In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-jx6p-9c26-g373: Oxidized Web RANCID migration page allows unauthenticated user to gain control over Linux user account

QR phishing is on the rise, tricking users into scanning malicious QR codes. Learn how cybercriminals exploit QR codes and how to protect yourself.

QR codes have become an everyday convenience, allowing quick access to websites, payment platforms, and digital menus with a simple scan. However, as their popularity has grown, so has the interest of cybercriminals looking to exploit them. A not-so-new but lesser-known wave of phishing attacks known as “QR phishing” or “quishing” is on the rise, tricking unsuspecting users into scanning malicious codes that can steal personal information, install malware, or redirect to fraudulent websites.

****How QR Phishing Works****

Cybercriminals have found multiple ways to manipulate QR codes for their scams. One of the most common methods involves placing fake QR codes over legitimate ones. This can happen at restaurants, parking meters, or public spaces where businesses commonly use QR codes for services. When a user scans the fake code, they might be taken to a website that looks legitimate but is designed to steal login credentials, financial information, or other sensitive data.

A real-time example of a malicious QR code on a parking meter in Kirklees, West Yorkshire, England. (Via  Kirklees Council)

Another approach involves sending QR codes via email or text messages, claiming to be from a trusted source like a bank, delivery service, or tech support team. These messages often create a sense of urgency, telling users that their account has been compromised or that they must verify a payment. Once scanned, the user is unknowingly handing over their private information to hackers.

According to Online QR Code, a QR code generating tool, there are different types of QR codes and almost every type of code can be abused by scammers. This means that no matter how a QR code is presented, on a poster, in an email, or even on an official-looking document; there’s always a risk if the source isn’t verified.

****Why QR Phishing Is So Effective****

QR phishing works so well because QR codes themselves don’t immediately show where they lead. Unlike a traditional link, which allows users to hover over and preview the URL, scanning a QR code often takes users directly to the intended site without any immediate warning. On mobile devices, where most QR scans happen, this makes it even easier for scammers to operate undetected.

Additionally, many people trust QR codes because they are widely used by legitimate businesses and organizations. Scammers take advantage of this trust by placing their malicious codes in places where people wouldn’t normally question their authenticity. This is why even the FBI had to issue warnings about QR phishing.

****How to Protect Yourself from QR Phishing****

While QR phishing is a growing threat, there are simple steps you can take to stay safe:

1.  **Verify Before Scanning** – If you see a QR code in a public place, check for signs of tampering. If a sticker looks like it’s been placed over another code, avoid scanning it.
2.  **Preview the URL** – Some smartphone cameras and QR scanner apps allow you to preview the link before opening it. If the URL looks suspicious or doesn’t match the expected destination, don’t proceed.
3.  **Avoid Scanning Codes from Emails or Texts** – Be cautious with QR codes sent via email or text, especially if the message is unexpected or urgent. Instead of scanning, visit the official website of the organization by typing the address directly into your browser.
4.  **Use a QR Code Scanner with Security Features** – Some security apps and QR scanners come with built-in protection that can detect and warn users about malicious links.
5.  **Check for HTTPS and Official Domains** – If you do scan a QR code, look at the URL before entering any personal information. Legitimate websites should have “https” in the address, and the domain should match the official website of the company.
6.  **Be Skeptical of Unsolicited QR Codes** – If you receive a QR code claiming to offer a prize, discount, or urgent security alert, treat it with suspicion. Scammers often use these tactics to lure victims into scanning.
7.  **Keep Your Phone’s Security Updated** – Ensure that your phone’s operating system and security software are up to date. This can help prevent malware infections from malicious sites.

QR codes aren’t going away anytime soon. They’ve become a vital tool in marketing, payments, and everyday interactions. But just like with email phishing and other cyber threats, awareness is key to staying safe. By taking a few extra seconds to verify the source of a QR code before scanning, you can protect yourself from falling victim to these increasingly sophisticated scams.

