—might have been irretrievable by that time. According to reporting by The Atlantic, some of the messages concerning the military strikes, which targeted Houthi fighters in Yemen, were set to delete automatically after four weeks. Others were reportedly set to disappear after only one.

The US Treasury Department was initially alone in providing the court a timeline of the messages that it was able to retrieve. Treasury Secretary Scott Bessent had received a preservation memo on March 26, his acting general counsel said, as well as advice regarding his fundamental duty to preserve records. Resultingly, "images were taken from the phones of Secretary Bessent and Mr. \[Daniel\] Katz," Bessent’s chief of staff. The messages begin at 1:48 pm EST on March 15, 2025.

"The Atlantic article was about a chat that took place the 11th through the 15th,” Anthony says, “so pretty much everything was gone—from the only defendant who gave us clear and specific information about what they were able to save.”

The Department of Defense told the court last month that its attorneys were "in the process" of complying with the agency's preservation rules and that Secretary Hegseth’s communications team had been asked to forward the Signal messages to an official DOD account. Pressed by the court for further details last week, the DOD said Monday that a search of Hegseth's device had been conducted "on or about March 27," adding that screenshots of the "existing Signal application messages" had been preserved.

American Oversight’s lawyers had urged the court to seek greater specificity, arguing on April 4 that "vague, incomplete assertions" in the government's original declarations had only cast fresh doubts on its "purported efforts" to preserve the chats. In light of new reporting, the group argued, the government's response seemed otherwise "grossly inadequate." Politico had reported two days prior that as many as 20 private Signal chat groups had been started by Waltz’s team with a slew of cabinet officials.

“It seems very likely that the individuals who are defendants in our lawsuit are probably involved in some of those other chats, and we have this problem on a much wider basis,” Anthony says.

The Department of Justice, meanwhile, opposed the court’s involvement, arguing that its efforts on behalf of a watchdog group were legally confused and that the question of whether any laws were broken is in any case moot. Members of the public, it argued, have no "enforceable rights” when it comes to challenging the destruction of specific government records. A court order was unnecessary, the department said, because the government was already taking steps to do what is required. A “partial version of the chat” had already been committed to a federal record keeping system, it said, by “at least one agency.”

Among other new details, Monday’s disclosures provided a range of dates for the preservation efforts at multiple agencies, including the date that Hegseth’s phone was finally “searched.”

Screenshots of chats on Marco Rubio's phone were likewise captured on March 27, the State Department said. The Office of the Director of National Intelligence said its screenshots were taken the following day, on March 28. The CIA said it took a screenshot of the chat on March 31; however, it also clarified one of its previous declarations to the court, revealing that the image shows mainly the name of the chat group and some of its members and settings but not any of its “substantive messages.”

American Oversight previewed a case to amend its initial complaint during a hearing last week, with plans to encourage the court to expand the scope of its review to include the now-reported widespread use of Signal by top officials across the national security state.

“This attack on government transparency threatens the very foundation of our democracy,” Chukwu says. “And we are committed to using every legal tool available to expose the truth and hold those responsible accountable.”

Here’s What Happened to Those SignalGate Messages

Microsoft held off on releasing the privacy-unfriendly feature after a swell of pushback last year. Now it’s trying again, with a few improvements that skeptics say still aren't enough.

Security and privacy advocates are girding themselves for another uphill battle against Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store everything a user does every three seconds.

When Recall was introduced in May 2024, security practitioners roundly castigated it for creating a gold mine for malicious insiders, criminals, or nation-state spies if they managed to gain even brief administrative access to a Windows device. Privacy advocates warned that Recall was ripe for abuse in intimate partner violence settings. They also noted that there was nothing stopping Recall from preserving sensitive disappearing content sent through privacy-protecting messengers such as Signal.

**Total Recall**

Following months of backlash, Microsoft later suspended Recall. On Thursday, the company said it was reintroducing Recall. It currently is available only to insiders with access to the Windows 11 Build 26100.3902 preview version. Over time, the feature will be rolled out more broadly. Microsoft officials wrote:

> Recall (preview)\* saves you time by offering an entirely new way to search for things you’ve seen or done on your PC securely. With the AI capabilities of Copilot+ PCs, it’s now possible to quickly find and get back to any app, website, image, or document just by describing its content. To use Recall, you will need to opt-in to saving snapshots, which are images of your activity, and enroll in Windows Hello to confirm your presence so only you can access your snapshots. You are always in control of what snapshots are saved and can pause saving snapshots at any time. As you use your Copilot+ PC throughout the day working on documents or presentations, taking video calls, and context switching across activities, Recall will take regular snapshots and help you find things faster and easier. When you need to find or get back to something you’ve done previously, open Recall and authenticate with Windows Hello. When you’ve found what you were looking for, you can reopen the application, website, or document, or use Click to Do to act on any image or text in the snapshot you found.

