In this podcast, Joe, Hazel, Bill and Dave break down Talos' Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are routed in stealth in simplicity.

Monday, March 31, 2025 07:00

Joe, Hazel, Bill and Dave break down Talos' Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are routed in stealth in simplicity.

The team also provide insights into some of the topics of the report, including the top-targeted vulnerabilities of the year, network-based attacks, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks. 

Listen below:

For the full report, head to blog.talosintelligence.com/2024yearinreview

Beers with Talos: Year in Review episode

Plus: Alleged Snowflake hacker will be extradited to US, internet restrictions create an information vacuum in Myanmar, and London gets its first permanent face recognition cameras.

After senior Trump administration members mistakenly included The Atlantic editor Jeffrey Goldberg in a secret group chat about bombing Houthi targets in Yemen, encrypted messaging app Signal found itself at the center of a storm this week. Some commentators criticized the app, going as far to blame it for the scandal.

But the whole affair that’s dubiously been dubbed “SignalGate” isn’t about Signal at all: Experts say officials shouldn’t invite untrusted contacts into sensitive chats and should only use authorized devices, platforms, and procedures when discussing top-secret military operations. In other words, the people who set up the chat made numerous mistakes, and they had nothing to do with how secure Signal is. In fact, Signal has seen its biggest-ever spike in US downloads as a result of the news.

In other news linked to _that_ Houthi group chat, national security adviser Mike Waltz—an account with the name “Michael Waltz” originally invited Goldberg to the group—left his Venmo account open to public view. As WIRED reported, a “Michael Waltz” Venmo account displayed the names of the adviser’s colleagues and friends, revealing people in Waltz’s wider social network. After WIRED reached out to the White House, the Waltz account hid its friends list. There’s more though: WIRED also discovered other Venmo accounts linked to officials in the Signal chat. Information about who officials associate with could be highly lucrative for foreign spies and hackers.

Elsewhere, we reported on all the ways the White House adopting Elon Musk’s Starlink as an alternative Wi-Fi network could be bad news for network security. There are also early signs in Europe that some companies are going cold on cloud services from Google, Amazon, and Microsoft, as they reassess the risks of dealing with the volatile second Trump administration. And, as crossing the United States border becomes more perilous—for both citizens and visa holders—we updated our guide to keeping your digital privacy intact when you are entering the US.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

**Top US Security Officials’ Passwords and Personal Phone Numbers Discovered Online**

On top of SignalGate and Venmo accounts being left exposed, German news outlet Der Spiegel reported that sensitive personal information linked to several senior Trump administration security officials is easily discoverable online. Reporters from the publication found that mobile phone numbers, email addresses, and “some” passwords for top officials could be found on the internet.

Using people-search engines and information contained in public data breaches, Der Spiegel discovered personal information belonging to Waltz, director of national intelligence Tulsi Gabbard, and Pete Hegseth, the secretary of defense. “Most of these numbers and email addresses are apparently still in use, with some of them linked to profiles on social media platforms like Instagram and LinkedIn,” the news organization reported. The details were also linked to Dropbox, Microsoft Teams, Signal, and WhatsApp accounts used by the officials.

While millions of people have been caught up in online data breaches and use inadequate privacy settings on their online accounts, high-level government security officials are exposed to a broader and more severe range of online threats, particularly from nation-state hackers, than most people. Officials told the news organization that many of the accounts and personal details were no longer used or had been updated. However, messages Der Spiegel sent to WhatsApp and Signal accounts belonging to Waltz and Gabbard were delivered, the publication reported. Only after they approached the government for comment were some of the accounts restricted.

**Internet Restrictions May Hide Initial Toll of Myanmar Earthquake Damage**

On Friday, a huge 7.7-magnitude earthquake and aftershock hit Myanmar, with widespread damage being reported hundreds of miles away in Thailand. At the time of writing, at least 144 people have been confirmed dead with hundreds of others injured in Myanmar. As the first impacts of the devastating quake started to emerge, The New York Times reported that long-standing and widespread internet restrictions in worn-torn Myanmar were likely making it harder for news of the damage to be understood. Since the country’s military junta took power in 2021, connectivity within Myanmar has been widely disrupted or blocked. For instance in 2023, 13 out of Myanmar’s 14 states faced internet disruptions.

In the wake of the earthquake, more video footage and news could be seen immediately emerging from neighbouring Thailand, experts told the Times. “Compare the coverage of the earthquake in Thailand, where tremors and damage have been extensively reported, posted and documented, to Myanmar, where we still don’t have a clear picture of the extent of the damage and loss and may not for some time,” Joe Freeman from Amnesty International said. The lack of connectivity may also make the recovery and humanitarian efforts harder to coordinate, once again highlighting the vital need for people to have reliable and open access to the internet.