1.  YouTube Scammers Rake in $600K with QR Codes
2.  Hackers Exploit QR Codes with QRLJacking for Malware
3.  Unicode QR Code Phishing Bypasses Traditional Security
4.  QR Code Scam: Fake Voicemails Hit 1000 Users in 14 Days
5.  Top Barcode Scanner app infected 10m users with malware

The Rise of QR Phishing: How Scammers Exploit QR Codes and How to Stay Safe

Plus: The FBI pins that ByBit theft on North Korea, a malicious app download breaches Disney, spyware targets a priest close to the pope, and more.

As scam compounds in Southeast Asia continue to drive massive campaigns targeting victims around the world, WIRED took a deeper look at how Elon Musk’s satellite internet service provider Starlink is keeping many of those compounds in Myanmar online. Meanwhile, FTC complaints obtained by WIRED allege that an “OpenAI” job scam used Telegram to recruit workers in Bangladesh for months before the fraudsters suddenly disappeared.

WIRED published the inside story of Russian tech executive Vladislav Klyushin, who—at Vladimir Putin’s behest—was part of a notable US-Russia prisoner swap last summer after he was convicted and incarcerated in the US for insider trading that netted him $93 million. Earlier this week, TVs at the headquarters of the Department of Housing and Urban Development in Washington, DC, showed an apparently AI-generated video on loop of Donald Trump kissing Elon Musk’s feet. The words “LONG LIVE THE REAL KING” were superimposed over the video.

WIRED conducted an investigation into Telegram groups devoted to doxing and harassing women who joined “Are We Dating the Same Guy?” groups on Facebook. And, as female entrepreneurs in tech face ever steeper odds of gaining support for a business, a team of female founders got seed funding and completed a series A round in a matter of months for the cloud container security firm Edera.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Trump Administration Backs Off on Countering Russian Cyber Foes**

After years of Russian cyber aggression against the United States and its longtime allies—including repeated election meddling, hack and leak operations, disinformation campaigns, elaborate espionage, and brazen, disruptive cyberattacks—multiple recent actions from the Trump administration have recast the US stance on the cybersecurity threats posed by the Kremlin, downplaying the risks of Russian hackers as US adversaries. The about-face comes as Donald Trump and Russian president Vladimir Putin have increasingly strengthened their ties. Consistent US intelligence community assessments of Russia's activity in cyberspace and the threat it poses to the US would indicate, though, that such a change in approach could put the US at risk.

That deprioritization of the Russia threat has come in several different forms. US State Department deputy assistant secretary for international cybersecurity Liesyl Franz said during a speech in a United Nations working group last week that the US is concerned about digital attacks from China and Iran, but did not mention Russia. A recent memo distributed at the Cybersecurity and Infrastructure Security Agency laid out priorities for the agency, focusing on China and defense of US systems but omitted any reference to Russia. And on Friday, the cybersecurity news outlet The Record reported that, last week, Defense Secretary Pete Hegseth ordered US Cyber Command to stop all cyber operational planning against Russia, including offensive digital campaigns.

**Crypto Bounty Hunters Are Racing to Find and Freeze $1.4 Billion Stolen From ByBit**

Eight days have passed since the cryptocurrency exchange ByBit revealed that hackers stole $1.4 billion worth of Ethereum-based assets from the company, a heist that is by some measures the biggest theft of crypto in history. Now the race is on to track the stolen funds across blockchains, prevent its liquidation, or even recover it—and that race is being propelled by $140 million in bounties offered by ByBit itself. ByBit earlier this week launched a website where it’s inviting crypto sleuths to submit tips about the destination of its stolen Ethereum funds and offering as a reward 5 percent of the value of any funds that those tracers can identify and help to freeze or seize. ByBit has offered another 5 percent of the value as a separate reward for any crypto exchange or other platform that obtains the funds.

As of Friday, the website counted a dozen bounty hunters currently registered as part of that crypto-tracing effort and put the tally of paid-out rewards at around $4.3 million. The site also includes a leaderboard of tracers who have successfully identified tranches of the funds by following them across blockchains or frozen funds—as well as a list of crypto exchanges who have, by contrast, liquidated the stolen funds on behalf of the thieves. So far only one exchange, known as eXch, has been flagged as liquidating $94 million of the stolen assets. ByBit notes that eXch has refused to respond to its messages, and the exchange didn’t respond to a BBC request for comment.

