Cybercriminals are using text-to-video-AI tools to lure victims to fake websites that deliver malware like infostealers and Trojans.

Cybercriminals are taking advantage of the public’s interest in Artificial Intelligence (AI) and delivering malware via text-to-video tools.

According to researchers at Mandiant, the criminals are setting up websites claiming to offer “AI video generator” services, and then using those fake tools to distribute information stealers, Trojans, and backdoors.

Links to the malicious websites were brought to the researchers’ attention by ads and links in comments on social media platforms. The researchers uncovered thousands of malicious ads on Facebook and LinkedIn—beginning in November 2024—that promote fake AI video generator tools such as “Luma AI,” “Canva Dream Lab,” and “Kling AI.”

To avoid detection, the group constantly rotates the domain used in the ads and creates new ads every day, while using both compromised and newly created accounts. The campaign operates through more than 30 websites that imitate popular legitimate AI tools.

Researchers identified the first payload as the Starkveil dropper (detected by Malwarebytes/ThreatDown) classified as Trojan.Crypt. The Trojan, written in Rust, requires users to run it twice to fully compromise their machines. After the first run, the malware displays an error window to trick victims into executing it again.

The dropper then deploys the XWorm (detected as Backdoor.XWorm) and Frostrift (detected as Trojan.Crypt) backdoors and the GRIMPULL downloader (also detected as Trojan.Crypt).

After it has fully compromised the system, this constellation of malware will harvest all kinds of data from the infected devices and send it to the cybercriminals using various methods of communication. For a full technical analysis of the malware, feel free to read the researchers’ report.

The researchers stated:

> “The temptation to try the latest AI tool can lead to anyone becoming a victim.”

So, it’s important to be aware of these campaigns and adopt ways to recognize and thwart them.

*   Be vigilant. Posts or ads with high numbers of views that promise free AI text-to-video tools are a red flag and should be examined carefully, especially if they prompt downloads of executable files, which could be disguised as videos.
*   Don’t trust unsolicited messages or ads promising unbelievable AI tools or free trials, especially if they pressure you to act quickly or provide personal information.
*   Run up-to-date and active protection to intercept these malware infections in the early stages, as well as detect and remove infostealer malware.
*   Use web protection in your browser that can recognize and block scams and malicious websites.
*   Don’t click on sponsored search results. Any other method to find a link to your coveted product is preferable over sponsored results, since criminals have demonstrated that it pays off to outbid the rightful owners.
*   Look out for ads with too-good-to-be-true offers, urgent deadlines, or unusual payment methods like cryptocurrency or wire transfers.
*   Scrutinize the provided URLs which might be constructed to look like the “real thing” but they might not be.
*   Only download AI software or tools from official, trusted sources or verified app stores.

For more actionable advice on how to spot scams, join our Facebook Live on June 3.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware 

ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users. Learn how attackers…

ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users. Learn how attackers exploit Pickle files and the growing threat to the software supply chain.

Cybersecurity experts from ReversingLabs (RL) have discovered a new trick used by cybercriminals to spread harmful software, this time by hiding it within artificial intelligence (AI) and machine learning (ML) models. 

Researchers discovered three dangerous packages on the Python Package Index (PyPI), a popular platform for Python developers to find and share code, which resembled a Python SDK for Aliyun AI Labs services and targeted users of Alibaba AI labs.

Alibaba AI labs is a significant investment and research initiative within Alibaba Group and a part of Alibaba Cloud’s AI and Data Intelligence services, or Alibaba DAMO Academy.

****New Software Threat Hides in AI Tools****

These malicious packages, named aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk, and aliyun-ai-labs-sdk, had no real AI functionality, explained ReversingLabs reverse engineer Karlo Zanki in the research shared with Hackread.com.

“The ai-labs-snippets-sdk package accounted for the majority of downloads, due to it being available for download longer than the other two packages,” the blog post revealed.

