Scandal surrounding the Trump administration’s Signal group chat has led to a landmark week for the encrypted messaging app’s adoption—its “largest US growth moment by a massive margin.”

SignalGate, as it's come to be called, may be the biggest scandal to hit the Trump administration in its first months in power. But it's been great for Signal.

Since the news broke on Monday that senior Trump administration cabinet members accidentally included the editor in chief of The Atlantic in a group chat on the Signal encrypted messaging platform where the officials were making secret plans to bomb Yemen, the ensuing news cycle and the constant mentions of Signal have led to the encrypted messaging platform doubling its usual rate of new downloads, the nonprofit organization that runs Signal tells WIRED. Given that 2025 has already been a “banner year” for Signal's growth, according to Signal's leadership, that makes this week the single biggest bump in US adoption of the app in Signal's nearly 11 years of existence.

“In Signal’s history, this is the largest US-growth moment by a massive margin,” says Jun Harada, Signal's head of growth and partnerships. “It’s mind-blowing, even on our side.”

Harada declined to give absolute numbers for Signal's user growth beyond saying that its total downloads are in the “hundreds of millions,” which has been the case for several years. But he said that the week’s rate of adoption has been twice that of a typical week for 2025, which in turn was twice that of a typical week the same time last year. “It happened immediately” after The Atlantic broke the story of Signal's use in the Yemeni bombing, Harada says. “And it’s been sustained. We’ve been maintaining that rate every day.”

In Signal's history, the only comparable spike in adoption occurred when WhatsApp changed its privacy policy in 2021, Harada says, leading to millions of users abandoning that communications app. But that incident mostly brought non-Americans to Signal, unlike the current, US-focused SignalGate bump.

Numbers from the market intelligence firm Sensor Tower largely align with Signal's own analysis of that growth: The company says that Signal downloads in the US increased 105 percent compared to the prior week—and 150 percent compared to an average week in 2024. Outside of the US, Sensor Tower saw only a 21 percent increase in Signal downloads compared to the prior week.

The Atlantic's revelation on Monday that secretary of defense Pete Hegseth, director of national intelligence Tulsi Gabbard, national security adviser Michael Waltz, vice president JD Vance, and other Trump administration officials used a Signal group chat to plan an air strike against Houthi rebels in Yemen—and that Waltz accidentally added Atlantic editor Jeffrey Goldberg to that group in a shocking breach of confidentiality—has raised serious questions about the security practices of the Trump administration that are still resonating days later.

The scandal has called into question whether the executive branch officials were planning the air strike using vulnerable non-approved or even personal devices rather than the secure machines intended for classified conversations. Screenshots of the group chat published by The Atlantic on Wednesday indicate that the officials were using Signal's disappearing messages feature to delete their communications, potentially in violation of US record retention laws.

The incident has raised sometimes-misguided questions, too, about whether Signal itself is to blame for the breach—including from President Trump, who suggested in comments on Wednesday that Signal might be “defective"—despite many cybersecurity and encryption experts' recommendation of Signal as the best end-to-end encrypted messaging tool freely available to the public. “You use Signal, we use Signal, everyone uses Signal,” Trump told reporters, “but it could be a defective platform.”

Signal's Harada declined to respond to Trump's “defective” comment and pointed to Signal's previous statements that it has yet to see any evidence of any vulnerability in the app, much less one that has anything to do with Jeffrey Goldberg being accidentally added to a White House group chat.

But Harada noted that the overall attention to Signal—even the president himself saying that “everyone uses Signal” in the Oval Office—is an example of the kind of visibility it has never had before. “All awareness for Signal is a net positive. The interest in Signal continues to be at an all-time high,” Harada says.

“I don’t think my phone has ever buzzed this much, from people from every walk of life. People are learning about Signal who maybe have never even heard about or considered encrypted messaging before.” Harada also pointed to a report that Google searches for “Signal” were up more than 1,000 percent.

Harada says that Signal was already seeing a significant uptick in adoption in the first few months of 2025. He attributes that growth partly to increasing general interest in privacy among consumers and partly to the breach of nine US telecoms by China's Salt Typhoon hacker group, which led to the hackers accessing some targets' real-time calls and texts. Federal officials at the FBI and the Cybersecurity and Infrastructure Security Agency responded to those breaches by publicly recommending that Americans use encrypted messaging and calling applications.

But all of that has been dwarfed by the attention and interest Signal has received this week. As messy as SignalGate may be, Harada says, it has made Signal a household name like never before. “To have this kind of mainstream moment is massive,” he says. “I believe it’s a sea change for private encrypted messaging for the US and the world.”

SignalGate Is Driving the Most US Downloads of Signal Ever

In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime.

Thursday, March 27, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

Howdy friends! One of things I learned early on in cyber security is that crime does, in fact, pay. It can pay **very** well, actually. If it didn’t, we wouldn’t have ransomware cartels raking in obscene amounts of money year after year. Ransomware victims pay ransoms with cryptocurrency — typically Bitcoin. A criminal who has their ill-gotten BTC gains then needs to introduce it into a banking system that lets them spend that crypto currency with no questions asked.  

