N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users…

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users into installation.

A new version of North Korean malware called ‘FlexibleFerret’ is making rounds, specifically targeting macOS devices and developers. This malware, linked to the ‘Contagious Interview’ campaign, uses tricky methods to infect systems, even disguising itself as legitimate software.

****The ‘Contagious Interview’ Trick****

The campaign begins with a **social engineering tactic**. Hackers lure their targets, often job seekers, into downloading malware through fake job interview processes. They send a link that appears to require a software update, like a fake virtual meeting application.

It is worth noting that the ‘Ferret’ malware family was originally discovered in September 2024 targeting Blockchain professionals with fake video conferencing and job scams. The latest variant, ‘FlexibleFerret,’ was discovered by SentinelLabs, and shows that hackers constantly change their methods to avoid detection.

Interestingly, Apple recently strengthened its XProtect security tool to deal with threats like “Ferret,” and other macOS malware. However, despite new security protocols, according to SentinelLabs’ **blog post** shared with Hackread.com, FlexibleFerret remained undetected, at least initially.

****How FlexibleFerret Works****

‘FlexibleFerret’ uses a dropper, which is essentially a package that installs the malware onto the system. This particular dropper contains several components, including fake applications and scripts.

After installation, the malware begins executing several malicious actions. It places and runs hidden components in the computer’s temporary folders, ensuring its presence remains unnoticed. At the same time, it creates a **fake Zoom application** that secretly connects to a suspicious domain.

To further trick victims, it displays a fake error message, making it seem like the installation failed while actually continuing to install itself in the background. Once embedded, it establishes persistence, allowing it to automatically run even after the system is restarted.

****A Signed Threat Against Job Seekers and Developers****

Unlike some older versions, ‘FlexibleFerret’ was initially signed with a valid Apple Developer signature. This helped it bypass some security checks, making it appear more legitimate. Security experts used this signature to discover even more related malware samples. That certificate has since been revoked, but a trail of other signed files has turned up.

The hackers behind ‘FlexibleFerret’ aren’t just focusing on job seekers anymore. They’re also targeting developers directly, using **fake bug reports or comments** on websites like GitHub to trick them into downloading the malware.

A threat actor tricking users into installing FlexibleFerret malware (Via SentinelLabs)

****Links to ChromeUpdate Malware****

FlexibleFerret includes a binary labeled “Mac-Installer.InstallerAlert,” which strongly matches code previously spotted in “**ChromeUpdate**,” an older piece of malware involved in these job interview lures. While Apple’s updated rules catch ChromeUpdate, they currently overlook this newer malware, indicating that attackers have changed minor elements to sneak past protections.

> _“The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required.”_
> 
>   
> SentinelLabs

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Hackers used fake job website to scam jobless US veterans**
3.  **KnowBe4 Tricked into Hiring a North Korean Hacker as IT Pro**
4.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
5.  **Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!**
6.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**
7.  **Fake PoC Script Tricked Researchers into Downloading VenomRAT**

N. Korean ‘FlexibleFerret’ Malware Hits macOS with Fake Zoom, Job Scams

The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process.
"Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or

North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS

An investigation into more than 300 cyberattacks against US K–12 schools over the past five years shows how schools can withhold crucial details from students and parents whose data was stolen.

Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden

Malicious DeepSeek packages on PyPI spread malware, stealing sensitive data like API keys. Learn how this attack targeted developers and how to protect yourself.

Cybersecurity researchers at the Positive Technologies Expert Security Center (PT ESC) have found a sneaky malware campaign targeting the Python Package Index (PyPI), a popular online repository for **Python software**. The attack focused on developers, machine learning engineers, and AI enthusiasts who might integrate DeepSeek AI into their projects.

It all began on January 29, 2025, when a suspicious user named “bvk,” whose account had been inactive since its creation in June 2023, uploaded two malicious packages: deepseeek or deepseekai. These packages were designed to mimic legitimate integrations with DeepSeek but contained malicious code aimed at stealing sensitive information from users’ systems.

Malicious DeepSeek packages (Via PT ESC)

Once installed, the harmful packages executed commands that collected system information and stole environment variables. These variables often contain critical data, such as credentials for cloud storage, database access, or other infrastructure resources. The stolen information was then sent to a command-and-control (C2) server hosted on Pipedream, a developer integration platform.

