New research shows at least a million inexpensive Android devices—from TV streaming boxes to car infotainment systems—are compromised to allow bad actors to commit ad fraud and other cybercrime.

Cheap TV streaming boxes seem like one of the most straightforward gadgets out there, but they can come with hidden costs. In 2023, researchers revealed that tens of thousands of Android TV boxes being used in homes, schools, and businesses were equipped with secret backdoors that allowed them to be used in a host of cybercrime and online fraud. Now, the same researchers have found that the China-based ecosystem behind the compromised devices and the illicit activities they’re used for—collectively dubbed Badbox 2.0—is fueling a next-generation campaign that’s broader in scope and even more sneaky.

At least 1 million Android-based TV streaming boxes, tablets, projectors, and after-sale car infotainment systems are infected with malware that conscripts them into a scammer-controlled botnet, according to new research shared exclusively with WIRED by the cybersecurity firm Human Security. The compromised devices are used for a range of advertising fraud and in so-called residential proxy services, which allow their operators to use victim internet connections for routing and masking web traffic. And all of this activity happens behind the scenes without the owners of compromised devices having any idea of how their streaming boxes are being used.

“This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,” Gavin Reid, Human’s chief information security officer, tells WIRED. “Ad fraud including click fraud is all happening behind the scenes, but the main way they are monetizing the million devices is reselling this proxy service. Victims don't know that they're a proxy, they never agreed to be a proxy service, but they're being used for that. Any bad thing you want to do, scraping, whatever it is, these proxy services are an enabler for that.”

The researchers found that the majority of infected devices are in South America, particularly Brazil. The impacted devices often use generic names and aren’t produced by known brands. For example, there are dozens of impacted streaming boxes, but the majority of Badbox 2.0 targets are in the “TV98” and “X96” device families. Virtually all of the targeted devices are designed using Android’s open source operating system code, meaning they run versions of Android but aren’t part of Google’s ecosystem of protected devices.

Google collaborated with the researchers to address the ad fraud component of the activity, though. The company says it worked to terminate publisher accounts associated with the scams and block the ability of those accounts to generate revenue through Google’s advertising ecosystem.

“Malicious attacks like the one described in this report are expressly prohibited on our platforms,” Google spokesperson Nate Funkhouser told WIRED in a statement. “Bad actors’ tactics are constantly evolving. Partnering with organizations like HUMAN helps us share threat intelligence and expands our collective ability to identify and take swift action against bad actors, as we did here.”

In the original Badbox campaign, scammers focused on installing backdoored firmware in streaming boxes before they arrived in the hands of consumers. The Badbox 2.0 campaign is significant, the researchers say, because it reflects a major change in tactics. Rather than focusing on low-level firmware infections, Badbox 2.0 involves more traditional software-level malware distributed through common tactics like drive-by downloads, in which victims accidentally download malware without realizing it.

Researchers from multiple firms say that the campaign seems to come from a loosely connected ecosystem of fraud groups rather than one single actor. Each group has its own versions of the Badbox 2.0 backdoor and malware modules and distributes the software in a variety of ways. In some cases, malicious apps come preinstalled on compromised devices, but in many examples that the researchers tracked, attackers are tricking users into unknowingly installing compromised apps.

The researchers highlight a technique in which the scammers create a benign app—say, a game—post it in Google's Play Store to show that it’s been vetted, but then trick users into downloading nearly identical versions of the app that are not hosted in official app stores and are malicious. Such “evil twin” apps showed up at least 24 times, the researchers say, allowing the attackers to run ad fraud in the Google Play versions of their apps, and distribute malware in their imposter apps. Human also found that the scammers distributed over 200 compromised, re-bundled versions of popular, mainstream apps as yet another way of spreading their backdoors.

“We saw four different types of fraud modules—two ad fraud ones, one fake click one, and then the residential proxy network one—but it's extensible,” says Lindsay Kaye, Human’s vice president of threat intelligence. “So you can imagine how, if time had gone on and they were able to develop more modules, maybe forge more relationships, there is the opportunity to have additional ones.”

Researchers from the security firm Trend Micro collaborated with Human on the Badbox 2.0 investigation, particularly focusing on the actors behind the activity.

“The scale of the operation is huge,” says Fyodor Yarochkin, a Trend Micro senior threat researcher. He added that while there are “easily up to a million devices online” for any of the groups, “This is only a number of devices that are currently connected to their platform. If you count all the devices that would probably have their payload, it probably would be exceeding a few millions.”

Yarochkin adds that many of the groups involved in the campaigns seem to have some connection to Chinese gray market advertising and marketing firms. More than a decade ago, Yarochkin explains, there were multiple legal cases in China in which companies had installed “silent” plugins on devices and used them for a diverse array of seemingly fraudulent activity.

“The companies that basically survived that age of 2015 were the companies who adapted,” Yarochkin says. He notes that his investigations have now identified multiple “business entities” in China which appear to be linked back to some of the groups involved in Badbox 2. The connections include both economic and technical links. “We identified their addresses, we’ve seen some pictures of their offices, they have accounts of some employees on LinkedIn,” he says.

