Sweden’s proposal to mandate encryption backdoors faces backlash from Signal, cybersecurity experts, and even its military over privacy and security risks.

Swedish law enforcement and security agencies are advocating for legislation that would compel encrypted messaging services, such as Signal and WhatsApp, to implement backdoors.

This measure aims to grant authorities access to users’ communications for criminal investigations. However, this proposal has met with strong resistance from both the service providers and Sweden’s own military.

Meredith Whittaker, President of the Signal Foundation, has unequivocally stated that Signal would withdraw from the Swedish market rather than compromise its encryption standards. In an interview with SVT Nyheter, Whittaker emphasized that introducing a backdoor would undermine the app’s entire security architecture, stating, “If you create a vulnerability based on Swedish wishes, it would create a way to undermine our entire network.”

She further stated that Signal’s commitment to user privacy and data protection is paramount, and the organization would not acquiesce to demands that jeopardize this principle.

> Signal has announced that it will “leave Sweden” if the Swedish government mandates encryption backdoors. Many are celebrating this as a bold act of resistance. But what does it actually mean?
> 
> Signal has no offices or legal presence in Sweden. Will they block Swedish IP… https://t.co/ffkD1pyz9n
> 
> — Nadim Kobeissi (@kaepora) February 25, 2025

Interestingly, the Swedish Armed Forces, which have recently adopted Signal for secure, non-classified communications, have also expressed concerns regarding the proposed legislation. In a letter to the government, military officials cautioned that mandating backdoors could introduce vulnerabilities exploitable by malicious actors, thereby compromising national security. This stance highlights a discord between Sweden’s defence priorities and the objectives of its law enforcement agencies.

Justice Minister Gunnar Strömmer has defended the proposal, arguing that it is essential for law enforcement to effectively access electronic communications in the fight against serious crimes. The bill, which could be presented to the Riksdag (Swedish Parliament) as early as March next year, seeks to balance the needs of national security with individual privacy rights, a balance that is proving contentious.

William Wright, CEO of Closed Door Security, criticized the move, stating:

_“Building backdoors into software is akin to deliberately creating vulnerabilities. Once embedded, threat actors will focus on finding and exploiting them, putting millions at risk. History has shown that even government-backed backdoors, like those exploited in the Salt Typhoon attack, can be turned against the very institutions that created them. The long-term risks far outweigh any short-term benefits for law enforcement.”_

This development in Sweden is similar to debates in other countries. Notably, the United Kingdom recently demanded that Apple provide access to encrypted iCloud accounts. In response, Apple chose to remove the option for British users to protect their accounts with end-to-end encryption rather than compromise its security protocols.

These situations highlight the constant struggle between governments wanting access to private data for security reasons and the need to protect people’s privacy. As Sweden debates this proposal, the final decision could have a major impact, not just on encrypted messaging within the country but also on global conversations about privacy and digital security.

Signal Threatens to Exit Sweden Over Government’s Backdoor Proposal

Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to…

Chinese Silver Fox APT exploits trojanized medical imaging software to spread ValleyRAT malware, posing a serious threat to healthcare security and patient data.

Forescout’s Vedere Labs’ latest investigation, shared with Hackread.com, reveals that the notorious Chinese advanced persistent threat (APT) group, Silver Fox, has launched a sophisticated new campaign in which the group is exploiting DICOM (Digital Imaging and Communications in Medicine), commonly used for patient medical imaging, to distribute malicious software. 

The Silver Fox group has been active since at least 2024 and Hackread.com has followed its activities ever since. Initially, it focused on Chinese-speaking victims, distributing malware through various channels like SEO poisoning and social media usually disguised as AI applications or VPN software.

Over time, their targets broadened to include government institutions, cybersecurity companies, e-commerce, finance, and even gaming applications. Recent research suggests the group’s expansion into the healthcare sector, with malware samples originating from the US and Canada.

The current campaign uses trojanised versions of the Philips DICOM viewer‘s (PDF) executable file, which acts as a first-stage payload, checks connectivity to its command and control (C2) server using standard Windows commands, and uses PowerShell scripts to weaken Windows Defender’s defences. It then downloads encrypted payloads disguised as image files from an Alibaba Cloud storage bucket, which includes tools to disable antivirus software, auxiliary files, and shellcode.

The downloaded components are decrypted and a second-stage malicious executable is created, designed to persist on the system through scheduled tasks. This second stage disables security software and downloads another encrypted file, which after decryption reveals the core payload: the ValleyRAT backdoor.  