Microsoft is hoping that the concessions requiring opt-in and the ability to pause Recall will help quell the collective revolt that broke out last year. It likely won’t for various reasons.

First, even if User A never opts in to Recall, they have no control over the setting on the machines of Users B through Z. That means anything User A sends them will be screenshotted, processed with optical character recognition and Copilot AI, and then stored in an indexed database on the other users’ devices. That would indiscriminately hoover up all kinds of User A's sensitive material, including photos, passwords, medical conditions, and encrypted videos and messages. As Privacy Guides writer Em wrote on Mastodon:

> This feature will unfortunately extract your information from whatever secure software you might have used and store it on this person's computer in a possibly less secure way.
> 
> Of course this person could manually take a screenshot of all of this anyway, but this feature makes it that even a well-intentioned person might either not be aware it is on, or might wrongly assume it is secure enough.
> 
> This feature isn't fully released yet, but it might be soon.

The presence of an easily searchable database capturing a machine’s every waking moment would also be a bonanza for others who don’t have users’ best interests at heart. That level of detailed archival material will undoubtedly be subject to subpoena by lawyers and governments. Threat actors who manage to get their spyware installed on a device will no longer have to scour it for the most sensitive data stored there. Instead they will mine Recall just as they do browser databases storing passwords now.

Microsoft didn’t immediately respond to a message asking why it’s reintroducing Recall less than a year after the feature got such a chilly reception. For critics, Recall is likely to remain one of the most pernicious examples of enshittification, the recently minted term for the shoehorning of unwanted AI and other features into existing products when there is negligible benefit to users.

_This story originally appeared on_ _Ars Technica._

Microsoft’s Recall AI Tool Is Making an Unwelcome Return

Cheap Android phones with preinstalled malware use fake apps like WhatsApp to hijack crypto transactions and steal wallet recovery phrases.

A new wave of smartphone-based attacks is draining crypto wallets without victims ever realizing it. According to researchers at Doctor Web, a surge in malware-laced Android phones has exposed a coordinated operation where attackers are embedding spyware directly into the software of newly sold devices. The goal is to intercept cryptocurrency transactions through a hijacked version of WhatsApp.

****Cheap Phones, Expensive Consequences****

The phones in question look familiar. Models like the “S23 Ultra,” “Note 13 Pro,” and “P70 Ultra” imitate premium brands with sleek branding and tempting specs. But beneath the surface, they’re running older software despite claiming to have the latest Android version, and they come with malicious software within.

The infected devices ship with preinstalled, modified versions of WhatsApp that operate as clippers, which are malicious programs designed to replace copied cryptocurrency wallet addresses with the attacker’s own. Once installed, this fake WhatsApp quietly swaps out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat.

Even more worrying, victims never see anything suspicious. The malware shows the correct wallet address on the sender’s screen but delivers the wrong one to the receiver and vice versa. Everything looks normal until the money disappears.

****Not Just WhatsApp****

The attackers didn’t stop at one app. According to Dr. Web’s report, researchers found nearly 40 fake applications, including Telegram, crypto wallets like Trust Wallet and MathWallet, QR code readers, and others. The technique behind the infection relies on a tool called LSPatch, which allows modifications without altering the core app code. This method not only evades detection but also lets the malicious code survive updates.

What makes this campaign particularly dangerous is the supply chain angle. Researchers believe the infection occurred at the manufacturing stage, meaning these phones were compromised before reaching store shelves. Many devices originate from smaller Chinese brands, with some models linked to a label called “SHOWJI.” Others remain untraceable.

SHOWJI S19 Pro

Note 30i

Camon 20

SHOWJI Note 13 Pro

S23 Ultra

P70 Ultra

SHOWJI X100S Pro

S18 Pro

M14 Ultra

SHOWJI Reno12 Pro

6 Pro

S24 Ultra

Smartphone models identified by Dr. Web to be malicious

****Beyond Message Hijacking****

The spyware doesn’t just swap out wallet addresses; it digs through targeted devices’ image folders like DCIM, Downloads, and Screenshots, looking for pictures of recovery phrases. A lot of people snap screenshots of these for convenience, but those phrases are the master keys to their crypto wallets. If attackers get their hands on them, they can drain the account in minutes.

To make things worse, the malicious WhatsApp update system doesn’t point to official servers. Instead, it fetches updates from domains controlled by the hackers, ensuring the spyware stays functional and up to date.