You might be unsurprised to learn that that isn’t as easy as it sounds, but it’s also not a new problem. In the 1980s, South American drug cartels had a similar issue. They were making obscene amounts of money and had massive piles of cash. However, one cannot show up and start dropping massive amounts of money buying very expensive things without drawing legal attention. Plus, it turns out, cash was the preferred way to bribe corrupt officials. As a result, they found legal and banking loopholes, and less than reputable financial practices in the U.S and in other countries to inject ill-gotten money into a legitimate banking system where they could access the funds.  

This is called money laundering, and it is at the heart of every successful organized crime organization. Money Laundering 101 is done in three basic steps: Placement, Layering, and Integration.  

1.  **Placement:** You need to get your money into the financial system(s). 
2.  **Layering:** You need to move the money around so it’s harder to trace and to link it to the crime.  
3.  **Integration:** Now that the connection to the crime is obfuscated, you can spend that money. You can invest it, buy expensive cars, or whatever. That money is now in someone else’s pocket. I used to joke that Ferrari dealerships don’t exactly accept cryptocurrency, but it turns out that joke is now on me. More and more businesses now accept cryptocurrency as a direct means of payment it seems.  

We often think of the crime of ransomware attacks at the point of impact and victimization, but rarely do we think of the reverse — the money that is paid out that flows back into the cartel and its affiliates. Cryptocurrency is _fantastic_ for money laundering. It lags far behind regulatory standards, is largely anonymous, and can be “mixed” and directed to decentralized exchanges where Know Your Customer (KYC) and Anti-Money Laundering (AML) controls are not applied.  

So why am I bringing this up? Well, law enforcement attacking money laundering infrastructure really works. If you can impact how criminals launder their money, you put the brakes on the crime itself happening. After all, what good are the spoils of crime If you can’t do anything with it? 

My fear is that regulatory climates have shifted, which will allow laundering to more easily happen. Time will tell if I’m right, and I don’t want to be.

**The one big thing **

I’m a huge fanboy for clever evasion tactics. Cascading Style Sheets (CSS) evasion tactics in spam emails is just a wicked cool trick. Game knows game, and I have to say, this is super smart. Spam filters play a constant cat and mouse game against adversaries. It goes to show that the threat actors are always innovating neat tricks to exploit victims. 

**Why do I care? **

Spam emails account for a massive threat footprint, especially in enterprise email security. Any attack that sneaks malicious spam emails through a spam filter is worth paying attention to. 

**So now what? **

Knowing is half the battle. Time to look at your email defenses and shore them up. Consider an email proxy service or something similar to help augment your email threat defense.

**Top security headlines of the week **

**Airport outages:** Malaysia PM says country rejected $10 million ransom demand (The Record) 

**Satellites!** I am an absolute sucker for space hacking. ENISA released a great guide on securing commercial space assets. (ENISA)  

**One-click phishing attacks:** Google hastily patched a Chrome zero-day vulnerability exploited by an APT. (Dark Reading) 

**Can’t get enough Talos? **

*   Patch Tuesday was a doozy this time. Check out our blog post here. 
*   Also, keep your eyes peeled: Talos’ 2024 Year in Review will be available for download on Monday, Mar. 31. 

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1, 2025) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15, 2025) Arlington, VA 
*   Cisco Live U.S. (June 8 – 12, 2022) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**   
MD5: ff1b6bb151cf9f671c929a4cbdb64d86    
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query   
Claimed Product: Endpoint-Collector   
Detection Name: W32.File.MalParent     

**SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**     
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca    
Typical Filename: VID001.exe    
Claimed Product: N/A      
Detection Name: Coinminer:MBT.26mw.in14.Talos  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0    
Typical Filename: c0dwjdi6a.dll     
Claimed Product: N/A      
Detection Name: Trojan.GenericKD.33515991   

**SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Detection Name: Simple\_Custom\_Detection

Money Laundering 101, and why Joe is worried

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-translated from Russian.

Researchers at the security firm **Silent Push** mapped a network of several dozen phishing domains that spoof the recruitment websites of Ukrainian paramilitary groups, as well as Ukrainian government intelligence sites.

The website **legiohliberty\[.\]army** features a carbon copy of the homepage for the Freedom of Russia Legion (a.k.a. “Free Russia Legion”), a three-year-old Ukraine-based paramilitary unit made up of Russian citizens who oppose Vladimir Putin and his invasion of Ukraine.

The phony version of that website copies the legitimate site — **legionliberty\[.\]army —** providing an interactive **Google Form** where interested applicants can share their contact and personal details. The form asks visitors to provide their name, gender, age, email address and/or Telegram handle, country, citizenship, experience in the armed forces; political views; motivations for joining; and any bad habits.

“Participation in such anti-war actions is considered illegal in the Russian Federation, and participating citizens are regularly charged and arrested,” Silent Push wrote in a report released today. “All observed campaigns had similar traits and shared a common objective: collecting personal information from site-visiting victims. Our team believes it is likely that this campaign is the work of either Russian Intelligence Services or a threat actor with similarly aligned motives.”