**FBI Urges Crypto Industry Not to Launder ByBit Funds for North Korea**

Earlier this week, the FBI took the unusual step of publicly identifying the hackers behind that massive ByBit hack: TraderTraitor, a group of state-sponsored cybercriminals working on behalf of the North Korean government. The FBI asked the crypto industry not to launder the funds of those hackers, a part of the larger umbrella group widely known as Lazarus that has long plagued the cryptocurrency world and has stolen billions in both crypto and non-crypto assets. In its alert, the bureau also released a list of Ethereum addresses associated with the stolen funds in an effort to help the crypto industry identify and seize any part of the $1.4 billion before it can be cashed out. Crypto tracing firm TRM Labs wrote in a post Thursday that around $400 million of the funds have already been moved and may have been successfully liquidated.

**A Disney Staffer Opened the Door for a Slack Hack by Accidentally Downloading Malware**

In July, an entity calling itself “NullBulge” published a 1.1-TB trove of data stolen from Disney's internal Slack archive, tipping off a frenzied cleanup effort as Disney rushed to get a handle on leaked revenue numbers, employee information like passport numbers, and sensitive customer information. The breach occurred after a Disney employee, Matthew Van Andel, inadvertently downloaded malware onto his personal computer that collected his login credentials for a number of services, including, crucially, the password to his 1Password credential vault. “It’s impossible to convey the sense of violation,” he told The Wall Street Journal. Van Andel also had his credit card numbers and other personal data stolen, and then lost his job as well when a Disney audit of his work computer alleged that he had accessed porn from the device. Van Andel denies the accusation. The episode is just one in a series of breaches where malware that infects a worker’s personal computer can have major ramifications for the institution that employs them.

**An Italian Priest Close to the Pope Had His Phone Hacked**

Mattia Ferrari, an Italian priest who works with a migrant-rescue group and has a close relationship with the Pope, revealed this week that he received a warning from Meta that his phone had been hacked with sophisticated spyware from Israeli-based Paragon. The news follows revelations that Luca Casarini, the founder of the NGO Mediterranea Saving Humans, where Ferrari served as a chaplain, also had his phone compromised by spyware, as did Italian investigative reporter Francesco Cancellato. The string of spyware infections targeting Italian activists and a journalist raises the question of who might be carrying out the hacking operations, with opposition leaders calling on the administration of Italian prime minister Giorgia Meloni to address the issue. Meloni’s government has denied being behind the hacking incidents. Pope Francis, who is currently in critical condition with pneumonia, has mentioned speaking to Ferrari on the phone during a TV interview in January, raising the question of whether the spies who hacked Ferrari’s phone eavesdropped on a conversation with the pope himself.

The Trump Administration Is Deprioritizing Russia as a Cyber Threat

Microsoft exposes Storm-2139, a cybercrime network exploiting Azure AI via LLMjacking. Learn how stolen API keys enabled harmful…

Microsoft exposes Storm-2139, a cybercrime network exploiting Azure AI via LLMjacking. Learn how stolen API keys enabled harmful content generation and Microsoft’s legal action

Microsoft has taken legal action against a cybercriminal network, known as Storm-2139, responsible for exploiting vulnerabilities within its Azure AI services. The company publicly identified and condemned four individuals central to this illicit operation. Their names are as follows:

1.  Arian Yadegarnia aka “Fiz” of Iran
2.  Phát Phùng Tấn aka “Asakuri” of Vietnam
3.  Ricky Yuen aka “cg-dot” of Hong Kong, China
4.  Alan Krysiak aka “Drago” of the United Kingdom

According to Microsoft’s official report, shared exclusively with Hackread.com, these individuals used various online aliases to operate a scheme called LLMjacking. It is the act of hijacking Large Language Models (LLMs) by stealing API (Application Programming Interface) keys, which act as digital credentials for accessing AI services. If obtained, API keys can allow cybercriminals to manipulate the LLMs to generate harmful content.

