Cisco confirms that data published by IntelBroker on a cybercrime forum was taken from the company DevHub environment. Cisco confirms that the data posted by IntelBroker on a cybercrime forum was stolen from its DevHub environment. for customers to use as needed.
Threat actors stole certain internal documents, including files containing personal information. Names and Social Security numbers were compromised in the attack. “Belk maintains a written information security program.” The stolen data are available for download, a circumstance that suggests a failed negotiation.
Fake file converters and download tools may perform advertised tasks but can provide resulting files containing hidden malware, giving criminals access to victims’ devices. “To conduct this scheme, cyber criminals across the globe are using any type of free document converter or downloader tool.”
This file contained an authentication token that allowed the attacker to download the Internet Archive’s source code, which included additional credentials and tokens. This allowed the threat actor to download the organization’s user database, further source code, and modify the site.
The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated path traversal issue allowing attackers to download arbitrary files from the server. At the end of January, researchers from security firm Arctic Wolf reported a campaign targeting SimpleHelp servers.
“Since March 2025, Check Point Research has been tracking malicious GitHub repositories targeting Minecraft users with an undetected Java downloader.” Upon launching the game, the fake mod downloads a second-stage stealer, which then fetches an additional .NET-based stealer.
is the recommended library for integrating a JavaScript/TypeScript app with the XRP, it has more than 140.000 weekly downloads. Hundreds of thousands of applications and websites use this package, the package has been downloaded over 2.9 It is the official SDK for the XRP Ledger, with more than 140.000 weekly downloads.”
Russian-based cybercrime group RomCom (aka UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596) exploited two Firefox and Tor Browser zero-day vulnerabilities in recent attacks on users across Europe and North America. This leads to downloading and executing the RomCom backdoor from C2 servers like journalctd[.]live,
The attack involves executing a cmd script followed by a PowerShell script, which downloads three executables, including the Amadey botnet and two .NET executables (32-bit and 64-bit). The malware, dubbed PackerE, downloads an encrypted DLL (PackerD1) that employs multiple anti-analysis techniques.
Once executed, it downloads the payload directly into memory. “Once opened, the LNK file executes a PowerShell command to download an MSI file from a remote server, renames it as “%AppData%y.msi”, and then executes/installs it using the Microsoft msiexec.exe tool.” lnk” that, once executed, starts the attack chain.
The backdoor is distributed through: Phishing emails with themes such as code of conduct to trick users into downloading the malware. Upon executing the archive, it drops a malicious Windows executable, which eventually downloads and executes the PLAYFULGHOST payload from a remote server. sys driver.
“We’ve archived the leak and made it available for download on GitHub.” Yesterday Banshee Stealer, the macOS-based Malware-as-a-Service infostealer, had their source code leaked online.
“Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the user’s purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.” reads the alert published by the FBI. BADBOX 2.0
Users seeking free AI video tools unknowingly download Noodlophile Stealer, a new malware that steals browser credentials, crypto wallets, and may install remote access trojans like XWorm. Noodlophile is being sold on cybercrime forums as part of malware-as-a-service schemes, often bundled with tools for credential theft.
Researchers found a fake Bitdefender site spreading the Venom RAT by tricking users into downloading it as antivirus software. DomainTools Intelligence (DTI) researchers warn of a malicious campaign using a fake website (bitdefender-download[.]com)
Researchers found 3 malicious Go modules with hidden code that can download payloads to wipe a Linux system’s main disk, making it unbootable. “The executions of the malicious modules can cause total data loss, major downtime, and severe financial and reputational harm, highlighting the need for strong supply chain security.”
The software can be downloaded from the police website and Europol’s NoMoreRansom site. In November 2024, Russian Phobos ransomware operator Evgenii Ptitsyn, suspected of playing a key role in the ransomware operations, was extradited from South Korea to the US to face cybercrime charges.
Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader. The threat actor is using troop-related lures to deploy the Remcos RAT via PowerShell downloader. Talos researchers warn that Russia-linked APT group Gamaredon (a.k.a.
In October 2024, Cisco confirmed that the data posted by the notorious threat actor IntelBroker on a cybercrime forum was stolen from its DevHub environment. At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published.
Recently, the Federal Office for Information Security (BSI) announced it had blocked communication between the 30,000 devices infected with the BadBox malware and the C2. BadBox can also download additional payloads, amplifying the risks for the users. continues the report “Second, let’s talk volume.
Though distinct from groups like Scattered Spider and CryptoChameleon , the attack reflects growing threats in the broader The Com cybercrime ecosystem. They used targeted phishing emails, such as a Sending Privileges Restricted lure, to steal credentials and automate downloads of contact lists.
The malicious code acts as a backdoor allowing attackers to download and install third-party software secretly. Users may also mistakenly believe TV boxes are more secure than smartphones and are less likely to install antivirus software, increasing their risk when downloading third-party apps or unofficial firmware.
CYFIRMA researchers discovered that the SpyLend Android malware was downloaded 100,000 times from the official app store Google Play. “The Finance Simplified app is still available on Google Play at the time of this report’s publication, with downloads doubling to 100,000 in a week.” reads the report published by CYFIRMA.