Silent Push’s **Zach Edwards** said the fake Legion Liberty site shared multiple connections with **rusvolcorps\[.\]net**. That domain mimics the recruitment page for a Ukrainian far-right paramilitary group called the Russian Volunteer Corps (rusvolcorps\[.\]com), and uses a similar Google Forms page to collect information from would-be members.

Other domains Silent Push connected to the phishing scheme include: **ciagov\[.\]icu**, which mirrors the content on the official website of the **U.S. Central Intelligence Agency**; and **hochuzhitlife\[.\]com**, which spoofs the **Ministry of Defense of Ukraine & General Directorate of Intelligence** (whose actual domain is **hochuzhit\[.\]com**).

According to Edwards, there are no signs that these phishing sites are being advertised via email. Rather, it appears those responsible are promoting them by manipulating the search engine results shown when someone searches for one of these anti-Putin organizations.

In August 2024, security researcher **Artem Tamoian** posted on Twitter/X about how he received startlingly different results when he searched for “Freedom of Russia legion” in Russia’s largest domestic search engine **Yandex** versus Google.com. The top result returned by Google was the legion’s actual website, while the first result on Yandex was a phishing page targeting the group.

“I think at least some of them are surely promoted via search,” Tamoian said of the phishing domains. “My first thread on that accuses Yandex, but apart from Yandex those websites are consistently ranked above legitimate in DuckDuckGo and Bing. Initially, I didn’t realize the scale of it. They keep appearing to this day.”

Tamoian, a native Russian who left the country in 2019, is the founder of the cyber investigation platform malfors.com. He recently discovered two other sites impersonating the Ukrainian paramilitary groups — **legionliberty\[.\]world** and **rusvolcorps\[.\]ru** — and reported both to Cloudflare. When Cloudflare responded by blocking the sites with a phishing warning, the real Internet address of these sites was exposed as belonging to a known “bulletproof hosting” network called **Stark Industries Solutions Ltd**.

Stark Industries Solutions appeared two weeks before Russia invaded Ukraine in February 2022, materializing out of nowhere with hundreds of thousands of Internet addresses in its stable — many of them originally assigned to Russian government organizations. In May 2024, KrebsOnSecurity published a deep dive on Stark, which has repeatedly been used to host infrastructure for distributed denial-of-service (DDoS) attacks, phishing, malware and disinformation campaigns from Russian intelligence agencies and pro-Kremlin hacker groups.

In March 2023, Russia’s Supreme Court designated the Freedom of Russia legion as a terrorist organization, meaning that Russians caught communicating with the group could face between 10 and 20 years in prison.

Tamoian said those searching online for information about these paramilitary groups have become easy prey for Russian security services.

“I started looking into those phishing websites, because I kept stumbling upon news that someone gets arrested for trying to join \[the\] Ukrainian Army or for trying to help them,” Tamoian told KrebsOnSecurity. “I have also seen reports \[of\] FSB contacting people impersonating Ukrainian officers, as well as using fake Telegram bots, so I thought fake websites might be an option as well.”

Search results showing news articles about people in Russia being sentenced to lengthy prison terms for attempting to aid Ukrainian paramilitary groups.

Tamoian said reports surface regularly in Russia about people being arrested for trying carry out an action requested by a “Ukrainian recruiter,” with the courts unfailingly imposing harsh sentences regardless of the defendant’s age.

“This keeps happening regularly, but usually there are no details about how exactly the person gets caught,” he said. “All cases related to state treason \[and\] terrorism are classified, so there are barely any details.”

Tamoian said while he has no direct evidence linking any of the reported arrests and convictions to these phishing sites, he is certain the sites are part of a larger campaign by the Russian government.

“Considering that they keep them alive and keep spawning more, I assume it might be an efficient thing,” he said. “They are on top of DuckDuckGo and Yandex, so it unfortunately works.”

Further reading: Silent Push report, Russian Intelligence Targeting its Citizens and Informants.

When Getting Phished Puts You in Mortal Danger

Cybersecurity threats are evolving at an unprecedented pace, leaving organizations vulnerable to large-scale attacks. Security breaches and data…

Cybersecurity threats are evolving at an unprecedented pace, leaving organizations vulnerable to large-scale attacks. **Security breaches** and data leaks can have severe financial and reputational consequences. To tackle these risks, businesses must adopt a proactive approach to security that doesn’t just react to threats but actively anticipates and mitigates them. 

This is where **pentesting services** come into play. Unlike automated vulnerability scans, penetration testing involves simulating real-world attacks to uncover security gaps before malicious actors can exploit them. Organizations across industries rely on pentesting to strengthen their defenses, meet compliance requirements, and validate security controls against evolving threats.

This article explores the most relevant penetration testing services, their role in cybersecurity, and how businesses can leverage them to enhance security resilience. From network and application testing to red teaming and cloud security assessments, understanding these services is essential for organizations looking to stay ahead of cyber threats.

