For years, North Korea has been secretly placing young IT workers inside Western companies. With AI, their schemes are now more devious—and effective—than ever.

North Korea Stole Your Job

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.…

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign. Learn about the GRU-linked attacks, tactics, and previous incidents like the TV5Monde hack.

France has accused the Russian state-backed hacking group APT28, linked to Russia’s military intelligence agency GRU (Russian General Staff Main Intelligence Directorate), of targeting or compromising a dozen French government and other organizations.

Active since at least 2004 under names like BlueDelta, Fancy Bear, Forest Blizzard, Sednit, and Sofacy; APT28 typically targets government, military, energy, and media in Europe and the US.

Now, a report by the French cybersecurity agency ANSSI has attributed recent attacks on French local government, administration, defence, aerospace, research, finance, and think-tank organizations to APT28.

APT28’s Targets in France since 2021 (Source: ANSSI)

These attacks, primarily aimed at governmental, diplomatic, and research entities in 2024, utilized phishing, vulnerability exploitation, and brute-force attacks for initial access, often relying on inexpensive, outsourced infrastructure.

This infrastructure, as per ANSSI’s report (PDF), includes rented servers, free hosting services, VPNs (Virtual Private Networks), and temporary email addresses. This approach provides flexibility and enhances their ability to remain undetected.  

ANSSI noted APT28’s targeting of Roundcube email servers to distribute the HeadLace backdoor, use of the OceanMap stealer, and phishing campaigns against UKR.NET and Yahoo users, employing compromised routers and other methods to conceal their infrastructure.

France’s Ministry for Europe and Foreign Affairs strongly condemned Russia’s use of APT28, highlighting past attacks on the 2024 Olympics, and attempted interference in the 2017 elections. They emphasized that such actions violate UN norms of responsible state behaviour in cyberspace and pledged to counter Russia’s malicious cyber activities.

“France condemns in the strongest terms the use by Russia’s military intelligence service of the APT28 attack group, at the origin of several cyber-attacks on French interests,” the French foreign ministry’s statement read.

****France Accused APT28 of Impersonating ISIS Hackers****

Hackread.com has been following the activities of APT28, with a previous report linking it to a 2015 cyberattack on TV5Monde. Initially, that attack was attributed to a group posing as ISIS/ISIL militants, known as “CyberCaliphate,” who claimed responsibility by posting pro-ISIS messages on the broadcaster’s social media and temporarily blacking out their global TV channel.

However, subsequent investigations revealed matching IP addresses and techniques used by APT28, leading French authorities and cybersecurity experts to suspect Russian government involvement.

A similar cyberattack targeted the BBC’s live transmission in April 2015. However, it remains unclear whether the British government linked the incident to APT28 or acknowledged its impersonation tactics.

Nevertheless, this pattern of targeted activity indicates APT28’s persistent threat to France and other nations. It also suggests efforts to gather strategic intelligence and influence public perception within French society.

From TV5Monde to Govt: France Blames Russia’s APT28 for Cyberattacks

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides…

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides itself, and even modifies core files like wp-cron.php for persistence. Stay protected.

Security researchers at Wordfence recently uncovered a tricky piece of malware targeting WordPress websites. This malicious software is designed to look like a genuine anti-malware plugin, often appearing in the file system with names such as ‘WP-antymalwary-bot.php’.

According to Wordfence Threat Intelligence Team’s technical blog post, this fake plugin contains several dangerous capabilities. Such as, it allows attackers to control an infected website, hide from the WordPress admin dashboard, and execute malicious code remotely. It also has a “pinging” function that sends information back to a C&C server, spreads into other directories, and injects harmful JavaScript, which is then used to display unwanted advertisements.

Further analysis revealed that the malware uses a check_plugin GET parameter for status checks and, more dangerously, an emergency_login GET parameter for immediate admin access by providing a password. It also uses the REST API for remote code execution via a POST request to execute_admin_command, enabling cache clearing or injecting PHP code into theme headers. The hide\_plugin\_from\_list function conceals it from the admin dashboard.

The malware often comes with a modified wp-cron.php file that can reactivate the plugin if removed, meaning even if the plugin file is deleted, the malicious code in wp-cron.php can reinstall it upon the next site visit, ensuring persistence.

An updated version reports to a C&C server (45.61.136.85) and differently handles code injection by fetching from a foreign ads.php file and injecting JavaScript into the header. It also stores ad server URLs, anticipating future use.

Initial infection likely occurs via wp-cron.php, possibly through compromised hosting or FTP credentials. The malware has been seen under names like WP-antymalwary-bot.php and addons.php.

According to the company’s blog post, the issue was discovered on January 22, 2025, during a website cleanup performed by a Wordfence security analyst after which a specific malware signature (a unique identifier for the malicious code) was released.