Storm-2139’s core activity involved leveraging stolen customer credentials, obtained from publicly available sources, to gain unauthorized access to AI platforms, modify the capabilities of these services, circumvent built-in safety measures, and then resell access to other malicious actors. They provided detailed instructions on how to generate illicit content, including non-consensual intimate images and sexually explicit material, often targeting celebrities.

Microsoft’s Digital Crimes Unit (DCU) initiated legal proceedings in December 2024, initially targeting ten unidentified individuals. Through subsequent investigations, they identified the key members of Storm-2139. The network operated through a structured model, with creators developing the malicious tools, providers modifying and distributing them, and users generating the abusive content.

“Storm-2139 is organized into three main categories: creators, providers, and users. Creators developed the illicit tools that enabled the abuse of AI-generated services. Providers then modified and supplied these tools to end users often with varying tiers of service and payment. Finally, users then used these tools to generate violating synthetic content,” Microsoft’s blog post revealed.

Visual Representation of Storm-2139 (Source: Microsoft)

The legal actions taken by Microsoft, including the seizure of a key website, resulted in significant disruption to the network. Members of the group reacted with alarm, engaging in online chatter, attempting to identify other members, and even resorting to doxing Microsoft’s legal counsel, highlighting the effectiveness of Microsoft’s strategy in dismantling the criminal operation.

Microsoft employed a multi-faceted legal strategy, initiating civil litigation to disrupt the network’s operations and pursuing criminal referrals to law enforcement agencies. This approach aimed to both halt the immediate threat and establish a deterrent against future AI misuse.

The company is also addressing the issue of AI misuse to generate harmful content, implementing stringent guardrails and developing new methods to protect users. It also advocates for modernizing criminal law to equip law enforcement with the necessary tools to combat AI misuse.

Security experts have highlighted the importance of stronger credential protection and continuous monitoring in preventing such attacks. Rom Carmel, Co-Founder and CEO at Apono told Hackread that companies who use AI and cloud tools for growth must limit access to sensitive data to reduce security risks.

_“_As organizations adopt AI tools to drive growth, they also expand their attack surface with applications holding sensitive data. To securely leverage AI and the cloud, access to sensitive systems should be restricted on a need-to-use basis, minimizing opportunities for malicious actors._“_

Top/Featured Image via Pixabay/BrownMantis

Microsoft Disrupts Storm-2139 for LLMjacking and Azure AI Exploitation

One of the most notorious providers of abuse-friendly "bulletproof" web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned.

One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm **Kaspersky Lab**, KrebsOnSecurity has learned.

Security experts say the Russia-based service provider **Prospero OOO** (the triple O is the Russian version of “LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, the French security firm **Intrinsec** detailed Prospero’s connections to bulletproof services advertised on Russian cybercrime forums under the names **Securehost** and **BEARHOST**.

The bulletproof hosting provider BEARHOST. This screenshot has been machine-translated from Russian. Image: Ke-la.com.

Bulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse complaints. And BEARHOST has been cultivating its reputation since at least 2019.

“If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,” BEARHOST’s ad on one forum advises. “We completely ignore all abuses without exception, including SPAMHAUS and other organizations.”

Intrinsec found Prospero has courted some of Russia’s nastiest cybercrime groups, hosting control servers for multiple ransomware gangs over the past two years. Intrinsec said its analysis showed Prospero frequently hosts malware operations such as SocGholish and GootLoader, which are spread primarily via fake browser updates on hacked websites and often lay the groundwork for more serious cyber intrusions — including ransomware.

A fake browser update page pushing mobile malware. Image: Intrinsec.

BEARHOST prides itself on the ability to evade blocking by Spamhaus, an organization that many Internet service providers around the world rely on to help identify and block sources of malware and spam. Earlier this week, Spamhaus said it noticed that Prospero was suddenly connecting to the Internet by routing through networks operated by Kaspersky Lab in Moscow.

Kaspersky did not respond to repeated requests for comment.

