A malware campaign has been observed delivering a remote access trojan (RAT) named AsyncRAT by making use of Python payloads and TryCloudflare tunnels.
"AsyncRAT is a remote access trojan (RAT) that exploits the async/await pattern for efficient, asynchronous communication," Forcepoint X-Labs researcher Jyotika Singh said in an analysis.
"It allows attackers to control infected systems

AsyncRAT Campaign Uses Python Payloads and TryCloudflare Tunnels for Stealth Attacks

Organizations continue to be at high risk from cybercrime in Africa, despite law enforcement takedowns of cybercriminal syndicates in Nigeria and other African nations.

Threat Index global mapSource: Check Point Software Technologies

Nigeria's government has taken a tougher stance against financial fraud and cybercrime, arresting more than 1,000 people in the past year and successfully prosecuting 152 cases related to cyber-related fraud and scams.

On Feb. 3, Nigeria's Economic and Financial Crimes Commission (EFCC) arraigned 42 foreign nationals — mainly Chinese and Filipino — on charges related to alleged cryptocurrency investment and romance fraud, part of a massive raid conducted in December 2024 against a purported cybercriminal syndicate of nearly 800 people.

The defendants willfully "caused to be accessed, a computer system which was organized to seriously destabilize the economic and social structure of the Federal Republic of Nigeria, by procuring and employing several Nigerian youths for identity theft and other computer related fraud," according to an EFCC statement.

Cybercrime and cyberattacks continue to be a major problem for Nigeria, and Africa as a whole. The average African organization sees nearly 3,200 attacks per week, 73% more than the global average, according to data provided by cybersecurity firm Check Point Software Technologies. Africa has increasingly become a hub for cybercrime, charting eight countries in Check Point's top 20 areas at high risk of cybercrime. Ethiopia claimed the top spot as the riskiest nation for cybercrime, while Nigeria ranked number 19.

The continent is rapidly adopting technology, not always with the right security, leading to vulnerable systems, says Lionel Dartnall, acting country manager for South Africa at Check Point.

"We are seeing that Africa is particularly susceptible compared to other regions, and many attackers often test new methods here before deploying them in other parts of the world," he says, listing the rapidly expanding digital footprint and widespread adoption of cloud computing as factor\[s\] that are opening up the region to more attacks."

**Africa: Rapidly Securing Its Ecosystem**

Overall, the Global South — including nations in the African, Latin American, and South Asian regions — have the lowest number of organizations reporting themselves to be cyber-resilient, according to the World Economic Forum's "Global Cybersecurity Outlook 2025." In Europe and North America, about 15% of organizations lack confidence in their nation's ability to respond to significant cyber incidents. In Africa and Latin America, 36% and 42% lack confidence, respectively.

While African nations are disproportionately represented in the top-20 cyber-riskiest nations and in lacking confidence in their cyber resilience, their economies are also topping the list in terms of growth, with 11 of the 20 fastest-growing economies in Africa. Overall, Africa's younger population and the increased digitization brings more risk, but also more opportunities, Check Point's Dartnall says.

"\[T\]he continent has only 20,000 qualified cybersecurity engineers, indicating a critical need for more experts to join the field," he says. "However, there is a focus by both private and public sector institutions to stimulate cyber security training especially among young people, both to plug the acute skills gap and also provide critically needed employment."

Organizations in Nigeria — and Africa as a whole — have suffered a much higher pace of attacks, compared with global groups. Source: Check Point Software's "2024 African Perspectives on Cyber Security"

Nigeria, however, continues to face economic problems that impact its ability to create a trusted online ecosystem. Nigeria had significant economic challenges over the past three years, including annual inflation of more than 30%, higher unemployment, and growing debt, according to PricewaterhouseCoopers' 2025 Nigeria Budget and Economic Outlook. In 2024, the Nigerian government had to pause the implementation of a cybersecurity tax after public dissent. At the same time, Nigeria saw far more attacks per organizations than the global average.

**Importing Cybercrime**

The trick for countries like Nigeria is to make cybersecurity jobs available and more appealing than cybercrime. The government has already reached out to organizations, such as the Student Union Executives and the Nigeria Internet Registration Association (NIRA), to bolster cybersecurity training and fraud awareness.

