Thanks to drastic policy changes in the US and Big Tech’s embrace of the second Trump administration, many people are moving their digital lives abroad. Here are a few options to get you started.

From your email to your web browsing, it’s highly likely that your daily online life is dominated by a small number of tech giants—namely Google, Microsoft, and Apple. But since Big Tech has been cozying up to the second Trump administration, which has taken an aggressive stance on foreign policy, and Elon Musk’s so-called Department of Government Efficiency (DOGE) has ravaged through the government, some attitudes towards using US-based digital services have been changing.

While movements to shift from US digital services aren’t new, they’ve intensified in recent months. Companies in Europe have started moving away from some US cloud giants in favor of services that handle data locally, and there have been efforts from officials in Europe to shift to homegrown tech that has fewer perceived risks. For example, the French and German governments have created their own Docs word processor to rival Google Docs.

Meanwhile, one consumer poll released in March had 62 percent of people from nine European countries saying that large US tech companies were a threat to the continent’s sovereignty. At the same time, lists of non-US tech alternatives and European-based tech options have seen a surge in visitors in recent months.

For three of the most widely used tech services—email, web browsers, and search engines—we’ve been through some of the alternatives that are privacy-focused and picked some options you may want to consider. Other options are available, but these organizations and companies aim to minimize data they collect and often put privacy first.

There are caveats, though. While many of the services on this list are based outside of the US, there’s still the potential that some of them rely upon Big Tech services themselves—for instance, some search engines can use results or indexes provided by Big Tech, while companies may use software or services, such as cloud hosting, that are created by US tech firms. So trying to distance yourself entirely may not be as straightforward as it first looks.

**Web Browsers**

Mullvad

Based in Sweden, Mullvad is perhaps best known for its VPN, but in 2023 the organization teamed up with digital anonymity service Tor to create the Mullvad Browser. The open source browser, which is available only on desktop, says it collects no user data and is focused on privacy. The browser has been designed to stop people from tracking you via browser fingerprinting as you move around the web, plus it has a “private mode” that isolates tracking cookies enabled by default. “The underlying policy of Mullvad is that we never store any activity logs of any kind,” its privacy policy says. The browser is designed to work with Mullvad’s VPN but is also compatible with any VPN that you might use.

Vivaldi

WIRED’s Scott Gilbertson swears by Vivaldi and has called it the web’s best browser. Available on desktop and mobile, the Norwegian-headquartered browser says it doesn’t profile your behavior. “The sites you visit, what you type in the browser, your downloads, we have no access to that data,” the company says. “It either stays on your local machine or gets encrypted.” It also blocks trackers and hosts data in Iceland, which has strong data protection laws. Its privacy policy says it anonymizes IP addresses and doesn’t share browsing data.

**Search Engines**

Qwant French search engine Qwant has built its own search index, crawling more than 20 billion pages to create its own records of the web. Creating a search index is a hugely costly, laborious process, and as a result, many alternative search engines will not create an extensive index and instead use search results from Google or Microsoft’s Bing—enhancing them with their own data and algorithms. Qwant says it uses Bing to “supplement” search results that it hasn’t indexed. Beyond this, Qwant says it does not use targeted advertising, or store people’s search history. “Your data remains confidential, and the processing of your data remains the same,” the company says in its privacy policy.

Mojeek

Mojeek, based out of the United Kingdom, has built its own web crawler and index, saying that its search results are “100% independent.” The search engine does not track you, it says in its privacy policy, and only keeps some specific logs of information. “Mojeek removes any possibility of tracking or identifying any particular user,” its privacy policy says. It uses its own algorithms to rank search results, not using click or personalization data to create ranks, and says that this can mean two people searching for the same thing while in different countries can receive the same search results.

Startpage

Based in the Netherlands, Startpage says that when you make a search request, the first thing that happens is it removes your IP address and personal data—it doesn’t use any tracking cookies, it says. The company uses Google and Bing to provide its search results but says it acts as an “intermediary” between you and the providers. “Startpage submits your query to Google and Bing anonymously on your behalf, then returns the results to you, privately,” it says on its website. “Google and Microsoft do not know who made the search request—instead, they only see Startpage.”

Ecosia

Nonprofit search engine Ecosia uses the money it makes to help plant trees. The company also offers various privacy promises when you search with it, too. Based in Germany, the company says it doesn’t collect excessive data and doesn’t use search data to personalize ads. Like other search alternatives, Ecosia uses Google’s and Bing’s search results (you can pick which one in the settings). “We only collect and process data that is necessary to provide you with the best search results (which includes your IP address, search terms and session behavioral data),” the company says on its website. The information it collects is gathered to provide search results from its Big Tech partners and detect fraud, it says. (At the end of 2024, Ecosia partnered with Qwant to build more search engine infrastructure in Europe).