Kaspersky began selling antivirus and security software in the United States in 2005, and the company’s malware researchers have earned accolades from the security community for many important discoveries over the years. But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days.

Cybersecurity reporter **Kim Zetter** notes that DHS didn’t cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. Zetter wrote:

> According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets.
> 
> Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker’s machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker’s machine were not malicious programs but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.

Last year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S. effective July 20, 2024. U.S. officials argued the ban was needed because Russian law requires domestic companies to cooperate in all official investigations, and thus the Russian government could force Kaspersky to secretly gather intelligence on its behalf.

Phishing data gathered last year by the **Interisle Consulting Group** ranked hosting networks by their size and concentration of spambot hosts, and found Prospero had a higher spam score than any other provider by far.

AS209030, owned by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593). Image: cidr-report.org.

It remains unclear why Kaspersky is providing transit to Prospero. **Doug Madory**, director of Internet analysis at **Kentik**, said routing records show the relationship between Prospero and Kaspersky started at the beginning of December 2024.

Madory said Kaspersky’s network appears to be hosting several financial institutions, including Russia’s largest — **Alfa-Bank**. Kaspersky sells services to help protect customers from distributed denial-of-service (DDoS) attacks, and Madory said it could be that Prospero is simply purchasing that protection from Kaspersky.

But if that is the case, it doesn’t make the situation any better, said **Zach Edwards**, a senior threat researcher at the security firm **Silent Push**.

“In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure,” Edwards said.

Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab

Not getting enough views or traffic to your podcasts? Try this stunning AI audio-to-video generator to transform your…

Not getting enough views or traffic to your podcasts? Try this stunning AI audio-to-video generator to transform your podcasts into must-watch videos.

Is the audience viewing count of your podcasts lower than you expect? Many content creators deal with the problem of maintaining viewer interest because video content popularity is increasing in digital spaces. Being excellent in audio content delivery isn’t sufficient to thrive. The solution? Convert audio to video! 

An AI audio-to-video generator enhances podcasts by turning them into multimedia presentations that catch viewers’ attention. This article showcases a proven solution to convert your audio content into compelling video materials that people will watch.

Let’s dive in!

**Table of Contents Hide**

1.  Part 1: Why You Should Turn Podcasts into Videos?
    1.  Expand Your Reach
    2.  Increase Accessibility
    3.  Boost Engagement
    4.  Enhance SEO
    5.  Leverage Trends
2.  Part 2: Key Elements of Must-Watched Podcast Video
    1.  High-Quality Video
    2.  Clear Audio
    3.  Subtitles
    4.  Captions
    5.  Engaging Thumbnails
    6.  Brand Elements
3.  Part 3: Wondershare Filmora: Best Tool to Help You Transform Podcasts into Videos
4.  Conclusion

**Part 1: Why You Should Turn Podcasts into Videos?**

You gain several benefits when you transform your podcast content into video format.

**Expand Your Reach**

The broadcast of video content allows you to extend your presence toward wider audiences through YouTube and social media channels.

**Increase Accessibility**

Through video format, you provide learning opportunities for visual learners as well as auditory learners simultaneously.

**Boost Engagement**

The combination of visual elements surpasses audio content in grabbing viewers’ attention, which results in higher chances of sharing and liking activities.

**Enhance SEO**

Your content benefits from improved SEO rankings when video content is included because search engines prefer video content. This practice drives more traffic to your material.

**Leverage Trends**

The usage of videos has gained extreme popularity across all digital platforms. You should design your content to align with the ways people use and consume media during the present period.

Thus, your podcast will reach its full potential when you turn from audio to video.

**Part 2: Key Elements of Must-Watched Podcast Video**

To develop an interesting podcast video, you need to focus on essential elements.

**High-Quality Video**

The quality of your video content should include clear images and sharp visual elements for improved viewer engagement.

**Clear Audio**

The quality of your audio must be exceptional because poor sound will cause viewers to leave your content.

**Subtitles**

The addition of subtitles establishes accessibility for your content to viewers who have hearing challenges alongside other listener groups.