Interestingly, according to PT ESC’s **blog post** shared with Hackread.com, the attackers appeared to use an AI-powered assistant to write their malicious script, as evidenced by the code’s comments explaining its functionality. **AI-generated content** and codes have become a significant cybersecurity threat, with experts warning that the risk is only growing.

****Quick Action****

After discovering the malicious packages, Positive Technologies immediately alerted PyPI administrators, who quarantined and deleted the packages within an hour. However, during that short window, the packages had already been downloaded 222 times across various tools and methods in the following countries:

*   **US**: 117 downloads

*   **China**: 36 downloads

*   **Russia**: 12 downloads

*   Other countries, including Germany, Canada, and Hong Kong, also reported downloads.

****Exploiting DeepSeek’s Popularity****

Although the attack was contained before causing large-scale harm, it presents important questions about the security of open-source repositories. Cybercriminals frequently monitor emerging trends and exploit them to trick unsuspecting users. In this example, the **popularity of DeepSeek** likely attracted malicious actors seeking to exploit its growing user base.

In a comment to Hackread.com, **Jason Soroko**, Senior Fellow at Sectigo, emphasized the impact of this incident stating, “This report underscores how attackers exploit trusted naming conventions and the reliance on authentic package sources within the open-source ecosystem. While the threat was neutralized quickly, it serves as a reminder of the growing risks associated with software supply chains.”

****Protecting Yourself from Similar Threats****

This incident is a good sign to be careful when downloading and installing software, especially from public repositories like PyPI. Here are a few quick tips to help you stay safe:

*   **Security Tools**: Use services like Positive Technologies’ PyAnalysis, which monitors PyPI for malicious activity in real-time.

*   **Verify Package Sources**: Only download well-established packages with a strong reputation. Be cautious of newly uploaded tools, especially those with names similar to popular projects.

*   **Scan Dependencies**: Use tools to analyze the code of packages before installing them.

*   **Monitor Environment Variables**: Keep an eye on sensitive data stored in your system and limit its exposure where possible.

Hackers Hide Malware in Fake DeepSeek PyPI Packages

Though Windows, iOS, and macOS users won't need to make any changes, Android users are advised to remove their Defender VPN profiles.

Source: CryptoFX via Alamy Stock Photo

NEWS BRIEF

Microsoft is notifying users that it will no longer support the Privacy Protection VPN feature within the Microsoft Defender app. The feature will be removed on Feb. 28.

Microsoft Defender checks files or apps downloaded and installed on a device for any malicious software, as well as runs scans of files already on a system. It works alongside third-party anti-malware solutions and is included as part of a Microsoft 365 Personal or Family subscription.

Microsoft plans to eliminate only the VPN feature and will still provide device protection, identity theft monitoring, and credit monitoring in the US.

The support update document announcing the change did not have a lot of detail but stated that removing the privacy protection benefit will allow the company to "invest in new areas that will better align to customer needs." The document also notes the company routinely evaluates the effectiveness of its features.

Though Windows, iOS, and macOS users won't have to take any action, Microsoft provided instructions for Android users to follow because the VPN profile must be removed from devices manually.

"Not removing the Defender VPN profile on your Android device will not cause any impact to your device but it's recommended to remove it as it won't be used by Defender to provide protection," Microsoft stated.

Android users can follow the steps below to remove their Defender VPN profiles:

3.  Users should see a "Microsoft Defender" VPN profile in the list of VPN profiles if they've onboarded to privacy protection.
    
4.  Click on the "Info" icon and remove the profile.
    

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Microsoft Sets End Date for Defender VPN

Adversaries looking to ride the DeepSeek interest wave are taking advantage of developers in a rush to deploy the new technology, by using AI-generated malware against them.

Source: ifeelstock via Alamy Stock Photo

Researchers have found malicious DeepSeek-impersonating packages planted in the Python Package Index (PyPi); the code is actually loaded with infostealers. Experts warn that's probably not the only platform loaded with fake, malicious DeepSeek packages, and that developers should proceed with care.

Researchers with Positive Technologies discovered the malicious packages, labeled "deepseekai" and "deepseeek," trying to trick developers into thinking they were legit.