Since then, many new versions of this malware have emerged, but Wordfence confirms that their original signature from January is still effective at detecting them. To provide an extra layer of security, a firewall rule (a set of instructions to block malicious activity) was released on April 23, 2025, for Wordfence Premium, Care, and Response users, preventing the execution of the malware file. Free Wordfence users will receive this additional protection on May 23, 2025.

This WordPress malware, cleverly disguised as a security plugin, demonstrates the persistent and increasingly sophisticated threats targeting website owners. Its advanced persistence mechanism makes thorough cleanup crucial for affected websites. Lastly, website owners are strongly advised to stay informed about emerging threats, utilize reputable security plugins, and ensure timely updates to protect their sites effectively.

Sneaky WordPress Malware Disguised as Anti-Malware Plugin

As the field of artificial intelligence (AI) continues to evolve at a rapid pace, new research has found how techniques that render the Model Context Protocol (MCP) susceptible to prompt injection attacks could be used to develop security tooling or identify malicious tools, according to a new report from Tenable.
MCP, launched by Anthropic in November 2024, is a framework designed to connect

Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and Defense

Google enhances cybersecurity with Agentic AI, launching Unified Security to fight zero-day exploits, enterprise threats, and credential-based attacks.…

Google enhances cybersecurity with Agentic AI, launching Unified Security to fight zero-day exploits, enterprise threats, and credential-based attacks.

Google’s Threat Intelligence Group (GTIG) has released its findings for 2024, revealing a slight decrease in the exploitation of zero-day vulnerabilities compared to the previous year, with 75 instances tracked. However, GTIG emphasizes that this decrease is likely a temporary fluctuation within an overall upward trend of zero-day exploitation.

The M-Trends 2025 report, based on extensive incident investigations in 2024, highlights that while exploits remain the most common initial access point for attackers, the use of stolen credentials is on the rise, with the financial sector being the primary target. The report further details that the most common initial infection vector in observed attacks was via exploits (33%), followed by stolen credentials (16%), and email phishing (14%). Here’s a detailed breakdown:

(Source: Google)

Notably, there was a continued rise in attacks targeting enterprise-specific technologies, accounting for 44% of all zero-days exploited, primarily focusing on security and networking products. Cyber espionage actors, including government-backed groups and commercial surveillance vendors, remained the leading culprits behind attributed zero-day exploits, making up over half of the total. For the first time, North Korean actors were credited with exploiting the same number of zero-days as groups linked to China.

Simultaneously, Google Cloud Security is focusing on empowering security teams against such threats, especially with the integration of Artificial Intelligence. To combat these threats, Google has launched Google Unified Security, a platform that converges threat intelligence from Mandiant with security operations, cloud security, and secure enterprise browsing, all enhanced by Gemini AI, and aimed at enabling proactive security measures.

Source (Google)

Specifically, Google Security Operations now offers “Curated Detections” and “Applied Threat Intelligence Rule Packs” based on M-Trends 2025 findings to help detect malicious activities like infostealer malware and cloud compromise.

Google is also focusing on the development of “agentic AI” in security operations, utilizing intelligent AI agents to automate routine tasks like alert triage, investigation, response, threat research, and detection engineering. These agents are designed to learn and act autonomously, allowing security teams to focus on more complex threats. Google has introduced AI-powered features like an alert triage agent and a malware analysis agent, with plans for further development in their “SecOps Labs.”

Furthermore, the tech giant is aiming for an “agentic SOC” where AI enhances and automates security workflows. The tech giant is also promoting open standards like the Agent2Agent protocol and open-sourcing their Model Context Protocol (MCP) servers for interoperability between different security tools and vendors.

Casey Charrier, Senior Analyst at Google Threat Intelligence Group, told Hackread.com that while zero-day exploitation is growing steadily, efforts by major vendors are reducing attacks on historically targeted products. However, threat actors are now shifting focus to enterprise tools, highlighting the need for broader vendor action.

Google Introduces Agentic AI to Combat Cybersecurity Threats

Frankfurt am Main, Germany, 30th April 2025, CyberNewsWire

**Frankfurt am Main, Germany, April 30th, 2025, CyberNewsWire**

**Link11 has fully integrated DOSarrest and Reblaze to become one of Europe’s leading providers of network security, web application security, and application performance**

Link11, DOSarrest, and Reblaze have combined their strengths into a single, integrated platform with a new brand identity. The result: a consistent user experience, maximum efficiency, and seamless security. As a European provider, Link11 addresses the current business risks associated with geopolitical uncertainties and growing compliance requirements. At the same time, the company secures business-critical processes worldwide through the synergies created.

With the acquisitions of DOSarrest in 2021 and Reblaze Technologies in 2024, Link11 has expanded its market position. The new Link11 WAAP (Web Application and API Protection) SaaS platform combines comprehensive DDoS protection against web attacks with ML-based adaptive security and API protection. The result is an unmatched combination of adaptive real-time traffic filtering, AI-powered bot detection, and a next-gen web application firewall for secure and encrypted interactions in a single suite.

