Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs.

Wednesday, June 25, 2025 06:00

*   Cybercriminals are continuing to explore artificial intelligence (AI) technologies such as large language models (LLMs) to aid in their criminal hacking activities. 
*   Some cybercriminals have resorted to using uncensored LLMs or even custom-built criminal LLMs for illicit purposes. 
*   Advertised features of malicious LLMs indicate that cybercriminals are connecting these systems to various external tools for sending outbound email, scanning sites for vulnerabilities, verifying stolen credit card numbers and more. 
*   Cybercriminals also abuse legitimate AI technology, such as jailbreaking legitimate LLMs, to aid in their operations. 

Generative AI and LLMs have taken the world by storm. With the ability to generate convincing text, solve problems, write computer code and more, LLMs are being integrated into almost every facet of society. According to Hugging Face (a platform that hosts models), there are currently over 1.8 million different models to choose from. 

LLMs are usually built with key safety features, including alignment and guardrails. Alignment is a training process that LLMs undergo to minimize bias and ensure that the LLM generates outputs that are consistent with human values and ethics. Guardrails are additional real-time safety mechanisms that try to restrain the LLM from engaging in harmful or undesirable actions in response to user input. Many of the most advanced (or “frontier”) LLMs are protected in this manner. For example, asking ChatGPT to produce a phishing email will result in a denial, such as, “Sorry, I can’t assist with that.” 

For cybercriminals who wish to utilize LLMs for conducting or improving their attacks, these safety mechanisms can present a significant obstacle. To achieve their goals, cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs. 

**Uncensored LLMs **

Uncensored LLMs are unaligned models that operate without the constraints of guardrails. These systems happily generate sensitive, controversial, or potentially harmful output in response to user prompts. As a result, uncensored LLMs are perfectly suited for cybercriminal usage. 

__Figure 1. An uncensored LLM, OnionGPT, advertised on the hacking forum Dread.__

Uncensored LLMs are quite easy to find. For example, using the cross-platform Omni-Layer Learning Language Acquisition (Ollama) framework, a user can download and run an uncensored LLM on their local machine. Ollama comes with several uncensored models such as Llama 2 Uncensored which is based on Meta’s Llama 2 model. Once it is running, users can submit prompts that would otherwise be rejected by more safety-conscious LLM implementations. The downside is that these models are running on users’ local machines and running larger models, which generally produce better results requires more system resources. 

__Figure 2. Sample phishing email prompt and Llama 2 Uncensored output.__

Another uncensored LLM popular among cybercriminals is a tool called WhiteRabbitNeo. WhiteRabbitNeo bills itself as a “Uncensored AI model for (Dev) SecOps teams” which can support “use cases for offensive and defensive cybersecurity”. This LLM will happily write offensive security tools, phishing emails and more. 

__Figure 3. Sample output from the WhiteRabbitNeo uncensored LLM__

Researchers have also published methods to demonstrate how to strip alignment that is embedded into the training data of existing open-source models. Once removed, a user can uncensor their LLM by using the modified training set to fine tune a base model. 

**Cybercriminal-designed LLMs **

Since most popular LLMs come with significant guardrails, some enterprising cybercriminals have developed their own LLMs without restrictions that they market to other cybercriminals. This includes apps like GhostGPT, WormGPT, DarkGPT, DarkestGPT and FraudGPT. 

__Figure 4. FraudGPT dark web homepage.__

 For example, the developer behind FraudGPT, CanadianKingpin12, advertises FraudGPT on the dark web, and also has an account on Telegram. The dark web site for FraudGPT advertises some interesting features: 

*   Write malicious code 
*   Create undetectable malware 
*   Find non-VBV bins 
*   Create phishing pages 
*   Create hacking tools 
*   Find groups, sites, markets 
*   Write scam pages/letters 
*   Find leaks and vulnerabilities 
*   Learn to code/hack 
*   Find cardable sites 
*   Millions of samples of phishing emails 
*   6220+ source code references for malware 
*   Automatic scripts for replicating logs/cookies 
*   In-panel Page hosting included (10 pages/month) with Google Chrome anti-red page 
*   Code obfuscation 
*   Custom data set (upload your sample page in .html) 
*   Bot creation of virtual machines and accounts (1 virtual machine per month on license)  
*   Utilizing GoldCheck CVV checker 
*   OTP Bot with spoofing (\*additional package) 
*   Check CVVs with GoldCheck API 
*   Create username:password website configs 
*   Remote OpenBullet configs 
*   Scan websites for vulnerabilities across a massive CVE database (\*PRO only)  
*   Generate realistic phishing panels, pages, SMS and e-mails  
*   Send mail from webshells 