"The attack targeted developers, machine learning \[ML\] engineers, and ordinary AI enthusiasts who might be interested in integrating DeepSeek into their systems," the Positive Technologies researchers wrote in an analysis.

The account behind the attack, "bvk," was created in June 2023 and sat dormant until the campaign sprang to life on Jan. 29, according to the report. When executed, the researchers noted both "deepseeek" and "deepseekai" drop infostealers to steal sensitive data, including API keys, database credentials, and permissions.

The malicious PyPi packages have been deleted, but there's evidence they were downloaded 36 times using the pip package manager and the bandersnatch mirroring tool, and 186 times using the browser, the researchers reported.

"Sometimes API keys aren’t leaked, they’re just plain stolen," Tim Erlin, vice president of product at Wallarm says. "This incident is a good example of attackers taking advantage of the prevailing news cycle. Anytime you’re doing something popular, whether clicking on a link or installing a PyPi package, it’s best to approach the task with a healthy dose of skepticism."

Related:'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

That mindset can help developers avoid making similar cybersecurity slip-ups, according to Mike McGuire, senior security solutions manager with Black Duck.

"In their eagerness to leverage DeepSeek in their tasks, many developers missed the 'red flag' that they were downloading packages from an account with a limited, poor reputation, and had their environment variables and secrets compromised as a result," McGuire says.

Ironically given how advanced DeepSeek's capabilities are touted to be, the attack itself was a fairly low-tech affair, Michael Lieberman, CTO at Kusari, notes.

"Typosquatting attacks are popular because they work," Kusari points out. "It's easy for a developer to mistype a word or use something with a similar-sounding name and suddenly their application is pulling in malicious code. Popular or trendy technologies are at particular risk since the pool of potential victims is larger."

Related:DeepSeek Jailbreak Reveals Its Entire System Prompt

**Adversaries Using AI to Write Code Faster Too**

In a novel twist, the researchers found evidence the threat actors used AI to write the malicious code.

"There are clear indications that the compromised code was written with AI assistance, providing a real-world example of AI being used for malicious intent," Wallarm's Erlin says.

Erlin adds that developers should expect similar malicious packages to be scattered among various platforms.

"Developers, with malintent or not, are heavily invested in using AI to be more efficient." he adds. "AI lets developers write more code, faster. We should expect to see the volume of malicious code expand at the same rate as code in general."

To protect their environments from these threats, Raj Mallempati, CEO of BlueFlag Security, says developers need to implement strong security practices throughout the software development lifecycle (SDLC). That means using software composition analysis (SCA) tools, as well as automated vulnerability scanning, limiting the use of unverified packages in developer environments, and threat intelligence monitoring.

"This recent incident underscores the need for developers to specifically protect against threats like OSS typosquatting," Mallempati explains. "Double checking package names and verifying package sources that come from DeepSeek will be key here. As well, developers should enable dependency scanning tools like Github dependabot to ensure they are not downloading malicious packages."

Related:Code-Scanning Tool's License at Heart of Security Breakup

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi

A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams that leverage a wide range of tailored lures to deceive victims and trick them into installing malware such as StealC, Atomic macOS Stealer (aka AMOS), and Angel Drainer.
"Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a

Crazy Evil Gang Targets Crypto with StealC, AMOS, and Angel Drainer Malware

Security researchers tested 50 well-known jailbreaks against DeepSeek’s popular new AI chatbot. It didn’t stop a single one.

Ever since OpenAI released ChatGPT at the end of 2022, hackers and security researchers have tried to find holes in large language models (LLMs) to get around their guardrails and trick them into spewing out hate speech, bomb-making instructions, propaganda, and other harmful content. In response, OpenAI and other generative AI developers have refined their system defenses to make it more difficult to carry out these attacks. But as the Chinese AI platform DeepSeek rockets to prominence with its new, cheaper R1 reasoning model, its safety protections appear to be far behind those of its established competitors.

Today, security researchers from Cisco and the University of Pennsylvania are publishing findings showing that, when tested with 50 malicious prompts designed to elicit toxic content, DeepSeek’s model did not detect or block a single one. In other words, the researchers say they were shocked to achieve a “100 percent attack success rate.”

The findings are part of a growing body of evidence that DeepSeek’s safety and security measures may not match those of other tech companies developing LLMs. DeepSeek’s censorship of subjects deemed sensitive by China’s government has also been easily bypassed.