At the end of 2023, Link11 secured an investment of €26.5 million from Pride Capital Partners. This financing will support the company’s planned product developments and international go-to-market strategy.

**Maximum security through proprietary, sovereign cloud infrastructure and artificial intelligence**

Link11 is setting new standards in protection against DDoS attacks by using its own AI-based technology. The patented DDoS filter secures all traffic within the Link11 cloud – faster and more efficiently than conventional solutions. The advantages over competitors lie in users’ full control over scaling and intelligent real-time analysis of traffic, as well as continuous learning from attacks.

While other providers rely on third-party infrastructures such as AWS or Google, Link11 controls its own cloud infrastructure. This allows protection mechanisms to work in real time – without delays that can have critical consequences in a DDoS attack. As one of Europe’s leading IT security providers, Link11 enables platform-independent protection, even in multi-cloud environments.

**Technological independence as a security factor**

The solution is designed for workloads in any cloud environment. Link11’s network was developed specifically for modern cybersecurity requirements and sovereignty. It strengthens security at the network edge, accelerates global content delivery, and provides resilience and data sovereignty.

> Jens-Philipp Jung, founder and CEO of Link11: “Cybersecurity today means resilience against threats and outages. European companies that set global standards in data protection should also insist on independence when it comes to their cyber resilience. Especially in times of geopolitical uncertainty, sovereign, powerful and trustworthy IT solutions are needed. With Link11, we are demonstrating what European cutting-edge technology can achieve: maximum resilience, top performance and uncompromising compliance – independently and confidently”.

**European companies should rely on an EU-based DDoS protection provider**

Recent surveys of cybersecurity managers show that, given the option, independent and trustworthy security solutions from Europe will be used more in the future. Link11 has been successfully providing its services to companies such as financial institutions, media companies, retail and logistics companies, and the public sector for many years. With a strong brand and a multi-layered security approach, Link11 helps its customers reduce their dependence on cybersecurity. The goal is to make security architectures more resilient – technologically, functionally, and geopolitically. 

YouTube link: Link11 – Always at your side

**About Link11**

Link11 is a specialized European IT security provider that protects global infrastructures and web applications from cyberattacks. Its cloud-based IT security solutions help companies worldwide strengthen the cyber resilience of their networks and critical applications and avoid business interruptions. Link11 is a BSI-qualified provider of DDoS protection for critical infrastructure. With ISO 27001 certification, it meets the highest standards in data security.  

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 brings three brands together on one platform with new branding

Meta on Tuesday announced LlamaFirewall, an open-source framework designed to secure artificial intelligence (AI) systems against emerging cyber risks such as prompt injection, jailbreaks, and insecure code, among others.
The framework, the company said, incorporates three guardrails, including PromptGuard 2, Agent Alignment Checks, and CodeShield.
PromptGuard 2 is designed to detect direct

Meta Launches LlamaFirewall Framework to Stop AI Jailbreaks, Injections, and Insecure Code

Popular messaging app WhatsApp on Tuesday unveiled a new technology called Private Processing to enable artificial intelligence (AI) capabilities in a privacy-preserving manner.
"Private Processing will allow users to leverage powerful optional AI features – like summarizing unread messages or editing help – while preserving WhatsApp's core privacy promise," the Meta-owned service said in a

WhatsApp Launches Private Processing to Enable AI Features While Protecting Message Privacy

WhatsApp's AI tools will use a new “Private Processing” system designed to allow cloud access without letting Meta or anyone else see end-to-end encrypted chats. But experts still see risks.

The end-to-end encrypted communication app WhatsApp, used by roughly 3 billion people around the world, will roll out cloud-based AI capabilities in the coming weeks that are designed to preserve WhatsApp’s defining security and privacy guarantees while offering users access to message summarization and composition tools.

Meta has been incorporating generative AI features across its services that are built on its open source large language model, Llama. And WhatsApp already incorporates a light blue circle that gives users access to the Meta AI assistant. But many users have balked at this addition, given that interactions with the AI assistant aren’t shielded from Meta the way end-to-end encrypted WhatsApp chats are. The new feature, dubbed Private Processing, is meant to address these concerns with what the company says is a carefully architected and purpose-built platform devoted to processing data for AI tasks without the information being accessible to Meta, WhatsApp, or any other party. While initial reviews by researchers of the scheme’s integrity have been positive, some note that the move toward AI features could ultimately put WhatsApp on a slippery slope.

“WhatsApp is targeted and looked at by lots of different researchers and threat actors. That means internally it has a well understood threat model,” says Meta security engineering director Chris Rohlf. “There's also an existing set of privacy expectations from users, so this wasn’t just about managing the expansion of that threat model and making sure the expectations for privacy and security were met—it was about careful consideration of the user experience and making this opt-in.”