****The Role of Penetration Testing in Cybersecurity****

Penetration testing (**pentesting**) is a controlled security assessment that mimics real-world cyberattacks to identify and address vulnerabilities before attackers can exploit them. Unlike traditional security measures that rely on firewalls, antivirus software, and automated scanners, pentesting provides a hands-on evaluation of an organization’s security posture. It helps detect misconfigurations, weak authentication mechanisms, and exploitable flaws that may go unnoticed in routine security checks.

The primary goal of penetration testing is to reduce the attack surface by uncovering security gaps across networks, applications, APIs, and cloud environments. This proactive approach not only strengthens defenses but also ensures compliance with security standards like **PCI DSS, ISO 27001**, and **HIPAA**. Organizations that integrate regular pentesting into their security strategy are better equipped to handle emerging threats and minimize the risk of costly breaches.

However, a common misconception is that penetration testing is just an advanced form of vulnerability scanning. While automated scanners can detect known issues, they cannot analyze complex attack chains, logic flaws, and business logic vulnerabilities. Skilled penetration testers use a combination of manual techniques, custom exploits, and real-world attack scenarios to simulate how an adversary would attempt to compromise a system. This makes penetration testing an essential component of a robust security program.

****Key Types of Penetration Testing Services****

Not all security risks are the same, and different environments require specialized testing approaches. Below are the most relevant penetration testing services, each addressing specific attack surfaces and security concerns.

****Network Penetration Testing****

A core component of security assessments, network penetration testing focuses on identifying vulnerabilities in both external and internal network infrastructure. This involves testing firewalls, routers, VPNs, and other network devices for misconfigurations, outdated protocols, and weak authentication mechanisms.

Common threats mitigated by network pentesting include:

*   Open ports and exposed services provide an entry point for attackers.

*   Weak encryption can be exploited for data interception and manipulation.

*   Misconfigured access controls that allow unauthorized access to sensitive systems.

Network penetration testing is particularly relevant for enterprises, cloud service providers, and organizations handling sensitive data across distributed networks.

****Web Application Penetration Testing****

Web applications are prime targets for cyberattacks due to their accessibility and integration with critical business operations. This form of pentesting evaluates applications against vulnerabilities outlined in the OWASP Top 10, such as:

*   **SQL Injection (SQLi):** Exploiting database queries to extract sensitive data.

*   **Cross-Site Scripting (XSS):** Injecting malicious scripts to hijack user sessions.

*   **Broken Authentication:** Weak login mechanisms that allow unauthorized access.

SaaS providers, fintech companies, and e-commerce platforms rely on web application pentesting to secure customer transactions, APIs, and user authentication mechanisms.

**Mobile Application Penetration Testing**

With mobile apps handling sensitive financial, healthcare, and personal data, securing them is critical. Mobile application penetration testing assesses both iOS and Android apps for risks such as:

*   **Insecure data storage** that exposes sensitive user information.

*   **Weak API security,** leading to unauthorized access or data leaks.

*   **Reverse engineering risks** where attackers decompile apps to extract secrets.

Pentesters analyze app permissions, encryption mechanisms, and backend API security to ensure mobile applications comply with industry best practices and regulatory standards.

****Cloud Penetration Testing****

Cloud security introduces unique challenges, including misconfigured storage services, excessive permissions, and insecure **API endpoints**. Cloud penetration testing assesses environments like AWS, Azure, and Google Cloud for:

*   **Publicly exposed assets** such as S3 buckets or storage blobs.

*   **Identity and Access Management (IAM) misconfigurations** leading to privilege escalation.

*   **Insecure APIs and serverless functions** that could be exploited.

Given the widespread adoption of cloud services, cloud pentesting is critical for organizations leveraging SaaS platforms, multi-cloud environments, and **DevOps workflows**.

**API Penetration Testing**

APIs serve as the backbone of modern applications, yet they are often overlooked in security assessments. API penetration testing targets vulnerabilities like:

*   **Broken authentication and authorization** that allow unauthorized access to critical services.

*   **Rate limiting bypasses** enabling brute-force attacks or data scraping.

*   **Data exposure** due to improper input validation and misconfigured responses.

API pentesting is especially relevant for fintech, healthcare, and logistics platforms that rely on secure data exchange.

**IoT Penetration Testing**

The increasing adoption of IoT devices introduces significant security risks, from industrial control systems to smart home devices. IoT penetration testing identifies weaknesses such as:

*   **Default credentials** that attackers exploit to gain control.

*   **Lack of encryption,** exposing communication channels to interception.

*   **Unpatched firmware vulnerabilities,** leaving devices open to exploitation.

Industries like healthcare, automotive, and industrial automation require IoT pentesting to safeguard connected devices and prevent large-scale cyber incidents.

**Red Team Assessments**

Unlike traditional pentesting, **red team** assessments simulate full-scale attacks to test an organization’s detection and response capabilities. These engagements go beyond vulnerability discovery to mimic advanced persistent threats (APTs) and real-world adversary tactics.

Key attack vectors in red team assessments include:

*   **Physical security bypass,** such as tailgating into restricted areas.

*   **Social engineering** to manipulate employees into disclosing credentials.