Human, Trend Micro, and Google also collaborated with the internet security group Shadow Server to neuter as much Badbox 2.0 infrastructure as possible by sinkholing the botnet so it essentially sends its traffic and requests for instructions into a void. But the researchers caution that after scammers pivoted following revelations about the original Badbox scheme, it’s unlikely that exposing Badbox 2.0 will permanently end the activity.

“As a consumer, you should keep in mind that if the device is too cheap to be true, you should be prepared that there might be some additional surprises hidden in the device,” Trend Micro’s Yarochkin says. “There is no free cheese unless the cheese is in a mousetrap.”

1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers

Cofense uncovers new LinkedIn phishing scam delivering ConnectWise RAT. Learn how attackers bypass security with fake InMail emails…

Cofense uncovers new LinkedIn phishing scam delivering ConnectWise RAT. Learn how attackers bypass security with fake InMail emails and how to protect against this sophisticated phishing tactic.

Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. This operation, detected by their Phishing Defense Center and Intelligence teams, diverges from typical LinkedIn-themed phishing attacks, which usually aim to steal user credentials or facilitate business email compromise. Instead, this campaign delivers a remote access trojan called ConnectWise RAT.

The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact individuals outside of their immediate network. The email effectively leverages LinkedIn’s branding, convincingly creating legitimacy. However, careful examination reveals that the email uses an outdated template, reminiscent of LinkedIn’s design prior to its 2020 user interface and branding overhaul.

LinkedIn’s 2020 Branding (Source: Cofense)

The email’s narrative centres around a supposed sales director from a company requesting a product or service quote. This strategy aims to create a sense of urgency, prompting the recipient to respond quickly. However, the sender’s identity and the company mentioned are fabricated.

The profile picture used in the email belongs to a real individual, Cho So-young, who is the president of a Korean civil engineering organization, whereas the company name (DONGJIN Weidmüller Korea Ind) combines elements of two legitimate corporations, but this company does not exist.

Clicking the “Read More” or “Reply To” buttons embedded within the email triggers the download of the ConnectWise RAT installer. Interestingly, the email avoids the common tactic of directly prompting users to download or run a file. This subtle approach might be designed to bypass the suspicions of users who are trained to be wary of such direct requests.

Analysis of the email’s security headers reveals that it fails Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication checks, indicating that the email was not sent from a legitimate LinkedIn server and was not digitally signed.

Despite these red flags, the email bypassed existing security measures, likely due to the Domain-based Message Authentication, Reporting & Conformance (DMARC) policy being configured to mark the email as spam rather than outright rejecting it.

This campaign has been active since at least May 2024, with the email template remaining consistent. However, whether earlier iterations of this campaign also delivered the ConnectWise RAT remains unconfirmed.

“This campaign was found to exist in the wild as far back as May 2024. While the email template has not changed since then, Cofense Intelligence was unable to confirm whether this campaign was used to deliver ConnectWise RAT in prior samples that were found via open-source intelligence,” researchers noted in the blog post.

Nevertheless, this campaign highlights the evolving tactics of cybercriminals and the persistent threat of sophisticated phishing attacks involving LinkedIn. Protection against such threats requires educating employees to carefully scrutinize email senders especially those requesting urgent actions, appropriately configuring email authentication protocols (SPF, DKIM, and DMARC), and ensuring your Secure Email Gateway (SEG) is configured to effectively filter and block suspicious emails.

LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan

Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. Learn the red flags and how…

Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. Learn the red flags and how to protect against this extortion scam.

GuidePoint Security’s Senior Threat Intelligence Analyst, Grayson North, has discovered a peculiar trend in the corporate sector in which executives at various organizations began receiving physical letters delivered via the US Postal Service.

In March 2025, the GuidePoint Research and Intelligence Team (GRIT) received reports of suspicious physical letters from the BianLian ransomware group, claiming that the recipient’s corporate IT network had been compromised and sensitive data had been stolen. The letters were delivered via mail from US addresses.

These senders demanded substantial ransom payments, ranging from $250,000 to $350,000, to a Bitcoin wallet address provided, with a threat of data leakage if payment was not received within ten days. The letter arrived with the following text:

“We no longer negotiate with victims: You have 10 days from the receipt of this letter to pay. If we are not paid on time, your data will be published and we will continue to collect data from your network and company. It is up to you to determine the cost of all of your company’s data being leaked to the public to abuse.”

The letters mimicked the format of traditional digital ransomware notes, including QR codes for easy Bitcoin transfers and Tor links to BianLian’s data leak site on the Dark Web. However, cybersecurity analysts at GuidePoint Security quickly identified numerous inconsistencies that cast doubt on the legitimacy of these claims.

Such as, the letters’ language was notably different from BianLian’s past ransom notes, displaying a level of polished English that was uncharacteristic. Though the provided Tor links did lead to BianLian’s legitimate data leak sites, these links are publicly known and easily accessible. The most glaring anomaly was the method of delivery since ransomware groups typically communicate digitally, and generally avoid using physical mail mediums.