**Email Providers**

ProtonMail

Based in Switzerland, Proton started with a privacy-focused email service and has built out a series of apps, including cloud storage, docs, and a VPN to rival Google. The company says it cannot read any messages in people’s inboxes, and it offers end-to-end encryption for emails sent to other Proton Mail addresses, as well as a way to send password protected emails to non Proton accounts. It blocks trackers in emails and has multiple account options, including both free and paid choices. Its privacy policy describes what information the company has access to, which includes sender and recipient email addresses, plus IP addresses where messages arrive from, message subject lines, and when emails are sent. (Despite Switzerland’s strong privacy laws, the government has recently announced it may require encrypted services to keep user’s data, something that Proton has pushed back on).

Tuta

Tuta, which used to be called Tutanota and is based in Germany, says it encrypts email content, subject lines, calendars, address books, and other data in your inbox. “The only unencrypted data are mail addresses of users as well as senders and recipients of emails,” it says on its website, adding that users' encryption keys cannot be accessed by developers. Like Proton, emails sent between Tuta accounts are end-to-end encrypted, and you can send password protected emails when messaging an account from another email provider. The company also has an end-to-end encrypted calendar and offers both free and paid plans.

The Privacy-Friendly Tech to Replace Your US-Based Email, Browser, and Search

The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload.
The attack chain is a departure from the threat actor's previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, Recorded Future's Insikt Group said in an analysis.
"Given TAG-110's historical

Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents

SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

The full source code of SilverRAT, a notorious remote access trojan (RAT), has been leaked online briefly appearing on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly taken down.

A snapshot of the repository, captured by Hackread.com via the Wayback Machine, reveals the entire project, its features, build instructions, and even a flashy marketing-style dashboard screenshot.

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****What Is SilverRAT?****

SilverRAT is a remote access trojan developed in C#, first surfacing in late 2023. It was attributed to a group known as **Anonymous Arabic**, believed to operate out of Syria. This tool gives attackers control over infected Windows systems, offering a range of malicious capabilities.

Researchers who have analyzed SilverRAT say it has become popular in underground forums, where it’s offered as malware-as-a-service (MaaS). Its feature set includes:

*   Cryptocurrency wallet monitoring
*   Hidden applications and processes
*   Data exfiltration through Discord webhooks
*   Exploit builders for Word, Excel, VBScript, and JavaScript files
*   Antivirus bypass and binder functions to bundle multiple payloads
*   Hidden RDP and VNC sessions (allowing attackers to take over a system invisibly)
*   Password stealing from browsers, apps, games, bank cards, Wi-Fi, and system credentials

The malware’s design and use of Arabic-language components suggest its roots lie in the Middle East, though it’s been observed in campaigns targeting victims globally. The developer behind SilverRAT has been identified as noradlb1, publicly known as MonsterMC.

****Details of the Source Code Leak****

The leaked GitHub repository, posted by a user named Jantonzz, claimed to share the “latest version” of SilverRAT. The project included Visual Studio solution files, build instructions, and code modules that could be easily compiled by anyone with basic .NET knowledge.

The repository description boasted that the RAT is “provided for learning and experimentation purposes only,” though the long list of weaponized features leaves little doubt about its real-world criminal applications. It even promised a “Private Stub,” a customized, fully undetectable (FUD) version that would supposedly be delivered by email within two days.

Within hours, GitHub took down the repository, likely in response to reports or automatic detection of malware content. However, the brief window of public access was enough for the snapshot to be archived and circulated in security research circles.

As of now, the repository has been removed from GitHub, but the archived snapshot (attached below) shows its full content, including the dashboard image, build files, and README instructions:

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****Legitimacy and Consequences****

While leaked malware source code often comes with a disclaimer of being “for educational purposes,” the reality is that these leaks can boost cybercrime. With SilverRAT now available to the public, even low-level cybercriminals without programming skills can compile their own copies, modify the malware, or create new variants.

Given that the original developer is believed to have connections to Arabic-speaking cybercrime groups, this leak could expand the malware’s reach to new regions and actors.

****Apparently Not the First Time****

While researching SilverRAT, we found that its source code has also been sold on the notorious Russian cybercrime forum XSS. In a February 2025 post, a seller was offering the full source code for just $100.

SilverRAT Source Code Leaked Online: Here’s What You Need to Know

Hackers. AI data scrapes. Government surveillance. Thinking about where to start when it comes to protecting your online privacy can be overwhelming. Here’s a simple guide for you—and anyone who claims they have nothing to hide.

With President Donald Trump’s return to the White House and the US government’s digital surveillance machine more powerful than ever, digital privacy should be top of mind. But the digital security world can be confusing—and there’s the larger question of why. You may think, if I’m just a regular person, why is my digital privacy important?

Then there are the practical questions. What’s the best password manager? How can you keep your digital life under wraps at the border? And what kind of VPN should you be using? Is AI scraping my data?

WIRED senior writer and security expert Matt Burgess spoke with readers in a Reddit AMA this month about the basics of keeping your digital footprint locked down. Here’s what to know and why it’s important.