“During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT, a backdoor remote access tool (RAT) used to gain control of victim computers,” researchers noted in the blog post.

ValleyRAT provides attackers with extensive control over the compromised machine, potentially allowing access to sensitive hospital networks.  In addition to the backdoor, the malware also installs a keylogger to capture user input and a cryptominer to generate digital currency for the attackers. All these components are designed to persist on the system, ensuring continued operation even after reboot.

The Multi-Stage Infection Process (Source: Forescout)

The malware uses various techniques to evade detection and analysis, including obfuscation methods like API hashing and indirect retrieval, long sleep intervals, system fingerprinting, and masked DLL loading. The addition of random bytes complicates detection. Researchers found Alibaba Cloud storage buckets accessible during analysis, despite the C2 server being offline.

Researchers warn that compromised DICOM viewers pose a grave risk to healthcare delivery organizations (HDOs), as infected devices could provide an entry point into hospital networks. To mitigate these risks, HDOs should avoid downloading software from untrusted sources, restrict file loading from patient devices, implement robust network segmentation, maintain up-to-date endpoint protection, monitor network traffic, and actively search for malicious activity.

Malware Alert Icon Via Flaticon/Kliwir Art

Silver Fox APT Hides ValleyRAT in Trojanized Medical Imaging Software

Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering.

Bybit, the world’s second-largest cryptocurrency exchange, suffered a devastating $1.4 billion Ethereum (ETH) hack from a cold wallet breach on February 21, 2025. In the days following the attack, independent blockchain investigator ZachXBT traced the stolen funds directly to North Korea’s Lazarus Group, a notorious state-backed hacking organization. His findings were confirmed by Arkham Intelligence, a blockchain analysis firm, and shared with the Bybit team for further investigation.

****ZachXBT Uncovers Lazarus Group’s Crypto Trail****

On February 21 at 19:09 UTC, Arkham tweeted that ZachXBT had submitted definitive proof linking the attack to the Lazarus Group. His submission included detailed test transactions, connected wallet addresses, forensic graphs, and timing analyses; all of which suggested the hack was premeditated.

The next day, February 22, ZachXBT posted further evidence revealing that Lazarus had not only executed the Bybit hack but had also directly connected the stolen funds on-chain to the recent Phemex hack, which occurred on February 20. He identified a key overlapping address **(**0x33d057af74779925c4b2e720a820387cb89f8f65**)** where funds from both hacks had been commingled, effectively proving the same entity was responsible.

****On-Chain Evidence of Lazarus Group’s Activity********Bybit Hack Transactions (Feb 22, 2025):****

*   0xc963e65b9ec39b11076f78990c31f29aaa80705c75312dafd1748479e3e94ed0
*   0x411374feedcfa560335f00c0fcfa0a3906fdcc33687e6f924dd78ebecc45cd00

****Phemex Hack Transactions (Feb 20, 2025):****

*   0x6262a3339842240aeebae4ebfe338dbc771aa0e2df8f5a1ebcd7f9b090bedfe3

ZachXBT later tweeted that, before these transactions surfaced, he and another blockchain investigator, Josh from CF (Cryptoforensic Investigators), had already traced Bybit-related testing addresses that were involved in laundering funds from the Phemex hack via Tron. Their findings helped them secure a bounty from Arkham, which had launched a reward for anyone who could identify the Bybit hackers.

> Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the intial theft address for both incidents.
> 
> Overlap address:  
> 0x33d057af74779925c4b2e720a820387cb89f8f65
> 
> Bybit hack txns on Feb 22, 2025:… pic.twitter.com/dh2oHUBCvW
> 
> — ZachXBT (@zachxbt) February 22, 2025

****New Findings Connect Bybit Hack to BingX Hack****

Later on February 22, ZachXBT made another major revelation: Lazarus Group had also linked an address used in the September 2024 BingX hack to the same cluster of addresses responsible for the Bybit and Phemex hacks. This means that the three hacks: Bybit, BingX, and Phemex, are all connected through on-chain transactions.