A Package’s Readme Page (Source: ReversingLabs)

Instead, once installed, they secretly dropped an infostealer (malware designed to steal information). This harmful code was hidden inside a PyTorch model. For your information, PyTorch models are often used in ML and are essentially zipped Pickle files. Pickle is a common Python format for saving and loading data, but it can be risky because malicious code can be hidden inside. This particular infostealer collected basic details about the infected computer and its .gitconfig file, which often contains sensitive user information for developers.

The packages were available on PyPI starting May 19th for less than 24 hours but were downloaded about 1,600 times. RL researchers believe the attack might have started with phishing emails or other social engineering tactics to trick users into downloading the fake software. The fact that the malware looked for details from the popular Chinese app AliMeeting, and .gitconfig files suggests developers in China might be the main targets.

****Why ML Models are being Targeted?****

The rapid rise in the use of AI and ML in everyday software makes them a part of the software supply chain, creating new opportunities for attackers. ReversingLabs has been tracking this trend, previously warning about the dangers of the Pickle file format.

ReversingLabs product management director Dhaval Shah had noted earlier that Pickle files could be used to inject harmful code. This was proven true in February with the nullifAI campaign, where malicious ML models were found on Hugging Face, another platform for ML projects.

This latest discovery on PyPI shows that attackers are increasingly using ML models, specifically the Pickle format, to hide their malware. Security tools are only just beginning to catch up to this new threat, as ML models were traditionally seen as just data carriers, not places for executable code. This highlights the urgent need for better security measures for all types of files in software development.

Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.

What makes this campaign particularly dangerous is its use of built-in Windows tools and trusted system processes to blend in with normal activity, making it much harder to catch through signatures alone.

Let’s walk through the full infection chain and see how you can safely detect these techniques in seconds with the help of the right analysis solutions.

****See the Full Attack Chain Unfold in Real Time****

To understand how this phishing campaign works end-to-end, let’s take a look at how it unfolds inside ANY.RUN’s interactive sandbox, where every step is visual, traceable, and recorded in real time.

View the full analysis session

Full attack chain of the new phishing danger inside ANY.RUN’s sandbox

From initial delivery to post-exploitation behaviour, the sandbox reveals the full picture, giving SOC teams the visibility they need to respond faster and helping businesses reduce the risk of silent, long-term compromise.

Full attack chain of the latest phishing threat inside ANY.RUN’s sandbox:

**Phishing Email → Malicious Archive → DBatLoader Execution → Obfuscated CMD Scripts → Remcos Injected into .exe**

Inside the sandbox, you can visually trace each stage of the attack as it happens, such as:

Watch how the archive triggers DBatLoader, and how obfuscated .cmd scripts begin executing suspicious commands.

ANY.RUN sandbox detected the commands execution of cmd.exe

See exactly when and where Remcos is injected into legitimate system processes, with process trees and memory indicators updated in real-time.

Remcos RAT exposed inside the interactive sandbox

Observe persistence techniques in action, such as the creation of scheduled tasks, registry changes, and the use of .url and .pif files, clearly highlighted in the system activity log.

To better understand the tactics behind this phishing attack, you can use the built-in MITRE ATT&CK mapping in ANY.RUN. Just click the “ATT&CK” button in the top-right corner of the sandbox interface.

This view instantly highlights the techniques used during the analysis, grouped by tactics like execution, persistence, privilege escalation, and more. It’s a fast, analyst-friendly way to connect behaviour to real-world threat intelligence, no manual mapping is needed.

MITRE ATT&CK techniques and tactics used by the new phishing campaign

Whether you’re performing triage or writing reports, this feature helps security teams act faster and gives managers clear evidence of how threats operate and where defences might be bypassed.

****Techniques Used in This Phishing Attack (Visible Inside Sandbox)****

Here are some of the key tactics observed in the session and how you can spot them easily inside the sandbox:

1.  **Faktura.exe: The Lure File**

Victims receive a phishing email containing an archive with Faktura.exe, posing as a legitimate invoice. When opened, it kicks off the attack.