**What is your advice for a quick win in terms of improving digital security for the everyday person? Or for someone who isn’t tech-savvy?**

I think the one big thing people can do to improve their security is make sure that multifactor authentication is turned on for as many online accounts as possible. That way if anyone gets access to your password or login details, they’ll also need to have another way to authenticate the login attempt (such as the codes generated by an authentication app), and it's highly unlikely that hackers will have access to that.

Other quick and relatively straightforward changes you can make are to use privacy-friendly browsers and search engines and to use a password manager (the one on your phone or browser is better than nothing at all) and create unique passwords for each service you use.

**There are so many privacy tips out there, and it all feels important, but trying to do everything at once can be overwhelming. What are the things people should prioritize when making changes to their online habits?**

Improving privacy is something that’s ongoing, and if you try to do everything at once then it’s too off-putting. Take it one small step at a time.

If I was starting now, I’d go with:

1.  Switching to a more privacy-focused browser. I alternate between Brave, Firefox and Safari.
2.  Then using a privacy-focused search engine too (such as DuckDuckGo).
3.  Trying to use services that minimize data collection (for instance, messaging app Signal doesn’t collect user data and is the gold standard of end-to-end encryption).

**What’s a good non-US-based VPN?**

Our favorite VPN at WIRED is currently Proton VPN, which is based in Switzerland. Proton VPN also offers the best free VPN. Unlike most services, ProtonVPN's free version gives full access to all the regular plan's features. It is limited to a single device, and there are only three server locations (Japan, Netherlands, and the US), but everything else is the same. If your needs are limited and you want to keep costs down, this is a good option. See our full guide to VPNs here.

**How do I deal with having to have a new account for every service and website? Should I be using new email addresses?**

A new email address for every account is a big undertaking! I’d recommend having an email address for the accounts that are most important to you and then having one that you use to sign up for things that are less important. There are also services that will let you create “burner” emails that you can use to sign-up with services, and if you use an Apple device there’s a “Hide My Email” setting.

**What tips would you offer to those looking to keep their digital privacy while crossing the US border (or otherwise entering or exiting the States)?**

It really depends on what levels of risk you as an individual could face. Some people traveling across the border are likely to face higher scrutiny than others—for instance nationality, citizenship, and profession could all make a difference. Even what you’ve said on social media or in messaging apps could potentially be used against you.

Personally, the first thing I would do is think about what is on my phone: the kind of messages I have sent (and received), what I have posted publicly, and log out (or remove) what I consider to be the most sensitive apps from my phone (such as email). A burner phone might seem like a good idea, although this isn’t the right idea for everyone and it could bring more suspicion on you. It’s better to have a travel phone—one that you only use for travel that has nothing sensitive on it or connected to it.

My colleague Andy Greenberg and I have put together a guide that covers a lot more than this: such as pre-travel steps you can take, locking down your devices, how to think about passwords, and minimizing the data you are carrying. It’s here. Also, senior writer Lily Hay Newman and I have produced a (long) guide specifically about phone searches at the US border.

**Would you recommend against having a device like Alexa in your home? Or are there particular products or steps you can take to make a smart device more secure?**

Something that’s always listening in your home—what could go wrong? It’s definitely not great for overall surveillance culture.

Recently Amazon also reduced some of the privacy options for Alexa devices. So if you’re going to use a smart speaker, then I’d look into what each device’s privacy settings are and then go from there.

**How do you see people's willingness to hand over information about their lives to AI playing into surveillance?**

The amount of data that AI companies have—and continue to—hoover up really bothers me. There’s no doubt that AI tools can be useful in some settings and to some people (personally, I seldom use generative AI). But I would generally say people don’t have enough awareness about how much they’re sharing with chatbots and the companies that own them. Tech companies have scraped vast swathes of the web to gather the data they claim is needed to create generative AI—often with little regard for content creators, copyright laws, or privacy. On top of this, increasingly, firms with reams of people’s posts are looking to get in on the AI gold rush by selling or licensing that information.

For the everyday person, I’d warn them not to enter personal details or sensitive business information! We also have a more thorough guide here.

**Are personal data removal services worthwhile, or are they just another vector for data thieves?**

Whether data removal services are worthwhile or not probably depends on where you are based in the world: I’m in Europe where there’s GDPR and stricter privacy laws, and when I have used a data removal service, it hasn’t turned up too much. But in the US, there’s no comprehensive federal privacy law—that really should change—and they may be more useful.

Much of what can be done by data removal services, you can also do yourself. Consumer Reports recently did a good evaluation of data removal services.

**What is your preferred response for people who claim they have nothing to hide?**

I think in a lot of cases when people claim they have nothing to hide, they often jump to thinking about illegal or malicious things. When in fact, privacy, for me, isn’t about “hiding” things at all. You should be able to have the space—both in the physical and digital world—to not be surveilled or have your actions tracked. People should be able to act without intrusion from others—that doesn’t mean you’re hiding anything, but you just don’t want to share everything you do with everyone (or anyone). And really that’s why privacy is considered a fundamental human right.

