There’s a graveyard of brilliant cybersecurity companies that no one has ever heard of. These firms had incredible…

There’s a graveyard of brilliant cybersecurity companies that no one has ever heard of. These firms had incredible technical talent, were able to spot vulnerabilities others missed, and poured blood, sweat, and tears into building elegant solutions to complex problems. In other words, they knew their stuff. And yet, they failed.

Meanwhile, there are plenty of companies out there with decent but not amazing technology that are thriving, growing, and still gathering plenty of investment. So what is happening here? 

The uncomfortable truth is that in the current cybersecurity market, being the smartest team in the room isn’t enough. The market doesn’t automatically reward the best technology. Instead, it rewards the best-known technology.

But this pattern isn’t exactly unique to the cybersecurity space. History is full of similar examples:

Betamax offered superior video quality to VHS but lost the format war. The electric car was invented in 1890 but was overshadowed by gas engines for over a century. Brilliant social networks like Path and Google+ were technically superior to Facebook in many ways, but they faded away into obscurity. 

The real question is: why does this keep happening, and what can smart cybersecurity companies do about it?

****The Death of “Build It and They Will Come”****

In the early days of cybersecurity, technical excellence was usually enough. The market was much smaller than it is today, and the buyers were more technical. But that era is over.

The cybersecurity space we see today resembles a crowded, noisy bazaar rather than a quiet specialist shop. There are thousands of vendors competing for attention, so much so that even genuinely innovative solutions struggle to get noticed.

What used to be a specialized technical field has expanded into every aspect of business operations. Board members who never cared about security now ask pointed questions about risk. Companies that never had security budgets now have entire departments.

In this dynamic, technical brilliance without visibility is like having the world’s best restaurant hidden in an alley with no sign. The food might be amazing, but not many people will show up. 

****Your Buyers Aren’t Where You Think They Are****

The modern B2B buyer journey has changed a lot in the past decade.

The modern security buyer does a lot of their research independently. They won’t usually contact vendors until they are close to making a decision. This means they’re not sitting around waiting for cold calls or reading technical journals.

Instead, they’re asking their peers in private Slack channels, reading security blogs and newsletters, following thought leaders on social media, attending conferences, listening to podcasts on their commute, and even asking LLMs which vendors they would recommend. If you’re not visible in these places, you don’t exist to many potential buyers.

****The Multi-Channel Security Marketing Equation****

Here’s the new formula: Expertise × Visibility = Success!

When marketing for cybersecurity, a multi-channel approach is your golden ticket to connecting with decision-makers and being given a chance to showcase your solutions. It’s the bridge that links your technical brilliance to the people who need it most, turning unknown expertise into recognized value that clients would be happy to invest in. 

****1\. Inbound Marketing** **

Security professionals are hungry for genuine insight. They’re looking for content that makes them better at their jobs, calms their anxieties, or gives them a deeper understanding of what is going on in the industry around them. They’re not just content that fills space.

To help meet this need, publish a deep technical analysis that proves you know what you’re talking about. This could be a vulnerability research piece that makes other security pros say, “Huh, I hadn’t thought of that.” Or perhaps it’s threat breakdowns that actually teach something new or original perspectives from your team that add to the conversation instead of rehashing the obvious.

When someone types a specific security problem into Google, you want your content to be what they find. And when they read it, it should make them think, “These people get it. They understand the problem better than I do.”

Do some topic and keyword research in your area of expertise and see what terms you could rank for. The more of these queries you can satisfy with your content, the more inbound traffic you will bring to your site. 

****2\. Outbound Marketing** **

Most security professionals have an allergic reaction to traditional outbound marketing (as most people do). But outbound marketing done right shouldn’t feel like spam. 

It means targeted outreach based on actual need signals, reaching out when a company has shown signs it might need your services. It means customized campaigns for specific high-value targets. And it means participation in speaking engagements like conferences, webinars, and workshops that showcase your team’s expertise.

****3\. Third-Party Validation** **

Perhaps nothing matters more in the cybersecurity space than building trust. You’re asking clients to put their most sensitive assets in your hands, and they need to know you’re legitimate.

That’s why getting featured in leading publications is so important for cybersecurity companies. When a reliable Magazine covers your research or solution, you’re borrowing their established credibility. This acts as powerful social proof that you’re a legitimate player in the security space.

The key is learning how to write cyber press releases that journalists actually want to read. Most security news gets ignored because it blends into the background noise of vendor announcements. Your cyber press releases need to highlight something genuinely newsworthy. That could be a novel research finding, an unusual threat discovery, or a truly innovative approach to a common problem.

****Final Word****

For technical founders and executives frustrated by slow growth despite having what they feel is superior technology, this reality can be hard to accept. The good news is that the same analytical skills that make for good security work apply to marketing effectiveness.

Start by mapping out your ideal client’s information sources. Where do they learn? Who do they trust? What problems keep them up at night? Then create a presence in those spaces with content that addresses those specific concerns.