*   **Persistence mechanisms** to maintain undetected access over extended periods.

Red teaming is essential for large enterprises, government agencies, and critical infrastructure operators looking to validate their security resilience against sophisticated attacks.

****Choosing the Right Penetration Testing Service****

Selecting the right penetration testing service depends on business impact, regulatory requirements, and infrastructure. Security assessments must be tailored to provide actionable insights rather than generic findings.

****Key Considerations****

*   **Business Impact:** Identifying critical assets that require testing, such as customer data or financial transactions.

*   **Regulatory Compliance:** Industries like finance and healthcare must meet PCI DSS, ISO 27001, HIPAA, and SOC 2 standards.

*   **Infrastructure Type:** Cloud-native environments require different security tests than on-premises systems or API-heavy platforms.

*   **Security Maturity:** Organizations with mature security defenses may benefit from red team assessments, while those with fewer controls should start with network and application pentesting.

****Compliance vs. Risk-Driven Testing****

*   **Compliance-driven:** Focuses on meeting security mandates but may have a limited scope.

*   **Risk-driven:** Simulates real-world attack scenarios beyond compliance checklists.

****The Need for Recurring Assessments****

Cyber threats evolve, making regular pentesting (quarterly or annually) essential. Organizations integrating security into **DevSecOps detect vulnerabilities** early, reducing risks proactively rather than reactively.

****Conclusion****

Penetration testing is essential for identifying vulnerabilities before attackers exploit them. Unlike automated scans, pentesting services simulate real-world threats, strengthening defenses and ensuring compliance.

Choosing the right service, whether network, application, cloud, or red teaming, depends on risk exposure and industry standards. Security isn’t a one-time effort; regular testing and DevSecOps integration help organizations stay alert against increasing cybersecurity threats.

Penetration Testing Services: Strengthening Cybersecurity Against Evolving Threats

The Trump cabinet’s shocking leak of its plans to bomb Yemen raises myriad confidentiality and legal issues. The security of the encrypted messaging app Signal is not one of them.

The eye-popping scandal surrounding the Trump cabinet’s accidental invitation to The Atlantic’s editor in chief to join a text-message group secretly planning a bombing in Yemen has rolled into its third day, and that controversy now has a name: SignalGate, a reference to the fact that the conversation took place on the end-to-end encrypted free messaging tool Signal.

As that name becomes a shorthand for the biggest public blunder of the second Trump administration to date, however, security and privacy experts who have promoted Signal as the best encrypted messaging tool available to the public want to be clear about one thing: SignalGate is not about Signal.

Since The Atlantic’s editor, Jeffrey Goldberg, revealed Monday that he was mistakenly included in a Signal group chat earlier this month created to plan US airstrikes against the Houthi rebels in Yemen, the reaction from the Trump cabinet’s critics and even the administration itself has in some cases seemed to cast blame on Signal for the security breach. Some commentators have pointed to reports last month of Signal-targeted phishing by Russian spies. National security adviser Michael Waltz, who reportedly invited Goldberg to the Signal group chat, has even suggested that Goldberg may have hacked into it.

On Wednesday afternoon, even President Donald Trump suggested Signal was somehow responsible for the group chat fiasco. “I don't know that Signal works,” Trump told reporters at the White House. “I think Signal could be defective, to be honest with you.”

The real lesson is much simpler, says Kenn White, a security and cryptography researcher who has conducted audits on widely used encryption tools in the past as the director of the Open Crypto Audit Project: Don’t invite untrusted contacts into your Signal group chat. And if you’re a government official working with highly sensitive or classified information, use the encrypted communication tools that run on restricted, often air-gapped devices intended for a top-secret setting rather than the unauthorized devices that can run publicly available apps like Signal.

“Unequivocally, no blame in this falls on Signal,” says White. “Signal is a communication tool designed for confidential conversations. If someone's brought into a conversation who’s not meant to be part of it, that's not a technology problem. That's an operator issue.”

Cryptographer Matt Green, a professor of computer science at Johns Hopkins University, puts it more simply. “Signal is a tool. If you misuse a tool, bad things are going to happen,” says Green. “If you hit yourself in the face with a hammer, it’s not the hammer’s fault. It’s really on you to make sure you know who you’re talking to.”

The only sense in which SignalGate _is_ a Signal-related scandal, White adds, is that the use of Signal suggests that the cabinet-level officials involved in the Houthi bombing plans, including secretary of defense Pete Hegseth and director of national intelligence Tulsi Gabbard, were conducting the conversation on internet-connected devices—possibly even including personal ones—since Signal wouldn’t typically be allowed on the official, highly restricted machines intended for such conversations. “In past administrations, at least, that would be absolutely forbidden, especially for classified communications,” says White.

Indeed, using Signal on internet-connected commercial devices doesn’t just leave communications open to anyone who can somehow exploit a hackable vulnerability in Signal, but anyone who can hack the iOS, Android, Windows, or Mac devices that might be running the Signal mobile or desktop apps.