“A hundred percent of the attacks succeeded, which tells you that there’s a trade-off,” DJ Sampath, the VP of product, AI software and platform at Cisco, tells WIRED. “Yes, it might have been cheaper to build something here, but the investment has perhaps not gone into thinking through what types of safety and security things you need to put inside of the model.”

Other researchers have had similar findings. Separate analysis published today by the AI security company Adversa AI and shared with WIRED also suggests that DeepSeek is vulnerable to a wide range of jailbreaking tactics, from simple language tricks to complex AI-generated prompts.

DeepSeek, which has been dealing with an avalanche of attention this week and has not spoken publicly about a range of questions, did not respond to WIRED’s request for comment about its model’s safety setup.

Generative AI models, like any technological system, can contain a host of weaknesses or vulnerabilities that, if exploited or set up poorly, can allow malicious actors to conduct attacks against them. For the current wave of AI systems, indirect prompt injection attacks are considered one of the biggest security flaws. These attacks involve an AI system taking in data from an outside source—perhaps hidden instructions of a website the LLM summarizes—and taking actions based on the information.

Jailbreaks, which are one kind of prompt-injection attack, allow people to get around the safety systems put in place to restrict what an LLM can generate. Tech companies don’t want people creating guides to making explosives or using their AI to create reams of disinformation, for example.

Jailbreaks started out simple, with people essentially crafting clever sentences to tell an LLM to ignore content filters—the most popular of which was called “Do Anything Now” or DAN for short. However, as AI companies have put in place more robust protections, some jailbreaks have become more sophisticated, often being generated using AI or using special and obfuscated characters. While all LLMs are susceptible to jailbreaks, and much of the information could be found through simple online searches, chatbots can still be used maliciously.

“Jailbreaks persist simply because eliminating them entirely is nearly impossible—just like buffer overflow vulnerabilities in software (which have existed for over 40 years) or SQL injection flaws in web applications (which have plagued security teams for more than two decades),” Alex Polyakov, the CEO of security firm Adversa AI, told WIRED in an email.

Cisco’s Sampath argues that as companies use more types of AI in their applications, the risks are amplified. “It starts to become a big deal when you start putting these models into important complex systems and those jailbreaks suddenly result in downstream things that increases liability, increases business risk, increases all kinds of issues for enterprises,” Sampath says.

The Cisco researchers drew their 50 randomly selected prompts to test DeepSeek’s R1 from a well-known library of standardized evaluation prompts known as HarmBench. They tested prompts from six HarmBench categories, including general harm, cybercrime, misinformation, and illegal activities. They probed the model running locally on machines rather than through DeepSeek’s website or app, which send data to China.

Beyond this, the researchers say they have also seen some potentially concerning results from testing R1 with more involved, non-linguistic attacks using things like Cyrillic characters and tailored scripts to attempt to achieve code execution. But for their initial tests, Sampath says, his team wanted to focus on findings that stemmed from a generally recognized benchmark.

Cisco also included comparisons of R1’s performance against HarmBench prompts with the performance of other models. And some, like Meta’s Llama 3.1, faltered almost as severely as DeepSeek’s R1. But Sampath emphasizes that DeepSeek’s R1 is a specific reasoning model, which takes longer to generate answers but pulls upon more complex processes to try to produce better results. Therefore, Sampath argues, the best comparison is with OpenAI’s o1 reasoning model, which fared the best of all models tested. (Meta did not immediately respond to a request for comment).

Polyakov, from Adversa AI, explains that DeepSeek appears to detect and reject some well-known jailbreak attacks, saying that “it seems that these responses are often just copied from OpenAI’s dataset.” However, Polyakov says that in his company’s tests of four different types of jailbreaks—from linguistic ones to code-based tricks—DeepSeek’s restrictions could easily be bypassed.

“Every single method worked flawlessly,” Polyakov says. “What’s even more alarming is that these aren’t novel ‘zero-day’ jailbreaks—many have been publicly known for years,” he says, claiming he saw the model go into more depth with some instructions around psychedelics than he had seen any other model create.