I actually like a lot of the answers that people sent in to Amnesty International about how they respond to the point of “not having anything to hide.”

_With files from Scott Gilbertson._

A Starter Guide to Protecting Your Data From Hackers and Corporations

A list of topics we covered in the week of May 19 to May 25 of 2025

May 22, 2025 - The Lumma infostealer infrastructure has suffered a serious blow by a coordinated action of the DOJ and Microsoft.

May 22, 2025 - A stalkerware company that recently leaked millions of users' personal information online has taken all of its assets offline without any explanation.

May 22, 2025 - Cybercriminals are using AI-based tools to generate voice clones of the voices of senior US officials in order to scam people.

May 20, 2025 - The bankrupt 23andMe, along with all of its genetic data, has been bought by US drugmaker Regeneron Pharmaceuticals.

May 20, 2025 - You'd hope that spending $6,000 on a printer would give you a secure experience, free from viruses and other malware. However, in the case of Procolored printers, you'd be wrong.

 A week in security (May 19 &#8211; May 25) 

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69…

SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69 million IMSI units and 9.82 GB of USIM data. Discover the telco’s security upgrades & future plans after the massive breach.

A recent data breach at South Korean telecommunications giant SK Telecom was, reportedly, much more deeply rooted than initially thought, with the intrusion remaining hidden for nearly two years. The company announced on Monday that the malware has gone undetected since at least June 2022.

The attack, disclosed in April, affected a significant portion of SK Telecom’s 23 million customers, compromising personal and financial details. The Ministry of Science and ICT, along with a joint team of public and private investigators, revealed that the attack compromised a significant portion of SK Telecom’s user data.

Specifically, approximately 26.69 million International Mobile Subscriber Identity (IMSI) units were leaked. IMSI is a unique 15-digit or shorter number that identifies and authenticates each mobile subscriber. Moreover, investigators identified 25 types of malware and quarantined 23 affected servers, claiming that 9.82 gigabytes of USIM information were compromised.

****Responding to the Breach****

In response to the security lapse, SK Telecom has implemented a series of preventative measures. The company has temporarily stopped new subscriber sign-ups and initiated a nationwide program to replace SIM cards as a safeguard.

Furthermore, they have rolled out an upgraded fraud detection system, FDS 2.0, which uses a “triple-factor authentication” process to prevent unauthorized SIM and device cloning. This enhanced security is now automatically applied across their network.

SK Telecom has also emphasized that no actual customer damages or instances of “terminal cloning” have been reported so far and all attempts at phone or SIM card piracy are now blocked at the network level, with three layers of verification to confirm the legitimacy of the subscriber, SIM card, and device. The company has pledged to “take full responsibility for any damages” that may arise from the breach, offering to replace the USIM of all 25 million subscribers, including 2 million budget phone users, for free.

****National Security Concerns and Future Steps****

SK Group chairman Chey Tae-won issued an apology to customers earlier in May, highlighting the severity of the incident by stating it “needs to be looked at as a matter of national defence.”

The malware used in the attack is believed to be BPFdoor, which can bypass authentication. It is typically used by hacking groups linked to China. Although no specific group has claimed responsibility, the chairman’s concerns and the identified malware align with similar tactics observed in recent attacks on US telecom companies.

Beyond technical upgrades, SK Telecom is also enhancing customer support. Starting May 19, the company plans to offer “mobile service” visits to remote areas, explaining SIM protection services and providing on-site SIM replacements and resets. These efforts highlight the company’s commitment to rebuilding customer trust and strengthening cybersecurity to counter cybersecurity threats.

SK Telecom Uncovers Two-Year Malware Attack, Leaking 26M IMSI Records

Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

This week, WIRED launched our Rogues issue—which included going a bit rough ourselves. WIRED senior correspondent Andy Greenberg flew to Louisiana to see how easy it would be to recreate the 3D-printed gun authorities say they found on Luigi Mangione when they arrested him for the murder of UnitedHealthcare's CEO. The result? It was both easy and legal.

On Wednesday, US, European, and Japanese authorities announced the disruption of one of the world's most widely used infostealer malware. Known as Lumma, the malware was used to steal sensitive information from victims around the world, including passwords, banking information, and cryptocurrency wallets details, according to authorities. Microsoft's Digital Crime Unit aided in the operation, taking down some 2,300 URLs that served as the Lumma infrastructure.

A mysterious database containing more than 184 million records was taken down this week following its discovery by security researcher Jeremiah Fowler. The database contained 47 GB of data, which included information related to Amazon, Apple, Discord, Facebook, Google, Instagram, Microsoft, Netflix, Nintendo, PayPal, Snapchat, Spotify, Twitter, WordPress, Yahoo, and more.