Be patient but persistent. Security is built on trust, and trust takes time to establish. However, once established, that trust creates a moat around your business that competitors struggle to cross.

Why Quiet Expertise No Longer Wins Cybersecurity Clients

Artificial intelligence is driving a massive shift in enterprise productivity, from GitHub Copilot’s code completions to chatbots that mine internal knowledge bases for instant answers. Each new agent must authenticate to other services, quietly swelling the population of non‑human identities (NHIs) across corporate clouds.
That population is already overwhelming the enterprise: many companies

AI Agents and the Non‑Human Identity Crisis: How to Deploy AI More Securely at Scale

Thanks to drastic policy changes in the US and Big Tech’s embrace of the second Trump administration, many people are moving their digital lives abroad. Here are a few options to get you started.

From your email to your web browsing, it’s highly likely that your daily online life is dominated by a small number of tech giants—namely Google, Microsoft, and Apple. But since Big Tech has been cozying up to the second Trump administration, which has taken an aggressive stance on foreign policy, and Elon Musk’s so-called Department of Government Efficiency (DOGE) has ravaged through the government, some attitudes towards using US-based digital services have been changing.

While movements to shift from US digital services aren’t new, they’ve intensified in recent months. Companies in Europe have started moving away from some US cloud giants in favor of services that handle data locally, and there have been efforts from officials in Europe to shift to homegrown tech that has fewer perceived risks. For example, the French and German governments have created their own Docs word processor to rival Google Docs.

Meanwhile, one consumer poll released in March had 62 percent of people from nine European countries saying that large US tech companies were a threat to the continent’s sovereignty. At the same time, lists of non-US tech alternatives and European-based tech options have seen a surge in visitors in recent months.

For three of the most widely used tech services—email, web browsers, and search engines—we’ve been through some of the alternatives that are privacy-focused and picked some options you may want to consider. Other options are available, but these organizations and companies aim to minimize data they collect and often put privacy first.

There are caveats, though. While many of the services on this list are based outside of the US, there’s still the potential that some of them rely upon Big Tech services themselves—for instance, some search engines can use results or indexes provided by Big Tech, while companies may use software or services, such as cloud hosting, that are created by US tech firms. So trying to distance yourself entirely may not be as straightforward as it first looks.

**Web Browsers**

Mullvad

Based in Sweden, Mullvad is perhaps best known for its VPN, but in 2023 the organization teamed up with digital anonymity service Tor to create the Mullvad Browser. The open source browser, which is available only on desktop, says it collects no user data and is focused on privacy. The browser has been designed to stop people from tracking you via browser fingerprinting as you move around the web, plus it has a “private mode” that isolates tracking cookies enabled by default. “The underlying policy of Mullvad is that we never store any activity logs of any kind,” its privacy policy says. The browser is designed to work with Mullvad’s VPN but is also compatible with any VPN that you might use.

Vivaldi

WIRED’s Scott Gilbertson swears by Vivaldi and has called it the web’s best browser. Available on desktop and mobile, the Norwegian-headquartered browser says it doesn’t profile your behavior. “The sites you visit, what you type in the browser, your downloads, we have no access to that data,” the company says. “It either stays on your local machine or gets encrypted.” It also blocks trackers and hosts data in Iceland, which has strong data protection laws. Its privacy policy says it anonymizes IP addresses and doesn’t share browsing data.

**Search Engines**

Qwant French search engine Qwant has built its own search index, crawling more than 20 billion pages to create its own records of the web. Creating a search index is a hugely costly, laborious process, and as a result, many alternative search engines will not create an extensive index and instead use search results from Google or Microsoft’s Bing—enhancing them with their own data and algorithms. Qwant says it uses Bing to “supplement” search results that it hasn’t indexed. Beyond this, Qwant says it does not use targeted advertising, or store people’s search history. “Your data remains confidential, and the processing of your data remains the same,” the company says in its privacy policy.

Mojeek

Mojeek, based out of the United Kingdom, has built its own web crawler and index, saying that its search results are “100% independent.” The search engine does not track you, it says in its privacy policy, and only keeps some specific logs of information. “Mojeek removes any possibility of tracking or identifying any particular user,” its privacy policy says. It uses its own algorithms to rank search results, not using click or personalization data to create ranks, and says that this can mean two people searching for the same thing while in different countries can receive the same search results.

Startpage

Based in the Netherlands, Startpage says that when you make a search request, the first thing that happens is it removes your IP address and personal data—it doesn’t use any tracking cookies, it says. The company uses Google and Bing to provide its search results but says it acts as an “intermediary” between you and the providers. “Startpage submits your query to Google and Bing anonymously on your behalf, then returns the results to you, privately,” it says on its website. “Google and Microsoft do not know who made the search request—instead, they only see Startpage.”