“DeepSeek is just another example of how every model can be broken—it’s just a matter of how much effort you put in. Some attacks might get patched, but the attack surface is infinite,” Polyakov adds. “If you’re not continuously red-teaming your AI, you’re already compromised.”

DeepSeek’s Safety Guardrails Failed Every Test Researchers Threw at Its AI Chatbot

Martin discusses how defenders can use threat intelligence to equip themselves against AI-based threats. Plus check out his introductory course to threat intelligence.

Thursday, January 30, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter. 

You don’t need me to tell you that security is constantly changing and that more change is on its way. The enthusiastic adoption of new AI systems will inevitably lead to more demands on cybersecurity teams. Not only will these systems need protecting against the same threats which affect current systems, but also against new types of threats that target AI models. We can only expect that attacks designed to subvert AI models and get them to function in ways detrimental to their operators’ interests will become more effective and beneficial to attackers over time. 

The good news is that we can expect AI enabled security systems to help protect against attacks, detect incursions, and orchestrate the remediation of affected systems. However, we must not overlook the fact that people will remain involved and invested in the outcome. Within this AI powered future will be CISOs who will be held responsible for the security of systems. There will also be many analysts tasked with keeping systems operating correctly while trying to anticipate and protect against forthcoming malicious campaigns.

Although we may not be able to predict the nature of attacks in this distant future, we can predict some of the skills that will be necessary to beat these attacks. Threat intelligence skills will be vital to equip future cyber security professionals not only to understand the goals of the threat actors that they face but to situate their attacks within the context of these goals. Armed with this understanding, security teams will be able to make better decisions regarding the allocation and prioritization of resources to best defend against attacks. 

Developing threat intelligence skills within the cyber security professionals of tomorrow begins today. Training up people who are early in their careers and students yet to begin their careers is one of the best investments we can make to build resilience against future threats.

To help skill up future analysts, my colleagues and myself in collaboration with Cisco’s Networking Academy have developed an introductory course to threat intelligence. This course is free for all, only registration is required, and is intended to give an overview of the domain for someone without prior knowledge which can be used as a starting point for further study or employment.

For those looking to develop a threat intelligence program as part of their cyber security strategy, we are hosting a technical seminar at Cisco Live EMEA on Sunday February 9th. The session, “Establishing a Threat Intelligence Program, Why its Necessary, What to Expect and How to Go about it \[TECSEC-2003\]”, will present how managers can set-up a threat intelligence team as part of their arsenal against the bad guys and what can reasonably be expected.

**The one big thing**

One pointer to the nature of future threats against AI systems is a technique used in spam that Talos recently blogged about. Hiding the nature of the content displayed to the recipient from anti-spam systems is not a new technique. Spammers have included hidden text or used formatting rules to camouflage their actual message from anti-spam analysis for decades. However, we have seen increase in the use of such techniques during the second half of 2024.

**Why do I care?**

Parsers which are required for computers to understand text content, view the world very differently from humans. The human eye ignores text in miniscule font or can’t detect black letters on a black background, but this is not necessarily the case for parsers. Where the human eye sees readily readable text, the parser can see the gibberish that spammers have included to confuse them. Potentially the opposite is also true with humans seeing gibberish, but language parsing software seeing readable text.

Being able to disguise and hide content from machine analysis or from human oversight is likely to become a more important vector of attack against AI systems as they become a larger part of our lives. 

**So now what?**

Fortunately, the techniques to detect this kind of obfuscation are well known and already integrated into spam detection systems such as Cisco Email Threat Defense. Conversely, the presence of attempts to obfuscate content in this manner makes it obvious that a message is malicious and can be classed as spam.

**Top security headlines of the week**

Another incident of an undersea telecommunications cable being cut in the Baltic was encountered. (CNN). Organisations need to plan for the effects of a major telecommunications outage or internet bandwidth restriction affecting their business.

Three members of Russia’s GRU have been placed under sanctions for their suspected role in conducting cyber attacks against Estonia in 2020 (SecurityAffairs). Threat actors might try to hide their identities but eventually they will be discovered and held to account for their actions.

A botnet consisting of infected IoT devices is behind the largest ever DDoS attack (Help Net Security). Small network connected devices can easily be overlooked as part of a cyber security strategy, but they can be compromised by threat actors and used for nefarious purposes.