In other news, the US charged 16 Russian nationals for allegedly operating the DanaBot malware, which authorities say was used in a wide variety of attacks, from ransomware to espionage. And a recent webinar revealed how a major venture capitalist helped get Starlink satellite internet activated for Israel following the October 7, 2023 attack by Hamas.

But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The US intelligence community is looking to create a marketplace where private information gathered by data brokers under the guise of marketing can be purchased by American spies, The Intercept reports. Contracting data shows the US spy agencies intend to create a “Intelligence Community Data Consortium” that uses AI tools to sift through people’s personal data; information that the Office of the Director of National Intelligence has previously acknowledged “could facilitate blackmail, stalking, harassment, and public shaming.” In addition to providing insight into Americans’ behaviors and religious and political beliefs, commercial data frequently includes precise location information, offering the US government the ability to surveil people’s movements without acquiring a warrant—exploiting a widely recognized loophole in US privacy law.

Federal lawmakers attempted to ban the US government from buying what it calls “commercially accessible information” last year, with the Republican-controlled House passing a version of a law known as the “Fourth Amendment Is Not For Sale Act.” However, the US Senate, then controlled by the Democratic Party, rejected the legislation.

Reporting by WIRED has repeatedly demonstrated how such data can offer US adversaries the ability to monitor the movements of US military and intelligence personnel, including in and around sensitive facilities that house nuclear arms.

**A Mysterious Hacking Group Is Revealed to Work for the Spanish Government**

Back in 2014, Russian security firm Kaspersky announced it had discovered a sophisticated hacking group it called Careto, Spanish for “Ugly Face” or “Mask,” that had targeted victims across Europe and Cuba. Now, more than a decade later, former employees of the company have finally confirmed what Kaspersky wouldn’t spell out at the time: That they believe Careto was a rare sighting of hackers working on behalf of the Spanish government. Careto’s targets included energy companies, research institutions, and activists, but it particularly focused on Cuba, likely due to the island nation’s giving refuge to members of a Spanish separatist group designated as terrorists by several European countries. Kaspersky’s researchers found a Spanish phrase in the hackers’ malware code that translates to “I shit in the sea,” an expletive phrase typically used by Spaniards but not other Spanish speakers. Given the sophistication of Careto’s hacking, the public confirmation of Kaspersky’s attribution to Spain adds another known player to the game of high-level state-sponsored hacking.

**Signal Introduces New Feature to Block Screenshots by Microsoft Recall**

Microsoft’s Recall feature, which constantly takes and archives screenshots of Windows users’ activity, still represents a serious privacy problem—even after Microsoft significantly walked back its rollout in response to criticism. So the encrypted messaging app Signal has gone so far as to exploit a digital rights management feature of Windows typically used to protect copyrighted materials to block Recall from taking screenshots of the app by default on Windows machines. After all, the Recall feature—which will likely be required for some corporate or government users—will essentially remove any privacy promise from Signal’s disappearing messages feature for both Recall users and anyone communicating with them. The screenshot-prevention feature can be turned off in Signal’s settings, but it will be turned on by default in Windows. “Microsoft has simply given us no other option,” Signal wrote in a blog post.

**Russia’s Fancy Bear Hackers Targeted Security Cameras to Spy on Ukraine Aid**

The hacker group within Russia’s GRU military intelligence agency known as APT28 or Fancy Bear first rose to infamy for its targeting of the 2016 US election, but it’s no surprise that the group has more recently focused on Ukraine. According to a new assessment from no fewer than 11 countries’ intelligence agencies, the hacker group has been targeting a broad array of technology and logistics firms involved in providing aid to Ukraine. “Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign, the advisory reads. Perhaps most notable about the agencies’ accusations is that the hackers targeted 10,000 security cameras in countries bordering Ukraine, including at border crossings, military facilities, and train stations. According to the agencies, the GRU hackers also carried out reconnaissance of the network of at least one producer of industrial control system components for railway systems—suggesting a possible intention to attempt sabotage—but didn’t actually succeed in breaching the company.

**US Indicts Russian National Over Qakbot Malware**

The US Department of Justice on Thursday indicted a Russian national, Rustam Gallyamov, on allegations that he designed software that was widely used by ransomware gangs and is known to have infected hundreds of thousands of computers, netting the gangs roughly $8.6 million in profit, according to DOJ figures. Prosecutors say more than $24 million was seized from Gallyamov, 48, over the course of its investigation. Federal charges unsealed this week allege that Gallyamov himself gained access to victims’ computers and provided it to an array of cybercriminal organizations, including Dopplepaymer, REvil, Black Basta, and Cactus, among others.

The investigation into the now disrupted malware, known as Qakbot, was announced in August 2023 under former US attorney general Merrick Garland, who credited a multinational operation that included Europol and prosecutors and law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. Agencies of Canada and Denmark have also been credited in the investigation that targeted Gallyamov.

The US Is Building a One-Stop Shop for Buying Your Data

Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.