**Alleged Snowflake Hacker Connor Moucka Agrees to US Extradition**

Last summer’s Snowflake hacking spree, where customers of the cloud storage company had their accounts targeted, was likely one of the largest mass data exfiltrations that’s publicly known. Toward the end of 2024, Canadian authorities arrested Alexander “Connor” Moucka, 26, who allegedly used online handles such as “Waifu” and “Judische,” in connection to the hacking activity. This week, Moucka consented to be extradited to the United States to face the alleged charges. According to Cyberscoop, Moucka faces 20 federal charges, including those linked to computer fraud, wire fraud, and aggravated identity theft. Moucka is not the only person allegedly behind the Snowflake hacking, with John Binns and Cameron Wagenius being named in indictments. It is unclear when Moucka’s extradition will take place.

**London Is Getting Its First Permanent Face Recognition Cameras**

Police forces across the UK have massively increased their use of live face recognition cameras in recent years. Use of the controversial technology has historically been temporary: mounting cameras on top of police vehicles and deploying them for specific events and set periods of time. That’s now set to change with the first permanent face recognition cameras being rolled out in London. The city’s Metropolitan Police are in the process of installing fixed cameras in Croydon, in the south of the city.

“This will mean our use of LFR technology will be far more embedded as a ‘business as usual’ approach rather than relying on the availability of the LFR vans that are in high demand across London,” a police official wrote in a letter seen by The Times of London. Reportedly, the cameras will not be used continuously, only when officers are nearby to monitor potential alerts. However, privacy campaigners fear the move could be further rolled out across the city, leading to a network of permanent face recognition cameras unlike those seen in any other democratic countries.

Top Trump Officials’ Passwords and Personal Phone Numbers Discovered Online

The phishing campaign is highly sophisticated!

Silent Push uncovers an alleged Russian intelligence phishing campaign impersonating the CIA, targeting Ukraine supporters, anti-war activists and informants.

Cybersecurity researchers at Silent Push have discovered a complex and extensive phishing operation, allegedly launched by Russian Intelligence Services or a similarly motivated entity, targeting individuals who support Ukraine and oppose the Russian government.

The campaign, which surfaced in early 2025, employed fake website lures to gather personal information from Russian citizens and informants. This was a particularly sensitive endeavour given the illegality of anti-war activities within the Russian Federation.

The phishing sites collected user input using a combination of static HTML and JavaScript. Data exfiltration was often facilitated through simple POST requests to threat-actor-controlled servers or through the abuse of Google Forms.

Researchers identified four distinct phishing clusters, each impersonating a prominent organization: the US Central Intelligence Agency (CIA), the Russian Volunteer Corps (RVC), Legion Liberty, and Hochuzhit, an appeals hotline for Russian service members operated by Ukrainian intelligence.

It is worth noting that the CIA has also been actively encouraging Russian citizens to share secret information with the agency through its official darknet site, offering a secure and anonymous way to communicate.

As for the latest campaign, despite their well-planned impersonations, these clusters share a common objective: the illicit collection of personal data. As noted by the legitimate Liberty of Russia Legion in a March 14, 2024, X post, “We remind you that the only official telegram channel of the Legion is listed on our website: hxxps://legionlibertyarmy. Do not be fooled by fakes. Do not fall into the traps of the security forces of the Putin regime!”

The threat actors utilized a bulletproof hosting provider, Nybula LLC (ASN 401116), to host phishing pages designed to mimic the official websites of these organizations. This tactic, along with the use of Google Forms and website forms to gather data, reveals a sophisticated attempt to deceive and extract sensitive information from unsuspecting victims.

The campaign’s infrastructure analysis revealed interconnectedness across the four clusters, with shared technicalities such as the WHOIS organization name “Semen Gerda,” similar metadata, and common registration through the NiceNIC registrar.

The phishing pages employed various tactics to lure victims. For instance, the rusvolcorpsnet domain lured users with a “Join Here” button, leading to a Google Form requesting detailed personal information. Similarly, the legionlibertytop domain used a blue “Join” button to direct users to a legitimate Google Form, while a green button led to a form controlled by the threat actors.

CIA impersonation involved the creation of domains like ciagovicu and jagotovoffcom, which featured suspicious web forms and embedded illegitimate .onion links. The threat actors even manipulated YouTube content, replacing official CIA links with their phishing domains.

Conversely, the Hochuzhit cluster, targeting Russian service members seeking to surrender, utilized domains like hochuzhitlifecom and hochuzhitlife. Silent Push Threat Analysts, in collaboration with security researcher Artem Tamoian, uncovered additional domains and infrastructure, including legionllbertyarmy, which was hosted on Cloudflare.

Silent Push’s attribution to Russian intelligence services is based on several factors, including the campaign’s focus on targets of strategic interest to the Russian government, the observed TTPs that align with known Russian state-sponsored actor behaviour, and the persistent impersonation of the CIA for intelligence gathering purposes.

Researchers concluded that all domains associated with this Russian Intelligence Agency campaign pose massive privacy and security risks, highlighting the importance of caution and stronger cybersecurity measures.

Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters

WIRED has found four new Venmo accounts that appear to be associated with Trump officials who were in an infamous Signal chat. One made a payment with a note consisting solely of an eggplant emoji.

A number of top Trump administration officials—including four who were on a now-infamous Signal group chat—appear to have Venmo accounts that have been leaking data, including contacts and in some cases transactions, to the public. Experts say this is a potentially serious counterintelligence problem that could allow foreign intelligence services to gain insight into a target’s social network or even identify individuals who could be paid or coerced to act against them.

The officials in question include Dan Katz, chief of staff at the US Treasury; Joe Kent, President Trump’s nominee for director of the National Counterterrorism Center; and Mike Needham, counselor and chief of staff to the secretary of state. All three were participants in the “Houthi PC small group” chat in which sensitive attack plans were discussed and to which Jeffrey Goldberg, editor in chief of The Atlantic, was accidentally invited. Katz was named in it as a point of contact by Scott Bessent, the Treasury secretary; Kent by Tulsi Gabbard, the director of national intelligence, to whom Kent serves as acting chief of staff; and Needham by Marco Rubio, the secretary of state.

A fourth official with an open Venmo account—Brian McCormack, a senior staffer on the National Security Council—also appears to have been in the chat, in which a user with the screen name “Brian” lists McCormack as a point of contact for the NSC. His account went private after WIRED reached out to the NSC for comment. (“Mr. McCormack has made necessary Venmo updates for his personal privacy protection,” says NSC spokesperson James Hewitt.)

Morgan Ortagus, a former Fox News personality and deputy to Steve Witkoff—Donald Trump’s special envoy for the Middle East, who was himself in the chat—also appears to have left Venmo data exposed.

WIRED established that the accounts are almost certainly those of the government officials in question by analyzing the other accounts they were connected to, which in the cases of Katz, Kent, and Needham included accounts appearing to belong to their spouses. The Treasury Department, the National Counterterrorism Center, and the State Department did not immediately respond to requests for comment.

Some of the information revealed by the accounts is quite granular. McCormack and the accounts that appear to belong to Katz and Ortagus, for example, left not only their contact lists publicly visible but also their transactions, which are as recent as last autumn. These records reveal specific information like a 2018 payment from Katz with a note consisting solely of an eggplant emoji and how much he paid an overnight cat sitter in 2019. They also reveal McCormack’s contributions to what appears to be a get-together for veterans of the Bush-Cheney administration (“Cheney team reunion! Thank you!!”), who has reimbursed Ortagus for picnic expenses, and Kent’s connection to noted conspiracy theorist Ivan Raiklin, who calls himself “the secretary of retribution” and once created a deep state target list.

WIRED has previously reported on the partially public Venmo accounts of several of the high-ranking officials in the Houthi PC chat, including Vice President JD Vance; Mike Waltz, the national security adviser; and Susie Wiles, the White House chief of staff. Waltz and Wiles set their accounts to private only after WIRED reached out to the White House for comment on Wednesday afternoon.

Venmo did not immediately respond to WIRED’s request for comment. In a statement given to WIRED in response to questions about the Waltz and Wiles accounts, spokesperson Erin Mackey said, “We take our customers’ privacy seriously, which is why we let customers choose their privacy settings on Venmo for both their individual payments and friends lists—and we make it incredibly simple for customers to make these private if they choose to do so.”

“From my perspective, as a veteran, everyone is entitled to use the applications and services they feel are necessary to live their lives,” says Tara Lemieux, a 35-year veteran of the US intelligence community including the National Security Agency, Department of Homeland Security, and supporting agencies. “That said, when you post anything in those third-party applications and you don’t understand how that information can be shared or exploited, you are taking a risk for our nation—and that’s not acceptable.”

For Lemieux, while public transactions on Venmo might appear harmless, foreign intelligence services—particularly signals intelligence agencies—look for patterns: who’s paying whom, how often, and when. “Say they’re making payments to their children—now you have a point of leverage. If there’s someone out there looking to target you, they can use that information and start making you feel fearful for the safety of your children,” Lemieux says.

“The speed of the digital world has outpaced our ability to keep a handle on it,” she adds. “If you have all this information out there—how the heck are you going to put the toothpaste back in the tube?”

Mike Yeagley, a specialist in commercial data and its security risks, has spent over 15 years advising the US Department of Defense on how both allies and adversaries leverage what he calls “digital exhaust,” the seemingly mundane details—social connections, service transactions, and metadata trails—left behind in everyday apps. “At the highest level of our national security leadership, regardless of administration, there has to be an awareness of our data and what we project that can be discoverable,” he says.

“What’s the risk of someone at the Cabinet level using Venmo to pay their personal trainer? On the surface, it doesn’t look like much,” Yeagley says. “But now I know who that trainer is—or the gardener, or whoever—and suddenly I’ve expanded my ability to target by identifying the people around that official.”

Yeagley adds that “our adversaries are sophisticated and carnivorous in their data collection,” which means that “just the smallest bit of daylight is of interest to someone sophisticated. They will use that data point. They will build from it.”