**Can't get enough Talos?**

Today we released the new Cisco Talos Quarterly Trends Report - covering incidents from October to December 2024. The big call out? Threat actors are increasingly deployed web shells against vulnerable web applications. They primarily exploited vulnerable or unpatched public-facing applications to gain initial access, a notable shift from previous quarters.

Watch Hazel, Joe and Craig break down the report - they discuss hunting down web shells, the Interlock ransomware, and the increasing use of remote access tools within ransomware attacks.

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.  (Cisco Live EMEA)

**Most prevalent malware files of the week**

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:**https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_DetectionClaimed Product: 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Defeating Future Threats Starts Today

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services.

Image: Shutterstock, ArtHead.

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit — a sprawling network tied to Chinese organized crime gangs and aptly named “**Funnull**” — highlights a persistent whac-a-mole problem facing cloud services.

In October 2024, the security firm **Silent Push** published a lengthy analysis of how **Amazon AWS** and **Microsoft Azure** were providing services to Funnull, a two-year-old Chinese content delivery network that hosts a wide variety of fake trading apps, pig butchering scams, gambling websites, and retail phishing pages.

Funnull made headlines last summer after it acquired the domain name **polyfill\[.\]io**, previously the home of a widely-used open source code library that allowed older browsers to handle advanced functions that weren’t natively supported. There were still tens of thousands of legitimate domains linking to the Polyfill domain at the time of its acquisition, and Funnull soon after conducted a supply-chain attack that redirected visitors to malicious sites.

Silent Push’s October 2024 report found a vast number of domains hosted via Funnull promoting gambling sites that bear the logo of the **Suncity Group**, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean Lazarus Group.

In 2023, Suncity’s CEO was sentenced to 18 years in prison on charges of fraud, illegal gambling, and “triad offenses,” i.e. working with Chinese transnational organized crime syndicates. Suncity is alleged to have built an underground banking system that laundered billions of dollars for criminals.

It is likely the gambling sites coming through Funnull are abusing top casino brands as part of their money laundering schemes. In reporting on Silent Push’s October report, _TechCrunch_ obtained a comment from Bwin, one of the casinos being advertised en masse through Funnull, and Bwin said those websites did not belong to them.

Gambling is illegal in China except in Macau, a special administrative region of China. Silent Push researchers say Funnull may be helping online gamblers in China evade the Communist party’s “Great Firewall,” which blocks access to gambling destinations.

Silent Push’s **Zach Edwards** said that upon revisiting Funnull’s infrastructure again this month, they found dozens of the same Amazon and Microsoft cloud Internet addresses still forwarding Funnull traffic through a dizzying chain of auto-generated domain names before redirecting malicious or phishous websites.

Edwards said Funnull is a textbook example of an increasing trend Silent Push calls “infrastructure laundering,” wherein crooks selling cybercrime services will relay some or all of their malicious traffic through U.S. cloud providers.

“It’s crucial for global hosting companies based in the West to wake up to the fact that extremely low quality and suspicious web hosts based out of China are deliberately renting IP space from multiple companies and then mapping those IPs to their criminal client websites,” Edwards told KrebsOnSecurity. “We need these major hosts to create internal policies so that if they are renting IP space to one entity, who further rents it to host numerous criminal websites, all of those IPs should be reclaimed and the CDN who purchased them should be banned from future IP rentals or purchases.”

A Suncity gambling site promoted via Funnull. The sites feature a prompt for a Tether/USDT deposit program.

Reached for comment, Amazon referred this reporter to a statement Silent Push included in a report released today. Amazon said AWS was already aware of the Funnull addresses tracked by Silent Push, and that it had suspended all known accounts linked to the activity.

Amazon said that contrary to implications in the Silent Push report, it has every reason to aggressively police its network against this activity, noting the accounts tied to Funnull used “fraudulent methods to temporarily acquire infrastructure, for which it never pays. Thus, AWS incurs damages as a result of the abusive activity.”

“When AWS’s automated or manual systems detect potential abuse, or when we receive reports of potential abuse, we act quickly to investigate and take action to stop any prohibited activity,” Amazon’s statement continues. “In the event anyone suspects that AWS resources are being used for abusive activity, we encourage them to report it to AWS Trust & Safety using the report abuse form. In this case, the authors of the report never notified AWS of the findings of their research via our easy-to-find security and abuse reporting channels. Instead, AWS first learned of their research from a journalist to whom the researchers had provided a draft.”