****Overlap Address:****

*   0xd555789b146256253cd4540da28dcff6e44f6e50

****Bybit Hack Transaction:****

*   0x4a366130118d750715c2d35fdc07509cf943fcc988fa5e6d02211e3d5472796e

****BingX Hack Transaction:****

*   0x93424aa87731bb9b1d8cc1f708d2ac9f3faf914f368a00494d87cba3e7719e8c

> Lazarus Group just linked an address tied to the BingX hack to this same cluster a few minutes ago which now connects the Bybit, BingX, & Phemex hacks on-chain.
> 
> Overlap  
> 0xd555789b146256253cd4540da28dcff6e44f6e50
> 
> Bybit hack txn:… pic.twitter.com/CGh7pB31Xa
> 
> — ZachXBT (@zachxbt) February 22, 2025

****Investigators Publish 920+ Addresses Linked to the Hack****

On February 22 at 9:05 PM UTC, ZachXBT tweeted that he had spent the entire day graphing the laundering movements of the stolen Bybit funds. He also made 920+ theft-linked wallet addresses publicly available to help exchanges and security teams block illicit transactions.

Bybit responded to his findings with a tweet on February 23 at 9:17 AM, thanking ZachXBT for his work, stating: “Big shoutout to @ZachXBT for always keeping the space sharp. 👀🔍 Your work didn’t go unnoticed—much respect.”

****Bybit Resumes Operations and Warns of Scammers****

Despite the massive theft, Bybit announced that deposits and withdrawals on the platform had returned to normal. However, the exchange warned users of scammers impersonating Bybit employees, urging them to verify all communications and avoid sharing personal information.

“Scammers are out there pretending to be Bybit employees. Stay sharp! Bybit will never ask for your personal info, deposits, or passwords,” Bybit tweeted.

****Coordinated Effort Freezes $42.89M in Stolen Funds****

A coordinated global effort among crypto security teams led to the freezing of $42.89 million in stolen assets within a single day. According to ByBit’s tweet, several key players in the industry, including stablecoin issuers and exchanges, helped track and block the movement of the hacked funds.

****Funds Frozen by Various Entities:****

*   **ChangeNOW:** Froze 34 ETH
*   **Circle:** Assisted with crucial clues
*   **THORChain:** Blocked the blacklist
*   **FixedFloat:** Froze 120K USDC + USDT
*   **Avalanche (AVAX):** Froze 0.38755 BTC
*   **Bitget:** Blocked the blacklist and froze 84 USDT
*   **Tether:** Flagged an address and froze 181K USDT
*   **CoinEx:** Blocked the blacklist and provided key insights

Bybit acknowledged and praised these companies for their swift response, stating that their efforts were essential in tracking and freezing the hacked funds.

****Who is the Lazarus Group?****

The Lazarus Group is a state-sponsored North Korean hacking organization responsible for some of the biggest cyber heists in history. First identified in the early 2010s, the group has been linked to multiple high-profile financial and cyber attacks, including the 2014 Sony Pictures hack, the 2017 WannaCry ransomware attack, and a long list of crypto exchange breaches.

Their primary objective is stealing funds to support North Korea’s heavily sanctioned economy, which struggles under international financial restrictions. According to intelligence agencies and blockchain analytics firms, Lazarus has stolen over $3 billion in cryptocurrency since 2018, with much of the funds being funnelled into North Korea’s nuclear weapons program and military operations.

The group typically executes attacks through social engineering, phishing, and exploiting security vulnerabilities in crypto platforms. Their laundering methods often involve mixing services, decentralized exchanges, and cross-chain swaps to cover transaction trails before cashing out.

Nevertheless, the ByBit incident is one of the largest crypto hacks in history, backing concerns about security vulnerabilities in centralized exchanges. The rapid response from blockchain investigators like ZachXBT, exchanges, and security teams has helped mitigate the impact, but the attack further highlights the sophisticated tactics of hacking groups like Lazarus.

With Bybit now operational again, the industry remains on high alert as investigations continue into the laundering of the stolen funds.

1.  **North Korean Hackers Team Up with Play Ransomware**
2.  **Lazarus Group Exploits Chrome 0-Day for Crypto Theft**
3.  **KnowBe4 Tricked into Hiring North Korean Hacker as IT Pro**
4.  **Elite North Korean Hackers Breach Russian Missile Developer**
5.  **North Korean APT37 Unleashes Dolphin Backdoor on South Korea**

Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group

Plus: Apple turns off end-to-end encrypted iCloud backups in the UK after pressure to install a backdoor, and two spyware apps expose victim data—and the identities of people who installed the apps.

As the so-called Department of Government Efficiency continues to rampage through the United States government by making sweeping cuts to the federal workforce, numerous ongoing lawsuits allege that the group’s access to sensitive data violates the Watergate-inspired Privacy Act of 1974 and that it needs to halt its activity. Meanwhile, DOGE cut staff this week at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and gained access to CISA’s digital systems after the agency had already frozen its eight-year-old election security initiatives late last week.