**Captions**

The inclusion of subtitles, known as captions, enables powerful message transmission to viewers who listen without sound.

**Engaging Thumbnails**

Attractive thumbnails must be designed to attract more viewers and raise the number of clicks on your content.

**Brand Elements**

Employ branding elements that include consistent logos and visual color schemes to achieve better recognition.

The implementation of these elements leads to a major enhancement of your podcast’s aesthetic quality.

Let’s get straight to the tool named Wondershare Filmora, using which you can easily transform your podcasts into must-watch videos. This AI audio-to-video generator provides you with an effortless solution to implement your audio content alongside compelling visual features that maximize your podcast effects. Through its simple interface together with multiple features, Filmora enables users to manage dynamic graphics along with audio enhancement and animations easily and with enjoyment.

**Key Features of Filmora**

**AI Audio to Video**: Users can easily turn their audio files into dynamic video content using a basic automated, multi-step procedure. Filmora’s AI analysis evaluates your audio as it generates exceptional visual content to match your content perfectly.

**AI Image to Video**: Through its AI tool, Filmora converts ordinary images into lively video content. This feature matches the needs of users who need exceptional media content for social promotions or product visuals along with slide decks.

**AI Video Enhancer:** Filmora enables users, through its great functionality, to modify video elements like brightness, contrast, and saturation to achieve professional results.

**AI Video Translation**: Filmora contains an advantageous feature that benefits people who operate beyond national borders. The tool enables the translation of video content into various languages at once.

**AI text-to-speech**: The software enables users to convert written content into lifelike speech via AI technology.

Using the above-mentioned features in Filmora, users can easily edit their videos in a professional manner.

**Step-by-step guide to transform your audio content into video:**

**Step 1**: When you download the latest version of Filmora from its official website and open it up, you will see an option “Audio to Video” in the toolbox. Tap on it.

**Step 2**: Now you can upload the media file of size up to 1 GB with a duration of 10 seconds to 120 minutes.

**Step 3**: Users must specify their video language selection after uploading. Users must choose their video content type first, then add specified ratio and duration parameters for a defined number of generated videos. Users have the option to adjust screen settings.

**Step 4**: When the setup is complete, tap on Generate.

**Step 5**: Now you will see the multiple results of videos generated by the system. Press the play button to experience the generated results. You may export the video right away after ensuring you like how it turned out. Click “Edit” from the interface to transition to Filmora’s main editing timeline if you wish to implement more modifications.

**Step 6**: Click on the “Export” button located in the top-right section to finalize your video. Users access social media sharing through the top-right corner of the interface. Select the “Local” option to save the video to your device and set parameters for its title and description as well as category and resolution.

And that’s all it takes! The audio-to-video AI converter, together with powerful editing features from Filmora, makes it effortless to convert audio into video content at no cost. Using this tool will enable you to generate exceptional video content in a short period.

**Conclusion**

Converting audio content into video means more engagement and views! All you need is a tool like Filmora and the rest is just the magic it will create. Your content will get better when you use high-quality visuals and clear audio. Also, include subtitles, eye-catching thumbnails, and unique brand elements. Begin utilizing Filmora right now and discover how audio conversion creates videos that improve your podcasting capabilities significantly. 

Image by AstralEmber from Pixabay

Convert Audio to Video: How to Transform Your Podcasts into Must-Watch Videos

360XSS campaign exploits Krpano XSS to hijack search results & distribute spam ads on 350+ sites, including government,…

360XSS campaign exploits Krpano XSS to hijack search results & distribute spam ads on 350+ sites, including government, universities, and news outlets.

A widespread campaign exploiting a vulnerability within a virtual tour framework Krpano has been uncovered by cybersecurity researcher Oleg Zaytsev. The attack, dubbed “360XSS,” involved search engine manipulation and mass advertisement distribution.

For your information, Krpano is a widely used software tool that enables the creation of immersive 360° experiences, allowing users to explore panoramic images and videos in a virtual environment.