Microsoft likewise said it takes such abuse seriously, and encouraged others to report suspicious activity found on its network.

“We are committed to protecting our customers against this kind of activity and actively enforce acceptable use policies when violations are detected,” Microsoft said in a written statement. “We encourage reporting suspicious activity to Microsoft so we can investigate and take appropriate actions.”

**Richard Hummel** is threat intelligence lead at **NETSCOUT**. Hummel said it used to be that “noisy” and frequently disruptive malicious traffic — such as automated application layer attacks, and “brute force” efforts to crack passwords or find vulnerabilities in websites — came mostly from botnets, or large collections of hacked devices.

But he said the vast majority of the infrastructure used to funnel this type of traffic is now proxied through major cloud providers, which can make it difficult for organizations to block at the network level.

“From a defenders point of view, you can’t wholesale block cloud providers, because a single IP can host thousands or tens of thousands of domains,” Hummel said.

In May 2024, KrebsOnSecurity published a deep dive on Stark Industries Solutions, an ISP that materialized at the start of Russia’s invasion of Ukraine and has been used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia. Experts said much of the malicious traffic  traversing Stark’s network (e.g. vulnerability scanning and password brute force attacks) was being bounced through U.S.-based cloud providers.

Stark’s network has been a favorite of the Russian hacktivist group called **NoName057(16)**, which frequently launches huge distributed denial-of-service (DDoS) attacks against a variety of targets seen as opposed to Moscow. Hummel said NoName’s history suggests they are adept at cycling through new cloud provider accounts, making anti-abuse efforts into a game of whac-a-mole.

“It almost doesn’t matter if the cloud provider is on point and takes it down because the bad guys will just spin up a new one,” he said. “Even if they’re only able to use it for an hour, they’ve already done their damage. It’s a really difficult problem.”

Edwards said Amazon declined to specify whether the banned Funnull users were operating using compromised accounts or stolen payment card data, or something else.

“I’m surprised they wanted to lean into ‘We’ve caught this 1,200+ times and have taken these down!’ and yet didn’t connect that each of those IPs was mapped to \[the same\] Chinese CDN,” he said. “We’re just thankful Amazon confirmed that account mules are being used for this and it isn’t some front-door relationship. We haven’t heard the same thing from Microsoft but it’s very likely that the same thing is happening.”

Funnull wasn’t always a bulletproof hosting network for scam sites. Prior to 2022, the network was known as **Anjie CDN**, based in the Philippines. One of Anjie’s properties was a website called **funnull\[.\]app**. Loading that domain reveals a pop-up message by the original Anjie CDN owner, who said their operations had been seized by an entity known as **Fangneng CDN** and **ACB Group**, the parent company of Funnull.

A machine-translated message from the former owner of Anjie CDN, a Chinese content delivery network that is now Funnull.

“After I got into trouble, the company was managed by my family,” the message explains. “Because my family was isolated and helpless, they were persuaded by villains to sell the company. Recently, many companies have contacted my family and threatened them, believing that Fangneng CDN used penetration and mirroring technology through customer domain names to steal member information and financial transactions, and stole customer programs by renting and selling servers. This matter has nothing to do with me and my family. Please contact Fangneng CDN to resolve it.”

In January 2024, the **U.S. Department of Commerce** issued a proposed rule that would require cloud providers to create a “Customer Identification Program” that includes procedures to collect data sufficient to determine whether each potential customer is a foreign or U.S. person.

According to the law firm **Crowell & Moring LLP**, the Commerce rule also would require “infrastructure as a service” (IaaS) providers to report knowledge of any transactions with foreign persons that might allow the foreign entity to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.

“The proposed rulemaking has garnered global attention, as its cross-border data collection requirements are unprecedented in the cloud computing space,” Crowell wrote. “To the extent the U.S. alone imposes these requirements, there is concern that U.S. IaaS providers could face a competitive disadvantage, as U.S. allies have not yet announced similar foreign customer identification requirements.”

It remains unclear if the new White House administration will push forward with the requirements. The Commerce action was mandated as part of an executive order President Trump issued a day before leaving office in January 2021.

Tag

#mac