A new report from Cofense Intelligence reveals a troubling trend in cyberattacks: criminals are increasingly hijacking legitimate Remote Access Tools (RATs) to infiltrate computer systems. Unlike malicious software specifically designed for hacking, these tools are built for lawful purposes, often used by IT professionals in companies. Their genuine nature makes them particularly dangerous, as they can bypass traditional security measures and user suspicion.

****The Deception of Legitimate RATs****

Threat actors are leveraging the inherent trust in these tools to gain access to victim machines, researchers noted in the blog post shared with Hackread.com. Once installed, these legitimate RATs become a gateway for delivering further harmful programs, spying on user activities, or stealing sensitive information like passwords and confidential business records. The versatility of these tools, combined with their appearance of being trustworthy software, makes them a potent weapon in the hands of cybercriminals.

Cofense Intelligence highlighted several frequently abused legitimate RATs. ConnectWise ScreenConnect, previously known as ConnectWise Control and ScreenConnect, emerged as the most popular choice for attackers in 2024, appearing in 56% of active threat reports involving legitimate RATs.

“ConnectWise RAT is the most popularly abused legitimate remote access tool and accounted for 56% of all active threat reports (ATRs) with legitimate remote access tools in 2024,” wrote Kahng An from Cofense’s Intelligence Team in their report.

Its popularity is surging further in 2025, with current attack volumes already matching those seen throughout last year. Another tool, FleetDeck, saw a surge in use during the summer of 2024, particularly targeting German and French speakers with finance-themed lures.

****Common Attack Methods and Global Impact****

Attackers employ various methods to trick victims into installing these tools. For ConnectWise ScreenConnect, notable campaigns include spoofing the US Social Security Administration with emails falsely claiming to offer updated benefit statements.

Source: Cofense  

These emails often contain links to fake PDF files or directly to the RAT installer. Another tactic observed since February 5, 2025, involves emails pretending to be notifications about shared files on “filesfm,” leading victims to download a seemingly legitimate OneDrive client that is, in fact, the ConnectWise RAT installer.

According to Cofense, other legitimate RATs are also being exploited. Atera, a comprehensive remote monitoring and management suite that integrates with tools like Splashtop, has been used in campaigns targeting Portuguese speakers in Brazil with fake legal notices and invoices since October 2024.

Source: Cofense

Smaller, less common RATs like LogMeIn Resolve (GoTo RAT), Gooxion RAT, PDQ Connect, Mesh Agent, N-Able, and Teramind have also been observed in various, often localized, campaigns.

The ease and low cost of acquiring these tools allow attackers to quickly switch between different ones, posing a continuous challenge for cybersecurity protection, Cofense researchers concluded, adding that such campaigns are typically one-off events that are hard to sustain.

“These campaigns are generally one-off events and do not appear to be sustained over time. It is possible that the threat actors quickly pivot between different RATs because of the overall large number of different options that are available on the market.”

ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks

Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.

Friday, May 23, 2025 06:00

_By Darin Smith and John Arneson_

*   Cisco Talos reviewed six months of network connection telemetry logs spanning June 1, 2024 – Dec. 31, 2024, containing 3,220,829 log events and 742 unique base domains, to explore if domains that PowerShell rarely contacts are more likely to be malicious. 
*   Key findings reveal that the odds of a rare domain being malicious were 3.18 times higher than for frequently contacted domains (95% CI: 0.39–25.9), suggesting a trend towards higher risk in rare domains. 
*   Notably, the non-rare domain ‘githubusercontent.com’ was flagged as malicious due to activity from its subdomain ‘raw.githubusercontent.com’. This is an example of why subdomains should be considered when looking for malicious network traffic, especially for cloud services where the service itself is legitimate, but the content hosted on it is not guaranteed to be.  

**Research Methodology ****Hypothesis**

At a sufficiently high volume of telemetry, domain names that PowerShell rarely connects to are more likely to be malicious than domains that are frequently connected to, regardless of PowerShell module. 

**Data Collection **

Talos queried telemetry for PowerShell network connection logs from a time period of June 1, 2024 to Dec. 31, 2024. This dataset included the following processes: ‘powershell.exe’, ‘powershell studio.exe’, ‘powershell\_ise.exe’, ‘powershelltools.exe’, ‘powershelltoolsx64.exe’, ‘pwsh’, and ‘pwsh.exe’. All of these processes are different versions of PowerShell. Talos excluded non-public top-level domains (TLDs), such as internal domains, to focus on external connections.  

**Data Processing**

Using the tldextract library, Talos extracted base domains (e.g., ‘automox.com’ from ‘api.automox.com’), resulting in 742 unique base domains. Rarity was defined as an average of ≤5 average contacts per full domain, calculated by dividing the total contacts by the number of unique full domains per base domain. This threshold identified 550 rare domains (74.1% of the total).  