So far, Doctor Web has identified over 60 servers and 30 domains used in the campaign. Some attacker wallets linked to the operation have already received more than $1 million, with others holding six-figure balances. And because many addresses are generated dynamically, the full financial scope remains unclear.

One of the attacker-controlled wallets has already stolen a substantial amount of cryptocurrency from victims (Screenshot via Dr. Web).

****How to Stay Safe****

Cybersecurity experts at Dr. Web warned users to be extra cautious, especially when it comes to mobile devices and crypto security. They recommend avoiding Android phones from unverified sellers, particularly if the price feels too good to be true. To make sure a device is legit, tools like DevCheck can help verify hardware specs since fake models often manipulate system details, even in well-known apps like CPU-Z or AIDA64.

Experts also advise against storing recovery phrases, passwords, or private keys as unencrypted images or text files, which can be easy targets for spyware. Installing reliable security software can help catch deeper system-level threats. And when it comes to downloading apps, it’s safest to stick with official sources like Google Play.

Although the campaign is currently targeting Russian-speaking users, pre-installed malware on cheap Android devices, including smartphones and TV boxes, has already been used to target unsuspecting users worldwide. Therefore, regardless of your location, if your Android phone isn’t what it claimed to be or if you’ve recently bought one off-brand device, it might be worth checking what’s running under the hood.

Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp

For the past decade, this group of FSB hackers—including “traitor” Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.

Russian state hackers, perhaps more than those of any other nation, tend to show off. The notorious Sandworm unit within Russia's GRU military intelligence agency, for instance, has triggered unprecedented blackouts and released destructive, self-replicating code. The FSB's ingenious Turla group has hijacked satellite internet connections to steal victims' data from space. But one team of less-flashy cyberspies working on behalf of the Kremlin rarely earns the same notice: Armageddon, or Gamaredon.

The hackers, believed to work in the service of Russia's FSB intelligence agency, aren't known for their sophistication. Yet they have strung together a decade-plus record of nearly constant espionage-focused breaches, grinding away with simple, repetitive intrusion methods, year after year. Thanks to that sheer overwhelming quantity of hacking attempts, they represent by some measures the top espionage threat facing Ukraine in the midst of its war with Russia, according to cybersecurity defenders who track the group.

“They are the most active state-aligned hacker group attacking Ukrainian organizations, by far,” says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET.

ESET has tracked Gamaredon as it's breached the networks of hundreds of victims in Ukraine, stealing thousands of files on a daily basis, Lipovsky says. “Their operation is highly effective," says Robert Lipovsky, a malware researcher at ESEThe adds. "Volume is their big differentiator, and that's what makes them dangerous.”

If Gamaredon doesn't behave like other Russian hacking groups, that's in part because some of them aren't Russian nationals—or weren't, technically, until 2014.

According to the Ukrainian government, Gamaredon's hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine's Maidan revolution. Some of them previously worked on behalf of Ukraine's own security services before switching sides when Russia's Crimean occupation began.

“They are officers of the ‘Crimean’ FSB and traitors who defected to the enemy,” reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems including critical infrastructure like “power plants, heat and water supply systems.”

The group's initial access techniques, ESET’s Lipovsky says, consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine. Those relatively basic tactics have hardly evolved since the group first appeared as a threat aimed at Ukraine in late 2013. Yet by tirelessly cranking away at those simple forms of hacking and targeting practically every Ukrainian government and military organization—as well as Ukrainian allies in Eastern Europe—on a daily basis, Gamaredon has proven to be a serious and often underestimated adversary.

“People sometimes don’t realize how big a part ‘persistence’ plays in the phrase APT,” says John Hultquist, chief analyst for Google's Threat Intelligence Group. "They’re just relentless. And that itself can be kind of a superpower.”

In October 2024, the Ukrainian government went as far as to sentence two of Gamaredon's hackers in absentia for not only hacking crimes but treason. A statement from the SBU at the time accused the two men—neither of whom are named—of having “betrayed their oath” by voluntarily joining the FSB.

For Gamaredon's former SBU hackers, turning on their former countrymen may not have resulted in the perks they hoped. Aside from the apparent slog of their nonstop phishing campaigns, intercepted phone communications between members of the group published by the SBU appear to show them complaining about their low pay and lack of recognition. “They should have given you a medal,” one team member says to another in the Russian-language conversation. “Screwed one more time.”

Given how mind-numbingly workaday their hacking campaigns are, it's no wonder they complained about their working conditions, says Google's Hultquist.

"Drudgery is so core to their operations,” he says. "This group grinds out wins."