The National Institute of Standards and Technology was also bracing this week for roughly 500 staffers to be fired, which could have serious impacts on NIST’s cybersecurity standards and software vulnerability tracking work. And cuts last week at the US Digital Service included the cybersecurity lead for the central Veterans Affairs portal, VA.gov, potentially leaving VA systems and data more vulnerable without someone in his role.

Multiple US government departments are now considering bans on China-made TP-Link routers following recent aggressive Chinese digital espionage campaigns. (The company denies any connection to cyberattacks.) A WIRED investigation found that users of Google’s ad tech can target categories that shouldn’t be available under the company’s policies, including people with chronic diseases or those in debt. Advertisers could also target national security “decision makers” and people involved in the development of classified defense technology.

Google researchers warned this week that hackers tied to Russia have been tricking Ukrainian soldiers with fake QR codes for Signal group invites that exploited a flaw to allow the attackers to spy on target messages. Signal has rolled out updates to stop exploitation. And a WIRED deep dive examines how difficult it can be for even the most connected web users to have nonconsensual intimate images and videos of themselves removed from the web.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Running a cryptocurrency exchange is a risky business, as hacking victims like Mt. Gox, Bitfinex, FTX, and plenty of others can attest. But never before has a platform for buying and selling crypto lost a 10-figure dollar sum in a single heist. That new record belongs to ByBit, which on Friday revealed that thieves hacked its Ethereum-based holdings. The hackers made off with a sum that totals to $1.4 billion, according to an estimate by cryptocurrency tracing firm Elliptic—the largest crypto theft of all time by some measures.

ByBit CEO Ben Zhou wrote on X that the hackers had used a “musked transaction”—likely a misspelling of “masked transaction”—to trick the exchange into cryptographically signing a change in the code of the smart contract controlling a wallet holding its stockpile of Ethereum. “Please rest assured that all other cold wallets are secure,” Zhou wrote, suggesting that the exchange remained solvent. “All withdraws are NORMAL.” Zhou later added in another note on X that the exchange would be able to cover the loss, which if true suggests that no users will lose their funds.

The theft dwarfs other historic hacks of crypto exchanges like Mt. Gox and FTX, each of which lost sums of cryptocurrency that were worth hundreds of millions of dollars at the time the thefts were discovered. Even the stolen loot from the 2016 Bitfinex heist, which was worth close to $4.5 billion at the time the thieves were identified and the majority of the funds recovered in 2022, was only worth $72 million at the time of the theft. ByBit’s $1.4 billion is by that measure a far bigger loss and, considering that all crypto thefts in 2024 totaled to $2.2 billion, according to blockchain analysis firm Chainalysis, a stunning new benchmark in crypto crime.

**Bowing to a Government Demand, Apple Disables iCloud End-to-End Encryption in the UK**

The British government earlier this month raised privacy alarms worldwide when it demanded that Apple give it access to users’ end-to-end encrypted iCloud data. That data had been protected with Apple’s Advanced Data Protection feature, which encrypts stored user information such that no one other than the user can decrypt it—not even Apple. Now Apple has caved to the UK’s pressure, disabling that end-to-end encryption feature for iCloud across the country. Even as it turned off that protection, Apple expressed its reluctance in a statement: "Enhancing the security of cloud storage with end-to-end-encryption is more urgent than ever before," the company said. "Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in future in the UK." Privacy advocates worldwide have argued that the move—and the UK’s push for it—will weaken the security and privacy of British citizens and leave tech companies vulnerable to similar surveillance demands from other governments around the world.

**Cocospy and Spyic Stalkerware Apps Expose Millions of Victims’ Data Online**

The only thing worse than the scourge of stalkerware apps—malware installed on phones by snooping spouses or other hands-on spies to surveil virtually all of the victim’s movements and communications—is when those apps are so badly secured that they also leak victims’ information onto the internet. Stalkerware apps Cocospy and Spyic, which appear to have been developed by someone in China and largely share the same source code, left data stolen from millions of victims exposed, thanks to a security vulnerability in both apps, according to a security researcher who discovered the flaw and shared information about it with TechCrunch. The exposed data included messages, call logs, and photos, TechCrunch found. In a karmic twist, it also included millions of email addresses of the stalkerware’s registered users, who had themselves installed the apps to spy on victims.