Ecosia

Nonprofit search engine Ecosia uses the money it makes to help plant trees. The company also offers various privacy promises when you search with it, too. Based in Germany, the company says it doesn’t collect excessive data and doesn’t use search data to personalize ads. Like other search alternatives, Ecosia uses Google’s and Bing’s search results (you can pick which one in the settings). “We only collect and process data that is necessary to provide you with the best search results (which includes your IP address, search terms and session behavioral data),” the company says on its website. The information it collects is gathered to provide search results from its Big Tech partners and detect fraud, it says. (At the end of 2024, Ecosia partnered with Qwant to build more search engine infrastructure in Europe).

**Email Providers**

ProtonMail

Based in Switzerland, Proton started with a privacy-focused email service and has built out a series of apps, including cloud storage, docs, and a VPN to rival Google. The company says it cannot read any messages in people’s inboxes, and it offers end-to-end encryption for emails sent to other Proton Mail addresses, as well as a way to send password protected emails to non Proton accounts. It blocks trackers in emails and has multiple account options, including both free and paid choices. Its privacy policy describes what information the company has access to, which includes sender and recipient email addresses, plus IP addresses where messages arrive from, message subject lines, and when emails are sent. (Despite Switzerland’s strong privacy laws, the government has recently announced it may require encrypted services to keep user’s data, something that Proton has pushed back on).

Tuta

Tuta, which used to be called Tutanota and is based in Germany, says it encrypts email content, subject lines, calendars, address books, and other data in your inbox. “The only unencrypted data are mail addresses of users as well as senders and recipients of emails,” it says on its website, adding that users' encryption keys cannot be accessed by developers. Like Proton, emails sent between Tuta accounts are end-to-end encrypted, and you can send password protected emails when messaging an account from another email provider. The company also has an end-to-end encrypted calendar and offers both free and paid plans.

The Privacy-Friendly Tech to Replace Your US-Based Email, Browser, and Search

SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

The full source code of SilverRAT, a notorious remote access trojan (RAT), has been leaked online briefly appearing on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly taken down.

A snapshot of the repository, captured by Hackread.com via the Wayback Machine, reveals the entire project, its features, build instructions, and even a flashy marketing-style dashboard screenshot.

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****What Is SilverRAT?****

SilverRAT is a remote access trojan developed in C#, first surfacing in late 2023. It was attributed to a group known as **Anonymous Arabic**, believed to operate out of Syria. This tool gives attackers control over infected Windows systems, offering a range of malicious capabilities.

Researchers who have analyzed SilverRAT say it has become popular in underground forums, where it’s offered as malware-as-a-service (MaaS). Its feature set includes:

*   Cryptocurrency wallet monitoring
*   Hidden applications and processes
*   Data exfiltration through Discord webhooks
*   Exploit builders for Word, Excel, VBScript, and JavaScript files
*   Antivirus bypass and binder functions to bundle multiple payloads
*   Hidden RDP and VNC sessions (allowing attackers to take over a system invisibly)
*   Password stealing from browsers, apps, games, bank cards, Wi-Fi, and system credentials

The malware’s design and use of Arabic-language components suggest its roots lie in the Middle East, though it’s been observed in campaigns targeting victims globally. The developer behind SilverRAT has been identified as noradlb1, publicly known as MonsterMC.

****Details of the Source Code Leak****

The leaked GitHub repository, posted by a user named Jantonzz, claimed to share the “latest version” of SilverRAT. The project included Visual Studio solution files, build instructions, and code modules that could be easily compiled by anyone with basic .NET knowledge.

The repository description boasted that the RAT is “provided for learning and experimentation purposes only,” though the long list of weaponized features leaves little doubt about its real-world criminal applications. It even promised a “Private Stub,” a customized, fully undetectable (FUD) version that would supposedly be delivered by email within two days.

Within hours, GitHub took down the repository, likely in response to reports or automatic detection of malware content. However, the brief window of public access was enough for the snapshot to be archived and circulated in security research circles.

As of now, the repository has been removed from GitHub, but the archived snapshot (attached below) shows its full content, including the dashboard image, build files, and README instructions:

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****Legitimacy and Consequences****

While leaked malware source code often comes with a disclaimer of being “for educational purposes,” the reality is that these leaks can boost cybercrime. With SilverRAT now available to the public, even low-level cybercriminals without programming skills can compile their own copies, modify the malware, or create new variants.

Given that the original developer is believed to have connections to Arabic-speaking cybercrime groups, this leak could expand the malware’s reach to new regions and actors.

****Apparently Not the First Time****

While researching SilverRAT, we found that its source code has also been sold on the notorious Russian cybercrime forum XSS. In a February 2025 post, a seller was offering the full source code for just $100.

SilverRAT Source Code Leaked Online: Here’s What You Need to Know

Cisco Talos warns of active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks supposedly by Chinese hackers from…

Cisco Talos warns of active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks supposedly by Chinese hackers from the UAT-6382 threat group. Learn about the malware, affected organizations, and critical security patches.