As disgruntled as Gamaredon's hackers may be, defending against their constant barrage of spying attempts is at least as difficult and boring, say some of the defenders tasked with tracking them. The group writes its malware in relatively unsophisticated scripting languages like VBScript and Powershell rather than the C++ used by savvier hackers. But Gamaredon tweaks its humdrum code constantly, sometimes with automated changes to create endlessly differentiated versions designed to defy antivirus, according to ESET, whose anti-malware products are used widely across Ukraine.

In some cases, the hackers infect the same machine with numerous malware specimens, and hit so many targets that ESET hasn't even been able to identify all of the group's victims, despite closely tracking Gamaredon's campaigns.

“It's exhausting work,” says Anton Cherepanov, an ESET malware researcher. “People overdose and get burnt out.”

Since the start of Russia's full-scale war in Ukraine in 2022, Gamaredon has evolved to broaden its intelligence collection to messaging tools like Signal, WhatsApp, and Telegram, as well as the Delta software used by the Ukrainian military on tablet computers. A 2023 report by CERT-UA, the Computer Emergency Response Team of Ukraine, warned that Gamaredon has on at least one occasion launched a data-destroying attack against a victim facility, though it usually confines itself to mere intelligence gathering on behalf of the Russian military effort.

The same report notes that once Gamaredon infects a machine, it often starts stealing files in as little as 30 minutes. By the end of a week, if the machine remains infected, the hackers will have installed 80 to 120 variants of its malware on the computer. If defenders fail to delete even one, the hackers keep their foothold and can maintain access to that device.

All of that means Gamaredon represents a challenge that's painfully dull for cybersecurity defenders, but with dauntingly high stakes in the context of a war where stolen secrets can mean the difference between life and death.

“They're not interesting,” ESET malware researcher Zoltán Rusnák says. “Just dangerous.”

Gamaredon: The Turncoat Spies Relentlessly Hacking Ukraine

From crypto kingpins to sophisticated scammers, these are the lesser-known hacking groups that should be on your radar.

Read More

_The Last of Us_ Creator Didn’t Want to Sweep ‘Upsetting’ Moments Under the Rug

During _The Last of Us_’ second-season premiere, Ellie gets called a homophobic slur. Craig Mazin tells WIRED it highlights what happens when humanity stops moving forward.

FTC v. Meta Trial: The Future of Instagram and WhatsApp Is at Stake

The blockbuster antitrust case begins Monday. Its outcome could impact how Big Tech companies grow—but the government has a long way to go to prove its case.

The Best Laptops to Work and Play Wherever You Are

These are our favorite Windows laptops, MacBooks, Chromebooks, and Linux portables.

The Best Backpacking Water Filters

We’ve tested filter from Sawyer, Katadyn, LifeStraw, MSR and more to find the best option for every adventure.

The Best Way to Roast a Chicken Is on a Stick

This simple gadget is a fun and inexpensive way to tinker.

Small Language Models Are the New Rage, Researchers Say

Larger models can pull off a wider variety of feats, but the reduced footprint of smaller models makes them attractive tools.

Homeland Security Email Tells a US Citizen to 'Immediately' Self-Deport

An email sent by the Department of Homeland Security instructs people in the US on a temporary legal status to leave the country. But who the email actually applies to—and who actually received it—is far from clear.

The Best Google Pixel 9 Cases and Accessories

Whether you saved some cash with the Pixel 9a or went big with the Pixel 9 Pro XL, we’ve got a selection of cases—MagSafe included—to kit out your new Android phone.

Am I the Asshole if I Don’t Put My Phone on Airplane Mode?

If you don’t, your flight won’t crash, but ignoring airplane mode uses up your battery and annoys the pilot.

The 24 Best Shows on Amazon Prime Right Now

_The Wheel of Time, Reacher_, and _The Bondsman_ are just a few of the shows you should be watching on Amazon Prime Video this week.

China Secretly (and Weirdly) Admits It Hacked US Infrastructure

Plus: The Department of Homeland Security begins surveilling immigrants' social media, President Donald Trump targets former CISA director who refuted his claims of 2020 election fraud, and more.

The Most Dangerous Hackers You’ve Never Heard Of

A list of topics we covered in the week of April 7 to April 13 of 2025

April 14, 2025 - Malwarebytes has been rewarded with prestigious accolades by two renowned publications, PCMag and CNET. 

April 11, 2025 - The US indicated they will sign the Pall Mall Pact, an international treaty to regulate commercial spyware and surveillance tools.

April 10, 2025 - A report from Edinburgh University warns that child abusers are using dating apps to find single parents with vulnerable children.

April 10, 2025 - US senator Cassidy is afraid that Chinese companies will jump at the opportunity to buy the genetic data of 15 million 23andMe customers.

April 9, 2025 - If you use WhatsApp for Windows, you'll want to make sure you're on the latest version.

Tag

#sap