Most email security tools won’t flag this file if it’s not known or doesn’t match known IOCs. In ANY.RUN, you can immediately see Faktura.exe in the process tree and watch how it spawns malicious activity, giving analysts clarity from the very first click.

FAKTURA.exe displayed inside ANY.RUN sandbox

2.  **DBatLoader: The Initial Loader**

Once the victim opens the phishing archive, **DBatLoader** is executed. It’s responsible for starting the infection chain by launching obfuscated scripts.

In the Process tree, DBatLoader appears as a dropped .exe, immediately spawning cmd.exe. You can inspect the command lines, and file system activity, and see exactly how the script execution begins.

YARA rule triggered by DBatLoader

3.  **Obfuscated Execution with BatCloak-Wrapped CMD Files**

We see inside this analysis session that .cmd scripts obfuscated with BatCloak are used to download and execute the malicious payload.

Obfuscation hides intent from static scanners. In sandboxes like ANY.RUN, you can open the command-line view and see every decoded instruction and suspicious pattern as it executes, no manual decoding is needed.

4.  **LOLBAS Abuse with Esentutl.exe**

The legitimate utility esentutl.exe is abused to copy cmd.exe into alpha.pif, a renamed dropper meant to look harmless.

File copy operations using esentutl.exe show up in the ANY.RUN Process tree and File system activity, including full paths and command context.

LOLBAS Abuse with Esentutl.exe detected inside ANY.RUN sandbox

5.  **Scheduled Tasks Trigger .url → .pif Execution**

A scheduled task is created to run Cmwdnsyn.url, which launches the .pif file on boot or at regular intervals. 

Scheduled task technique in detail

Scheduled tasks are a common persistence mechanism, but in complex environments, they often go unnoticed. With ANY.RUN, you can instantly see when and how the task is created, track its execution chain in the process tree, and inspect related file and registry changes.

This gives SOC teams a clear view of how the malware stays active over time, making it easier to build detection rules, document the persistence method, and ensure it’s fully removed.

6.  **UAC Bypass with Fake “C:\\Windows ” Directory**

A mock directory (C:\\Windows with a space) is used to bypass UAC prompts by exploiting Windows path handling quirks.

Bypass UAC with mock directories (note trailing space)

****Why Sandbox Analysis Is Critical Against Evasive Threats****

This phishing campaign highlights just how far attackers go to stay hidden, using built-in Windows tools, crafted persistence, and subtle privilege escalation tricks that easily bypass traditional defences.

With sandbox analysis, especially through the one like ANY.RUN, security teams gain the clarity and speed needed to stay ahead of these threats. You can observe every step of the infection, uncover techniques that static tools miss, and act with confidence.

*   Faster incident response thanks to real-time behavioural insight
*   Reduced dwell time by identifying threats before they spread
*   Better-informed security decisions through visibility into attacker tactics
*   Improved compliance and audit readiness with shareable, in-depth reports

****Take Advantage of ANY.RUN’s Birthday Offers****

To celebrate its 9th anniversary, ANY.RUN is offering a limited-time promotion:

Get bonus Interactive Sandbox licenses or double your TI Lookup quota, available only until May 31, 2025.

Don’t miss your chance to upgrade your threat detection and response workflow with solutions trusted by over 15,000 organizations worldwide.

New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know

Vulnerabilities of Western logistics. On May 21, Western intelligence agencies released joint advisory AA25-141A about attacks targeting infrastructure of Western logistics and tech companies. Alongside the usual Five Eyes, intelligence services from Germany, Czech Republic, Poland, Denmark, Estonia, France, and the Netherlands also contributed. The advisory blames Fancy Bear group, allegedly linked to Russian state […]

**Vulnerabilities of Western logistics.** On May 21, Western intelligence agencies released joint advisory AA25-141A about attacks targeting infrastructure of Western logistics and tech companies. Alongside the usual Five Eyes, intelligence services from Germany, Czech Republic, Poland, Denmark, Estonia, France, and the Netherlands also contributed.