Cisco Talos researchers have issued a critical alert regarding active cyberattacks targeting Trimble Cityworks, a widely used platform for managing public assets. According to Cisco Talos’ latest research, shared with Hackread.com, a sophisticated threat group, tracked as UAT-6382, is exploiting a newly discovered high-severity vulnerability CVE-2025-0994 in the system.

This vulnerability, having a CVSS score of 8.6, allows for remote code execution, meaning attackers can run their malicious programs on affected systems from afar. These attacks have been observed since January 2025 and primarily target local government organizations in the United States. Some attacks have already resulted in successful compromises.

The Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have also released their warnings about this serious flaw. Reportedly, the vulnerability allows attackers to gain remote access and execute malicious code against Microsoft Internet Information Services web server without needing to authenticate. Cityworks vulnerability affects versions before 15.8.9 and Cityworks with Office Companion versions before 23.10.

Once inside, UAT-6382 quickly deploys _web shells_ like AntSword and chinatso/Chopper on the compromised web servers to maintain hidden access. They also use custom-made tools, including a Rust-based loader called TetraLoader to install more persistent malware such as Cobalt Strike and VSHell.

> _“Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning in January 2025 when initial exploitation first took place. UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access.”_
> 
> Cisco Talos

****Chinese-Speaking Actors Identified****

Based on their methods and tools, Cisco Talos’ report suggests with high confidence that UAT-6382 is a group of “Chinese-speaking threat actors.” Evidence supporting this includes the Chinese language found in the web shells and the fact that MaLoader, the framework used to build TetraLoader, is also written in Simplified Chinese. This malware builder, which emerged in December 2024, allows operators to package malicious code into Rust-based programs like TetraLoader.

MaLoader Builder Interface (Source: Cisco Talos)

Researchers noted that upon gaining access, the attackers show a particular interest in systems related to utility management. Their initial actions involve scanning the compromised server to understand its setup, looking for specific directories related to Cityworks, and then quickly setting up their web shells. They also stage sensitive files for potential data theft and deploy backdoors using PowerShell commands to ensure long-term access.

****Understanding the Malware****

TetraLoader’s main function is to inject various payloads into legitimate processes, such as notepad.exe. These payloads can be Cobalt Strike beacons, which are widely used by attackers for command and control, or VShell stagers.

For your information, VShell is a GoLang-based remote access Trojan that allows attackers to manage files, run commands, take screenshots, and set up proxy services on infected systems. Like other tools used by this group, the VShell control panels also display Chinese text, indicating the operators’ proficiency in the language.

Cityworks has released security patches to address the CVE-2025-0994 vulnerability, urging users to update immediately. Organizations should monitor suspicious activity using Cisco Talos’ technical indicators of compromise (IOCs). Cisco Talos also recommend the use of security products like Cisco Secure Endpoint, Secure Firewall, and Umbrella to protect against such attacks.

Chinese Hackers Exploit Cityworks 0-Day to Hit US Local Governments

Hackers. AI data scrapes. Government surveillance. Thinking about where to start when it comes to protecting your online privacy can be overwhelming. Here’s a simple guide for you—and anyone who claims they have nothing to hide.

With President Donald Trump’s return to the White House and the US government’s digital surveillance machine more powerful than ever, digital privacy should be top of mind. But the digital security world can be confusing—and there’s the larger question of why. You may think, if I’m just a regular person, why is my digital privacy important?

Then there are the practical questions. What’s the best password manager? How can you keep your digital life under wraps at the border? And what kind of VPN should you be using? Is AI scraping my data?

WIRED senior writer and security expert Matt Burgess spoke with readers in a Reddit AMA this month about the basics of keeping your digital footprint locked down. Here’s what to know and why it’s important.

**What is your advice for a quick win in terms of improving digital security for the everyday person? Or for someone who isn’t tech-savvy?**

I think the one big thing people can do to improve their security is make sure that multifactor authentication is turned on for as many online accounts as possible. That way if anyone gets access to your password or login details, they’ll also need to have another way to authenticate the login attempt (such as the codes generated by an authentication app), and it's highly unlikely that hackers will have access to that.

Other quick and relatively straightforward changes you can make are to use privacy-friendly browsers and search engines and to use a password manager (the one on your phone or browser is better than nothing at all) and create unique passwords for each service you use.

**There are so many privacy tips out there, and it all feels important, but trying to do everything at once can be overwhelming. What are the things people should prioritize when making changes to their online habits?**

Improving privacy is something that’s ongoing, and if you try to do everything at once then it’s too off-putting. Take it one small step at a time.

If I was starting now, I’d go with:

1.  Switching to a more privacy-focused browser. I alternate between Brave, Firefox and Safari.
2.  Then using a privacy-focused search engine too (such as DuckDuckGo).
3.  Trying to use services that minimize data collection (for instance, messaging app Signal doesn’t collect user data and is the gold standard of end-to-end encryption).