Moreover, according to GRIT’s report, instead of standard threat actors’ practices, the senders refused to negotiate. The Bitcoin wallet addresses were newly generated and showed no previous association with any ransomware activity. Crucially, investigations revealed no evidence of network intrusions or data breaches in the organizations that received these letters.

The research team, hence, concluded that given the unusual delivery method, the language inconsistencies, the lack of intrusion evidence, and the fresh Bitcoin wallets all pointed to an attempt to impersonate BianLian for financial gain. The letters were marked “TIME SENSITIVE READ IMMEDIATELY” and had a return address in Boston.

The fake ransom letter used in the campaign (Via GRIT)

These aspects indicate that the letters were designed to create a sense of urgency and fear, exploiting the reputation of a known ransomware group. GRIT recommends organizations should educate employees on handling such threats and ensure network defences are up to date and no active alerts are present.

1.  Fake CrowdStrike Recruiters Distribute Malware
2.  Journalist Targeted in USB Drive Bombing Attack
3.  Hackers Call Employees to Steal VPN Data from US Firms
4.  Volcano Demon Ransomware Makes Phones Victim of Ransom
5.  Fake IT Calls Scam MS Teams Users into Installing Ransomware

Scammers Mailing Ransom Letters While Posing as BianLian Ransomware

Boston and Tel Aviv, United States, 4th March 2025, CyberNewsWire

**Boston and Tel Aviv, United States, March 4th, 2025, CyberNewsWire**

Pathfinder AI expands Hunters’ vision for AI-driven SOCs, introducing Agentic AI for autonomous investigation and response.

**Hunters**, the leader in next-generation SIEM, today announced **Pathfinder AI**, a major step toward a more AI-driven SOC. Building on Copilot AI, which is already transforming SOC workflows with LLM-powered investigation guidance, Hunters is introducing its Agentic AI vision, designed to autonomously enhance detection, investigation, and response. Agentic AI will launch soon, with ongoing innovations to further streamline security operations.

> “Hunters has already made a significant impact on our security operations by reducing manual investigations, streamlining data ingestion, and improving threat visibility. With Pathfinder AI, we’re enhancing efficiency and response times through AI-driven detection explanations and automated investigative guidance. This innovation continues to strengthen Emburse’s security posture with cutting-edge AI-powered threat intelligence.” — Casey Sword, Endpoint Security Architect, Emburse

**How AI is Shaping the Future of Security Operations**

Security investigations are complex and unpredictable—each alert triggers multiple investigative steps, creating an overwhelming number of possible paths. Traditional automation follows rigid workflows, often leaving analysts stuck chasing false leads while real threats slip through.

AI changes the equation. Unlike static rule-based automation, Agentic AI dynamically adapts, prioritizing critical threats, filtering out noise, and continuously refining investigations to keep security teams focused and efficient.

To stay ahead of evolving threats, SOCs need two key AI-driven capabilities:

*   **Copilot AI** – Enhances analyst workflows with automated data analysis, report generation, and guided investigations.
*   **Agentic AI** – Delivers autonomous threat detection, investigation, and response, reducing manual workloads and accelerating decision-making.

By leveraging specialized AI agents that collaborate in real time, security teams can move beyond manual triage and fragmented investigations—operating faster, smarter, and with greater precision.

**Hunters Pathfinder AI**

From day one, Hunters was founded with the vision of embedding analyst intelligence into the SIEM—automating triage and investigation to maximize efficiency and accuracy. With years of experience refining AI-driven security operations, they are uniquely positioned to lead the AI-driven SOC transformation, leveraging the deep expertise to deliver automation at scale.

As Hunters Pathfinder AI continues to evolve, they are expanding its capabilities in two key areas: AI-Assisted SOC and AI-Driven SOC. These advancements will further reduce manual workloads while enhancing detection, investigation, and response.

**AI-Assisted SOC with Copilot AI**

*   Lead Summarization – AI-generated summaries that provide analysts with immediate and comprehensive context on security events.
*   Guided Investigation Workflows – Suggests next steps across the entire attack surface.
*   Natural Language Querying – Enables SOC analysts to interact with the system using conversational AI to retrieve insights efficiently.
*   Custom Detection Authoring – Helps analysts refine detections with guided logic and iterative fine-tuning.
*   Threat Classification – AI evaluates signals and context to determine whether a threat is benign or malicious, reducing manual triage time.

**AI-Driven SOC with Agentic AI**

*   Autonomous Triage and Classification – AI-driven agents investigate every threat, classifying incidents and providing full investigation reports.
*   Self-Optimizing Detections – Machine learning models continuously refine detection accuracy based on real-world attack data.
*   Automated Root Cause Analysis – AI correlates attack signals across multiple sources to provide full attack narratives.