The advisory blames Fancy Bear group, allegedly linked to Russian state structures. I strongly condemn these slanderous claims❗️

The document mentions the exploitation of vulnerabilities:

🔻 **Remote Code Execution** – WinRAR (CVE-2023-38831)  
🔻 **Elevation of Privilege** – Microsoft Outlook (CVE-2023-23397)  
🔻 **Remote Code Execution** – Roundcube (CVE-2020-12641)  
🔻 **Code Injection** – Roundcube (CVE-2021-44026)  
🔻 **Cross Site Scripting** – Roundcube (CVE-2020-35730)

Patches, exploits, and signs of in-the-wild exploitation have been available for years for these vulnerabilities. 🤦‍♂️🤷‍♂️

🗒 Vulristics Report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Vulnerabilities of Western logistics

Adidas confirms cyber attack compromising customer data, joining other major retailers targeted by advanced threats and rising cybersecurity risks.

Global sportswear giant Adidas has confirmed that it has fallen victim to a cyber attack, with customer data stolen in the incident. The company revealed that personal details, including contact information and account credentials, were accessed by threat actors. While Adidas has not disclosed the exact number of affected customers, users should still reset their passwords and monitor their accounts closely.

Adidas has also not confirmed whether the breach resulted from phishing, system vulnerabilities, or third-party compromise. But it puts the company among the growing list of major retailers hit by cyberattacks because of the rise of attack techniques, including those powered by artificial intelligence.

> _“The affected data does not contain passwords, credit cards or any other payment-related information. It mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past.”_
> 
> Adidas

“Attackers are evolving fast, using AI to supercharge phishing campaigns, automate exploits, and evade detection with alarming precision,” said Nadir Izrael, Co-Founder and CTO at Armis. “In this environment, traditional defences simply cannot keep up. Legacy point products and siloed security solutions are putting security teams on the back foot, leaving them not only open to vulnerability exploits but also forcing them into a reactive stance, addressing breaches only after the damage is done.”

Recent data from Armis Labs reveals that nearly half of retail organisations feel overwhelmed by the web of regulations they must navigate. Even more concerning, about 49% admit they have been hacked before and still struggle to secure their digital ecosystems.

While the Adidas breach highlights the dangers, it also reflects a broader shift in industry priorities. According to Armis Labs, nearly 80% of retail organisations have shifted to a more proactive cybersecurity stance at the top of their agendas this year. Encouragingly, 82% report that their employees know how to escalate suspicious activity, though that alone may not be enough to stop determined threat actors.

However, Armis Labs shows that only 46% of retailers report being able to detect and respond to major attacks in real time. That leaves a security gap, especially when attackers are getting faster and more sophisticated with each passing month.

For Adidas customers, it is important to change passwords, monitor accounts for unusual activity, and follow any updates or guidance from the company. For the retail industry, the challenge runs deep, but for a company with a market value of 45 billion dollars, top-tier cybersecurity isn’t just expected; it’s demanded.

Adidas Confirms Cyber Attack, Customer Data Stolen

Artificial intelligence is driving a massive shift in enterprise productivity, from GitHub Copilot’s code completions to chatbots that mine internal knowledge bases for instant answers. Each new agent must authenticate to other services, quietly swelling the population of non‑human identities (NHIs) across corporate clouds.
That population is already overwhelming the enterprise: many companies

AI Agents and the Non‑Human Identity Crisis: How to Deploy AI More Securely at Scale

FBI warns law firms: Silent Ransom Group uses phishing emails and fake IT calls to steal data, demanding ransom to prevent public leaks. The agency is also urges victims to share ransom evidence.

The FBI has issued a warning to US law firms about a rising cyber threat targeting the legal sector. A group known as Silent Ransom Group (SRG), also called Luna Moth or Chatty Spider, has been focusing its attacks on law firms since early 2023, using a combination of phishing emails and **social engineering calls** to gain access to sensitive legal data.