**Threat Intelligence and Manual Review **

Talos assessed domain reputation using ReversingLabs (RL), which flagged a domain as malicious if any third-party source indicated so. To mitigate false positives (e.g., ‘adobe.com’), 29 domains were manually reviewed and overridden as benign, and their process arguments were documented. For subdomains such as ‘raw.githubusercontent.com’ under ‘githubusercontent.com’, the process arguments in those logs were manually reviewed, flagging 5 out of 10 connections as malicious based on commands like downloading PowerSploit or executing Invoke-Mimikatz, ensuring comprehensive threat detection.

**Findings & Analysis ****Domain Contact Distribution **

The distribution of contacts was heavily skewed: 

*   **Percentiles**: 60th percentile at 5.0 contacts, 90th at 82.0, 95th at 321.55, and 99th at 7,925.87 
*   **Top Domains**: ‘automox.com’ (2,282,308 contacts), ‘launchdarkly.com’ (493,812), and ‘amazonaws.com’ (166,536) accounted for most activity.
    *   Automox is a service for automated endpoint configuration and patch management.
    *   LaunchDarkly is a software development platform for managing feature flags and context-aware targeting of features.
    *   Amazon Web Services (AWS) is the largest cloud service provider. 
*   **Rare Domains**: 550 of 742 domains fell into the rare category.

Figure 1. Cumulative distribution of domain contact frequencies. 

**Malicious Domain Statistics **

*   **Rare Domains**: 9 malicious out of 550 (1.64%, 95% CI: 0.86%–3.08%)
*   **Non-Rare Domains**: 1 malicious out of 192 (0.52%, 95% CI: 0.09%–2.89%), notably ‘githubusercontent.com’
*   **Odds Ratio**: 3.18 (95% CI: 0.39–25.9), indicating a trend towards higher risk in rare domains, though not statistically significant (chi-square p=0.4291, Fisher’s exact p=0.4668), likely due to small sample sizes (9 rare, 1 non-rare) 

Figure 2. Malicious rates by domain rarity.

**Case Study: githubusercontent.com **

The non-rare domain ‘githubusercontent.com’ (38 contacts, 2 full domains: ‘raw.githubusercontent.com’ and ‘objects.githubusercontent.com’, average 19.00 contacts per full domain) was flagged as malicious due to 5 manually identified malicious contacts from ‘raw.githubusercontent.com’. These contacts involved potentially malicious PowerShell commands, such as downloading and executing scripts like PowerSploit or Invoke-Mimikatz. The other subdomain, ‘objects.githubusercontent.com’ (28 contacts), showed no malicious activity. This finding illustrates that even frequently contacted domains can host malicious subdomains, emphasizing the need for subdomain-level analysis in threat detection.

**Comparison to other Processes **

Another research question investigated was how the domains contacted by other similar processes would compare to those contacted by PowerShell. For the purposes of this research, Talos chose the following processes for analysis: 

*   ‘rundll32.exe’ 
*   Python (including macOS and Windows versions) 
*   ‘cmd.exe’ 
*   ‘cscript.exe’ 
*   ‘wscript.exe’ 
*   ‘bash’ 
*   ‘zsh’

These processes are primarily other command line or script interpreters, as well as ‘rundll32.exe’, which allows executing Dynamically Linked Libraries (DLLs) from the command line.

When the same heuristics as were utilized for PowerShell were applied to the domains contacted by these processes, the results varied somewhat. Across 156,203 total connection records for ‘rundll32.exe’, 940 unique domains were contacted. Of these, 722 of these domains were “rare,” using the same heuristic applied to PowerShell (i.e., they were contacted at most five times). Only one of the domains contacted was found to be malicious, either among the rare domains or the non-rare domains.

Similarly, among 795,346 total connection records for Python, 825 unique domains were contacted and 616 were rare using the same criteria. None of the rare domains were malicious, while 1 of the non-rare domains was. The processes cscript, cmd, zsh and csh had similar results, with no or single digit numbers of malicious domains contacted. However, wscript was much more interesting. It had a much smaller amount of total utilization in the dataset investigated, with just 6,936 connection events and 82 unique domains contacted. Of these, 58 domains were rare (or roughly 71%), and 5 were found to be malicious.

**Recommendations **

*   **Prioritize Rare Domains**: Security teams should focus investigations on rare domains due to their higher likelihood of being malicious, despite statistical non-significance. This finding applies primarily to PowerShell and wscript among the processes considered in this research.  
*   **Subdomain Analysis**: For frequently contacted domains, analyze subdomains and process arguments to detect malicious activity, as demonstrated with ‘githubusercontent.com’. 
*   **Integrate Manual Review**: Combine automated threat intelligence with manual reviews to reduce false positives and identify nuanced threats, particularly in high-contact domains. 
*   **Investigate Anomalous Utilization of ‘wscript.exe’:** Some environments may still commonly utilize wscript. However, this research suggests that in environments where it is rare, it has the highest likelihood to be used to connect to malicious domains of the processes researched.