> “Pathfinder AI is a game-changer for SOC teams, allowing us to deliver on our promise of making security operations more effective in the fight against cyber threats. By combining Copilot AI and Agentic AI, we are not just automating tasks but enabling security teams to focus on what truly matters—stopping real threats before they cause harm.” — Ian Forrest, VP of Product, Hunters

**The Road Ahead**

Hunters remains committed to pushing the boundaries of SOC automation with AI-driven investigations, automated response mechanisms, and deeper AI capabilities. Pathfinder AI represents the next advancement toward a faster, smarter, and more effective security operations center and will be delivered in the upcoming months.

For more details, users can explore Hunters’ **blog post** and **join the webinar** about this announcement on March 5th, 2025.

**About Hunters**

Hunters empowers SOC teams with AI-driven automation, maximizing efficiency without large security budgets. As a next-gen SIEM, the Hunters SOC Platform integrates Agentic AI, Copilot AI, machine learning, and graph-based correlation to automate detection, investigation, and response. Trusted by Cimpress, OpenLane, and The RealReal, Hunters delivers built-in detections, AI-driven investigations, and security expert support from Team Axon.

For more information, users can visit **Hunters Security**.

**Contact**

**Ada Filipek**  
**Hunters**  
**\[email protected\]**

Hunters Announces New AI Capabilities with Pathfinder AI for Smarter SOC Automation

View CSAF
1. EXECUTIVE SUMMARY
CVSS v3 6.7
ATTENTION:
Vendor: Hitachi Energy
Equipment: MACH PS700
Vulnerability: Uncontrolled Search Path Element
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to escalate privileges and gain control over the software.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports the following products are affected:
MACH PS700: Version v2
3.2 VULNERABILITY OVERVIEW
3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
Uncontrolled search path element in some Intel(R) Chipset Device Software before Version 10.1.19444.8378 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2023-28388 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
Hitachi Energy PSIRT reported this vulnerability to CISA.
4. MITIGATIONS
Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:
MACH PS700 v2 System: Install patch scripts to safely remove the software causing the vulnerability. In addition, general mitigation factors are recommended. (Due to complexity of individual implementation of project, contact local account team for further information on possible remediation and mitigation strategies.)
For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000208 Cybersecurity Advisory - Intel Chipset Software Vulnerability in Hitachi Energy MACH PS700 v2 System.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.
5. UPDATE HISTORY
March 04, 2025: Initial Publication

Hitachi Energy MACH PS700

Artificial Intelligence is a tool that is currently changing how businesses approach digital marketing and SEO. Explore how your business can transform with AI-powered SEO services here.

Over 70% of marketers and small business owners in the world today use AI for SEO. That’s a staggering amount. Right? Well, AI is changing how businesses approach digital marketing. It enables systems to evaluate massive data, determine patterns, and make decisions with little or no human intervention.

So, now businesses can easily automate and optimise key aspects of SEO, such as keyword research, content creation, and website analysis. This allows businesses to get high search rankings and organic traffic more efficiently than with traditional methods. Let’s learn more about this below.

**Table of Contents**

1.  The integration of artificial intelligence in SEO
    1.  Automation of keyword research
    2.  Optimisation of technical SEO
    3.  Content optimisation and creation
2.  Enhancing user experience through AI-driven strategies
3.  Predictive analytics: forecasting trends with AI
4.  Automating routine SEO tasks using machine learning
5.  Case studies: success stories of AI in SEO
    1.  Bankrate.com
    2.  Rocky Brands
    3.  STACK Media
    4.  RELATED TOPICS

****The integration of artificial intelligence in SEO****

As mentioned earlier, many businesses are adopting the use of AI for SEO. They do so in several ways, including the following:

****Automation of keyword research****

Before AI, keyword research used to involve the tiring work of analysing volume and competition metrics. That’s not the case anymore. Now tools such as Ahrefs and SEMrush use machine learning to predict keyword trends.

This is more efficient and faster than the traditional methods of keyword research. AI quickly analyses a vast amount of data to identify relevant keywords, long-tail phrases, and competitor strategies.

So, it ensures a more targeted content creation. For instance, businesses currently focusing on SEO in Spain, use AI to get more targeted Spanish keywords. Then, they incorporate the keywords in their content to ensure higher search rankings and organic traffic.

****Optimisation of technical SEO****

You can now use AI to automate your technical SEO tasks. This includes identifying technical issues, such as slow loading times and defective links. What’s more, you can use AI to get an insight into where you need to improve your website.

Therefore, AI can help your website shine. This means that it can help you identify and fix issues that can affect your search engine ranking and things like bounce rate.

****Content optimisation and creation****

Today, many businesses use artificial intelligence to develop SEO-driven strategies. Any leading digital marketing agency, such as Seeders, will confirm that AI significantly simplifies and accelerates the process of content optimization and creation. For example, AI-powered tools like Frase, Clearscope, and Surfer SEO help analyze top-ranking content. They provide recommendations on keywords, structure, and readability.

What does this indicate? It means that you don’t have to do the tiring research work daily. AI can do it for you. In addition to the research, AI can help you write great pieces of content. Remember, it all lies in how you prompt it to write.