This group is no newcomer. Operating since 2022, SRG has a track record of targeting industries such as healthcare and insurance. But in recent months, law firms have become their top target, likely because of the sensitive client information these firms handle.

Back in November 2023, the **FBI issued an alert** highlighting SRG’s use of callback phishing to breach networks. In these attacks, the group sends phishing messages designed as unclickable images, often creating a false sense of urgency and providing a phone number for the recipient to call. This tactic bypasses traditional email security filters and lures victims into making contact, where the attackers then guide them into compromising their own systems.

****Their Tactics****

Aligning with their tickets, SRG’s new phishing campaigns are also deceptively simple. They send emails pretending to come from companies offering subscription services, warning the recipient about a small, questionable charge. To cancel, victims are instructed to call a number provided in the email. On that call, attackers convince the victim to download remote access software, giving SRG an entry point into the company’s systems.

However, what’s new about this campaign is that SRG has started calling employees directly, pretending to be from the company’s own IT department. They instruct the employee to join a remote session or visit a specific web page, again installing tools that give the attackers control. Once inside, they use tools like **WinSCP** or disguised versions of Rclone to quietly exfiltrate sensitive data.

After stealing the data, SRG sends ransom notes demanding payment to prevent the release or sale of the stolen information. Sometimes, they even follow up with phone calls to pressure companies into negotiations.

> _“Similar to their phishing emails posing as a company with a subscription, SRG will also call employees at a victim company to pressure them into engaging in ransom negotiations.”_
> 
> The FBI

It is worth noting that the FBI’s alert came on the same day Cofense Intelligence’s May 2025 **report** revealed widespread abuse of Remote Access Tools (RATs) by cybercriminal groups. The report identified ConnectWise ScreenConnect as the most frequently abused RAT in 2025 attacks so far.

****Why Law Firms?****

Law firms make attractive targets because of the nature of their work such as confidential client details, corporate negotiations, and sensitive legal documents. A breach here doesn’t just threaten financial loss; it risks severe reputational harm.

However, it is not only recently that cybercriminals have been targeting law firms and the valuable information they hold. In April 2022, **researchers observed** scammers using AI-generated images to create fake law firm identities.

****Hard to Detect, Harder to Stop****

One reason SRG’s campaigns are effective is that they use legitimate system management and remote access tools, which are less likely to alert antivirus. Their attacks leave few traces, making post-attack investigations and protection more difficult.

This is why the FBI is urging everyone, including researchers and even victims, to share any ransom notes used by SRG during the attacks. If you have the phone number the group used to call, the wallet address they provided, or even voice call recordings, the FBI is seeking that information.

The FBI’s alert advised Network administrators to watch for unusual downloads of tools like Zoho Assist, **AnyDesk**, Splashtop, Syncro, or Atera, and to pay attention to unexplained external file transfers using WinSCP or Rclone.

Other red flags include unexpected emails about subscription renewals, strange calls or voicemails claiming data theft, and unsolicited contact from people claiming to be part of the company’s IT team.

> The Silent Ransom Group (SRG), aka Luna Moth or Chatty Spider, is targeting law firms. Tactics include IT social engineering calls and callback phishing emails to remotely access devices and steal data for extortion. Learn more about SRG’s IOCs and TTPs: https://t.co/ro96zjD1hA pic.twitter.com/pBAd89WaBJ
> 
> — FBI (@FBI) May 23, 2025

The FBI recommends paying strong attention to basic cybersecurity practices. This includes **training staff** to spot phishing attempts and social engineering tactics, and setting clear internal guidelines for how the IT team communicates with employees.

Additionally, using strong passwords along with two-factor authentication (2FA) across the organization and maintaining regular data backups can also help reduce the damage in case of a breach.

FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls

Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

This week, WIRED launched our Rogues issue—which included going a bit rough ourselves. WIRED senior correspondent Andy Greenberg flew to Louisiana to see how easy it would be to recreate the 3D-printed gun authorities say they found on Luigi Mangione when they arrested him for the murder of UnitedHealthcare's CEO. The result? It was both easy and legal.