$1.4 Billion Stolen From ByBit in Biggest Crypto Theft Ever

Apple is removing its Advanced Data Protection (ADP) feature for iCloud from the United Kingdom with immediate effect following government demands for backdoor access to encrypted user data.
The development was first reported by Bloomberg.
ADP for iCloud is an optional setting that ensures that users' trusted devices retain sole access to the encryption keys used to unlock data stored in its

Apple Drops iCloud's Advanced Data Protection in the U.K. Amid Encryption Backdoor Demands

Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

TP-Link is one of the most popular router manufacturers in the US, but the company is facing a potential ban due to security concerns about its links to China. A December report from The Wall Street Journal revealed that the US Commerce, Defense, and Justice Departments are investigating TP-Link, though no evidence of deliberate wrongdoing has yet emerged.

“We are a US company,” Jeff Barney, president of TP-Link told WIRED, “We have no affiliation with TP-Link Tech, which focuses on mainland China, and we can prove our separateness.”

The investigation was sparked by a letter from John Moolenaar, a Republican for Michigan, and Raja Krishnamoorthi, a Democrat of Illinois. Both are on the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. They outlined concerns that Chinese state-sponsored hackers may be able to compromise TP-Link’s routers more easily than other brands and thereby infiltrate US systems, and that TP-Link is subject to Chinese law, meaning it can be forced to hand over sensitive US information by Chinese intelligence officials.

Photograph: Simon Hill

TP-Link was founded in China in 1996 by two brothers, and TP-Link USA was established in 2008. It wasn’t until 2022 that the Chinese and US wings began to split. The process of moving the 170 subsidiaries and all the related ownership out of Hong Kong and into the United States was delayed by the pandemic, says Barney, but it was divested and restructured by 2024.

TP-Link now has headquarters in California and Singapore and manufactures in Vietnam. It researches, designs, develops, and manufactures everything except chipsets in-house, according to Barney. “Our entities in China are governed directly by us, our employees badged by us, secured by us, in our own facilities.” He also says TP-Link has shared documentation with investigators and that its factory in Vietnam was audited by US retail partners like Walmart, Best Buy, and Costco.

“Everybody has a Nexus in China,” Barney says. He claims that American rival Netgear uses Chinese ODMs (original device manufacturers) to build its products and that even Apple relies on manufacturing in China. Netgear says its routers are manufactured in Taiwan, Vietnam, and Thailand, not China.

**Competition Concerns**

The WSJ report suggests that TP-Link has a leading 64.9 percent share of the US router market, but TP-Link disputes this. The company claims its share hovered around 20 percent for the last few years, but jumped to a 36.5 percent unit share and a 30.7 percent dollar share in 2024. But even TP-Link’s lower estimate shows a company in the ascendancy. This dominance has been driven by aggressively low prices and a relatively early roll-out of Wi-Fi 7 routers, perceived by some as a concerted effort to flood the US market.

“Technology should not be exorbitant,” Barney says. “We're trying to democratize these products.”

However, the wide product range raises questions, with many wondering how TP-Link can profit from routers sold at such low prices compared to the competition. Former CNET reviewer Dong Ngo explores this point on the in-depth router review website, Dong Knows.

Concerns about the links between Chinese companies and its government are nothing new. The ban on Huawei’s networking equipment and US sanctions came after years of cybersecurity concerns and intellectual property lawsuits brought by US companies. The TikTok ban is not being enforced by President Donald Trump’s administration, but owner ByteDance is still under pressure to divest its US operations. These situations can be tricky for the average person to navigate because the lines between shoddy security, Chinese espionage, US protectionism, and the growing trade war are distinctly blurry and are not mutually exclusive.

It’s no secret that US competitor Netgear has been lobbying the US government on “cybersecurity and strategic competition with China.” Netgear has had a tough couple of years after adopting a premium pricing strategy that did not resonate with consumers. It has also been embroiled in litigation against TP-Link for patent infringement, resulting in TP-Link paying a $135 million settlement in September 2024.

**Are TP-Link Routers Secure?**

TP-Link has signed CISA’s “Secure by Design” pledge and is part of the Technical Exchange Group. It has a vulnerability disclosure program, where independent researchers and the security community can report potential issues to security@tp-link.com. It claims report response time was 8.4 days on average in 2023, with patches released in an average of 38.5 days. The company is also planning to launch a bug bounty program.

Barney claims TP-Link’s rate of vulnerabilities per product is significantly lower than many of its peers, including Netgear and Cisco, citing public data collected by Finite State, an independent US cybersecurity company, from CVE Details, VulDB, and CISA (Cybersecurity and Infrastructure Security Agency), but not everyone agrees.