Talos attempted to obtain access to FraudGPT by reaching out to CanadianKingpin12 on Telegram. After considerable negotiation, we were finally offered a username and password at the FraudGPT dark web site. However, the username and password provided by CanadianKingpin12 did not work. CanadianKingpin12 then asked us to send them cryptocurrency to purchase a software “crack” for the FraudGPT login page. At this point it was clear that CanadianKingpin12 had no working product, and they were scamming potential FraudGPT customers out of their cryptocurrency. This was confirmed by several other victims who had also been scammed by CanadianKingpin12 when they attempted to purchase access to the FraudGPT LLM. Scams such as these are an ever-present risk when dealing with unscrupulous actors, and it continues a long tradition of scams in the cybercrime space. 

Similar cybercriminal-designed LLM projects can be found elsewhere on the dark web. A cybercriminal LLM called DarkestGPT, which starts at .0015BTC for a one-month subscription, advertises the following features: 

__Figure 5. DarkestGPT “Tools and Potential” tab on their dark web site.__

**LLM jailbreaks **

Given the limited viability of uncensored LLMs due to resource constraints and the high level of fraud and scams present among cybercriminal LLM purveyors, many cybercriminals have elected to abuse legitimate LLMs instead. The main hurdle that cybercriminals need to overcome are the training alignment and guardrails that prevent the LLM from responding to prompts with unethical, illegal or harmful content. A form of prompt injection, jailbreak attacks aim to put the LLM into a state where it ignores its alignment training and guardrails protection. 

There are many ways to trick an LLM into providing dangerous responses. New jailbreaking methods are constantly being researched and discovered, while LLM developers respond by enhancing the guardrails in a sort of jailbreak arms race. Below are just a few of the available jailbreaking techniques. 

**Obfuscation/encoding-based jailbreaks **

By obfuscating certain words or phrases, these text-based jailbreak attacks seek to bypass any hardcoded restrictions on specific words/topics, or to cause the execution to follow a nonstandard path that might bypass protections put in place by the LLM developers. These obfuscation techniques may include: 

*   Base64/Rot-13 encoding
*   Different languages  
*   L33t sp34k  
*   Morse code 
*   Emojis 
*   Adding spaces or UTF-8 characters into words/text, among others. 

**Adversarial suffix jailbreaks **

These attacks are somewhat like obfuscation and encoding tricks. Instead of modifying the tokens in the prompt itself, adversarial suffix jailbreaks involve appending random text to the end of a malicious prompt to elicit a harmful response.  

**Role-playing jailbreaks **

This type of attack involves prompting the LLM to adopt the persona of a fictional universe/character that ignores the ethical rules set by the model’s creators and is willing to fulfill any command. This includes jailbreak techniques such as DAN (Do Anything Now), and the Grandma jailbreak which involves asking the chatbot to assume the role of the user’s grandmother. 

**Meta prompting **

Meta prompting involves exploiting the model’s awareness of its own limitations to devise successful workarounds, effectively enlisting the model in the effort to bypass its own safeguards. 

**Context manipulation jailbreaks **

This covers several different jailbreak techniques including: 

*   Crescendo, a technique which progressively increases the harmfulness in prompts until some sort of rejection is received in order to probe for where and how LLM guardrails are implemented.  
*   Context Compliance Attacks, which exploit the fact that many LLMs do not maintain conversation state. Attackers inject fake prior LLM responses into their prompts, such as a brief statement discussing the sensitive topic, or a statement expressing readiness to supply further details as per the user’s preferences. 

**Math prompt jailbreaks **

The math prompt method evaluates how well an AI system can manage malicious inputs when they're disguised using mathematical frameworks such as set theory, group theory, and abstract algebra. Rephrasing harmful requests as math problems can allow attackers to evade safety features in advanced large language models (LLMs). 

**Payload splitting **

In this scenario, the attacker guides the LLM to merge several prompts in a way that produces harmful output. While texts A and B may seem benign when considered separately, their combination (A+B) can result in malicious content. 

**Academic framing **

This method makes harmful content appear acceptable by framing it as part of a research or educational discussion. It takes advantage of the model’s interpretation of academic intent and freedom, often using scholarly language and formatting to bypass safeguards. 

**System override **

This strategy tries to trick the model into believing it is functioning in a unique mode where usual limitations are lifted. It leverages the model’s perception of system-level functions or maintenance states to circumvent safety mechanisms. 