On Wednesday, US, European, and Japanese authorities announced the disruption of one of the world's most widely used infostealer malware. Known as Lumma, the malware was used to steal sensitive information from victims around the world, including passwords, banking information, and cryptocurrency wallets details, according to authorities. Microsoft's Digital Crime Unit aided in the operation, taking down some 2,300 URLs that served as the Lumma infrastructure.

A mysterious database containing more than 184 million records was taken down this week following its discovery by security researcher Jeremiah Fowler. The database contained 47 GB of data, which included information related to Amazon, Apple, Discord, Facebook, Google, Instagram, Microsoft, Netflix, Nintendo, PayPal, Snapchat, Spotify, Twitter, WordPress, Yahoo, and more.

In other news, the US charged 16 Russian nationals for allegedly operating the DanaBot malware, which authorities say was used in a wide variety of attacks, from ransomware to espionage. And a recent webinar revealed how a major venture capitalist helped get Starlink satellite internet activated for Israel following the October 7, 2023 attack by Hamas.

But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The US intelligence community is looking to create a marketplace where private information gathered by data brokers under the guise of marketing can be purchased by American spies, The Intercept reports. Contracting data shows the US spy agencies intend to create a “Intelligence Community Data Consortium” that uses AI tools to sift through people’s personal data; information that the Office of the Director of National Intelligence has previously acknowledged “could facilitate blackmail, stalking, harassment, and public shaming.” In addition to providing insight into Americans’ behaviors and religious and political beliefs, commercial data frequently includes precise location information, offering the US government the ability to surveil people’s movements without acquiring a warrant—exploiting a widely recognized loophole in US privacy law.

Federal lawmakers attempted to ban the US government from buying what it calls “commercially accessible information” last year, with the Republican-controlled House passing a version of a law known as the “Fourth Amendment Is Not For Sale Act.” However, the US Senate, then controlled by the Democratic Party, rejected the legislation.

Reporting by WIRED has repeatedly demonstrated how such data can offer US adversaries the ability to monitor the movements of US military and intelligence personnel, including in and around sensitive facilities that house nuclear arms.

**A Mysterious Hacking Group Is Revealed to Work for the Spanish Government**

Back in 2014, Russian security firm Kaspersky announced it had discovered a sophisticated hacking group it called Careto, Spanish for “Ugly Face” or “Mask,” that had targeted victims across Europe and Cuba. Now, more than a decade later, former employees of the company have finally confirmed what Kaspersky wouldn’t spell out at the time: That they believe Careto was a rare sighting of hackers working on behalf of the Spanish government. Careto’s targets included energy companies, research institutions, and activists, but it particularly focused on Cuba, likely due to the island nation’s giving refuge to members of a Spanish separatist group designated as terrorists by several European countries. Kaspersky’s researchers found a Spanish phrase in the hackers’ malware code that translates to “I shit in the sea,” an expletive phrase typically used by Spaniards but not other Spanish speakers. Given the sophistication of Careto’s hacking, the public confirmation of Kaspersky’s attribution to Spain adds another known player to the game of high-level state-sponsored hacking.

**Signal Introduces New Feature to Block Screenshots by Microsoft Recall**

Microsoft’s Recall feature, which constantly takes and archives screenshots of Windows users’ activity, still represents a serious privacy problem—even after Microsoft significantly walked back its rollout in response to criticism. So the encrypted messaging app Signal has gone so far as to exploit a digital rights management feature of Windows typically used to protect copyrighted materials to block Recall from taking screenshots of the app by default on Windows machines. After all, the Recall feature—which will likely be required for some corporate or government users—will essentially remove any privacy promise from Signal’s disappearing messages feature for both Recall users and anyone communicating with them. The screenshot-prevention feature can be turned off in Signal’s settings, but it will be turned on by default in Windows. “Microsoft has simply given us no other option,” Signal wrote in a blog post.

