Researchers expose large-scale YouTube malware distribution network

Check Point researchers have uncovered, mapped and helped set back a stealthy, large-scale malware distribution operation on YouTube they dubbed the “YouTube Ghost Network.”

The network published more than 3,000 videos across compromised or fake channels, luring viewers with game cheats, cracked software, or pirated tools, but instead delivering malware or phishing pages. 

The YouTube Ghost Network

The YouTube Ghost Network is strikingly similar to the Stargazers Ghost Network, a previously uncovered network of fake or hijacked GitHub accounts that served as a malware and phishing link Distribution-as-a-Service.

In the Stargazers Ghost Network, different accounts filled different roles. Some accounts directed targets to malicious downloads, others served malware, and others still starred, forked, and subscribed to malicious repositories, in an obvious attempt to make the other accounts appear legitimate to potential victims.

Similarly, the YouTube Ghost Network consists of video accounts, post accounts, and interact accounts.

Video accounts, which are either hijacked or created by the malware peddlers, upload videos that promise something appealing, e.g., a free/cracked version of Adobe Photoshop, or game hacks for popular games like Roblox. The descriptions contain download links or direct viewers to password-protected archives on services like Dropbox, Google Drive or MediaFire, and they often tell users to temporarily disable Windows Defender before installing the downloaded cracked software.

Post accounts publish community posts with the same links and passwords, and interact accounts flood comment sections with fake endorsements, creating a false sense of trust.


China Escalates Cyberattacks That Are Increasingly Hard To Detect

A Chinese hacking group is reportedly behind a significant espionage campaign targeting U.S. technology firms and legal services, highlighting a worrisome escalation in China’s cyber “Cold War” with the United States.

Since March 2025, Google’s Threat Intelligence Group and its cybersecurity subsidiary, Mandiant, have tracked suspicious activity carried out through a backdoor malware known as “BRICKSTORM.” This sophisticated campaign is targeting a variety of sectors, including law firms, software-as-a-service providers, and other technology companies. Following extensive monitoring and analysis, Google has linked these hacking efforts to UNC5221, a long-suspected Chinese Advanced Persistent Threat (APT) actor, alongside other “threat clusters” associated with China.

The BRICKSTORM campaign is especially disturbing for two primary reasons. Firstly, it was crafted to ensure “long-term stealthy access” by embedding backdoors into targeted systems, enabling hackers to dodge conventional detection and response methods. The stealth campaign has proven so adept that, on average, these intruders remain undetected in targeted systems for nearly 400 days, as revealed by a Google report.

Secondly, the motivations behind these cyberattacks transcend the theft of trade secrets and national security data. Google suspects that these hackers are also probing for “zero-day vulnerabilities targeting network appliances,” as well as “establishing pivot points for broader access” to additional victims. This indicates a strategy to gather intelligence that could be pivotal to the Chinese military should tensions escalate between the U.S. and China.

Xi Jinping, the leader of Communist China, has consistently expressed his ambition for the nation to become a “cyber superpower.” With this goal in mind, the Chinese government has invested significant resources in building a formidable cyber army.

The People’s Liberation Army (PLA) considers cyber warfare to be a crucial aspect of both its defensive and offensive strategies, alongside traditional military forces. Cyberattacks are viewed as a cost-effective means to undermine an opponent’s will to fight by targeting its economic, political, scientific, and technological systems.

Thus, the PLA reportedly employs as many as 60,000 cyber personnel, ten times the size of the U.S. Cyber Command’s Cyber Mission Force. Additionally, a higher proportion of the PLA’s cyber force is dedicated to offensive operations compared to the United States (18.2 percent versus 2.8 percent).

Alongside China’s official cyber force, the Ministry of State Security and the Ministry of Public Security have adopted a “pseudo-private” contractor model that allows them to hire civilian hackers to conduct cyber espionage abroad while obscuring the Chinese government’s involvement.