Zaytsev’s research, shared with Hackread.com, revealed that the attack leverages a reflected cross-site scripting (XSS) flaw in the Krpano VR library tracked as CVE-2020-24901. The vulnerability resided in a configuration setting within the Krpano framework (passQueryParameter) that, by default, allowed query parameters to be passed directly into the framework’s configuration.

This enabled attackers to inject arbitrary XML, leading to the reflected XSS. The default setting enabled this flaw, leading to widespread exploitation until patches were released. Unfortunately, it remained unpatched on numerous websites, including the framework developer’s own site.

The campaign’s discovery began with an unexpected search result for adult content appearing under a prestigious university’s domain. Further investigation revealed that the site was utilizing the Krpano framework for virtual tours and that a specific parameter within the URL was being exploited to inject malicious code. This code redirected users to spam advertisements, indicating a sophisticated attack beyond simple website defacement.

The scale of the campaign was significant, with hundreds of websites, including government portals, educational institutions, news outlets, and major corporations, being compromised. Attackers used the XSS vulnerability to inject malicious scripts that manipulated search engine results, pushing spam advertisements to the top of search listings. This technique, known as SEO poisoning, allowed them to leverage the authority of compromised domains to boost the visibility of their advertisements.

The campaign had a wide-reaching impact, compromising over 350 websites across diverse sectors. This included sensitive government portals and state government sites, major American universities, prominent hotel chains, reputable news outlets like CNN and Geo.tv, car dealerships and Fortune 500 companies. Attackers’ focus on advertisement distribution, rather than direct attacks on user data, suggested a calculated approach probably by an Arab group.

Image via Oleg Zaytsev

“The people behind this campaign remain a mystery, but from what I’ve seen, many clues suggest it was run by an Arab group—based on the ads, patterns, and random breadcrumbs I found during my investigation,” Zaytsev noted in their blog post.

He further notes that efforts to report the vulnerability to affected organizations proved challenging, with many lacking formal disclosure programs. However, some organizations responded positively, and the Krpano developers addressed the issue with a patch in a subsequent release. Organizations using the Krpano framework are advised to update to the latest version and disable the vulnerable configuration setting.

Eran Elshech, Field CTO at Seraphic Security, highlights that attackers are shifting from malware to exploiting browser vulnerabilities and web frameworks. The 360XSS campaign demonstrates how easily a known XSS flaw was used to compromise trusted sites, manipulate search results, and hijack web properties for spam ads.

He warns that the scalability and stealth of such attacks make them highly effective, as attackers infiltrate high-traffic sites with minimal effort, reaching large audiences without direct access to user devices.

Over 350 High-Profile Websites Hit by 360XSS Attack

Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflow's content delivery network (CDN) to deliver the Lumma stealer malware.
Netskope Threat Labs said it discovered 260 unique domains hosting 5,000 phishing PDF files that redirect victims to malicious websites.
"The attacker uses SEO to trick victims into

5,000 Phishing PDFs on 260 Domains Distribute Lumma Stealer via Fake CAPTCHAs

Louis Donald Mendonsa, 62, was sentenced following a guilty plea for distributing child sexual abuse materials (CSAM) via…

Louis Donald Mendonsa, 62, was sentenced following a guilty plea for distributing child sexual abuse materials (CSAM) via Dark Web and other online networks after 6,5000 explicit images were found on his devices.

A California resident, Louis Donald Mendonsa (62), has been sentenced to 24 years and four months in federal prison for his involvement in managing four illegal websites on the dark web that shared explicit images and videos of children.

Mendonsa, a Sacramento native, played a key role in maintaining these platforms, which were active from December 2021 until his arrest in November 2022. He received his sentence on February 27, 2025, after pleading guilty in April 2024 to seven counts of distributing CSAM and one count of possession.

The websites, which operated on the dark web, a hidden part of the internet often used for illegal activities only accessible through the Tor browser, allowed users to advertise, distribute, and trade disturbing content involving children. According to the US Department of Justice’s press release, one of the sites even featured material depicting infants and toddlers.

Mendonsa not only managed these platforms but also actively promoted and shared illegal content himself. His activities came to light after law enforcement discovered his actions while he was using public Wi-Fi at a local coffee shop.