**What’s a good non-US-based VPN?**

Our favorite VPN at WIRED is currently Proton VPN, which is based in Switzerland. Proton VPN also offers the best free VPN. Unlike most services, ProtonVPN's free version gives full access to all the regular plan's features. It is limited to a single device, and there are only three server locations (Japan, Netherlands, and the US), but everything else is the same. If your needs are limited and you want to keep costs down, this is a good option. See our full guide to VPNs here.

**How do I deal with having to have a new account for every service and website? Should I be using new email addresses?**

A new email address for every account is a big undertaking! I’d recommend having an email address for the accounts that are most important to you and then having one that you use to sign up for things that are less important. There are also services that will let you create “burner” emails that you can use to sign-up with services, and if you use an Apple device there’s a “Hide My Email” setting.

**What tips would you offer to those looking to keep their digital privacy while crossing the US border (or otherwise entering or exiting the States)?**

It really depends on what levels of risk you as an individual could face. Some people traveling across the border are likely to face higher scrutiny than others—for instance nationality, citizenship, and profession could all make a difference. Even what you’ve said on social media or in messaging apps could potentially be used against you.

Personally, the first thing I would do is think about what is on my phone: the kind of messages I have sent (and received), what I have posted publicly, and log out (or remove) what I consider to be the most sensitive apps from my phone (such as email). A burner phone might seem like a good idea, although this isn’t the right idea for everyone and it could bring more suspicion on you. It’s better to have a travel phone—one that you only use for travel that has nothing sensitive on it or connected to it.

My colleague Andy Greenberg and I have put together a guide that covers a lot more than this: such as pre-travel steps you can take, locking down your devices, how to think about passwords, and minimizing the data you are carrying. It’s here. Also, senior writer Lily Hay Newman and I have produced a (long) guide specifically about phone searches at the US border.

**Would you recommend against having a device like Alexa in your home? Or are there particular products or steps you can take to make a smart device more secure?**

Something that’s always listening in your home—what could go wrong? It’s definitely not great for overall surveillance culture.

Recently Amazon also reduced some of the privacy options for Alexa devices. So if you’re going to use a smart speaker, then I’d look into what each device’s privacy settings are and then go from there.

**How do you see people's willingness to hand over information about their lives to AI playing into surveillance?**

The amount of data that AI companies have—and continue to—hoover up really bothers me. There’s no doubt that AI tools can be useful in some settings and to some people (personally, I seldom use generative AI). But I would generally say people don’t have enough awareness about how much they’re sharing with chatbots and the companies that own them. Tech companies have scraped vast swathes of the web to gather the data they claim is needed to create generative AI—often with little regard for content creators, copyright laws, or privacy. On top of this, increasingly, firms with reams of people’s posts are looking to get in on the AI gold rush by selling or licensing that information.

For the everyday person, I’d warn them not to enter personal details or sensitive business information! We also have a more thorough guide here.

**Are personal data removal services worthwhile, or are they just another vector for data thieves?**

Whether data removal services are worthwhile or not probably depends on where you are based in the world: I’m in Europe where there’s GDPR and stricter privacy laws, and when I have used a data removal service, it hasn’t turned up too much. But in the US, there’s no comprehensive federal privacy law—that really should change—and they may be more useful.

Much of what can be done by data removal services, you can also do yourself. Consumer Reports recently did a good evaluation of data removal services.

**What is your preferred response for people who claim they have nothing to hide?**

I think in a lot of cases when people claim they have nothing to hide, they often jump to thinking about illegal or malicious things. When in fact, privacy, for me, isn’t about “hiding” things at all. You should be able to have the space—both in the physical and digital world—to not be surveilled or have your actions tracked. People should be able to act without intrusion from others—that doesn’t mean you’re hiding anything, but you just don’t want to share everything you do with everyone (or anyone). And really that’s why privacy is considered a fundamental human right.

I actually like a lot of the answers that people sent in to Amnesty International about how they respond to the point of “not having anything to hide.”

_With files from Scott Gilbertson._

A Starter Guide to Protecting Your Data From Hackers and Corporations

FBI warns law firms: Silent Ransom Group uses phishing emails and fake IT calls to steal data, demanding ransom to prevent public leaks. The agency is also urges victims to share ransom evidence.

The FBI has issued a warning to US law firms about a rising cyber threat targeting the legal sector. A group known as Silent Ransom Group (SRG), also called Luna Moth or Chatty Spider, has been focusing its attacks on law firms since early 2023, using a combination of phishing emails and **social engineering calls** to gain access to sensitive legal data.

This group is no newcomer. Operating since 2022, SRG has a track record of targeting industries such as healthcare and insurance. But in recent months, law firms have become their top target, likely because of the sensitive client information these firms handle.