According to Vemmo, its “contact syncing” feature allows users to upload phone contacts to the app so that they can find people they know. When these exposed Venmo accounts were set up—all before 2020—the app would display a prompt allowing users to sync their phone contacts, automatically populating their friends list with anyone in their address book already using the platform. Venmo says this functionality was deprecated more than two years ago. Today, contact syncing no longer creates connections by default. To add someone as a friend, users have to search for them, send a request, and have it accepted.

Nevertheless, according to Venmo’s privacy policy, unless users proactively change their privacy settings, their network remains visible to anyone. That means that even when a user sets their account to private, their friends list remains visible unless they take an additional step. As of publication, hiding your connections requires navigating to **Settings** > **Privacy** > **Friends List** and selecting **Private**.

_Stephen Lurie contributed reporting._

Even More Venmo Accounts Tied to Trump Officials in Signal Group Chat Left Data Public

Scandal surrounding the Trump administration’s Signal group chat has led to a landmark week for the encrypted messaging app’s adoption—its “largest US growth moment by a massive margin.”

SignalGate, as it's come to be called, may be the biggest scandal to hit the Trump administration in its first months in power. But it's been great for Signal.

Since the news broke on Monday that senior Trump administration cabinet members accidentally included the editor in chief of The Atlantic in a group chat on the Signal encrypted messaging platform where the officials were making secret plans to bomb Yemen, the ensuing news cycle and the constant mentions of Signal have led to the encrypted messaging platform doubling its usual rate of new downloads, the nonprofit organization that runs Signal tells WIRED. Given that 2025 has already been a “banner year” for Signal's growth, according to Signal's leadership, that makes this week the single biggest bump in US adoption of the app in Signal's nearly 11 years of existence.

“In Signal’s history, this is the largest US-growth moment by a massive margin,” says Jun Harada, Signal's head of growth and partnerships. “It’s mind-blowing, even on our side.”

Harada declined to give absolute numbers for Signal's user growth beyond saying that its total downloads are in the “hundreds of millions,” which has been the case for several years. But he said that the week’s rate of adoption has been twice that of a typical week for 2025, which in turn was twice that of a typical week the same time last year. “It happened immediately” after The Atlantic broke the story of Signal's use in the Yemeni bombing, Harada says. “And it’s been sustained. We’ve been maintaining that rate every day.”

In Signal's history, the only comparable spike in adoption occurred when WhatsApp changed its privacy policy in 2021, Harada says, leading to millions of users abandoning that communications app. But that incident mostly brought non-Americans to Signal, unlike the current, US-focused SignalGate bump.

Numbers from the market intelligence firm Sensor Tower largely align with Signal's own analysis of that growth: The company says that Signal downloads in the US increased 105 percent compared to the prior week—and 150 percent compared to an average week in 2024. Outside of the US, Sensor Tower saw only a 21 percent increase in Signal downloads compared to the prior week.

The Atlantic's revelation on Monday that secretary of defense Pete Hegseth, director of national intelligence Tulsi Gabbard, national security adviser Michael Waltz, vice president JD Vance, and other Trump administration officials used a Signal group chat to plan an air strike against Houthi rebels in Yemen—and that Waltz accidentally added Atlantic editor Jeffrey Goldberg to that group in a shocking breach of confidentiality—has raised serious questions about the security practices of the Trump administration that are still resonating days later.

The scandal has called into question whether the executive branch officials were planning the air strike using vulnerable non-approved or even personal devices rather than the secure machines intended for classified conversations. Screenshots of the group chat published by The Atlantic on Wednesday indicate that the officials were using Signal's disappearing messages feature to delete their communications, potentially in violation of US record retention laws.

The incident has raised sometimes-misguided questions, too, about whether Signal itself is to blame for the breach—including from President Trump, who suggested in comments on Wednesday that Signal might be “defective"—despite many cybersecurity and encryption experts' recommendation of Signal as the best end-to-end encrypted messaging tool freely available to the public. “You use Signal, we use Signal, everyone uses Signal,” Trump told reporters, “but it could be a defective platform.”

Signal's Harada declined to respond to Trump's “defective” comment and pointed to Signal's previous statements that it has yet to see any evidence of any vulnerability in the app, much less one that has anything to do with Jeffrey Goldberg being accidentally added to a White House group chat.

But Harada noted that the overall attention to Signal—even the president himself saying that “everyone uses Signal” in the Oval Office—is an example of the kind of visibility it has never had before. “All awareness for Signal is a net positive. The interest in Signal continues to be at an all-time high,” Harada says.

“I don’t think my phone has ever buzzed this much, from people from every walk of life. People are learning about Signal who maybe have never even heard about or considered encrypted messaging before.” Harada also pointed to a report that Google searches for “Signal” were up more than 1,000 percent.