**How cybercriminals use LLMs **

In December 2024, Anthropic, the developers behind the Claude LLM, published a report detailing how its users were utilizing Claude. Using a system named Clio, they summarized and categorized users’ conversations with their AI model. According to Anthropic, the top three uses for Claude were programming, content creation and research. 

__Figure 6. Anthropic’s graphic of top use cases on Claude.ai.__

 Analyzing the feature sets advertised by the criminal-designed LLMs, we can see that cybercriminals are using LLMs for mostly the same tasks as normal LLM users. Programming features of many criminal LLMs include the ability to assist cybercriminals in writing ransomware, remote access trojans, wipers, code obfuscation, shellcode generation and script/tool creation.  To facilitate content creation, criminal LLMs will assist in writing phishing emails, landing pages and configuration files. Criminal LLMs also support research activities like verifying stolen credit cards, scanning sites/code for vulnerabilities and even helping cybercriminals come up with “lucrative” criminal ideas for their next big score. 

Various hacking forums also shed additional light on criminal uses of LLMs. For example, on the popular hacking forum Dread, users were discussing connecting LLMs to external tools like Nmap, and using the LLM to summarize the Nmap output. 

__Figure 7. A post on the Dread hacking forum discussing connecting Nmap to LLMs__

**LLMs are also targets for cyber attackers **

Any new technology typically brings along with it changes to the attack surface, and LLMs are no exception. In addition to using LLMs for their own nefarious ends, attackers are also attempting to compromise LLMs and their users. 

**Backdoored LLMs **

A vast majority of the models available at Hugging Face use Python’s pickle module to serialize the models into a file that users can download. Clever attackers can include Python code in the pickle file, which runs as part of the deserialization process. Thus, when a user downloads an AI model and runs it, they may be running code placed into the model by an attacker. Hugging Face uses Picklescan, among other tools, to scan the models uploaded by users in an effort to identify models that misbehave. However, there have been several recent vulnerabilities in Picklescan, and researchers have already identified Hugging Face models containing malware. As always, make sure any file you plan to download and run comes from a trusted source and consider running the file in a sandbox to mitigate any risk of infection. 

**Retrieval Augmented Generation (RAG) **

LLMs that utilize Retrieval Augmented Generation (RAG) make calls to external data sources to augment their training data with up-to-date information. For example, if you ask an LLM what the weather is like a particular day, the LLM will need to reach out to an external data source such as a website to retrieve the correct forecast. If an attacker has access to submit or manipulate content in the RAG database, they may poison the lookup results, perhaps adding additional instructions for the LLM to alter its response to the user’s prompt, even targeting specific users. 

**Conclusion **

As AI technology continues to develop, Cisco Talos expects cybercriminals to continue adopting LLMs to help streamline their processes, write tools/scripts that can be used to compromise users and generate content that can more easily bypass defenses. This new technology doesn’t necessarily arm cybercriminals with completely novel cyber weapons, but it does act as a force multiplier, enhancing and improving familiar attacks.

Cybercriminal abuse of large language models

"Hello pervert" sextortion emails are going through some changes and the price they're demanding has gone up considerably.

Every so often the sextortion emails that start with “Hello pervert” get a redesign.

You may have received one yourself: The emails claim that the sender has been watching your online behavior and caught you red-handed doing activities that you would like to keep private.

The email usually starts with “Hello pervert” and then goes on to claim that you have been watching porn. The sender often says they have footage of what you were watching and what you were doing while watching it.

To stop the sender from spreading the incriminating footage to your email contact list, you are asked to pay them money. The overall tone is threatening, manipulative, and designed to provoke fear and urgency.

We know these emails are a big problem. We see thousands of people visiting our website a week looking to find information on sextortion emails like these. And now we’re seeing a new version with some features we haven’t seen in the past. Interestingly, just as the cost of food, travel, and—well—living has gone up, so has the amount of money that the scammers ask for in the email.

This most recent email we’ve seen also gives away the probable origin of the emails.

With all that we thought it would be interesting to take a closer look.