Back in November 2023, the **FBI issued an alert** highlighting SRG’s use of callback phishing to breach networks. In these attacks, the group sends phishing messages designed as unclickable images, often creating a false sense of urgency and providing a phone number for the recipient to call. This tactic bypasses traditional email security filters and lures victims into making contact, where the attackers then guide them into compromising their own systems.

****Their Tactics****

Aligning with their tickets, SRG’s new phishing campaigns are also deceptively simple. They send emails pretending to come from companies offering subscription services, warning the recipient about a small, questionable charge. To cancel, victims are instructed to call a number provided in the email. On that call, attackers convince the victim to download remote access software, giving SRG an entry point into the company’s systems.

However, what’s new about this campaign is that SRG has started calling employees directly, pretending to be from the company’s own IT department. They instruct the employee to join a remote session or visit a specific web page, again installing tools that give the attackers control. Once inside, they use tools like **WinSCP** or disguised versions of Rclone to quietly exfiltrate sensitive data.

After stealing the data, SRG sends ransom notes demanding payment to prevent the release or sale of the stolen information. Sometimes, they even follow up with phone calls to pressure companies into negotiations.

> _“Similar to their phishing emails posing as a company with a subscription, SRG will also call employees at a victim company to pressure them into engaging in ransom negotiations.”_
> 
> The FBI

It is worth noting that the FBI’s alert came on the same day Cofense Intelligence’s May 2025 **report** revealed widespread abuse of Remote Access Tools (RATs) by cybercriminal groups. The report identified ConnectWise ScreenConnect as the most frequently abused RAT in 2025 attacks so far.

****Why Law Firms?****

Law firms make attractive targets because of the nature of their work such as confidential client details, corporate negotiations, and sensitive legal documents. A breach here doesn’t just threaten financial loss; it risks severe reputational harm.

However, it is not only recently that cybercriminals have been targeting law firms and the valuable information they hold. In April 2022, **researchers observed** scammers using AI-generated images to create fake law firm identities.

****Hard to Detect, Harder to Stop****

One reason SRG’s campaigns are effective is that they use legitimate system management and remote access tools, which are less likely to alert antivirus. Their attacks leave few traces, making post-attack investigations and protection more difficult.

This is why the FBI is urging everyone, including researchers and even victims, to share any ransom notes used by SRG during the attacks. If you have the phone number the group used to call, the wallet address they provided, or even voice call recordings, the FBI is seeking that information.

The FBI’s alert advised Network administrators to watch for unusual downloads of tools like Zoho Assist, **AnyDesk**, Splashtop, Syncro, or Atera, and to pay attention to unexplained external file transfers using WinSCP or Rclone.

Other red flags include unexpected emails about subscription renewals, strange calls or voicemails claiming data theft, and unsolicited contact from people claiming to be part of the company’s IT team.

> The Silent Ransom Group (SRG), aka Luna Moth or Chatty Spider, is targeting law firms. Tactics include IT social engineering calls and callback phishing emails to remotely access devices and steal data for extortion. Learn more about SRG’s IOCs and TTPs: https://t.co/ro96zjD1hA pic.twitter.com/pBAd89WaBJ
> 
> — FBI (@FBI) May 23, 2025

The FBI recommends paying strong attention to basic cybersecurity practices. This includes **training staff** to spot phishing attempts and social engineering tactics, and setting clear internal guidelines for how the IT team communicates with employees.

Additionally, using strong passwords along with two-factor authentication (2FA) across the organization and maintaining regular data backups can also help reduce the damage in case of a breach.

FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69…

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69 million IMSI units and 9.82 GB of USIM data. Discover the telco’s security upgrades & future plans after the massive breach.

A recent data breach at South Korean telecommunications giant SK Telecom was, reportedly, much more deeply rooted than initially thought, with the intrusion remaining hidden for nearly two years. The company announced on Monday that the malware has gone undetected since at least June 2022.

The attack, disclosed in April, affected a significant portion of SK Telecom’s 23 million customers, compromising personal and financial details. The Ministry of Science and ICT, along with a joint team of public and private investigators, revealed that the attack compromised a significant portion of SK Telecom’s user data.

Specifically, approximately 26.69 million International Mobile Subscriber Identity (IMSI) units were leaked. IMSI is a unique 15-digit or shorter number that identifies and authenticates each mobile subscriber. Moreover, investigators identified 25 types of malware and quarantined 23 affected servers, claiming that 9.82 gigabytes of USIM information were compromised.

****Responding to the Breach****

In response to the security lapse, SK Telecom has implemented a series of preventative measures. The company has temporarily stopped new subscriber sign-ups and initiated a nationwide program to replace SIM cards as a safeguard.

Furthermore, they have rolled out an upgraded fraud detection system, FDS 2.0, which uses a “triple-factor authentication” process to prevent unauthorized SIM and device cloning. This enhanced security is now automatically applied across their network.