****Enhancing user experience through AI-driven strategies****

Have you ever gotten the feeling that Google knows what you think before you finish typing? Well, that’s the power of AI. Today, SEO isn’t just about stuffing keywords into articles or hoping your content will land on the first page.

It’s about semantic search and user intent. What’s more, AI ensures that businesses can deliver more personalised, intuitive, and efficient interactions. It does this by doing the following:

*   Analysing user behaviour and past interactions to ensure personalised content and experiences. For example, Amazon and Netflix will give you product or content recommendations based on your unique history. So this ensures better user engagement.

*   Using chatbots to provide instant responses to user queries. This helps to reduce wait times and ensure better customer support.

*   Predicting customer preferences. This ensures that marketing efforts are more personalised.

****Predictive analytics: forecasting trends with AI****

AI doesn’t just focus on history. It can also help you predict the future. AI uses statistical models, data analytics, and machine learning to predict the future. The best part? Its predictions are often accurate and can help your business stay ahead in competitive markets.

Therefore, you can use AI to analyse industry trends, social media sentiments and economic indicators. Then, use the data received to predict market shifts. At the same time, you can use that data to adjust your digital marketing strategies to ensure they align with future demands.

The benefits of using AI in predictive analytics are that:

*   It offers real-time insights.
*   It analyses large datasets quickly
*   It helps businesses to optimise their marketing efforts.
*   It ensures minimal error. So businesses can make decisions quickly.

****Automating routine SEO tasks using machine learning****

As mentioned earlier, machine learning is one of the things that AI uses to make predictive analytics. Apart from that, machine learning can be used to automate routine SEO tasks. This includes doing things like:

*   Analysing search trends, competitor rankings, and user intent to generate high-performing keywords. So, businesses that use AI for keyword research can stay ahead of trends and search terms.

*   Automating content audits to ensure that content aligns well with search engine algorithms.

*   Providing real-time suggestions for content optimisation, including areas where you can improve readability.

*   Identifying gaps in existing content and suggesting topics to improve search rankings by filling these gaps.

*   Identifying technical SEO issues, like broken links and page speed problems. Then providing ways to solve them.

*   Optimising images by automatically generating alt texts.

****Case studies: success stories of AI in SEO****

Many sites have successfully used AI to improve their SEO performance. They include:

****Bankrate.com****

Bankrate.com has successfully used AI to drive thousands of visits each month to their website. This website uses AI to create responses to questions that have specific limitations, such as “What is Financial Liquidity?” and “What is the Contribution Margin?”

So, when done right, AI content can help you achieve success. And Bankrate.com has proven that. The site also uses a human touch to fact-check and rewrite where necessary.

****Rocky Brands****

Rocky Brands is another company that has managed to successfully use AI for SEO. It has implemented the use of BrightEdge tools for formulating effective SEO strategies.

After the implementation of these AI tools, Rocky Brand experienced an increase of YOY revenue by 74%, search revenue by 30% and new users by 13%.

****STACK Media****

STACK Media also collaborated with BrightEdge to enhance their web traffic. This collaboration involved identifying high search volume keywords, analysing SERP visibility, and conducting competitive research.

1.  Top SEO Agencies in the UK: Expert Insights
2.  Best SEO Experts to Follow on Twitter (X) in 2025
3.  How to Improve Your SEO through Enhanced Web Security
4.  SEO vs. PPC: Choosing the Right Strategy for Your Business
5.  16 Best SaaS SEO Experts That Will Help You Dominate Online

Featured Image via Pexels/Matheus Bertelli

AI-powered SEO services: revolutionizing digital marketing

Cybercriminals pose as IT support, using fake calls and Microsoft Teams messages to trick users into installing ransomware through email floods and remote access.

Cybersecurity researchers at Trend Micro are warning about a new scam where cybercriminals pose as tech support to gain access to victims’ computers. But this isn’t just another spam email scheme; attackers are flooding inboxes and even reaching out through Microsoft Teams to trick people into letting them in. Once inside, they deploy ransomware from groups like Black Basta and Cactus.

****Here’s how it works:****

Victims first get bombarded with a flood of emails. Shortly after, someone claiming to be from the IT department contacts them through Microsoft Teams or even a phone call. This “helper” then convinces the user to grant them remote access to their computer, often using a legitimate program called Quick Assist, which is built into Windows to allow remote tech support.

Once inside, the scammer downloads files that seem harmless at first but are secretly combined and unpacked to install a backdoor called BackConnect. Hidden in OneDrive, this backdoor gives attackers full control over the infected system.

It’s worth noting that the Black Basta gang was previously flagged in December 2024 for a similar modus operandi, using email bombing to target Microsoft Teams users. However, at that time, the group was deploying Zbot and DarkGate malware instead.

According to Trend Micro’s latest technical report, recent incidents analyzed by the company show a strong connection between this BackConnect malware and the notorious Black Basta ransomware group, which reportedly made over $100 million from victims in 2023. There’s even evidence suggesting some members of Black Basta have moved over to another ransomware gang called Cactus, as the methods used in recent Cactus attacks are strikingly similar.