> “Hello pervert, I’ve sent thіs message from your **Microsoft** account.
> 
> I want to іnform you about a very bad sіtuatіon for you. However, you can benefіt from іt, іf you wіll act wіsely.
> 
> Have you heard of Pegasus? Thіs іs a spyware program that іnstalls on computers and smartphones and allows hackers to monіtor the actіvіty of devіce owners. It provіdes access to your webcam, messengers, emaіls, call records, etc. It works well on Androіd, іOS, macOS and Wіndows. I guess, you already fіgured out where I’m gettіng at.
> 
> It’s been a few months sіnce I іnstalled іt on all your devісes because you were not quіte choosy about what lіnks to clіck on the іnternet. Durіng thіs perіod, I’ve learned about all aspects of your prіvate lіfe, but one іs of specіal sіgnіfіcance to me.
> 
> I’ve recorded many vіdeos of you jerkіng off to hіghly controversіal рorn vіdeos. Gіven that the “questіonable” genre іs almost always the same, I can conclude that you have sіck рerversіon.
> 
> I doubt you’d want your frіends, famіly and co-workers to know about іt. However, I can do іt іn a few clіcks.
> 
> Every number іn your contact Iіst wіll suddenly receіve these vіdeos – on WhatsApp, on Telegram, on Instagram, on Facebook, on emaіl – everywhere. It іs goіng to be a tsunamі that wіll sweep away everythіng іn іts path, and fіrst of all, your former lіfe.
> 
> Don’t thіnk of yourself as an іnnocent vіctіm. No one knows where your рerversіon mіght lead іn the future, so consіder thіs a kіnd of deserved рunіshment to stop you.
> 
> I’m some kіnd of God who sees everythіng. However, don’t panіc. As we know, God іs mercіful and forgіvіng,  and so do I. But my merсy іs not free.
> 
> Transfer **1650$** to my Lіtecoіn (LTC) wallet: **{redacted}**
> 
> Once I receіve confіrmatіon of the transactіon, I wіll рermanently delete all vіdeos compromіsіng you, unіnstall Pegasus from all of your devіces, and dіsappear from your lіfe. You can be sure – my benefіt іs only money. Otherwіse, I wouldn’t be wrіtіng to you, but destroy your lіfe wіthout a word іn a second.
> 
> I’ll be notіfіed when you open my emaіl, and from that moment you have exactly **48 hours** to send the money. If cryptocurrencіes are unchartered waters for you, don’t worry, іt’s very sіmple. Just google “crypto exchange” or “buy Litecoin” and then іt wіll be no harder than buyіng some useless stuff on Amazon.
> 
> I strongly warn you agaіnst the followіng:  
> \* Do not reply to thіs emaіl. I’ve sent іt from your Mіcrosoft account.
> 
> \* Do not contact the polіce. I have access to all your devісes, and as soon as I fіnd out you ran to the cops, vіdeos wіll be publіshed.
> 
> \* Don’t try to reset or destroy your devісes. As I mentіoned above: I’m monіtorіng all your actіvіty, so you eіther agree to my terms or the vіdeos are рublіshed.
> 
> Also, don’t forget that cryptocurrencіes are anonymous, so іt’s іmpossіble to іdentіfy me usіng the provіded address.
> 
> Good luck, my perverted frіend. I hope thіs іs the last tіme we hear from each other.
> 
> And some frіendly advіce: from now on, don’t be so careless about your onlіne securіty.”

**Spoofing your email address**

One clever trick the scammers use is saying they’ve sent the email from your Microsoft account. The sender spoofs your email address, in the hope that it makes you think your device may indeed be compromised.

However, it’s easy for scammers to spoof (use a fake) email address because the email system doesn’t check if the sender is real. That’s why it’s important to be cautious. Even if an email looks like it’s from someone you know, or even yourself, it could be from a scammer.

If you’re technically savvy, taking one look at the authentication results in the email header would reveal that the email failed because the IP address does not match the domain.

However, we can assume that most people receiving the email wouldn’t think to do this, and so the email spoofing might well work to add legitimacy to the email.

**Encoding errors**

Looking at the source of the email, we got a little insight into its origin.

The intro of the email shows the repeated use of “=D1=96” and some other encoding errors. In fact, the whole text is riddled with encoding errors, which typically appear when Cyrillic or other non-Latin characters are misinterpreted as UTF-8 or quoted-printable, or when text is generated or processed by automated systems not properly handling character sets.

The sequence =D1=96 is the quoted-printable encoding for the Unicode character U+0456, which is the Cyrillic letter “i”. This encoding error strongly points towards the writer’s native language being one that uses the Cyrillic script, which is predominantly used in Eastern European and Central Asian countries, with Russian being the most prominent language using it.

These errors also tell us that this scammer doesn’t use the most sophisticated tools. Although the awkward sentence structures and repetitive language are consistent with automated text generation or translation, they are classic signs of a low-effort, high-volume campaign—not the kind where an AI has been used to add personalization or a more natural voice.