Upon arrest, a search of Mendonsa’s electronic devices revealed approximately 6,500 explicit images, confirming the identities of several known victims. This case is part of Project Safe Childhood, a nationwide initiative launched by the Department of Justice in 2006 to combat the alarming rise in child sexual exploitation. 

The project brings together federal, state, and local law enforcement agencies to track down, arrest, and prosecute individuals who exploit children online, while also working to rescue victims.

Man Jailed 24 Years for Running Dark Web CSAM Sites from Coffee Shop

Malicious Google ads are redirecting PayPal users looking for assistance to fraudulent pay links embedding scammers' phone numbers.

We recently identified a new scam targeting PayPal customers with very convincing ads and pages. Crooks are abusing both Google and PayPal’s infrastructure in order to trick victims calling for assistance to speak with fraudsters instead.

Combining official-looking Google search ads with specially-crafted PayPal pay links, makes this scheme particularly dangerous on mobile devices due to their screen size limitation and likelihood of not having security software.

**Overview**

Scammers are creating ads impersonating PayPal from various advertiser accounts that may have been hacked. The ad displays the official website for PayPal, yet is completely fraudulent.

A weakness within Google’s policies for landing pages (also known as final URLs), allows anyone to impersonate popular websites so long as the landing page and display URL (the webpage shown in an ad) share the same domain.

The page victims are directed to has the following format:

paypal.com/ncp/payment/\[unique ID\]

This is PayPal’s “no-code checkout”, a feature for merchants to have a simple and yet secure option to take payments:

> Small businesses that want to accept payments online or in person can set up pay links, buttons, and QR codes to accept payments on the website. You don’t need a developer, coding knowledge, or a website to accept payments

Essentially, crooks are abusing this feature to create a bogus pay link. They can customize the page by creating various fields with text designed to trick users, such as promoting a fraudulent phone number as “PayPal Assistance”.

**Mobile experience**

Phones are the best medium for this type of scams due to the device’s constraints, but more than anything because that’s how victims will get in touch with bogus tech support agents.

In the screenshot below taken on an iPhone, we can see the top sponsored result from a Google search is impersonating PayPal. During our investigation, we often encountered more than one malicious ad, although they redirected to different kinds of pages, not abusing the same scheme.

Due to the reduced screen size, it would require scrolling past the ads and the AI Overview to see organic search results. This is not a coincidence of course, and is why search advertising is worth billions of dollars.

Screen size plays a factor again when users click on the ad and look at the browser’s address bar correctly identifying that the site is “**paypal.com**“. As we saw above, pay links are on the same domain as _paypal.com_, from which they inherit trust.

We did not follow-up with the provided phone number; however we believe it likely ends with victims handing over their personal information to scammers and getting fleeced.

**Conclusion**

Tech support scammers are like vultures circling above the most popular Google search terms, especially when it comes to any kind of online assistance or customer service.

We saw how easy it is to get an ad that mimics an official brand as long as the destination URL is on the same domain as the ad URL. The rest is just a matter of creativity on the part of scammers to forcefully inject their lure as spam, search queries, shopping lists, and more…

Whenever looking up an official phone number or website, it is safer to scroll past the ads and choose a more trusted organic link. There are also security solutions that can block ads and malicious links, such as Malwarebytes for mobile devices.

We have reported this campaign to Google and PayPal, but urge caution as new ads using the same trick are still appearing.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**Indicators of Compromise**

Archived example:

https://urlscan.io/result/3ea0654e-b446-4947-b926-b549624aa8b0

Malicious pay links:

hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/8X7JHDGLK9Z46  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/7QUEXNXR84X3L  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/BHR4AMJAPWNZW  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/FTJBPVUQFEJM6  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/2X92RZVSG8MUJ  
hxxps\[://\]www\[.\]paypal\[.\]com/ncp/payment/D8X74WYAM3NJJ

Scammers’ phone numbers:

1-802\[-\]309-1950  
1-855\[-\]659-2102  
1-844\[-\]439-5160  
1-800\[-\]782-3849

Tag

#web