**Russia’s Fancy Bear Hackers Targeted Security Cameras to Spy on Ukraine Aid**

The hacker group within Russia’s GRU military intelligence agency known as APT28 or Fancy Bear first rose to infamy for its targeting of the 2016 US election, but it’s no surprise that the group has more recently focused on Ukraine. According to a new assessment from no fewer than 11 countries’ intelligence agencies, the hacker group has been targeting a broad array of technology and logistics firms involved in providing aid to Ukraine. “Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign, the advisory reads. Perhaps most notable about the agencies’ accusations is that the hackers targeted 10,000 security cameras in countries bordering Ukraine, including at border crossings, military facilities, and train stations. According to the agencies, the GRU hackers also carried out reconnaissance of the network of at least one producer of industrial control system components for railway systems—suggesting a possible intention to attempt sabotage—but didn’t actually succeed in breaching the company.

**US Indicts Russian National Over Qakbot Malware**

The US Department of Justice on Thursday indicted a Russian national, Rustam Gallyamov, on allegations that he designed software that was widely used by ransomware gangs and is known to have infected hundreds of thousands of computers, netting the gangs roughly $8.6 million in profit, according to DOJ figures. Prosecutors say more than $24 million was seized from Gallyamov, 48, over the course of its investigation. Federal charges unsealed this week allege that Gallyamov himself gained access to victims’ computers and provided it to an array of cybercriminal organizations, including Dopplepaymer, REvil, Black Basta, and Cactus, among others.

The investigation into the now disrupted malware, known as Qakbot, was announced in August 2023 under former US attorney general Merrick Garland, who credited a multinational operation that included Europol and prosecutors and law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. Agencies of Canada and Denmark have also been credited in the investigation that targeted Gallyamov.

The US Is Building a One-Stop Shop for Buying Your Data

Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.

A new report from Cofense Intelligence reveals a troubling trend in cyberattacks: criminals are increasingly hijacking legitimate Remote Access Tools (RATs) to infiltrate computer systems. Unlike malicious software specifically designed for hacking, these tools are built for lawful purposes, often used by IT professionals in companies. Their genuine nature makes them particularly dangerous, as they can bypass traditional security measures and user suspicion.

****The Deception of Legitimate RATs****

Threat actors are leveraging the inherent trust in these tools to gain access to victim machines, researchers noted in the blog post shared with Hackread.com. Once installed, these legitimate RATs become a gateway for delivering further harmful programs, spying on user activities, or stealing sensitive information like passwords and confidential business records. The versatility of these tools, combined with their appearance of being trustworthy software, makes them a potent weapon in the hands of cybercriminals.

Cofense Intelligence highlighted several frequently abused legitimate RATs. ConnectWise ScreenConnect, previously known as ConnectWise Control and ScreenConnect, emerged as the most popular choice for attackers in 2024, appearing in 56% of active threat reports involving legitimate RATs.

“ConnectWise RAT is the most popularly abused legitimate remote access tool and accounted for 56% of all active threat reports (ATRs) with legitimate remote access tools in 2024,” wrote Kahng An from Cofense’s Intelligence Team in their report.

Its popularity is surging further in 2025, with current attack volumes already matching those seen throughout last year. Another tool, FleetDeck, saw a surge in use during the summer of 2024, particularly targeting German and French speakers with finance-themed lures.

****Common Attack Methods and Global Impact****

Attackers employ various methods to trick victims into installing these tools. For ConnectWise ScreenConnect, notable campaigns include spoofing the US Social Security Administration with emails falsely claiming to offer updated benefit statements.

Source: Cofense  

These emails often contain links to fake PDF files or directly to the RAT installer. Another tactic observed since February 5, 2025, involves emails pretending to be notifications about shared files on “filesfm,” leading victims to download a seemingly legitimate OneDrive client that is, in fact, the ConnectWise RAT installer.