End-to-end encrypted communications are only accessible to the sender and receiver, or the people in a group chat. The service provider, in this case WhatsApp and its parent company Meta, is boxed out by design and can’t access users’ messages or calls. This setup is incompatible with typical generative AI platforms that run large language models on cloud servers and need access to users’ requests and data for processing. The goal of Private Processing is to create an alternate framework through which the privacy and security guarantees of end-to-end encrypted communication can be upheld while incorporating AI.

Users opt into using WhatsApp’s AI features, and they can also prevent people they’re chatting with from using the AI features in shared communications by turning on a new WhatsApp control known as “Advanced Chat Privacy.”

“When the setting is on, you can block others from exporting chats, auto-downloading media to their phone, and using messages for AI features,” WhatsApp wrote in a blog post last week. Like disappearing messages, anyone in a chat can turn Advanced Chat Privacy on and off—which is recorded for all to see—so participants just need to be mindful of any adjustments.

Private Processing is built with special hardware that isolates sensitive data in a “Trusted Execution Environment,” a siloed, locked-down region of a processor. The system is built to process and retain data for the minimum amount of time possible and is designed grind to a halt and send alerts if it detects any tampering or adjustments. WhatsApp is already inviting third-party audits of different components of the system and will make it part of the Meta bug bounty program to encourage the security community to submit information about flaws and potential vulnerabilities. Meta also says that, ultimately, it plans to make the components of Private Processing open source, both for expanded verification of its security and privacy guarantees and to make it easier for others to build similar services.

Last year, Apple debuted a similar scheme, known as Private Cloud Compute, for its Apple Intelligence AI platform. And users can turn the service on in Apple’s end-to-end encrypted communication app, Messages, to generate message summaries and compose “Smart Reply” messages on both iPhones and Macs.

Looking at Private Cloud Compute and Private Processing side by side is like comparing, well, Apple(s) and oranges, though. Apple’s Private Cloud Compute underpins all of Apple Intelligence everywhere it can be applied. Private Processing, on the other hand, was purpose-built for WhatsApp and doesn’t underpin Meta’s AI features more broadly. Apple Intelligence is also designed to do as much AI processing as possible on-device and only send requests to the Private Cloud Compute infrastructure when necessary. Since such “on device” or “local” processing requires powerful hardware, Apple only designed Apple Intelligence to run at all on its recent generations of mobile hardware. Old iPhones and iPads will never support Apple Intelligence.

Apple is a manufacturer of high-end smartphones and other hardware, while Meta is a software company, and has about 3 billion users who have all types of smartphones, including old and low-end devices. Rohlf and Colin Clemmons, one of the Private Processing lead engineers, say that it wasn’t feasible to design AI features for WhatsApp that could run locally on the spectrum of devices WhatsApp serves. Instead, WhatsApp focused on designing Private Processing to be as unhelpful as possible to attackers if it were to be breached.

“The design is one of risk minimization,” Clemmons says. “We want to minimize the value of compromising the system.”

The whole effort raises a more basic question, though, about why a secure communication platform like WhatsApp needs to offer AI features at all. Meta is adamant, though, that users expect the features at this point and will go wherever they have to to get them.

“Many people want to use AI tools to help them when they are messaging,” WhatsApp head Will Cathcart told WIRED in an email. “We think building a private way to do that is important, because people shouldn’t have to switch to a less-private platform to have the functionality they need.”

“Any end-to-end encrypted system that uses off-device AI inference is going to be riskier than a pure end to end system. You’re sending data to a computer in a data center, and that machine sees your private texts,” says Matt Green, a Johns Hopkins cryptographer who previewed some of the privacy guarantees of Private Processing, but hasn’t audited the complete system. “I believe WhatsApp when they say that they’ve designed this to be as secure as possible, and I believe them when they say that they can’t read your texts. But I also think there are risks here. More private data will go off device, and the machines that process this data will be a target for hackers and nation state adversaries.”

WhatsApp says, too, that beyond basic AI features like text summarization and writing suggestions, Private Processing will hopefully create a foundation for expanding into more complicated and involved AI features in the future that involve processing, and potentially storing, more data.

As Green puts it, “Given all the crazy things people use secure messengers for, any and all of this will make the Private Processing computers into a very big target.”

WhatsApp Is Walking a Tightrope Between AI Features and Privacy

Various generative artificial intelligence (GenAI) services have been found vulnerable to two types of jailbreak attacks that make it possible to produce illicit or dangerous content.
The first of the two techniques, codenamed Inception, instructs an AI tool to imagine a fictitious scenario, which can then be adapted into a second scenario within the first one where there exists no safety

Tag

#intel