These attacks have been particularly active since October 2024, primarily hitting organizations in North America, with the United States suffering the most. The manufacturing sector, followed by finance, investment consulting, and real estate, have been frequent targets for Black Basta.

Screenshot of the email address used by the attacker (Via Trend Micro)

In some cases, after establishing their backdoor, attackers have been seen using more advanced methods to spread through a network, even targeting specialized systems like ESXi hosts used for running virtual machines. They use tools like WinSCP to move files around and have been caught preparing to encrypt files before being stopped. Leaked internal chats from Black Basta reveal the group sees security tools like Trend Micro as a significant hurdle, showing they are actively trying to find ways around them.

> BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind. 😉 pic.twitter.com/6So7dl7xXn
> 
> — PRODAFT (@PRODAFT) February 20, 2025

What makes these attacks effective is not necessarily the complexity of the software used, but the way attackers manipulate people. By mixing social engineering with the abuse of genuine software and cloud services, they make their malicious actions look like normal computer activity. It highlights that cybersecurity isn’t just about having the right software, but also about being aware of how criminals try to deceive people.

****What You Should and Should NOT Do!****

If you’re a Microsoft Teams user, don’t panic if you suddenly get flooded with emails. Instead, contact your system administrator to ensure these emails are blocked immediately and your device is scanned regularly. Report any suspicious emails or calls from unknown third parties posing as “helpers” to your cybersecurity team.

Remember, you don’t need a helper if you never asked for one; especially when the ‘helper’ is the one who caused the problem in the first place.

Fake IT Support Calls Trick Microsoft Teams Users into Installing Ransomware

FortiGuard Labs discovers an advanced attack using modified Havoc Demon and SharePoint. Explore the attack's evasion techniques and security measures.

A new cyberattack campaign discovered by FortiGuard Labs, Fortinet’s threat intelligence and research unit, leverages a combination of social engineering, multi-stage malware, and the manipulation of trusted cloud services to achieve control over compromised systems.

According to FortiGuard’s investigation, shared with Hackread.com ahead of its publishing on Monday, the campaign targets Microsoft Windows users and has a high severity level. Their most crucial observation is that the attackers have innovated by integrating a modified version of the Havoc framework, Havoc Demon Agent, with the Microsoft Graph API, effectively hiding their malicious communications within the legitimate traffic of well-known cloud services.

For your information, Havoc is an open-source post-exploitation command and control framework used in red teaming exercises and attack campaigns to obtain full control of the target system.

The initial point of entry for this attack is a carefully crafted phishing email, which contains an HTML attachment designed to deceive the recipient into executing a malicious PowerShell command.

The Phishing Email (Source: FortiGuard Labs)

Through a technique known as “ClickFix,” in which users are tricked into executing malicious commands, the attachment presents a fake error message, prompting the recipient to copy and paste a seemingly harmless command into their system’s terminal. However, this command initiates a chain of events that leads to the downloading/execution of further malicious scripts, which are strategically hosted on a SharePoint site, probably to obscure the malicious operation within a trusted cloud environment.

The initial PowerShell script performs checks to evade sandbox detection and then proceeds to download/execute a Python script, also hosted on SharePoint. This Python script acts as a shellcode loader and injects and executes a malicious DLL, KaynLdr, which reflectively loads an embedded DLL, and further complicates analysis by using API hashing.

The core of the attacker’s C2 infrastructure relies on the modified version of the Havoc Demon DLL as it leverages the Microsoft Graph API to establish communication channels that blend seamlessly with legitimate cloud traffic. The “SharePointC2Init” function within the DLL obtains access tokens for the Microsoft Graph API and creates two files within the victim’s SharePoint document library, each named with a unique identifier derived from the compromised system.

These files act as channels for transmitting victim information and receiving C2 commands, while the entire communication is handled by the modified “TransportSend” function and encrypted using AES-256 in CTR mode. The agent then parses and executes these commands, which include a wide range of post-exploitation capabilities, such as information gathering, file operations, and token manipulation.

FortiGuard Labs’s discovery highlights the evolution of open-source C2 frameworks to create new, difficult-to-detect attacks and the growing need for adopting advanced security measures against such attacks.

“In addition to staying alert for phishing emails, guided messages that encourage opening a terminal or PowerShell must be handled with extra caution to prevent inadvertently downloading and executing malicious commands,” FortiGuard’s researchers concluded.

The attack Flow (Source: FortiGuard Labs)

In a comment to Hackread.com, Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based application security provider, noted that hackers are using trusted Microsoft services to evade detection, showing a high level of sophistication, but what stands out is that their attack method requires more manual action from the victim than usual.