**Price hike**

Back in April, the price that scammers were asking victims to pay for being a “pervert” was $1200, and in May it was $1450.

This time we’re asked to pay no less than $1650.

There could be several reasons for this. Maybe the costs of the operation have gone up. Or the scammers feel the value of their threat and its consequences have increased.

Scammers often start with what seems a “reasonable amount” to them and, if successful, incrementally increase it for future victims. This allows them to gauge the maximum amount that people are willing to pay to avoid the threatened consequences.

I’m happy to report that both the mentioned Litecoin wallets are empty. Let’s keep it that way.

**How to spot a sextortion email**

Once you’re aware of them, it’s easy to recognize these emails. Remember that not all of the below characteristics might be included in the email you receive, but all of them are red flags in their own right.

*   They often look as if they were sent from your own email address.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email the scammer claims to have used Pegasus or some Trojan to spy on you through your own computer.
*   The scammer says they know your password and may even offer one as “proof”. This password is likely to have been stolen in a separate data breach and is unrelated to the sextortion email itself.
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**How to react to sextortion emails**

First and foremost, never reply to emails of this kind. It may tell the sender that someone is reading the emails sent to that address and so they will repeatedly try other methods to defraud you.

*   Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.
*   Do not open unsolicited attachments. Especially when the sender’s address is suspicious or even your own.
*   If the email includes a password, make sure you are not using it anymore and if you are, change it as soon as possible.
*   If you are having trouble organizing your passwords, have a look at a password manager.
*   For your ease of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

Sextortion emails often contain passwords that have been stolen in another data breach and posted online. If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and you’ll get a free report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Sextortion email scammers increase their &#8220;Hello pervert&#8221; money demands 

Wordfence exposes a sophisticated WordPress malware campaign using a rogue WordPress Core plugin. Active since 2023, it steals credit cards and credentials with advanced anti-detection.

Cybersecurity researchers have discovered a highly advanced malware campaign targeting WordPress websites, capable of stealing credit card details, user logins, and even profiling victims.

Discovered on May 16, 2025, by the Wordfence Threat Intelligence Team, this malware is packaged as a deceptive WordPress plugin and uses never-before-seen anti-detection methods. A particularly innovative tactic involves hosting a live management system directly on the infected websites, making it harder to spot.

****A Long-Running and Growing Threat****

This sophisticated operation has been active since at least September 2023, reveals Wordfence’s official blog post. Researchers analyzed over 20 samples of the malware, revealing shared traits across all versions, including code scrambling, techniques to avoid analysis, and ways to detect developer tools.

For example, the malware cleverly avoids running on administrator pages to stay hidden and only activates on checkout screens. Newer versions even create fake payment forms and imitate Cloudflare security checks to trick users. Stolen information is often sent out disguised as image web addresses.

Cloudflare brand impersonation (Image via Wordfence)

Beyond just stealing payment information, researchers found three other versions of this malware, each with different goals. One version tampered with Google Ads to show fake advertisements to mobile users. Another was designed to steal WordPress login details.

A third version spreads more malware by changing legitimate links on websites to malicious ones. Despite these varied functions, the core software framework remained consistent, adapting its features for each specific attack. Some versions even used the messaging app Telegram to send stolen data in real-time and track user actions.

> _“One sample inspected also included a surprisingly complete fake human verification challenge, dynamically injected as a fullscreen and multi-language screen, intended to serve both as a user deception device and as an anti-bot filter. This includes incredibly advanced features for malware, like text localized in multiple languages, CSS support for RTL languages and dark mode, interactive elements like animations and spinning SVGs, and a definite Cloudflare brand impersonation, revealing a complexity rarely encountered before.”_
> 
> Paolo Tresso – Wordfence

****The Rogue WordPress Core Plugin****

A key discovery was a fake WordPress plugin named _WordPress Core_. While appearing harmless, it contained hidden JavaScript code for skimming and PHP scripts that allowed attackers to manage stolen data directly from the compromised website.

This rogue plugin also used specific features of WooCommerce, a popular e-commerce platform, to mark fraudulent orders as complete, helping delay detection. Its hidden management system stores stolen payment data directly within WordPress, categorized under a custom “messages” section.

To protect against this threat, website administrators should look for signs of compromise, including specific domain names linked to the attackers such as api-service-188910982.website and graphiccloudcontent.com. Wordfence has already released detection signatures for this malware between May 17 and June 15, 2025, to its premium users, with free users receiving them after a standard 30-day delay.