Over time, the Communist regime has also significantly advanced its cyber operation capabilities. Today, China’s cyber operations are increasingly sophisticated, utilizing advanced tactics, techniques, and procedures to infiltrate victim networks, according to a U.S. government report.

The BRICKSTORM attack is part of a long series of high-profile cyberattacks originating from China in recent years. Between 2023 and 2024, Salt Typhoon, a Chinese hacking group linked to the Ministry of State Security, accessed U.S. wireless networks operated by companies such as AT&T and Verizon, “as well as systems used for court-appointed surveillance.” This breach resulted in the compromise of telecommunication data for over a million American users, including individuals involved in both Trump’s and then-Vice President Kamala Harris’s presidential campaigns.


Roughly 70,000 Government ID Photos Potentially Stolen in Discord Hack

Government ID photos of around 70,000 Discord users, collected for age verification purposes, may have been stolen in a hack, the company said in an Oct. 9 update. Discord is a group chat app used largely by programmers and gamers.

Initially announced on Oct. 3, the data breach occurred on the systems of third-party vendor 5CA, which Discord uses for customer support efforts. The malicious actor aimed to extort a financial ransom from Discord, the company stated.

According to Discord, the unauthorized party “gained access to information from a limited number of users who had contacted Discord through our Customer Support and/or Trust & Safety teams.”

“No messages or activities were accessed beyond what users may have discussed with Customer Support or Trust & Safety agents,” the company said.

“Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”

Age-related appeals refer to instances when users were locked out of the app due to being reported as underage and then had to submit photo IDs to verify their age and unlock their accounts.


The country that inspired Keir Starmer’s digital ID card fiasco: Labour’s blueprint for Britain is a ‘goldmine for hackers and scammers to steal your money’

Estonia’s digital identity system has been beset by blunders and security issues that allow hackers to steal data and help scammers take money, we can reveal.

The digital ID system used by 1.4 million people in the Baltic state is said to be the blueprint for Keir Starmer’s so-called Brit Card.

Digital ID cards showing a resident’s picture, name, unique number and date of birth, and including a microchip storing more personal information, have been used in the former Soviet republic for more than 20 years.

Estonians can hold their cards in e-wallets on mobile phones and use them to vote, check on bank accounts, e-sign contracts and invoices, file tax returns, claim benefits, book medical appointments, access health records, shop online, and even collect supermarket loyalty points.

But the much-praised scheme in Estonia has suffered security lapses that have allowed fraudsters to bypass encryption systems to con victims out of their savings and leak the names and photographs of citizens.

The Daily Mail can reveal that users have also repeatedly fallen victim to phishing emails and calls from scammers who have persuaded them to disclose PIN numbers for their cards and stolen cash from their bank accounts in a grim warning of what could happen in the UK.

Official figures reveal that citizens of so-called ‘E-Stonia’ lost more than 7 million euros to fraud last year with 837 ‘significant’ incidents recorded, up from 546 in 2023, although the true figure is thought to be much higher due to many cases being unreported.

Reports suggest that the amount lost to fraud in Estonia has soared since last year, with a total of 7.5 million euros lost in the first six months of this year.

A large number of the cases reported by Estonia’s Police and Border Guard are thought to involve personal information from ID cards being stolen due to people being tricked into revealing PIN codes.


Discord Support Data Breach Exposes User IDs, Personal Data

A data breach affecting a third-party customer service provider used by Discord has exposed personal information from users who had contacted the platform’s support teams. Among the data accessed were some images of government-issued IDs submitted by users.

The incident will amplify growing concerns around online ID verification, a practice increasingly mandated by governments as a way to enforce age restrictions online.

While Discord confirmed that the attacker did not breach its internal systems, the compromise of a vendor handling sensitive user data shows how collecting official identification, even in limited cases, creates serious and lasting privacy risks.

The compromised vendor had supported Discord’s Customer Support and Trust & Safety teams, and the attacker targeted it in an effort to extort money.

While the breach did not involve Discord’s internal systems, sensitive user data was exposed.