**Future Work **

This research presents several opportunities for future research. One opportunity is temporal analysis to determine if there were time-based patterns for contacting domains, and if so, determining if these patterns could be used to identify malicious activity. This could potentially include seeing increased contacts of malicious domains during weekends or off-hours. Time-series analysis could be applied to the data to test this hypothesis.

Another opportunity is the behavioral analysis of process arguments, focusing on identifying recurring patterns tied to malicious activity, such as downloading PowerShell scripts from a remote host, or exfiltration of data. This could be used to refine the current rarity to malicious correlation of 1.64% for rare domains versus 0.52% for non-rare domains. This may spotlight behavioral red flags and give actionable insights for more precision detection logic.

Finally, future research can develop a risk scoring system that integrates multiple factors such as contact frequency, malicious rate, TLDs and even ReversingLabs’ network threat intelligence. This can provide a scalable and practical tool for security teams to prioritize high-risk domains, whether rare or non-rare like ‘githubusercontent.com’. This builds on the current analysis but also paves the way for more robust, data-driven strategies to combat threats, ensuring this research delivers lasting value to the security community.

Scarcity signals: Are rare activities red flags?

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling **DanaBot**, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The **FBI** says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

DanaBot’s features, as promoted on its support site. Image: welivesecurity.com.

Initially spotted in May 2018 by researchers at the email security firm **Proofpoint**, DanaBot is a malware-as-a-service platform that specializes in credential theft and banking fraud.

Today, the **U.S. Department of Justice** unsealed a criminal complaint and indictment from 2022, which said the FBI identified at least 40 affiliates who were paying between $3,000 and $4,000 a month for access to the information stealer platform.

The government says the malware infected more than 300,000 systems globally, causing estimated losses of more than $50 million. The ringleaders of the DanaBot conspiracy are named as **Aleksandr Stepanov**, 39, a.k.a. “**JimmBee**,” and **Artem Aleksandrovich Kalinkin**, 34, a.k.a. “**Onix**”, both of Novosibirsk, Russia. Kalinkin is an IT engineer for the Russian state-owned energy giant **Gazprom**. His Facebook profile name is “Maffiozi.”

According to the FBI, there were at least two major versions of DanaBot; the first was sold between 2018 and June 2020, when the malware stopped being offered on Russian cybercrime forums. The government alleges that the second version of DanaBot — emerging in January 2021 — was provided to co-conspirators for use in targeting military, diplomatic and non-governmental organization computers in several countries, including the United States, Belarus, the United Kingdom, Germany, and Russia.

“Unindicted co-conspirators would use the Espionage Variant to compromise computers around the world and steal sensitive diplomatic communications, credentials, and other data from these targeted victims,” reads a grand jury indictment dated Sept. 20, 2022. “This stolen data included financial transactions by diplomatic staff, correspondence concerning day-to-day diplomatic activity, as well as summaries of a particular country’s interactions with the United States.”

The indictment says the FBI in 2022 seized servers used by the DanaBot authors to control their malware, as well as the servers that stored stolen victim data. The government said the server data also show numerous instances in which the DanaBot defendants infected their own PCs, resulting in their credential data being uploaded to stolen data repositories that were seized by the feds.

“In some cases, such self-infections appeared to be deliberately done in order to test, analyze, or improve the malware,” the criminal complaint reads. “In other cases, the infections seemed to be inadvertent – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake.”

Image: welivesecurity.com

A statement from the DOJ says that as part of today’s operation, agents with the **Defense Criminal Investigative Service** (DCIS) seized the DanaBot control servers, including dozens of virtual servers hosted in the United States. The government says it is now working with industry partners to notify DanaBot victims and help remediate infections. The statement credits a number of security firms with providing assistance to the government, including **ESET**, **Flashpoint**, **Google**, **Intel 471**, **Lumen**, **PayPal**, **Proofpoint**, **Team CYMRU**, and **ZScaler**.

It’s not unheard of for financially-oriented malicious software to be repurposed for espionage. A variant of the **ZeuS Trojan**, which was used in countless online banking attacks against companies in the United States and Europe between 2007 and at least 2015, was for a time diverted to espionage tasks by its author.

As detailed in this 2015 story, the author of the ZeuS trojan created a custom version of the malware to serve purely as a spying machine, which scoured infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.

The public charging of the 16 DanaBot defendants comes a day after **Microsoft** joined a slew of tech companies in disrupting the IT infrastructure for another malware-as-a-service offering — Lumma Stealer, which is likewise offered to affiliates under tiered subscription prices ranging from $250 to $1,000 per month. Separately, Microsoft filed a civil lawsuit to seize control over 2,300 domain names used by Lumma Stealer and its affiliates.

Further reading:

Danabot: Analyzing a Fallen Empire

ZScaler blog: DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense

Flashpoint: Operation Endgame DanaBot Malware

Team CYMRU: Inside DanaBot’s Infrastructure: In Support of Operation Endgame II

March 2022 criminal complaint v. Artem Aleksandrovich Kalinkin

September 2022 grand jury indictment naming the 16 defendants

Tag

#mac