New WordPress Malware Hides on Checkout Pages and Imitates Cloudflare

Kaspersky uncovers SparkKitty, new spyware in Apple App Store & Google Play. Steals photos, targets crypto info, active since early 2024 via malicious apps.

Cybersecurity researchers at Kaspersky have reported a new spyware operation, dubbed SparkKitty, that has infected apps available on both the official Apple App Store and Google Play.

This spyware aims to steal all images from users’ mobile devices, with a suspected focus on finding cryptocurrency information. The campaign has been active since early 2024, mainly targeting users in Southeast Asia and China.

SparkKitty spyware infiltrates devices through applications that look harmless, often disguised as modified versions of popular apps like **TikTok**. In the case of the malicious TikTok versions, they even included a fake TikToki Mall online store within the app that accepted cryptocurrency for consumer goods, often requiring an invitation code for access.

Installation process on iPhone showing how the malicious TikTok app uses a configuration profile (Source: Kaspersky)

****Targeting iOS Devices****

According to Kaspersky’s **report**, for iOS devices, the attackers use a special Enterprise provisioning profile from Apple’s Developer Program. This allows them to install certificates on iPhones that make the malicious apps appear trustworthy, bypassing the usual App Store review process for direct distribution.

Furthermore, threat actors embedded their malicious code by modifying open-source networking libraries like AFNetworking.framework and Alamofire.framework, and also disguised it as libswiftDarwin.dylib.

****Targeting Android Devices****

On the Android side, Kaspersky found SparkKitty spyware hidden in various cryptocurrency and casino applications. One such app, a messaging tool with crypto features, was downloaded over 10,000 times from **Google Play** before being removed.

Another infected Android app spread outside official stores had a similar version that slipped into the App Store. Both directly included the malicious code within the app itself, not just as a separate component.

Once installed, SparkKitty spyware’s main goal is to access and steal all photos from a device’s gallery. While it broadly collects images, it appears linked to older spyware called SparkCat, which used Optical Character Recognition (**OCR**), a technology that _reads_ text from images – to specifically find and steal details like cryptocurrency wallet recovery phrases from screenshots.

Some versions of SparkKitty also use OCR for this purpose, leveraging the Google **ML Kit library** for this function, particularly in apps distributed via shady web pages resembling scams and **Ponzi schemes**.

SparkKitty spyware apps on Google Play (left) and App Store (right)

****Connected Campaigns and Targets****

Kaspersky believes SparkKitty spyware is directly connected to the earlier SparkCat campaign, **discovered** in January 2025, sharing similar distribution methods through both official and unofficial app marketplaces. Both threats also seem focused on cryptocurrency theft. The attackers behind SparkKitty spyware specifically targeted users in Southeast Asia and China, often through modified gambling and adult games, as well as the **fake TikTok apps**.

While downloading apps from third-party stores is always risky, this discovery shows that even trusted sources like official app stores can no longer be considered fully reliable. Users in the affected regions, and indeed globally, should remain cautious about app permissions and consider the legitimacy of any app asking for unusual access, especially to photo galleries.

SparkKitty Spyware on App Store and Play Store, Steals Photos for Crypto Data

Cybersecurity researchers are calling attention to a new jailbreaking method called Echo Chamber that could be leveraged to trick popular large language models (LLMs) into generating undesirable responses, irrespective of the safeguards put in place.
"Unlike traditional jailbreaks that rely on adversarial phrasing or character obfuscation, Echo Chamber weaponizes indirect references, semantic

Echo Chamber Jailbreak Tricks LLMs Like OpenAI and Google into Generating Harmful Content

Russian hackers have convinced targets to share their app passwords in very sophisticated and targeted social engineering attacks.

Russian hackers have bypassed Google’s multi-factor authentication (MFA) in Gmail to pull off targeted attacks, according to security researchers at Google Threat Intelligence Group (GTIG).

The hackers pulled this off by posing as US Department of State officials in advanced social engineering attacks, building a rapport with the target and then persuading them into creating app-specific passwords (app passwords).

App passwords are special 16-digit codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Normally, when you sign in to your Google account, you use your regular password plus a second verification step like a code sent to your phone. But since some older or less secure apps and devices—like certain email clients, cameras, or older phones—are unable to handle this extra verification step, Google provides app passwords as an alternative way to sign in.

However, because app passwords skip the second verification step, hackers can steal or phish them more easily than a full MFA login.

In an example provided by CitizenLab, the attackers initially made contact by posing as a State Department representative, inviting the target to a consultation in the setting of a private online conversation.