_“_These bad actor groups aim for obfuscation so they can achieve their goals. It’s not unusual to see them use open-source frameworks, however, the use of legitimate Microsoft services shows a level of sophistication that is concerning. Using those services allows them to hide in plain sight and have the benefits of being trusted servers,_“_ Thomas explained. _“_What is surprising about this is the level of manual intervention needed on the victim for the attack to be a success. Usually with these campaigns, the bad actors want as little interaction as possible on the victim’s part aside from clicking on a link._“_

New Malware Campaign Exploits Microsoft Graph API to Infect Windows

Plus: The FBI pins that ByBit theft on North Korea, a malicious app download breaches Disney, spyware targets a priest close to the pope, and more.

As scam compounds in Southeast Asia continue to drive massive campaigns targeting victims around the world, WIRED took a deeper look at how Elon Musk’s satellite internet service provider Starlink is keeping many of those compounds in Myanmar online. Meanwhile, FTC complaints obtained by WIRED allege that an “OpenAI” job scam used Telegram to recruit workers in Bangladesh for months before the fraudsters suddenly disappeared.

WIRED published the inside story of Russian tech executive Vladislav Klyushin, who—at Vladimir Putin’s behest—was part of a notable US-Russia prisoner swap last summer after he was convicted and incarcerated in the US for insider trading that netted him $93 million. Earlier this week, TVs at the headquarters of the Department of Housing and Urban Development in Washington, DC, showed an apparently AI-generated video on loop of Donald Trump kissing Elon Musk’s feet. The words “LONG LIVE THE REAL KING” were superimposed over the video.

WIRED conducted an investigation into Telegram groups devoted to doxing and harassing women who joined “Are We Dating the Same Guy?” groups on Facebook. And, as female entrepreneurs in tech face ever steeper odds of gaining support for a business, a team of female founders got seed funding and completed a series A round in a matter of months for the cloud container security firm Edera.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Trump Administration Backs Off on Countering Russian Cyber Foes**

After years of Russian cyber aggression against the United States and its longtime allies—including repeated election meddling, hack and leak operations, disinformation campaigns, elaborate espionage, and brazen, disruptive cyberattacks—multiple recent actions from the Trump administration have recast the US stance on the cybersecurity threats posed by the Kremlin, downplaying the risks of Russian hackers as US adversaries. The about-face comes as Donald Trump and Russian president Vladimir Putin have increasingly strengthened their ties. Consistent US intelligence community assessments of Russia's activity in cyberspace and the threat it poses to the US would indicate, though, that such a change in approach could put the US at risk.

That deprioritization of the Russia threat has come in several different forms. US State Department deputy assistant secretary for international cybersecurity Liesyl Franz said during a speech in a United Nations working group last week that the US is concerned about digital attacks from China and Iran, but did not mention Russia. A recent memo distributed at the Cybersecurity and Infrastructure Security Agency laid out priorities for the agency, focusing on China and defense of US systems but omitted any reference to Russia. And on Friday, the cybersecurity news outlet The Record reported that, last week, Defense Secretary Pete Hegseth ordered US Cyber Command to stop all cyber operational planning against Russia, including offensive digital campaigns.

**Crypto Bounty Hunters Are Racing to Find and Freeze $1.4 Billion Stolen From ByBit**

Eight days have passed since the cryptocurrency exchange ByBit revealed that hackers stole $1.4 billion worth of Ethereum-based assets from the company, a heist that is by some measures the biggest theft of crypto in history. Now the race is on to track the stolen funds across blockchains, prevent its liquidation, or even recover it—and that race is being propelled by $140 million in bounties offered by ByBit itself. ByBit earlier this week launched a website where it’s inviting crypto sleuths to submit tips about the destination of its stolen Ethereum funds and offering as a reward 5 percent of the value of any funds that those tracers can identify and help to freeze or seize. ByBit has offered another 5 percent of the value as a separate reward for any crypto exchange or other platform that obtains the funds.

As of Friday, the website counted a dozen bounty hunters currently registered as part of that crypto-tracing effort and put the tally of paid-out rewards at around $4.3 million. The site also includes a leaderboard of tracers who have successfully identified tranches of the funds by following them across blockchains or frozen funds—as well as a list of crypto exchanges who have, by contrast, liquidated the stolen funds on behalf of the thieves. So far only one exchange, known as eXch, has been flagged as liquidating $94 million of the stolen assets. ByBit notes that eXch has refused to respond to its messages, and the exchange didn’t respond to a BBC request for comment.

**FBI Urges Crypto Industry Not to Launder ByBit Funds for North Korea**

Earlier this week, the FBI took the unusual step of publicly identifying the hackers behind that massive ByBit hack: TraderTraitor, a group of state-sponsored cybercriminals working on behalf of the North Korean government. The FBI asked the crypto industry not to launder the funds of those hackers, a part of the larger umbrella group widely known as Lazarus that has long plagued the cryptocurrency world and has stolen billions in both crypto and non-crypto assets. In its alert, the bureau also released a list of Ethereum addresses associated with the stolen funds in an effort to help the crypto industry identify and seize any part of the $1.4 billion before it can be cashed out. Crypto tracing firm TRM Labs wrote in a post Thursday that around $400 million of the funds have already been moved and may have been successfully liquidated.