Harada says that Signal was already seeing a significant uptick in adoption in the first few months of 2025. He attributes that growth partly to increasing general interest in privacy among consumers and partly to the breach of nine US telecoms by China's Salt Typhoon hacker group, which led to the hackers accessing some targets' real-time calls and texts. Federal officials at the FBI and the Cybersecurity and Infrastructure Security Agency responded to those breaches by publicly recommending that Americans use encrypted messaging and calling applications.

But all of that has been dwarfed by the attention and interest Signal has received this week. As messy as SignalGate may be, Harada says, it has made Signal a household name like never before. “To have this kind of mainstream moment is massive,” he says. “I believe it’s a sea change for private encrypted messaging for the US and the world.”

SignalGate Is Driving the Most US Downloads of Signal Ever

OpenAI Bug Bounty program boosts max reward to $100,000, expanding scope and offering new incentives to enhance AI security and reliability.

OpenAI is prioritizing security with a major bug bounty program increase and new AI security research grants. Find out how they’re collaborating with researchers and experts to protect their AI platforms from emerging threats

OpenAI is enhancing its security infrastructure, focusing on a forward-looking approach towards AI, by expanding security initiatives across grant programs, bug bounties, and internal defences.

In its latest **blog post**, OpenAI has unveiled a suite of new cybersecurity initiatives, signalling a bold push towards artificial general intelligence (AGI). A key element of this strategic move is a substantial increase in the maximum reward offered through its bug bounty program, now reaching $100,000 for critical findings.

As previously **reported** by HackRead.com, OpenAI launched its bug bounty program in April 2023 in partnership with Bugcrowd. This program initially focused on **finding flaws** in ChatGPT AI chatbot to enhance its security and reliability, with rewards starting at $200 for low-severity findings and reaching $20,000 for exceptional discoveries.

Now, OpenAI has confirmed that this program is seeing a significant overhaul with the maximum pay-out increased from $20,000 to $100,000 and the scope of program being broadened substantially, a move OpenAI states reflects its commitment to ensuring users’ trust in its systems.

“This increase reflects our commitment to rewarding meaningful, high-impact security research that helps us protect users and maintain trust in our systems,” the company noted in the announcement.

To further incentivize participation, OpenAI is introducing limited-time bonus promotions, with the first focusing on IDOR access control vulnerabilities. This promotion, running from March 26th to April 30th, 2025, also increases the baseline bounty range for these types of vulnerabilities.

The company also plans to expand its Cybersecurity Grant Program, which has already funded 28 research projects focused on both offensive and defensive security strategies. These projects have explored areas such as autonomous cybersecurity defenses, secure code generation, and prompt injection. The grant program is now seeking proposals for five new research areas: software patching, model privacy, detection and response, security integration, and agentic AI security.

OpenAI is also introducing microgrants in the form of API credits to facilitate rapid prototyping of innovative cybersecurity ideas. Furthermore, it plans to engage in open-source security research, collaborating with experts from academic, government, and commercial labs to identify vulnerabilities in open-source software code.

This shift is aimed at improving the ability of OpenAI’s AI models to find and patch security flaws. The company plans to release security disclosures to relevant open-source parties as vulnerabilities are discovered.

In addition, OpenAI is integrating its own AI models into its security infrastructure to enhance real-time threat detection and response. To strengthen its defences, the company has established a new red team partnership with SpecterOps, a cybersecurity firm. This collaboration will involve laborious, simulated attacks across **OpenAI’s infrastructure**, including corporate, cloud, and production environments.

As OpenAI’s user base expands, now serving over 400 million weekly active users, the company acknowledges its growing responsibility to safeguard user data and systems. While it focuses on developing advanced AI agents, the company is also addressing the unique security challenges associated with these technologies. This includes defending against prompt injection attacks, implementing advanced access controls, comprehensive security monitoring, and cryptographic protections, reinforcing their dedication to building secure and trustworthy AI.

OpenAI Bug Bounty Program Increases Top Reward to $100,000

Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat.
"The threat actor behind

New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims’ DNS Email Records

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including…

Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including DLL sideloading and LOTL abuse, and explores the group’s evolving cybercriminal activities.

Bitdefender Labs has revealed a shift in the operational tactics of the long-standing cyber threat group known as **RedCurl**. This group, also known as Earth Kapre or Red Wolf, has historically maintained a low profile, relying heavily on covert data exfiltration. It has now been linked to a novel ransomware campaign, marking a dramatic change in their activities. This new ransomware strain, dubbed QWCrypt, targets hypervisors, effectively crippling infrastructure while maintaining a stealthy presence.

“This new ransomware…is previously undocumented and distinct from known ransomware families,” the **report** states.

This discovery prompts a reevaluation of RedCurl’s operational model, which has remained largely puzzling since their emergence in 2018. The group’s targeting patterns further complicates their classification.

While telemetry data points to victims primarily in the United States, with additional targets in Germany, Spain, and Mexico, other researchers have reported targets in Russia, a broad geographical scope atypical for state-sponsored actors. The absence of any historical evidence of RedCurl selling stolen data, a common practice in ransomware operations, adds to the mystery.