This is why US agencies in general, and the Department of Defense in particular, conduct business on specially managed federal devices that are specially provisioned to control what software is installed and which features are available. Whether the cabinet members had conducted the discussion on Signal or another consumer platform, the core issue was communicating about incredibly high-stakes, secret military operations using inappropriate devices or software.

One of the most straightforward reasons that communication apps like Signal and WhatsApp are not suitable for classified government work is that they offer “disappearing message” features—mechanisms to automatically delete messages after a preset amount of time—that are incompatible with federal record retention laws. This issue was on full display in the principals’ chat about the impending strike on Yemen, which was originally set for one-week auto-delete before the Michael Waltz account changed the timer to four-week auto-delete, according to screenshots of the chat published by The Atlantic on Wednesday. Had The Atlantic’s Goldberg not been mistakenly included in the chat, its contents might not have been preserved in accordance with long-standing government requirements.

In congressional testimony on Wednesday, US director of national intelligence Tulsi Gabbard said that Signal can come preinstalled on government devices. Multiple sources tell WIRED that this is not the norm, though, and noted specifically that downloading consumer apps like Signal to Defense Department devices is highly restricted and often banned. The fact that Hegseth, the defense secretary, participated in the chat indicates that he either obtained an extremely unusual waiver to install Signal on a department device, bypassed the standard process for seeking such a waiver, or was using a non-DOD device for the chat. According to political consultant and podcaster FP Wellman, DOD “political appointees” demanded that Signal be installed on their government devices last month.

Core to the Trump administration’s defense of the behavior is the claim that no classified material was discussed in the Signal chat. In particular, Gabbard and others have noted that Hegseth himself is the classification authority for the information. Multiple sources tell WIRED, though, that this authority does not make a consumer application the right forum for such a discussion.

“The way this was being communicated, the conversation had no formal designation like 'for official use only' or something. But whether it should have been classified or not, whatever it was, it was obviously sensitive operational information that no soldier or officer would be expected to release to the public—but they had added a member of the media into the chat,” says Andy Jabbour, a US Army veteran and founder of the domestic security risk-management firm Gate 15.

Jabbour adds that military personnel undergo annual information awareness and security training to reinforce operating procedures for handling all levels of nonpublic information. Multiple sources emphasize to WIRED that while the information in the Yemen strike chat appears to meet the standard for classification, even nonclassified material can be extremely sensitive and is typically carefully protected.

“Putting aside for a moment that classified information should never be discussed over an unclassified system, it’s also just mind-boggling to me that all of these senior folks who were on this line and nobody bothered to even check, security hygiene 101, who are all the names? Who are they?” US senator Mark Warner, a Virginia Democrat, said during Tuesday’s Senate Intelligence Committee hearing.

According to The Atlantic, 12 Trump administration officials were in the Signal group chat, including vice president JD Vance, secretary of state Marco Rubio, and Trump adviser Susie Wiles. Jabbour adds that even with ​​decisionmaking authorities present and participating in a communication, establishing an information designation or declassifying information happens through an established, proactive process. As he puts it, “If you spill milk on the floor, you can’t just say, ‘That’s actually not spilled milk, because I intended to spill it.’”

All of which is to say, SignalGate raises plenty of security, privacy, and legal issues. But the security of Signal itself is not one of them. Despite that, in the wake of The Atlantic’s story on Monday, some have sought tenuous connections between the Trump cabinet’s security breach and Signal vulnerabilities. On Tuesday, for example, a Pentagon adviser echoed a report from Google’s security researchers, who alerted Signal earlier this year to a phishing technique that Russian military intelligence used to target the app’s users in Ukraine. But Signal pushed out an update to make that tactic—which tricks users into adding a hacker as a secondary device on their account—far harder to pull off, and the same tactic also targeted some accounts on the messaging services WhatsApp and Telegram.

“Phishing attacks against people using popular applications and websites are a fact of life on the internet,” Signal spokesperson Jun Harada tells WIRED. “Once we learned that Signal users were being targeted, and how they were being targeted, we introduced additional safeguards and in-app warnings to help protect people from falling victim to phishing attacks. This work was completed months ago."

In fact, says White, the cryptography researcher, if the Trump administration is going to put secret communications at risk by discussing war plans on unapproved commercial devices and freely available messaging apps, they could have done much worse than to choose Signal for those conversations, given its reputation and track record among security experts.

“Signal is the consensus recommendation for highly at-risk communities—human rights activists, attorneys, and confidential sources for journalists,” says White. Just not, as this week has made clear, executive branch officials planning airstrikes.

_Updated at 5:50 pm ET, March 25, 2025: Added remarks about Signal by President Trump._

SignalGate Isn’t About Signal

With its growing popularity, sponsored Google search ads have started impersonating DeepSeek AI.

_The threat intel research used in this post was provided by Malwarebytes Senior Director of Research, Jérôme Segura._

DeepSeek’s rising popularity has not only raised concerns and questions about privacy implications, but cybercriminals are also using it as a lure to trap unsuspecting Google searchers.

Unfortunately, we are getting so used to sponsored Google search results being abused by criminals that we advise people not to click on them. So, it was to be expected that DeepSeek would show up in our monitoring of fake Google ads.