According to Cofense, other legitimate RATs are also being exploited. Atera, a comprehensive remote monitoring and management suite that integrates with tools like Splashtop, has been used in campaigns targeting Portuguese speakers in Brazil with fake legal notices and invoices since October 2024.

Source: Cofense

Smaller, less common RATs like LogMeIn Resolve (GoTo RAT), Gooxion RAT, PDQ Connect, Mesh Agent, N-Able, and Teramind have also been observed in various, often localized, campaigns.

The ease and low cost of acquiring these tools allow attackers to quickly switch between different ones, posing a continuous challenge for cybersecurity protection, Cofense researchers concluded, adding that such campaigns are typically one-off events that are hard to sustain.

“These campaigns are generally one-off events and do not appear to be sustained over time. It is possible that the threat actors quickly pivot between different RATs because of the overall large number of different options that are available on the market.”

ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks

Operation Endgame takes down DanaBot malware network; 300 servers neutralized, €21.2M in crypto seized, 16 charged, 20 international warrants.

In a major international operation coordinated by Europol and Eurojust, law enforcement agencies and private sector partners have successfully dismantled the DanaBot malware network.

This global effort, part of the ongoing Operation Endgame, led to federal charges against 16 individuals, the neutralization of approximately 300 servers and 650 domains worldwide between May 19 and 22, 2025, and the issuance of international arrest warrants for 20 targets. Over EUR 21.2 million in cryptocurrency has also been seized in total during Operation Endgame, including EUR 3.5 million during this latest action week.

The DanaBot malware, controlled by a Russia-based cybercrime organization, infected over 300,000 computers globally, causing at least an estimated $50 million in damages through fraud and ransomware. Among those charged by the US Department of Justice (DoJ) are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both from Novosibirsk, Russia, who remain at large.

****DanaBot’s Evolution Tactics****

DanaBot, first identified in May 2018, operated as a _malware-as-a-service_ (MaaS), renting its capabilities to other criminals. It was highly versatile, stealing banking credentials, browsing history, and even cryptocurrency wallet information, while also offering remote access, keylogging, and screen recording. Initial infections often came via spam emails. Hackread.com notably reported on DanaBot’s emergence in 2019, when Proofpoint researchers first detailed its spread.

ESET, which has carefully tracked DanaBot since 2018, confirmed its evolution into a top banking malware, noting that countries like Poland, Italy, Spain, and Turkey were historically among its most targeted.

ESET researcher Tomáš Procházka added, “Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system.”

More recently, a new version of DanaBot has been found hidden in pirated software keys for “free VPN, anti-virus software and pirated games,” tricking users downloading from bogus sites.

DanaBot Infrastructure (Source: ESET)

Beyond financial crime, the investigation revealed DanaBot’s sinister dual purpose. A variant, tracked by CrowdStrike as SCULLY SPIDER, targeted military, diplomatic, and government entities in North America and Europe for espionage, and was observed by ESET launching DDoS attacks against targets like Ukraine’s Ministry of Defense following the Russian invasion.

According to Europol’s press release, this massive takedown is an evidence to extensive international cooperation. The investigation was spearheaded by the FBI’s Anchorage Field Office and the Defense Criminal Investigative Service (DCIS), with significant assistance from Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police.

Europol and Eurojust provided crucial coordination, with a command post at Europol HQ involving investigators from Canada, Denmark, France, Germany, Netherlands, UK, and US.

Numerous private cybersecurity companies provided critical technical assistance, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team Cymru, and ZScaler. ESET Research specifically contributed technical analysis of the malware and its backend infrastructure, along with identifying DanaBot’s command and control servers.

German authorities will add 18 suspects to the EU Most Wanted list from May 23, 2025. This coordinated action is a major blow to cybercriminal networks, showing the power of global partnerships against growing cybersecurity threats.

Operation Endgame is aimed at breaking the “ransomware kill chain.” So far authorities have neutralised initial access malware like Bumblebee, Latrodectus, Qakbot, Hijackloader, Trickbot and Warmcookie.

Tag

#intel