****Living-off-the-Land (LOTL)****

The group uses sophisticated techniques, including DLL sideloading and the abuse of **Living-off-the-Land** (LOTL) strategies, all while avoiding the use of public leak sites, a critical shift from typical ransomware operations.

The initial access vector used by RedCurl in their ransomware deployment remains consistent with their previous campaigns: phishing emails containing IMG files disguised as CV documents. These files, when opened, execute a malicious screensaver file, which in turn loads a malicious DLL. This DLL then downloads the final payload, using encrypted strings and legitimate Windows tools to evade detection. 

Once inside the network, RedCurl employs lateral movement techniques, utilizing WMI and other built-in Windows tools to gather intelligence and escalate access. The group’s use of a modified wmiexec tool, which bypasses SMB connections, and Chisel, a TCP/UDP tunneling tool, highlights their sophisticated approach.

The ransomware deployment itself is highly targeted. RedCurl uses batch files to disable endpoint security and launch the ransomware’s GO executable, rbcw.exe, which encrypts virtual machines using **XChaCha20-Poly1305** encryption and excludes network gateways.

The file also includes a hardcoded personal ID for victim identification.  The ransom note, researchers claim, is not original, but rather a compilation of sections from other ransomware groups. Additionally, the absence of a dedicated data leak site further complicates the understanding of RedCurl’s motives.Bitdefender

****Bitdefender’s Hypotheses****

Bitdefender proposes two potential hypotheses to explain RedCurl’s unconventional behaviour. The first suggests they may operate as “gun-for-hire” cyber mercenaries, explaining their diverse victimology and inconsistent operational patterns.

The second hypothesis posits that RedCurl prioritizes discreet, direct negotiations with victims, avoiding public attention to maintain extended, low-profile operations. This theory is supported by the group’s targeting of hypervisors while maintaining network gateways, suggesting an attempt to limit disruption and confine the attack to IT departments.

In conclusion, Bitdefender recommends a multilayered defense strategy, enhanced detection and response capabilities, and a focus on preventing LOTL attacks to mitigate the risks posed by groups like RedCurl. They also emphasize the importance of data protection, resilience, and advanced threat intelligence.

RedCurl Uses New QWCrypt Ransomware in Hypervisor Attacks

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-translated from Russian.

Researchers at the security firm **Silent Push** mapped a network of several dozen phishing domains that spoof the recruitment websites of Ukrainian paramilitary groups, as well as Ukrainian government intelligence sites.

The website **legiohliberty\[.\]army** features a carbon copy of the homepage for the Freedom of Russia Legion (a.k.a. “Free Russia Legion”), a three-year-old Ukraine-based paramilitary unit made up of Russian citizens who oppose Vladimir Putin and his invasion of Ukraine.

The phony version of that website copies the legitimate site — **legionliberty\[.\]army —** providing an interactive **Google Form** where interested applicants can share their contact and personal details. The form asks visitors to provide their name, gender, age, email address and/or Telegram handle, country, citizenship, experience in the armed forces; political views; motivations for joining; and any bad habits.

“Participation in such anti-war actions is considered illegal in the Russian Federation, and participating citizens are regularly charged and arrested,” Silent Push wrote in a report released today. “All observed campaigns had similar traits and shared a common objective: collecting personal information from site-visiting victims. Our team believes it is likely that this campaign is the work of either Russian Intelligence Services or a threat actor with similarly aligned motives.”

Silent Push’s **Zach Edwards** said the fake Legion Liberty site shared multiple connections with **rusvolcorps\[.\]net**. That domain mimics the recruitment page for a Ukrainian far-right paramilitary group called the Russian Volunteer Corps (rusvolcorps\[.\]com), and uses a similar Google Forms page to collect information from would-be members.

Other domains Silent Push connected to the phishing scheme include: **ciagov\[.\]icu**, which mirrors the content on the official website of the **U.S. Central Intelligence Agency**; and **hochuzhitlife\[.\]com**, which spoofs the **Ministry of Defense of Ukraine & General Directorate of Intelligence** (whose actual domain is **hochuzhit\[.\]com**).

According to Edwards, there are no signs that these phishing sites are being advertised via email. Rather, it appears those responsible are promoting them by manipulating the search engine results shown when someone searches for one of these anti-Putin organizations.

In August 2024, security researcher **Artem Tamoian** posted on Twitter/X about how he received startlingly different results when he searched for “Freedom of Russia legion” in Russia’s largest domestic search engine **Yandex** versus Google.com. The top result returned by Google was the legion’s actual website, while the first result on Yandex was a phishing page targeting the group.

“I think at least some of them are surely promoted via search,” Tamoian said of the phishing domains. “My first thread on that accuses Yandex, but apart from Yandex those websites are consistently ranked above legitimate in DuckDuckGo and Bing. Initially, I didn’t realize the scale of it. They keep appearing to this day.”