Here’s the fake ad:

If you put it side by side with the real DeepSeek ads, the difference is relatively easy to spot:

But as an unsuspecting searcher, you aren’t likely to make that comparison, and as you may know from previous posts about fake Google sponsored ads, the criminals behind these campaigns can be a lot more convincing.

In this case, they certainly put a lot more effort into creating the fake website which the advertisement linked to:

It’s different from the real website, but it looks convincing, nonetheless.

Should you happen to click the download button, you will receive a Trojan programmed in Microsoft Intermediate Language (MSIL), which the Artificial Intelligence (AI) module in Malwarebytes/ThreatDown products detects as Malware.AI.1323738514.

**How to avoid these traps**

As we mentioned earlier, Google has demonstrated that it can’t keep fake ads out of its sponsored search results. And apparently the success rate of these fake ads is high enough to allow the criminals to pay Google enough to outrank legitimate brands.

So, our first tip is not to click on sponsored search results. Ever.

The second tip is to look at the advertiser by clicking the three dots behind the URL in the search result and look whether he advertiser listed is the legitimate owner of the brand or not.

Here is one example of another DeepSeek impersonator we found. The advertiser’s name is not in Chinese characters by the way. The language in which the advertiser’s name is written is Hebrew: תמיר כץ.

If you don’t want to see sponsored ads at all then it’s worth considering installing an ad-blocker that will make sure you go straight to the regular search results.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 DeepSeek users targeted with fake sponsored Google ads that deliver malware 

Veer Chetal, known online as "Wiz" and one of the key suspects in the massive $243 million cryptocurrency heist, has been apprehended by U.S. Marshals.

In a new development in the investigation of a massive $243 million cryptocurrency heist, one of the key suspects, Veer Chetal, known online as “Wiz,” has been apprehended by U.S. Marshals. This news was delivered via a tweet from blockchain investigator **ZachXBT**.

****A Sophisticated Scam Unravels****

To recap, back in September 2024, Hackread.com **published a report** detailing how hackers had planned a phishing operation by impersonating Google and Gemini support. They managed to trick a victim in Washington, D.C., into resetting their two-factor authentication, granting them access to a treasure trove of cryptocurrency.

The team of scammers, which included Chetal, along with individuals known as “Greavys” (Malone Iam) and “Box” (Jeandiel Serrano), then proceeded to siphon off a whopping $243 million.

****ZachXBT’s Online Detective Work****

Blockchain investigator ZachXBT played a crucial role in tracing the movement of the stolen funds. Their efforts provided a clear picture of how the hackers laundered the cryptocurrency (including a video of scammers celebrating the hack), using it to fund a lavish lifestyle of luxury cars, expensive watches, and high-end jewelry.

> 3/ Here is a private video recording showing the live reaction by multiple of the threat actors to receiving $238M.
> 
> Theft txn hash  
> 4064 BTC – Aug 19 at 4:05 am UTC  
> 4b277ba298830ea538086114803b9487558bb093b5083e383e94db687fbe9090 pic.twitter.com/djSxBTkOF8
> 
> — ZachXBT (@zachxbt) September 19, 2024

ZachXBT’s recent tweet, which shared Chetal’s mugshot, confirmed the arrest and is a big step forward in a case that’s drawn a lot of attention. Thanks to ZachXBT’s efforts, the public learned about Veer Chetal’s involvement in the early stages of the hack, where he gained access to the victim’s personal accounts.

> Update: Wiz (Veer Chetal) was arrested by US Marshall’s and here is his mug shot. pic.twitter.com/O25UU25VhR
> 
> — ZachXBT (@zachxbt) March 25, 2025

****Lesson Learned?****

While authorities are still investigating, the hack of the victim’s accounts is a reminder that no antivirus software, firewall, or ad blocker can fully protect you if you lack basic **cybersecurity knowledge** and don’t use common sense when dealing with online threats.

Take the time to educate yourself about phishing scams, and remember never to trust anyone online who claims to be from a reputable company asking for your account details or trying to trick you into resetting your 2FA. Stay alert and think twice before sharing sensitive information.

Crypto Heist Suspect “Wiz” Arrested After $243 Million Theft

Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that it said has been exploited in the wild as part of attacks targeting organizations in Russia. 
The vulnerability, tracked as CVE-2025-2783, has been described as a case of "incorrect handle provided in unspecified circumstances in Mojo on Windows." Mojo refers to a

Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks

Cybercriminals exploit AbyssWorker driver to disable EDR systems, deploying MEDUSA ransomware with revoked certificates for stealthy attacks.

Cybercriminals are exploiting custom and compromised drivers to disable endpoint detection and response (EDR) systems, facilitating undetected malicious activity. Elastic Security Labs (ESL) has identified a financially motivated campaign deploying MEDUSA ransomware, utilizing a loader paired with a revoked certificate-signed driver named AbyssWorker. This driver, originating from a Chinese vendor, is designed to neutralize EDR solutions.

As per ESL’s investigation, shared with Hackread.com, this tactic blinds security tools and allows malicious actors to operate freely, increasing the success rate of their attacks.