In addition, law enforcement authorities have ramped up investigations and enforcement operations in the last year. In July 2024, Interpol worked with authorities in 21 countries to arrest the West African cybercriminals involved in financial fraud in an effort dubbed Operation Jackal III. In December 2024, similar cooperation led to the arrest of more than 1,000 suspects linked to more than $192 million in financial losses across Africa.

The Nigerian government has stressed that many of the cybercriminal schemes that operate in the country are not run by Nigerians. During the massive raid leading to the arrest of 792 suspects allegedly involved in a romance and cryptocurrency-investment fraud ring, nearly a quarter of those detained were not Nigerian citizens and included 148 Chinese, 40 Filipinos, two Kharzartans, one Pakistani, and one Indonesian, according to a December 2024 statement.

"Foreigners are taking advantage of our nation's unfortunate reputation as a haven of frauds to establish a foothold here to disguise their atrocious criminal enterprises," Ola Olukoyede, the EFCC chairman, said at a press conference. "But, as this operation has shown, there will be no hiding places for criminals in Nigeria."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nigeria Touts Cyber Success, Even as Cybercrime Rises in Africa

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files.

**Note:**

This is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-f2q5-6mx7-q9qq: Browsershot Local File Inclusion

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing validations of the user input that should be blocking file URI schemes (e.g., file:// and file:/) in the HTML content.

GHSA-j2gw-r24m-j2qw: Browsershot Path Traversal

Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.

GHSA-wp68-xrfg-xvq4: Cockpit Arbitrary File Upload

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of vulnerabilities is as follows -

CVE-2024-45195 (CVSS score: 7.5/9.8) - A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25

Fraud groups are using cutting-edge technology to scale their operations to create fake identities and execute fraud campaigns.

Source: Mike via Adobe Stock Photo

Question: How are modern fraud groups using generative artificial intelligence (GenAI) and deepfakes to steal millions of dollars?

Answer: If you imagine a fake identity document, what springs to mind? Is it a faded World War II-era identity card with a false name written in neat script next to a black and white photo? Is it a driver's license from a state you had never actually been to with your photo and a fake name, address, and birthday that you showed to the bars in your college town so you could drink when you were underage? Sometimes those documents worked. Sometimes they didn't.

The forgeries created by modern fraud groups use cutting-edge AI-driven deepfake technology to create fake identities, avatars, and documents that even a trained eye would have trouble spotting, says Ofer Freidman, chief business development officer of identity verification and ID management automation company AU10TIX. These groups are using GenAI to steal personal data, craft convincing fake identities, and execute fraud schemes.

Fraudsters acquire personal data from individuals through a combination of methods, including phishing, social engineering, and hacking corporate databases. They can also buy the information from cybercrime marketplaces. They can then use an AI system to randomize the information, such as names, addresses, and document numbers, to generate new fake identities. AI is better at avoiding repetitive patterns than humans, making it more likely that these fake identities will evade detection systems and monitors, Friedman says. 

Traditional forgeries could be identified by spotting inconsistencies, such as mismatched shadows or areas that were low resolution compared to the rest. While there are ways to identify deepfakes (such as counting the fingers on the person's hands), each model is getting better at producing uniform, high-quality content. 

For fraudsters, every payday doesn't need to be huge because they are operating in an "industrialized, systematic way," Friedman says. "You can go for $1 million or you can go 100 times for $10,000. It's the same effort because it's a machine doing it for you, unlike the good old days when you actually had to do it one by one."

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How Are Modern Fraud Groups Using GenAI and Deepfakes?

The security startup's autonomous security remediation platform uses off-the-shelf large language models (LLMs) to analyze security alerts and apply the fixes.

Source: Ronstik via Alamy Stock Photo

NEWS BRIEF

Developers and security teams are bombarded with too many security alerts. Security tools are finding issues, but organizations lack the staff and time to address the most severe security findings. That is why there has been a lot of discussion on how artificial intelligence (AI) can help prioritize and triage the volume of security alerts to a more manageable amount.