“TP-Link does not have a great reputation for patching vulnerabilities or working with security researchers, which does raise alarm bells,” Pieter Arntz, malware intelligence researcher for Malwarebytes told WIRED via email.

Photograph: TP-Link; Data Source: U.S. Cybersecurity and Infrastructure Security Agency

TP-Link was criticized in a recent Microsoft report over a “password spraying” hack that mostly impacted its routers, and the report suggested Chinese “nation-state threat actor activity.” Barney says these were end-of-service products and that Asus and Netgear routers were also impacted.

Other incidents include a Check Point Research exposé of a malicious firmware implant for TP-Link routers, linked to a Chinese state-sponsored “advanced persistent threat” group dubbed “Camaro Dragon.” Cyfirma researchers also found TP-Link router vulnerabilities for sale on underground forums.

“It’s also a challenge because regardless of the home router vendor, there will always be vulnerabilities found,” Arntz says.

A part of the problem with older routers is that the onus is often on the user to download and install updates, and this is rarely automatic or as simple as clicking on “update,” which means many patches are never installed, creating vulnerable devices for any savvy cybercriminals or nation-states. Even months after TP-Link released patches for a vulnerability on its popular Archer AX21 router, hackers continue to scan for and exploit it on unpatched routers.

These security concerns are moot in the face of built-in backdoors. Backdoors can be pieces of code or even hardware added to the circuit board that enables remote parties to gain access and potentially control the device. There’s no evidence that TP-Link devices have backdoors, but, as Ngo points out, when you use an online account with your router, you are already giving the company access through the front door. Whether remote connectivity is justified by the need for automatic software updates, remote control access, or other features for users, it effectively gives the manufacturer access to your router.

**Should You Worry?**

Ultimately, the concern isn’t so much about the Chinese government or other malicious actors spying on your web browsing habits—though that is possible—it’s the idea they might employ your router as a part of a botnet to launch a cyberattack on a US government agency or major service provider.

The NSA has been concerned about Chinese hackers for some time now, and China's Salt Typhoon spies continue to infiltrate US internet service providers and telecommunications companies. Speaking on the _NatSec Tech_ podcast recently, former special assistant to the president and cybersecurity coordinator on the US National Security Council, Rob Joyce, likened TP-Link routers to a Trojan Horse and suggested China is pre-positioning for a potentially devastating attack on US infrastructure.

While some cybersecurity experts suggest a ban is imminent, Barney is confident that TP-Link routers won’t be banned. Investigations are ongoing. Even if the government doesn't find anything or decides against a ban, it won’t publicly clear TP-Link. It’s more likely the investigation will fade from the news.

Photograph: Simon Hill

For owners of a TP-Link router or anyone considering buying one, it all boils down to trust. We've tested and recommend several TP-Link routers and Deco mesh systems in our buying guides because they offer good value and great performance. But we continually update our guides and will monitor the situation before deciding whether we need to reconsider those recommendations.

There’s no easy fix because all the major router manufacturers have issues with vulnerabilities, and most of them require you to use an online account. You can go down the rabbit hole with router security, or seek out security-focused brands like Firewalla, but expect to pay more for your equipment in both time and money.

Even if you stick with what you have, there are steps you can take to be more secure online. We recommend using a VPN service and learning a little about router settings. Malwarebytes’ Arntz says the most secure router is the one on which you are comfortable changing the settings: credentials, firewall options, and especially installing updates.

Here’s his advice for home TP-Link router owners who are concerned:

*   First, update your login credentials. Ensure you have moved away from the default login credentials set by the router manufacturer (or internet provider). Make this password different from your Wi-Fi name and password. And remember, length equals strength when it comes to passwords.
*   Second, patch your device and set a reminder to check regularly for firmware updates.
*   Third, turn on the firewall and Wi-Fi encryption. You can find these settings by logging into your router from its app or website.
*   Finally, consider purchasing a new router from a different vendor with a less problematic history.

TP-Link also manufactures a wide range of smart home devices marketed under the Tapo brand, including everything from security cameras to water leak detectors. These are not part of the current investigation, which seems to be focused solely on routers. TP-Link says it has applied to the FCC’s Cyber Trust Mark program administered by UL Solutions, which ensures that internet-of-things devices are tested and labeled secure. Sadly, there is no such program for routers.

The US Is Considering a TP-Link Router Ban—Should You Worry?

Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

**Significant Enhancements to macOS Malware**

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc\_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED\_STRATEGY, while an additional method involves placing the payload inside the TARGET\_DEVICE\_FAMILY key under build settings and running it at a later phase.

**Advice for macOS Cyber Defenders**

Though traditionally not a target for threat actors, the macOS platform has become increasingly more at risk to malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for…

The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for malicious purposes. Learn how this threat works and how to protect yourself.  

Cybersecurity researchers at Netskope have discovered a new, functional, but possibly still-in-development, Golang-based backdoor that uses Telegram for command and control (C2).

This malware (Trojan.Generic.37477095), apparently of Russian origin, takes advantage of cloud services like Telegram, which are easy for attackers to use and difficult for researchers to monitor. This method of C2 communication avoids the need for dedicated attacker infrastructure. Other cloud platforms like OneDrive, GitHub, and Dropbox could also be misused in this way.

Upon execution, the malware, compiled in Go, initiates an “installSelf” function. This function checks if the malware is running from the designated location and filename: “C:\\Windows\\Temp\\svchost.exe”. If it does not, the malware copies itself to that location, creates a new process to launch the copy, and then terminates the original instance. This process, executed in an initialization function, ensures the malware runs from the intended location before proceeding. 

Detect It Easy tool used by researchers shows malware acting like a backdoor upon execution (Screenshot via Netskope)

For C2 communication, the backdoor employs an open-source Go package to interact with Telegram. It establishes a bot instance using the Telegram BotFather feature and a specific token (8069094157:AAEyzkW\_3R3C-tshfLwgdTYHEluwBxQnBuk in the analysed sample). The malware then monitors a designated Telegram chat for new commands.

The malware supports four commands, but only three are currently implemented. It validates the length and content of received messages before execution. The “/cmd” command requires two messages: the command itself, followed by a PowerShell command to be executed.

In the next phase, the malware sends a Russian-language prompt (“Enter the command:”) to the chat after receiving the initial command and then waits for the subsequent PowerShell command. This command is then executed in a hidden PowerShell window. 

The “/persist” command replicates the initial installation check and process, relaunching the malware and exiting. The “/screenshot” command, while not fully implemented, still sends a “Screenshot captured” message to the Telegram channel. 

The “/selfdestruct” command deletes the malware file (C:\\Windows\\Temp\\svchost.exe) and terminates the process, notifying the Telegram channel with a “Self-destruct initiated” message. All command outputs are transmitted back to the Telegram channel via the “sendEncrypted” function.

This exploitation of cloud applications for malicious purposes highlights the challenges faced by defenders.

“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from a defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” researchers noted in their technical blog post.

To stay protected, ensure you have up-to-date and reputable antivirus and anti-malware software installed on all your devices. These solutions should be capable of detecting and blocking malicious files, including Go-based executables.

Hackers Exploit Telegram API to Spread New Golang Backdoor

Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications.
Netskope Threat Labs, which detailed the functions of the malware, described it as possibly of Russian origin.
"The malware is compiled in Golang and once executed it acts like a backdoor," security researcher Leandro Fróes said in an analysis

New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations

Plus: Researchers find RedNote lacks basic security measures, surveillance ramps up around the US-Mexico border, and the UK ordering Apple to create an encryption backdoor comes under fire.

As the United States reels from the upheaval caused by Elon Musk’s so-called Department of Government Efficiency (DOGE), hackers from countries the US considers hostile continue to wreak havoc from afar.

New research shows that China’s Salt Typhoon hacking group has expanded its targets list to include universities around the world and at least two more telecoms operating in the US. That brings the total number of US telecommunications networks breached by Salt Typhoon to at least 11.

Russia’s notorious Sandworm hacking unit may be best known for its attacks on Ukraine, including multiple blackouts caused by its cyberattacks and its release of the destructive NotPetya malware. However, a hacking group within Sandworm is now taking aim at targets in Western nations, including Australia, Canada, the UK, and the US, according to research released this week by Microsoft. The group, which Microsoft calls BadPilot, is known as an “initial access operation,” breaching targets for the purpose of handing over access to those systems to other Sandworm hackers.

Meanwhile, we dug into the slimy world of romance scammers who are making ill-gotten fortunes by capitalizing on the loneliness epidemic, and we dipped into the opaqueness of online advertising data that could pose a threat to US national security. Finally, we found that US funding cuts under the new Trump administration are hurting the organizations protecting children from exploitation, abuse, and human trafficking.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**The Official DOGE Website Launch Was a Security Mess**

Elon Musk’s DOGE finally started publishing some information about its activities on its threadbare website this week. But it wasn’t the only entity publishing on the site.

