Internet threat news

An unknown leaker, going by the alias ExploitedWhispers, has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation. The stolen messages were originally uploaded to the MEGA file-sharing platform, from which they have since been removed.
Since their removal from MEGA, ExploitedWhispers has uploaded them to a dedicated Telegram channel. It is unclear if ExploitedWhispers is a security researcher who gained access to Black Basta's infrastructure or a disgruntled affiliate.

According to a recent report by Sysdig, threat actors employing a new hacking technique known as LLMJacking are actively targeting DeepSeek's latest Large Language Model (LLM) and those using the model for their specific GenAI needs.

Last week, the world was stunned by the performance of DeepSeek's R1 Large Language Model, delivered for a fraction of the cost it took OpenAI and others to develop a comparable model. Along with news about how DeepSeek impacted US markets and its possible "Sputnik" moment, DeepSeek also made cybersecurity headlines for the wrong reasons.

Even now, in 2025, ransomware is still one of the most profitable cyber threats for threat actors with the skills to implement attacks. Due in part to this profitability, the threat's evolution continues at breakneck speeds, leaving organizations struggling to defend their digital assets.
This is only fueled further by ransomware developers' rapid adoption of Ransomware-as-a-Service (RaaS), promising affiliates an impressive share of the profit for gaining access to enterprise networks and encrypting data.

According to a recent report published by Lumen's Black Lotus Labs, researchers discovered an attack campaign using a carefully crafted backdoor to target enterprise-grade Juniper routers. Briefly, the attack begins with a passive agent that continuously monitors for a "magic packet" sent by the attacker in TCP traffic. Once the agent detects the "magic packet," the backdoor will be opened.

In mid-November 2024, Microsoft Threat Intelligence observed a Russian-speaking threat actor, tracked by Microsoft as Star Blizzard, abusing WhatsApp to supplement spear-phishing tactics that target high-value diplomats. Using WhatsApp as a phishing delivery vehicle marks a change from the threat actor's long-standing tactics and techniques.

In a joint statement issued by the United States, Japan, and the Republic of Korea and published in English on the U.S. Department of State's website.

According to a recent blog post by Scam Sniffer, a cryptocurrency monitoring service specializing in tracking illicit activity across blockchains, wallet drainers have been used to steal 494 million USD from crypto wallets in 2024.
Wallet drainers are a family of malware typically deployed on phishing websites that steal crypto assets by tricking users into signing off on malicious transactions.

According to a report by cybersecurity firm Cleafy, a new Malware-as-a-Service has begun operating, with much evidence pointing to the malware's developers operating within Turkey. Cleafy has called the malware itself DroidBot, based on the domain used to host the malware's infrastructure.

According to a recent article published by McAfee, security researchers have noticed a significant spike in the use of predatory loan apps by malicious actors.
These Potentially Unwanted Programs (PUPs) are referred to as SpyLoan applications and typically use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions, which can lead to extortion, harassment, and financial loss.

According to Trend Micro, Chinese state-sponsored threat actor Salt Typhoon, also tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, has been seen deploying a new backdoor malware. Called "GhostSpider" by Trend Micro researchers, the malware has been used in attacks against Southeast Asian telecommunications companies.

Cybersecurity researcher g0njxa recently discovered a cyberattack campaign leveraging fake AI video generators to infect machines with info-stealing malware. The attacker installed the Lumma and AMOS stealers on both Windows and macOS machines.
Lumma targets Windows machines, while AMOS targets macOS machines. Both are used to steal cryptocurrency wallets, cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.

In a recent article by security firm Gen Digital, researchers detailed a new campaign delivering Glove Stealer as its primary malware payload.
The new stealer, named Glove by Gen Digital, uses ClickFix social engineering tactics to gain elevated privileges and install the malware. This is another instance of threat actors favoring info-stealing malware while relying on ClickFix or FakeCaptcha tactics for distribution.

In a recently published blog article by Check Point's research team, an attack campaign was discovered spreading the Rhadamanthys info stealer. The infection chain starts with victims receiving fake copyright infringement emails that act as the lure.