Backline, which came out of stealth on Jan. 30, goes a step further, using AI agents to remediate security vulnerabilities and misconfigurations automatically. The autonomous security remediation platform integrates seamlessly with the organization's existing security tools and consolidates the information into a centralized security findings lake, the company said. The AI-native remediation playbooks the platform uses have been enriched with customer-specific context, Backline said.

Backline's autonomous security remediation platform can safely implement verified code and configuration changes. Backline's agents analyze security findings, gather necessary context, determine the optimal fix for the organization's environment, implement the necessary changes, and then test the fixes. Teams can choose their preferred level of oversight and automation.

When the AI agent needs human analysts to intervene or provide more context, it contacts the relevant engineers using tools such as Jira, Slack, and GitHub.

As part of the launch, Backline also raised $9 million in seed funding from StageOne Ventures, Evolution Equity Partners, and Gradient. Backline's co-founder and CEO, Maor Goldberg, previously co-founded Whitebox Security, which he sold to SailPoint in 2015, and Apolicy, which was sold to Sysdig in 2021. Goldberg left Sysdig in 2024 to start Backline with Eran Leib, chief customer officer, and Aviad Chen, vice president of research and development.

Backline Tackles Enterprise Security Backlogs With AI

Researchers measured a threefold increase in credential stealing between 2023 and 2024, with more than 11.3 million such thefts last year.

Source: Artur Marciniec via Alamy Stock Photo

NEWS BRIEF

After analyzing more than a million pieces of malware collected in 2024, researchers have found that 25% of them target user credentials.

That's three times the number from 2023 and has bumped stealing credentials from password stores into the top 10 techniques listed in the MITRE ATT&CK framework, which accounted for 93% of all malicious cyber activity in 2024.

In "The Red Report 2025" conducted by Picus Security, researchers observed that the attackers are prioritizing "complex, prolonged, multi-stage attacks that require a new generation of malware to succeed." In what the researchers dubbed "SneakThief," threat actors are looking to revolutionize info-stealing malware, focusing on increased stealth, persistence, and automation.

The researchers add that threat actors likely have their sights set on these malware attributes in order to pull off "the perfect heist," adding that most malware samples now have the capability to do so with more than a dozen malicious actions installed to help bad actors evade defenses, exfiltrate data, and more.

The researchers also report they found no evidence that cybercriminals are using AI-driven malware, and that malware samples on average can complete 14 malicious actions. And of the millions of cybercrime acts seen in 2024, exfiltration and stealth tactics made up 11.3 million.

"Focusing on Top 10 MITRE ATT&CK techniques is the most viable way to stop the kill chain of sophisticated malware strains as early as possible," said Volkan Ertürk, CTO and co-founder of Picus. "SneakThief malware is not an exception; enterprise security teams can stop 90% of malware by focusing on just 10 of MITRE's entire library of techniques."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Credential Theft Becomes Cybercriminals' Favorite Target

Targets are lured into a fake interview process that convinces them to download malware needed for a virtual interview.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

In a new patch for its on-device malware tool, Apple is pushing signature updates to XProtect in order to block variants of a malware belonging to what is known as the macOS Ferret family.

This malware has been identified as part of "Contagious Interview," a North Korean campaign involving threat actors luring in targets and convincing them to install malware onto their devices through a fake job interview process. The other variants in the campaign include: FROSTYFERRET\_UI, FRIENDLYFERRET\_SECD, and MULTI\_FROSTYFERRET\_CMDCODES.

The DPRK malware family was first detailed by researchers in December 2024 and again in January where, as part of the campaign, targets are asked to communicate with an "interviewee" through a link that requests to install a piece of software required for virtual meetings.

Once installed, it runs a malicious shell script and installs a persistence agent, as well as an executable impersonating a Google Chrome update. 

The Contagious Interview attack chains are designed to drop JavaScript-based malware "BeaverTail," which delivers a Python backdoor known as InvisibleFerret, and harvests sensitive data from Web browsers and crypto wallets.

And now researchers at SentinelOne are highlighting samples they're calling "FlexibleFerret" that went undetected by XProtect as of Feb. 3, suggesting that the threat actors are honing their tactics to evade detection. This component dates as far back as November 2023.

"In an example in late December, one 'commenter' left instructions leading to the download of Ferret family droppers," stated the SentinelOne researchers. "This suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Latest News