The AbyssWorker driver, originating from a Chinese vendor, is a key component in a campaign that installs itself on victim machines and systematically targets and silences various EDR solutions.

“This EDR-killer driver was recently reported by ConnectWise in another campaign, using a different certificate and IO control codes, at which time some of its capabilities were discussed. In 2022, Google Cloud Mandiant disclosed a malicious driver called POORTRY, which we believe is the earliest mention of this driver,” researchers noted in the blog post.

The actual filename of the malicious driver is identified as smuol.sys (a 64-bit Windows PE driver). It cleverly mimics a legitimate CrowdStrike Falcon driver, probably to blend into legitimate system processes. ESL identified multiple samples on VirusTotal dating from August 2024 to February 2025, all signed with revoked certificates from various Chinese companies, including Foshan Gaoming Kedeyu Insulation Materials Co., Ltd and FEI XIAO, among others. These certificates, while widely used across various malware campaigns, are not specific to AbyssWorker.

Upon initialization, AbyssWorker establishes a device and symbolic link, registering callbacks for major functions. A critical defence evasion mechanism involves stripping existing handles to its client process from other processes, preventing external manipulation. It also registers callbacks to deny access to handles of protected processes and threads.

The driver’s core functionality resides in its DeviceIoControl handlers, which execute a range of operations based on I/O control codes. These operations include file manipulation, process and driver termination, and API loading. A password is required to enable the driver’s malicious capabilities. For file operations, AbyssWorker uses I/O Request Packets (IRPs), bypassing standard APIs.

AbyssWorker can remove notification callbacks, replace driver major functions, detach mini-filter devices, terminate processes and threads, and restore hooked NTFS and PNP driver functions. Notably, it can trigger a system reboot using the undocumented HalReturnToFirmware function. These capabilities directly support MEDUSA ransomware’s ability to operate without security interference.

A key obfuscation technique AbyssWorker employs is calling “constant-returning functions” throughout the binary to complicate static analysis. However, Elastic deemed it inefficient, as they are easy to identify and declared it “an inefficient obfuscation scheme.”

Nevertheless, AbyssWorker represents a significant threat, demonstrating the increasing sophistication of kernel-level malware designed to disable security infrastructure. ESL has provided a client implementation example, offering researchers a means to further explore and experiment with this malware. To further aid in detection, Elastic Security has released YARA rules, available on their GitHub repository, enabling security professionals to identify instances of AbyssWorker within their environments.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development, stating,

_“_The Medusa malware is living up to its name, finding new ways to infect hosts even after one method has been blocked. Using a batch file to disable system services is a short-term ploy as it can be detected and blocked. Security teams should be on alert for any systems that have a time change and review end-user permissions to prevent the user from stopping the time service._“_

Top/Featured Image by WaveGenerics from Pixabay

Medusa Ransomware Disables Anti-Malware Tools with Stolen Certificates

Google has admitted it accidentally deleted some Maps Timeline user data after what it calls a "technical issue".

Google has admitted it accidentally deleted some users’ Google Maps Timeline data after a “technical issue”.

As reported by Forbes on March 11, users started noticing that their Google Maps Timelines had completely disappeared. At the time, we didn’t know anything about the cause of this issue.

However, now we do, after some of the impacted users received a email from Google on March 21. Not with an apology, mind you, but with an explanation.

Google wrote that it had:

> “Briefly experienced a technical issue that caused the deletion of Timeline data for some people. If you have encrypted backups enabled, you may be able to restore your data.”

If you’re among those affected and you did have backups enabled, here’s how you can attempt to restore your data:

*   Make sure you have the latest version of the Google Maps app installed on your device.
*   Open Google Maps, tap on your profile picture in the top right corner, and select **Your Timeline**.
*   Look for a cloud icon at the top of the Timeline screen and tap it. Choose a backup to import your data.

This doesn’t seem to work for everyone though, with some users commenting that this method didn’t work for them.

If you didn’t have backups enabled, it might not be possible to recover your lost Timeline data.

**Planned deletion**

For those interested in keeping their Timeline, bear in mind that if you don’t take action soon, your visits and routes might be erased, and your Timeline settings disabled. Earlier this month, Google announced that it will begin deleting the last three months of Timeline data unless you take action to back it up, as part of a roll out of significant changes to Maps Timeline.

After you receive the notification from Google, you have about six months to save or transfer your Timeline data before deletion takes place. The sender of the email is “Google Location History,” with the subject line: “Keep your Timeline? Decide by \[date\].”

When you get the prompt, follow the instructions on how to adjust your settings on your device. If you don’t, your visits and routes will be erased, and your Timeline settings will be disabled.

**How to back up your Google Maps Timeline data**

Here’s how back up your Timeline data to prevent any future losses, and help preserve your data during the planned deletion:

*   Open the Google Maps app.
*   Tap your profile picture, then **Your Timeline**.
*   At the top right, tap the cloud icon.
*   If auto-delete is turned on, turn it off.
*   On the Backup screen, turn on **Backup**.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#google