Tamoian, a native Russian who left the country in 2019, is the founder of the cyber investigation platform malfors.com. He recently discovered two other sites impersonating the Ukrainian paramilitary groups — **legionliberty\[.\]world** and **rusvolcorps\[.\]ru** — and reported both to Cloudflare. When Cloudflare responded by blocking the sites with a phishing warning, the real Internet address of these sites was exposed as belonging to a known “bulletproof hosting” network called **Stark Industries Solutions Ltd**.

Stark Industries Solutions appeared two weeks before Russia invaded Ukraine in February 2022, materializing out of nowhere with hundreds of thousands of Internet addresses in its stable — many of them originally assigned to Russian government organizations. In May 2024, KrebsOnSecurity published a deep dive on Stark, which has repeatedly been used to host infrastructure for distributed denial-of-service (DDoS) attacks, phishing, malware and disinformation campaigns from Russian intelligence agencies and pro-Kremlin hacker groups.

In March 2023, Russia’s Supreme Court designated the Freedom of Russia legion as a terrorist organization, meaning that Russians caught communicating with the group could face between 10 and 20 years in prison.

Tamoian said those searching online for information about these paramilitary groups have become easy prey for Russian security services.

“I started looking into those phishing websites, because I kept stumbling upon news that someone gets arrested for trying to join \[the\] Ukrainian Army or for trying to help them,” Tamoian told KrebsOnSecurity. “I have also seen reports \[of\] FSB contacting people impersonating Ukrainian officers, as well as using fake Telegram bots, so I thought fake websites might be an option as well.”

Search results showing news articles about people in Russia being sentenced to lengthy prison terms for attempting to aid Ukrainian paramilitary groups.

Tamoian said reports surface regularly in Russia about people being arrested for trying carry out an action requested by a “Ukrainian recruiter,” with the courts unfailingly imposing harsh sentences regardless of the defendant’s age.

“This keeps happening regularly, but usually there are no details about how exactly the person gets caught,” he said. “All cases related to state treason \[and\] terrorism are classified, so there are barely any details.”

Tamoian said while he has no direct evidence linking any of the reported arrests and convictions to these phishing sites, he is certain the sites are part of a larger campaign by the Russian government.

“Considering that they keep them alive and keep spawning more, I assume it might be an efficient thing,” he said. “They are on top of DuckDuckGo and Yandex, so it unfortunately works.”

Further reading: Silent Push report, Russian Intelligence Targeting its Citizens and Informants.

When Getting Phished Puts You in Mortal Danger

A WIRED review shows national security adviser Mike Waltz, White House chief of staff Susie Wiles, and other top officials left sensitive information exposed via Venmo—until WIRED asked about it.

A Venmo account under the name “Michael Waltz,” carrying a profile photo of the national security adviser and connected to accounts bearing the names of people closely associated with him, was left open to the public until Wednesday afternoon. A WIRED analysis shows that the account revealed the names of hundreds of Waltz’s personal and professional associates, including journalists, military officers, lobbyists, and others—information a foreign intelligence service or other actors could exploit for any number of ends, experts say.

Among the accounts linked to “Michael Waltz” are ones that appear to belong to Susie Wiles, the White House chief of staff, and Walker Barrett, a staffer on the United States National Security Council. Both were fellow participants in a now-infamous Signal group chat called “Houthi PC small group.”

The White House declined to comment after being presented with WIRED’s findings, but the accounts appearing to belong to Waltz and Wiles went fully private following WIRED’s inquiry.

Earlier this week, The Atlantic reported that an account with the name “Michael Waltz” accidentally invited the publication’s editor in chief, Jeffrey Goldberg, to the chat, in which senior administration officials discussed plans for a strike on Yemen. (Waltz told Fox News’ Laura Ingraham he takes “full responsibility” for inviting Goldberg, adding, “We have some of the best technology minds looking at how this happened.”) Over the encrypted messaging app, which Department of Defense guidelines bar from being used for the discussion of any nonpublic defense information, the group debated whether a strike should be carried out at all. Hours after an account with the name of defense secretary Pete Hegseth shared missile targets, strike timing, and other highly sensitive operational details of a coming strike, US forces bombed Houthi targets in Yemen, reportedly killing at least 53 people.

A WIRED review of public data exposed on Venmo accounts associated with senior administration officials suggests that the Signal group chat was not an isolated mistake, but part of a broader pattern of what national security experts describe as reckless behavior by some of the most powerful people in the US government.

The Venmo account under Waltz’s name includes a 328-person friend list. Among them are accounts sharing the names of people closely associated with Waltz, such as Barrett, formerly Waltz’s deputy chief of staff when Waltz was a member of the House of Representatives, and Micah Thomas Ketchel, former chief of staff to Waltz and currently a senior adviser to Waltz and President Donald Trump.