SK Telecom has also emphasized that no actual customer damages or instances of “terminal cloning” have been reported so far and all attempts at phone or SIM card piracy are now blocked at the network level, with three layers of verification to confirm the legitimacy of the subscriber, SIM card, and device. The company has pledged to “take full responsibility for any damages” that may arise from the breach, offering to replace the USIM of all 25 million subscribers, including 2 million budget phone users, for free.

****National Security Concerns and Future Steps****

SK Group chairman Chey Tae-won issued an apology to customers earlier in May, highlighting the severity of the incident by stating it “needs to be looked at as a matter of national defence.”

The malware used in the attack is believed to be BPFdoor, which can bypass authentication. It is typically used by hacking groups linked to China. Although no specific group has claimed responsibility, the chairman’s concerns and the identified malware align with similar tactics observed in recent attacks on US telecom companies.

Beyond technical upgrades, SK Telecom is also enhancing customer support. Starting May 19, the company plans to offer “mobile service” visits to remote areas, explaining SIM protection services and providing on-site SIM replacements and resets. These efforts highlight the company’s commitment to rebuilding customer trust and strengthening cybersecurity to counter cybersecurity threats.

SK Telecom Uncovers Two-Year Malware Attack, Leaking 26M IMSI Records

Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

This week, WIRED launched our Rogues issue—which included going a bit rough ourselves. WIRED senior correspondent Andy Greenberg flew to Louisiana to see how easy it would be to recreate the 3D-printed gun authorities say they found on Luigi Mangione when they arrested him for the murder of UnitedHealthcare's CEO. The result? It was both easy and legal.

On Wednesday, US, European, and Japanese authorities announced the disruption of one of the world's most widely used infostealer malware. Known as Lumma, the malware was used to steal sensitive information from victims around the world, including passwords, banking information, and cryptocurrency wallets details, according to authorities. Microsoft's Digital Crime Unit aided in the operation, taking down some 2,300 URLs that served as the Lumma infrastructure.

A mysterious database containing more than 184 million records was taken down this week following its discovery by security researcher Jeremiah Fowler. The database contained 47 GB of data, which included information related to Amazon, Apple, Discord, Facebook, Google, Instagram, Microsoft, Netflix, Nintendo, PayPal, Snapchat, Spotify, Twitter, WordPress, Yahoo, and more.

In other news, the US charged 16 Russian nationals for allegedly operating the DanaBot malware, which authorities say was used in a wide variety of attacks, from ransomware to espionage. And a recent webinar revealed how a major venture capitalist helped get Starlink satellite internet activated for Israel following the October 7, 2023 attack by Hamas.

But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The US intelligence community is looking to create a marketplace where private information gathered by data brokers under the guise of marketing can be purchased by American spies, The Intercept reports. Contracting data shows the US spy agencies intend to create a “Intelligence Community Data Consortium” that uses AI tools to sift through people’s personal data; information that the Office of the Director of National Intelligence has previously acknowledged “could facilitate blackmail, stalking, harassment, and public shaming.” In addition to providing insight into Americans’ behaviors and religious and political beliefs, commercial data frequently includes precise location information, offering the US government the ability to surveil people’s movements without acquiring a warrant—exploiting a widely recognized loophole in US privacy law.

Federal lawmakers attempted to ban the US government from buying what it calls “commercially accessible information” last year, with the Republican-controlled House passing a version of a law known as the “Fourth Amendment Is Not For Sale Act.” However, the US Senate, then controlled by the Democratic Party, rejected the legislation.

Reporting by WIRED has repeatedly demonstrated how such data can offer US adversaries the ability to monitor the movements of US military and intelligence personnel, including in and around sensitive facilities that house nuclear arms.

**A Mysterious Hacking Group Is Revealed to Work for the Spanish Government**

Back in 2014, Russian security firm Kaspersky announced it had discovered a sophisticated hacking group it called Careto, Spanish for “Ugly Face” or “Mask,” that had targeted victims across Europe and Cuba. Now, more than a decade later, former employees of the company have finally confirmed what Kaspersky wouldn’t spell out at the time: That they believe Careto was a rare sighting of hackers working on behalf of the Spanish government. Careto’s targets included energy companies, research institutions, and activists, but it particularly focused on Cuba, likely due to the island nation’s giving refuge to members of a Spanish separatist group designated as terrorists by several European countries. Kaspersky’s researchers found a Spanish phrase in the hackers’ malware code that translates to “I shit in the sea,” an expletive phrase typically used by Spaniards but not other Spanish speakers. Given the sophistication of Careto’s hacking, the public confirmation of Kaspersky’s attribution to Spain adds another known player to the game of high-level state-sponsored hacking.

**Signal Introduces New Feature to Block Screenshots by Microsoft Recall**

Microsoft’s Recall feature, which constantly takes and archives screenshots of Windows users’ activity, still represents a serious privacy problem—even after Microsoft significantly walked back its rollout in response to criticism. So the encrypted messaging app Signal has gone so far as to exploit a digital rights management feature of Windows typically used to protect copyrighted materials to block Recall from taking screenshots of the app by default on Windows machines. After all, the Recall feature—which will likely be required for some corporate or government users—will essentially remove any privacy promise from Signal’s disappearing messages feature for both Recall users and anyone communicating with them. The screenshot-prevention feature can be turned off in Signal’s settings, but it will be turned on by default in Windows. “Microsoft has simply given us no other option,” Signal wrote in a blog post.