**A Disney Staffer Opened the Door for a Slack Hack by Accidentally Downloading Malware**

In July, an entity calling itself “NullBulge” published a 1.1-TB trove of data stolen from Disney's internal Slack archive, tipping off a frenzied cleanup effort as Disney rushed to get a handle on leaked revenue numbers, employee information like passport numbers, and sensitive customer information. The breach occurred after a Disney employee, Matthew Van Andel, inadvertently downloaded malware onto his personal computer that collected his login credentials for a number of services, including, crucially, the password to his 1Password credential vault. “It’s impossible to convey the sense of violation,” he told The Wall Street Journal. Van Andel also had his credit card numbers and other personal data stolen, and then lost his job as well when a Disney audit of his work computer alleged that he had accessed porn from the device. Van Andel denies the accusation. The episode is just one in a series of breaches where malware that infects a worker’s personal computer can have major ramifications for the institution that employs them.

**An Italian Priest Close to the Pope Had His Phone Hacked**

Mattia Ferrari, an Italian priest who works with a migrant-rescue group and has a close relationship with the Pope, revealed this week that he received a warning from Meta that his phone had been hacked with sophisticated spyware from Israeli-based Paragon. The news follows revelations that Luca Casarini, the founder of the NGO Mediterranea Saving Humans, where Ferrari served as a chaplain, also had his phone compromised by spyware, as did Italian investigative reporter Francesco Cancellato. The string of spyware infections targeting Italian activists and a journalist raises the question of who might be carrying out the hacking operations, with opposition leaders calling on the administration of Italian prime minister Giorgia Meloni to address the issue. Meloni’s government has denied being behind the hacking incidents. Pope Francis, who is currently in critical condition with pneumonia, has mentioned speaking to Ferrari on the phone during a TV interview in January, raising the question of whether the spies who hacked Ferrari’s phone eavesdropped on a conversation with the pope himself.

The Trump Administration Is Deprioritizing Russia as a Cyber Threat

One of the most notorious providers of abuse-friendly "bulletproof" web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned.

One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm **Kaspersky Lab**, KrebsOnSecurity has learned.

Security experts say the Russia-based service provider **Prospero OOO** (the triple O is the Russian version of “LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, the French security firm **Intrinsec** detailed Prospero’s connections to bulletproof services advertised on Russian cybercrime forums under the names **Securehost** and **BEARHOST**.

The bulletproof hosting provider BEARHOST. This screenshot has been machine-translated from Russian. Image: Ke-la.com.

Bulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse complaints. And BEARHOST has been cultivating its reputation since at least 2019.

“If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,” BEARHOST’s ad on one forum advises. “We completely ignore all abuses without exception, including SPAMHAUS and other organizations.”

Intrinsec found Prospero has courted some of Russia’s nastiest cybercrime groups, hosting control servers for multiple ransomware gangs over the past two years. Intrinsec said its analysis showed Prospero frequently hosts malware operations such as SocGholish and GootLoader, which are spread primarily via fake browser updates on hacked websites and often lay the groundwork for more serious cyber intrusions — including ransomware.

A fake browser update page pushing mobile malware. Image: Intrinsec.

BEARHOST prides itself on the ability to evade blocking by Spamhaus, an organization that many Internet service providers around the world rely on to help identify and block sources of malware and spam. Earlier this week, Spamhaus said it noticed that Prospero was suddenly connecting to the Internet by routing through networks operated by Kaspersky Lab in Moscow.

Kaspersky did not respond to repeated requests for comment.

Kaspersky began selling antivirus and security software in the United States in 2005, and the company’s malware researchers have earned accolades from the security community for many important discoveries over the years. But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days.

Cybersecurity reporter **Kim Zetter** notes that DHS didn’t cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. Zetter wrote:

> According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets.
> 
> Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker’s machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker’s machine were not malicious programs but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.

Last year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S. effective July 20, 2024. U.S. officials argued the ban was needed because Russian law requires domestic companies to cooperate in all official investigations, and thus the Russian government could force Kaspersky to secretly gather intelligence on its behalf.

Phishing data gathered last year by the **Interisle Consulting Group** ranked hosting networks by their size and concentration of spambot hosts, and found Prospero had a higher spam score than any other provider by far.

AS209030, owned by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593). Image: cidr-report.org.

It remains unclear why Kaspersky is providing transit to Prospero. **Doug Madory**, director of Internet analysis at **Kentik**, said routing records show the relationship between Prospero and Kaspersky started at the beginning of December 2024.

Madory said Kaspersky’s network appears to be hosting several financial institutions, including Russia’s largest — **Alfa-Bank**. Kaspersky sells services to help protect customers from distributed denial-of-service (DDoS) attacks, and Madory said it could be that Prospero is simply purchasing that protection from Kaspersky.

But if that is the case, it doesn’t make the situation any better, said **Zach Edwards**, a senior threat researcher at the security firm **Silent Push**.

“In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure,” Edwards said.

Tag

#intel