The investigation was led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB) with the support of Europol. “Unlike other known platforms of this kind, Kidflix not only enabled users to download CSAM but also to stream video files.
To extract cookies from Chromium-based browsers, it downloads a module from the C&C to bypass App-Bound encryption. Upon execution, Glove Stealer pretends to search for system errors while secretly contacting a command-and-control (C&C) server to harvest and exfiltrate data. ” reads the report published by Gen Digital.
Nebulous Mantis imitates trusted services like OneDrive to trick victims into downloading infected files, often hosted on Mediafire. Post-infection, a fake PDF triggers an EXE that checks for sandbox evasion markers before downloading further payloads like Keyprov.dll. The APT group uses RomCom malware in multi-stage attacks.
“We urge the public to be cautious when downloading packages and to ensure they are from trusted sources to avoid falling victim to such attacks.” “The authors of tommyboy_h1 and tommyboy_h2 are likely the same person, publishing multiple malicious packages in a short time.” concludes the report.
In this attack phase, a PowerShell script downloads an archive from the command-and-control server containing the Node.js components. In a documented instance, attackers used a ClickFix social engineering tactic to trick users into running a PowerShell command that downloads and installs the Node.js runtime and a compiled JavaScript file.
In September, security researchers from G DATA discovered more than two dozen Android mobile phones from different manufacturers already infected by pre-installed malware.
Attackers used the malicious site gitrok[.]com to distribute an infected archive, which had over 40,000 downloads. The above campaign limited itself to distributing a miner, but threat actors could start to use this vector for more complex attacks, including data theft and downloading other malware.
Upon exploiting the vulnerability, the malicious code can inject commands via the ntp parameter, allowing attackers to download Mirai-based malware through HTTP POST requests over port 80, referencing IP Address :80/cfg_system_time.htm in the HTTP Referer header. dyn” for C2 communication.
It extracts Python backdoors from ZIP files downloaded via remote SharePoint links and employs techniques associated with the FIN7 threat actor. Once access was established, the attacker used a web browser to download a malicious payload, which was split into parts, reassembled, and unpacked to deploy malware.
Clicking the “Download PDF” button leads to a zip payload from MediaFire. Clicking the “Download PDF” button triggers a JavaScript function that checks the browser and platform, then retrieves a Mediafire URL from a PHP file to download a .zip file. contaboserver[.]net.
The emails contained links that downloaded a malicious file (wine.zip). GRAPELOADER is a 64-bit DLL (ppcore.dll) used as an initial-stage downloader, triggered via its PPMain function through DLL side-loading by wine.exe. The phishing campaign used domains like bakenhof[.]com and silry[.]com
The campaign is still ongoing and the malicious packages collectively totaled more than one thousand downloads. “The attack has led to the identification of 20 malicious packages published by three primary authors, with the most downloaded package, @nomicsfoundation/sdk-test, accumulating 1,092 downloads.”
PCMag cited the case of a gamer who downloaded the game and reported that his accounts were hijacked using stolen cookies. SteamDB estimates that over 800 users may have downloaded the game. According to the website PCMag , the free-to-play game PirateFi was released last week. A few days later, Valve notified impacted users.
“Indicators of SRG activity include unauthorized downloads of tools like Zoho Assist or AnyDesk, external WinSCP/Rclone connections, ransom emails or calls from unnamed groups, and phishing emails about subscriptions urging recipients to call a number to cancel charges.” concludes the report.
The commit, falsely attributed to the renovate bot, downloads and executes a script from an external source, using memory forensics to locate and extract secrets. Attackers retroactively altered multiple release tags to point to the same malicious commit, injecting an exploit that dumps memory and extracts sensitive data.
“The botnet exploits this vulnerability by injecting a payload that downloads and executes a cleartext shell dropper named dropbpb.sh, responsible for downloading the malware binaries and executing them on the compromised device.” 70) via HTTP on port 81.
Initially, the group published screenshots of stolen data as proof of the attack, now the whole archive can be downloaded from the leak page. The group said that the waiting period had expired and claimed the theft of 134GB of sensitive data.
CISA adds Wazuh, and WebDAV flaws to its Known Exploited Vulnerabilities catalog
Exposed eyes: 40,000 security cameras vulnerable to remote hacking
Operation Secure: INTERPOL dismantles 20,000+ malicious IPs in major cybercrime crackdown
Over 80,000 servers hit as Roundcube RCE bug gets rapidly exploited
A flaw could allow recovery of the phone number (..)
In September, SonicWall warned that the flaw CVE-2024-40766 in SonicOS is now potentially exploited in attacks. “The latest patch builds are available for download on mysonicwall.com,” warns the updated SonicWall advisory.
“Afterwards, the attacker downloaded and deployed the SRBMiner cryptominer from GitHub, and started mining to their cryptocurrency wallet and public IP address.” The attacker downloads SRBMiner from GitHub, unzips it into a temporary directory, and deploys it in the /usr/sbin directory. continues the analysis.
Avoid clicking links or downloading files from unverified sources. Use a secret word with family to confirm identities and stay secure. To avoid fraud or data loss, never share sensitive info with unknown contacts. Verify identity through trusted channels, especially on new platforms.