Two web developers, working independently, found that it is possible to push updates to the DOGE.gov domain, which claims to be an official US government website. The website uses a database that can be edited by anyone online, the experts told 404Media. To demonstrate the insecurity, they left a couple of messages on the DOGE site: “This is a joke of a .gov site,” one read, while the other says: “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN.”

The messages stayed on the website for at least 12 hours and remained visible for some time on Friday. The DOGE website was launched in January and until this week was a single landing page containing very little information. The web experts who discovered the vulnerabilities told 404Media that the website appeared to have been “slapped together.”

The website only started being populated this week—with some figures purporting to show the size of the US government—after Musk promised his organization would be “maximally transparent.” That transparency may have gone a step too far, however, with HuffPost reporting on Friday that the site included classified material.

As well as being insecure, the DOGE website heavily leans on X, the social media platform owned by Musk. DOGE’s homepage is a feed of its own X posts, but it also uses code that directs search engines to X.com instead of DOGE.gov, a WIRED review of the site found. “This isn't usually how things are handled, and it indicates that the X account is taking priority over the actual website itself,” one developer told WIRED.

**RedNote Security Flaws Come Into Focus**

Chinese TikTok alternative RedNote gained around 700,000 US users and courted American influencers when the ban on TikTok loomed in January. While many of those people may have only used RedNote for a few days, a new analysis from the University of Toronto’s Citizen Lab has highlighted how a lack of encryption could have opened up US users to “surveillance by any government or ISP \[Internet Service Provider\], and not just the Chinese government.”

The analysis of RedNote found a host of network security issues in both its Android and iOS apps. RedNote fetched images and videos using HTTP connections, not the industry standard and encrypted HTTPS; some versions of the app contained a vulnerability that allows an attacker to have “read” permissions on a phone; and it “transmitted insufficiently encrypted device metadata.” The flaws were contained in RedNote’s app and several third-party software libraries that it uses. Citizen Lab reported the issues to the companies starting in November 2024 but has not heard back from any of them.

The security researchers say that the vulnerabilities could risk surveillance for all users, including those in China. “As the Chinese government might already have mechanisms to lawfully obtain detailed data from RedNote about their users, the issues that we found also make Chinese users especially vulnerable to surveillance by non-Chinese governments,” the research says.

It underscores that within China even widely used apps may not meet the same security standards as those developed outside the country. “Applications that are popular in China often use no encryption, proprietary encryption protocols, or use TLS without certificate validation to encrypt sensitive data,” the analysis says.

**Military Spy Planes Increase Surveillance Flights at US-Mexico Border**

Over the last two weeks, US spy planes have flown at least 18 missions around the Mexico border, analysis from CNN has shown. The flights mark a “dramatic escalation in activity,” the publication reports, and come as the Trump administration has designated drug cartels as terrorist organizations and has turned the nation’s security apparatus toward deporting millions of migrants. According to CNN, various military planes, including Navy P-8s and a U-2 spy plane, were used in the operations and are capable of collecting both imagery and signals intelligence. Also this week, US Immigration and Customs Enforcement has advertised new contracts that would allow it to monitor “negative” social media posts that people make about it.

**Backlash Mounts Against UK’s Secret Apple Encryption Order**

Last month, the UK government hit Apple with a secret order demanding the company create a way to access data stored in encrypted iCloud backups. The order, called a Technical Capability Notice and issued under the UK’s controversial 2016 surveillance law, was first reported by The Washington Post last week. Since then, there’s been a growing backlash against the demands from the UK government, with many highlighting how a change would impact the security of millions around the world.

US senator Ron Wyden and representative Andy Biggs have sent a letter to Tulsi Gabbard, the new director of national intelligence, saying the order undermines trust between the US and UK. “If the UK does not immediately reverse this dangerous effort, we urge you to reevaluate US-UK cybersecurity arrangements and programs as well as US intelligence sharing with the UK,” the pair said, drawing comparisons to the Chinese-linked Salt Typhoon hacks of US telecom firms that utilized a surveillance “backdoor.” Since details of the order emerged, Human Rights Watch has called it an “alarming overreach,” while 109 civil society organizations, companies, and other groups signed an open letter saying the “demand jeopardizes the security and privacy of millions.”

Tag

#backdoor