**Russia’s Fancy Bear Hackers Targeted Security Cameras to Spy on Ukraine Aid**

The hacker group within Russia’s GRU military intelligence agency known as APT28 or Fancy Bear first rose to infamy for its targeting of the 2016 US election, but it’s no surprise that the group has more recently focused on Ukraine. According to a new assessment from no fewer than 11 countries’ intelligence agencies, the hacker group has been targeting a broad array of technology and logistics firms involved in providing aid to Ukraine. “Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign, the advisory reads. Perhaps most notable about the agencies’ accusations is that the hackers targeted 10,000 security cameras in countries bordering Ukraine, including at border crossings, military facilities, and train stations. According to the agencies, the GRU hackers also carried out reconnaissance of the network of at least one producer of industrial control system components for railway systems—suggesting a possible intention to attempt sabotage—but didn’t actually succeed in breaching the company.

**US Indicts Russian National Over Qakbot Malware**

The US Department of Justice on Thursday indicted a Russian national, Rustam Gallyamov, on allegations that he designed software that was widely used by ransomware gangs and is known to have infected hundreds of thousands of computers, netting the gangs roughly $8.6 million in profit, according to DOJ figures. Prosecutors say more than $24 million was seized from Gallyamov, 48, over the course of its investigation. Federal charges unsealed this week allege that Gallyamov himself gained access to victims’ computers and provided it to an array of cybercriminal organizations, including Dopplepaymer, REvil, Black Basta, and Cactus, among others.

The investigation into the now disrupted malware, known as Qakbot, was announced in August 2023 under former US attorney general Merrick Garland, who credited a multinational operation that included Europol and prosecutors and law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. Agencies of Canada and Denmark have also been credited in the investigation that targeted Gallyamov.

The US Is Building a One-Stop Shop for Buying Your Data

Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any…

Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any Active Directory user. Learn about the BadSuccessor attack and mitigation steps.

A significant security flaw has been uncovered in Windows Server 2025, posing a serious threat to organizations utilizing Active Directory (AD). Discovered by Akamai researcher Yuval Gordon, this privilege escalation vulnerability could allow malicious actors to gain full control over any user account within an organization’s AD, even with minimal initial access.

****The BadSuccessor Attack Explained****

According to Akamai’s research, shared exclusively with Hackread.com, the vulnerability exploits a new feature introduced in Windows Server 2025 called delegated Managed Service Accounts (dMSAs). For your information, dMSAs are designed to streamline the management of service accounts by allowing a new dMSA to _inherit_ permissions from an older account it replaces.

However, Gordon’s research revealed a critical oversight in this process. Attackers can simulate this migration by simply modifying two attributes on a dMSA object: msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState. By setting the first attribute to reference a target user and the second to “2” (indicating migration completion), an attacker can trick the system into believing a legitimate migration occurred.

This deceptive act, dubbed _BadSuccessor_ by the researchers, allows the attacker’s dMSA to automatically gain all the permissions of the targeted user, including highly privileged accounts like Domain Admins. Crucially, this attack doesn’t require any direct permissions on the targeted user’s account itself, only the ability to create or control a dMSA.

****Widespread Impact and No Immediate Patch****

The implications of this discovery are far-reaching. Akamai’s analysis revealed that in 91% of tested environments, users outside the domain admins group already possessed the necessary permissions to execute this attack. This highlights the widespread potential for compromise across organizations that rely on Active Directory.

Even more concerning, Microsoft has acknowledged the issue after a report on April 1, 2025, but currently has no patch available. While Microsoft has assessed the vulnerability as Moderate severity, citing that initial exploitation requires existing permissions on a dMSA object, Akamai researchers strongly disagree.

They emphasize that the ability to create a new dMSA, a benign permission often granted to users, can lead to full domain compromise. They compare its impact to highly critical attacks like DCSync.

“This vulnerability introduces a previously unknown and high-impact abuse path that makes it possible for any user with CreateChild permissions on an OU to compromise any user in the domain and gain similar power to the Replicating Directory Changes privilege used to perform DCSync attacks,” researchers wrote in the blog post.

****Proactive Measures and Ongoing Risks****

With no immediate fix from Microsoft, organizations are urged to take proactive steps to reduce their exposure. Key recommendations include monitoring for new dMSA objects, modifying the msDS-ManagedAccountPrecededByLink attribute, tracking dMSA authentication events, and reviewing permissions on Organizational Units (OUs).

As Windows Server 2025 becomes more widely adopted, organizations must prioritize understanding and mitigating the risks associated with its new features.

Tag

#git