Other accounts carry the names of a wide range of media figures, from on-air personalities like Bret Baier and Brian Kilmeade of Fox News and Brianna Keilar and Kristen Holmes of CNN to a cable news producer, a prominent national security reporter, local news anchors, documentarians, and noted conspiracy theorist Ivan Raiklin, who calls himself the “the secretary of retribution” and once created a deep state target list. (Fox News declined to comment; CNN did not respond to a request for comment.)

Many of the accounts appear to belong to local and national politicians and political operatives ranging from US representative Dan Crenshaw of Texas to a former mayor of Deltona, Florida, as well as venture capitalists, defense industry entrepreneurs, and executives like Christian Brose, the president of defense tech giant Anduril. (Crenshaw’s office and Anduril did not respond to requests for comment.)

One of the most notable appears to belong to Wiles, one of Trump’s most trusted political advisers. That account’s 182-person friend list includes accounts sharing the names of influential figures like Pam Bondi, the US attorney general, and Hope Hicks, Trump’s former White House communications director.

While none of the Venmo transactions for the account listed for Waltz, Wiles, or Barrett were publicly visible, it appears that none of them had opted out of sharing their contact list, allowing their friend lists to remain visible to the public. After WIRED reached out to the White House for comment, both Waltz and Wiles appeared to change their Venmo privacy settings to hide their friend lists.

Venmo spokesperson Erin Mackey said in a statement, “We take our customers’ privacy seriously, which is why we let customers choose their privacy settings on Venmo for both their individual payments and friends lists—and we make it incredibly simple for customers to make these private if they choose to do so.” The comment is nearly identical to the one Venmo provided to WIRED in response to a 2024 story about now-vice president JD Vance’s Venmo.

Last July, WIRED reported that Vance had left his Venmo account public, exposing a network of connections to Project 2025 architects, DOJ officials, Yale Law classmates, and far-right media figures. (While it was not reported at the time, WIRED’s analysis of that public Venmo account—and the networks of his listed friends—found that the Michael Waltz Venmo account appeared in Vance’s extended network, comprising friends and friends of friends.) According to The Atlantic, Vance was also an active participant in the Signal chat alongside Waltz, where he questioned whether the planned military operation in Yemen aligned with President Trump’s broader message on Europe.

When the Michael Waltz account was set up in 2017, the app would display a prompt allowing users to sync their phone contacts, automatically populating their friends list with anyone in their address book already using the platform. Privacy advocates, including the Electronic Frontier Foundation, criticized this design, arguing that it exposes users to unnecessary risks by making social connections public by default. It wasn’t until BuzzFeed News revealed in 2021 that then-president Joe Biden was easily found on the app that Venmo, which is owned by PayPal, added the option to hide friend lists. But that setting remains opt-in. According to its privacy policy, unless users proactively change their privacy settings, their network remains visible to anyone.

Mixed in with the high-profile names connected to the apparent Waltz Venmo account are a number of accounts appearing to belong to ordinary people, such as several doctors, real estate agents, and a tailor. These are the kinds of low-level connections that, experts say, spies look at for basic information—a relationship with a medical specialist could expose that a person is being treated for an illness that hasn’t been made public—as well as patterns, pressure points, or a way in. Experts call them “soft targets”: people who have access but aren’t protected.

For instance, when the US and Israel reportedly sabotaged Iran’s nuclear program with the Stuxnet virus, they used a control engineer’s USB stick, not one belonging to a senior official. Chinese intelligence has used similar tactics, contacting thousands of foreign citizens using LinkedIn or going after university students to get closer to US researchers and companies. While WIRED has found no evidence that foreign adversaries have used Venmo to target a US politician’s network, the platform makes these relationships visible—potentially giving adversaries a searchable map of the people around power.

“The first thing you think of is the counterintelligence issue, right? And the security vulnerabilities. It kind of boggles the mind, in a way,” says Michael Ard, a former intelligence analyst who now runs the masters program in intelligence analysis at Johns Hopkins. “It would be really easy for somebody to spoof a contact, and that is something the security industry has already been issuing notices on.”

Waltz has spent years inside the Republican national security establishment. A former Green Beret—something reflected in the number of apparent veteran Green Berets, Navy SEALs, and other special operators to whom the Venmo account bearing his name is connected—he served as a defense adviser at the Pentagon under former defense secretaries Donald Rumsfeld and Robert Gates, and later counseled US vice president Dick Cheney on counterterrorism. In 2020, following the US drone strike that killed Iranian general Qassem Soleimani, Waltz says he was part of a small group of lawmakers privately briefed at the White House.

Another participant in that thread was Hegseth. A public Venmo account under his name, identified by The American Prospect in February, revealed a similarly elite network—including names matching executives at defense firms like Palantir and Anduril as well as lobbyists and President George W. Bush–era officials. In the Signal chat, the defense secretary directly responded to Vance’s concerns: “VP: I fully share your loathing of European free-loading. It’s PATHETIC.”

Both Vance’s and Hegseth’s Venmo accounts have since been deleted.

_Jake Lahut contributed reporting._

Tag

#intel