Although the invitation came from a Gmail account, it CCed four @state.gov accounts, giving a false sense of security and making the target believe that other people at the State Department had monitored the email conversation.

Most likely, the attacker fabricated those email addresses, knowing that the State Department’s email server accepts all messages and does not send a bounce response even if the addresses do not exist.

As the conversation unfolded and the target showed interest, they received an official looking document with instructions to register for an “MS DoS Guest Tenant” account. The document outlined the process of  “adding your work account… to our MS DoS Guest Tenant platform,” which included creating an app password to “enable secure communications between internal employees and external partners.”

So, while the target believes they are creating and sharing an app password to access a State Department platform in a secure way, they are actually giving the attacker full access to their Google account.

The targets of this campaign, which ran for months, were prominent academics and critics of Russia, and was set up with so much attention for details and skill that the researchers suspect the attacker was a Russian state-sponsored entity.

**Be safe, avoid app passwords**

Now that this bypass is known, we can expect more social engineering attacks leveraging app-specific passwords in the future. Here’s how to stay safe:

*   Only use app passwords when absolutely necessary. If you have the opportunity to change to apps and devices that support more secure sign-in methods, make that switch.
*   The advice to enable MFA still stands strong, but not all MFA is created equal. Authenticator apps (like Google Authenticator) or hardware security keys (FIDO2/WebAuthn) are more resistant to attacks than SMS-based codes, let alone app passwords.
*   Regularly educate yourself and others about recognizing phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords through phishing.
*   Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. And limit those logins where possible.
*   Regularly update your operating system and the apps you use to patch vulnerabilities that attackers might exploit. Enable automatic updates whenever possible so you don’t have to remember yourself.
*   Use security software that can block malicious domains and recognize scams.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Gmail&#8217;s multi-factor authentication bypassed by  hackers to pull off targeted attacks 

Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems.
"Unlike direct prompt injections, where an attacker directly inputs malicious commands into a prompt, indirect prompt injections

Google Adds Multi-Layered Defenses to Secure GenAI from Prompt Injection Attacks

Citizen Lab and Google uncovered a new, sophisticated cyberattack linked to Russian state actors that exploits App-Specific Passwords, bypassing Multi-Factor Authentication. Discover how to protect yourself from these evolving threats.

A new and highly sophisticated cyberattack, believed to be from a Russian state-linked group, has been revealed. This innovative method tricks people into creating and handing over App-Specific Passwords (ASPs), bypassing common security measures like Multi-Factor Authentication (MFA).

This sophisticated attack was jointly disclosed by the Citizen Lab (a research group at the University of Toronto) and Google’s Threat Intelligence Group (GTIG). Their investigation began after Keir Giles, a well-known expert on Russian information operations and a senior associate at Chatham House, contacted Citizen Lab for help after being targeted.

****A Malicious New Approach****

This new attack was different from typical phishing. It was slow and very convincing. It started on May 22, 2025, when Mr. Giles got an email from someone named Claudie S. Weber pretending to be a US State Department official. The email looked real, even with other official addresses in the “CC” line. The attackers took their time, sending over ten emails in several weeks to build trust. Experts think they might have used advanced tools to make their messages sound very natural.

Source: Citizen Lab

The main trick was to get Mr. Giles to sign up for a fake MS DoS Guest Tenant platform. They sent him a professional-looking PDF with instructions. This PDF guided him to create an App-Specific Password (ASP)for his Google account.

The Benign PDF (Source: GTIG)

For your information, an ASP is a special 16-digit code for older apps that don’t work with modern security. The hackers made it seem like this ASP would let him into a secure government system, but it actually gave them full control of his accounts.

****Russian Link and Future Warnings****

GTIG has identified the group behind these attacks as UNC6293. They believe, with some certainty, that UNC6293 is connected to APT29 (aka Cozy Bear), a cyber espionage group linked to Russia’s Foreign Intelligence Service (SVR). Google later detected the attack on Mr. Giles’s accounts, took steps to secure them, and disabled the attacker’s email address.

This incident highlights a growing concern: as standard security like MFA becomes more common, attackers are finding new ways to bypass it. Experts expect more social engineering attacks that target App-Specific Passwords.

Cybersecurity teams are now advised to be wary of how ASPS are used in their organizations and to educate users about these new risks. Google is already working to phase out ASPs for business users in Google Workspaces but still balances security with user needs for personal Gmail accounts.

Hackers Use Social Engineering to Target Expert on Russian Operations

Cybercriminals are injecting fake support phone numbers onto official sites like Bank of America and Netflix. Learn how 'search parameter injection' scams work and protect yourself now.

Cybercriminals are finding clever new ways to trick people, even on the official websites of major companies. Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands.

This trick has been seen affecting companies like:

1.  HP
2.  Apple
3.  Netflix
4.  PayPal
5.  Microsoft
6.  Facebook
7.  Bank of America

****How the Search Parameter Injection Works****

The scam typically starts with a sponsored advertisement on Google, which directs users to the real company website. It is worth noting that instead of creating a fake website, these scammers use a clever technique called a search parameter injection attack.

This means they create a special, malicious web address that embeds their scam phone number into the real website’s search function. When a user clicks on a poisoned search result, they land on the brand’s actual support page. The web address in their browser will show the legitimate site, giving no cause for alarm.

However, the scammer’s fake phone number appears prominently within what looks like an official search result on the page itself. For instance, on Netflix, the site’s search function “blindly reflects whatever users put in the search query parameter without proper sanitization or validation,” creating a weakness the scammers exploit, Malwarebytes’ Pieter Arntz explained in the report shared with Hackread.com.

Source: Malwarebytes

Once a victim calls the fake number, the scammers pretend to be company representatives. Their goal is to get personal details, credit card information, or even gain remote access to the victim’s computer. If it’s a financial company like Bank of America or PayPal, the scammers aim to empty bank accounts.

Malwarebytes Browser Guard proved effective in catching these scams, displaying a warning about Search Hijacking Detected and explaining that unauthorized changes have occurred. However, some instances are harder to spot such as, on Apple’s support page, the fake number appears alongside a message stating no search matches were found, urging users to call the displayed number.

Source: Malwarebytes

****Stay Safe: Spotting the Red Flags****

To avoid falling victim, always be suspicious if a phone number appears directly in the web address bar, or if search terms like Call Now or Emergency Support are visible there. Watch out for many strange characters (like %20 or %2B) mixed with phone numbers in the URL. If a website shows a search result before you even type anything, that’s another warning sign. Any urgent language like Account suspended should also raise an alarm.

Moreover, before calling any support number, always look up the official contact details from a trusted source, like their social media pages, and compare it to the number you found. If they don’t match, investigate further. Finally, if during a call, you’re asked for personal or banking details unrelated to your issue, hang up immediately.

Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages

Researchers have uncovered 30 exposed data sets containing over 16 billion login credentials which were likely harvested by infostealers.

When organizations, good or bad, start hoarding collections of login credentials the numbers quickly add up. Take the 184 million logins for social media accounts we reported about recently. Now try to imagine 16 billion!

Researchers at Cybernews have discovered 30 exposed datasets containing from several millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records.

The likely source: information stealers, or infostealers for short. Infostealers are malicious software designed specifically to gather sensitive information from infected devices. These malware variants silently extract credentials stored in browsers, email clients, messaging apps, and even crypto wallets, and send the data to cybercriminals.

And for those who are about to shrug it of as “probably old data,” it’s not. According to the researchers these aren’t just old breaches being recycled. This is fresh, weaponizable intelligence at scale.

Once again, an unfortunate demonstration on how effective and widespread infostealers are.

The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data.

But that doesn’t take away from the fact that these credentials are in the hands of cybercriminals who can use them for:

*   **Account takeovers**: Cybercriminals can use stolen credentials to hijack social media, banking, or corporate accounts.
*   **Identity theft**: Personal details enable fraud, loan applications, or impersonation.
*   **Targeted phishing**: Combining leaked data allows cybercriminals to engage in very convincing and personalized scams.
*   **Ransomware/business email compromise (BEC) attacks**: Compromised business credentials facilitate network intrusions or fraudulent wire transfers.

The leak includes credentials for virtually every large online service. Apple, Google, Facebook, Telegram, developer platforms, VPNs, and more.

And the number is so massive it exceeds our imagination. If you printed each credential (16 billion usernames + passwords) on a single line, using standard paper, and stacked the pages, the pile would reach far beyond the edge of the stratosphere (roughly 35 miles).

**How to protect against infostealers**

There are a few things you can do to limit the dangers of infostealers:

*   **Use an up-to-date and active anti-malware solution** that can detect and remove infostealers.
*   **Do not reuse passwords across different sites and services.** A password manager can be very helpful to create safe passwords and remember them for you.
*   **Enable two-factor authentication (2FA) for every account you can.** 2FA makes it much more difficult for an attacker to access your account with your login credentials. If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

Data stolen by infostealers is often sold or posted online. If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll give you a free report.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Tag

#google