The company stated that the attacker accessed information from a “limited number of users” who had interacted with support staff.


US Cyber Agency Issues Emergency Directive Amid Major Hacking Campaign Targeting Cisco

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive asking federal agencies to take immediate action to identify and mitigate system vulnerabilities to protect their devices from a major hacking campaign, the agency said in a Sept. 25 statement.

“This widespread campaign poses a significant risk to victims’ networks by exploiting zero-day vulnerabilities that persist through reboots and system upgrades,” CISA said.

Zero-day vulnerabilities refer to unknown or unaddressed security flaws in computer hardware, firmware, or software. They are called “zero-day” because the vendor of the affected software or device has had zero days to fix the flaw, which lets hackers exploit it immediately.

According to the directive, Cisco has assessed that the hacking campaign is linked to the threat actor ArcaneDoor.

A May 2024 post by computer and network security company Censys said an investigation of IPs controlled by ArcaneDoor suggested “the potential involvement of an actor based in China, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software.”

Four out of five IP hosts analyzed by Censys were found to be in China, with some linked to Chinese conglomerate Tencent and Chinese telecom company ChinaNet.

“Networks like Tencent and ChinaNet have extensive reach and resources, so they would make sense as an infrastructure choice for a sophisticated global operation like this one,” Censys said in its post.

In a Sept. 25 statement, Cisco said it had been engaged by multiple government agencies in May to provide support to an investigation into attacks targeting the company’s ASA devices.

The company said it has “high confidence” that the hacking activity was related to ArcaneDoor.

“Cisco assesses with high confidence that upgrading to a fixed software release will break the threat actor’s attack chain and strongly recommends that all customers upgrade to fixed software releases,” the company said.


John Bolton’s personal email account was hacked by foreign entity, FBI docs reveal

Former National Security Adviser John Bolton allegedly used a private email account that was at one point hacked by a “foreign entity,” an FBI search warrant affidavit released Friday revealed. 

The 41-page document – used by federal investigators to justify the raid of Bolton’s Maryland home last month – suggests the hacking incident gave the FBI reason to believe the former Trump administration official mishandled classified records.

The Post previously reported that Bolton allegedly used his personal email account to send “highly sensitive” documents to his family while working in the White House.

“Hack of Bolton AOL Account by Foreign Entity,” reads a section of the affidavit, where investigators explained the probable cause for the searches. 

The roughly 10 pages detailing the hacking incident are completely redacted. It’s unclear which foreign nation may have been responsible. 


U.S. places $11 million bounty on Ukrainian ransomware mastermind — Tymoshchuk allegedly stole $18 billion from large companies over 3 years

The United States has placed an $11 million bounty on Volodymyr Tymoshchuk, a Ukrainian man wanted for his involvement with a string of ransomware cybercrimes. Tymoshchuk faces severe federal charges for his part in reportedly masterminding the theft of a combined $18 billion over a three-year period.

Tymoshchuk is accused of being the kingpin behind the MegaCortex, LockerGoga, and Nefilim attacks, a string of attacks that were active from Dec. 2018 to Oct. 2021. The MegaCortex attack, which we covered in 2019, changes the Windows passwords and encrypts the files of a host computer, threatening to make sensitive files public if the ransom goes unpaid.

“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms,” said U.S. Attorney Joseph Nocella Jr. in a statement from the Justice Department. One of the highest-profile thefts linked to Tymoshchuk and LockerGoga was the attack on Norsk Hydro, a renewable energy company based in Norway. The attack on Norsk caused a reported $81 million in damages as all of its 170 sites were impacted at some level.

Nocella continued, “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

Tymoshchuk is alleged to have run the LockerGoga and MegaCortex offensives between July 2019 and June 2020, at which point the two ransomware strains went largely dark. From then on, Tymoshchuk is accused of having helped to engineer and administer the Nefilim ransomware strain, selling access to it to attackers in exchange for 20% of the ransom funds received from each successful attack.

An unsealed indictment, archived by The Register, lists a number of unnamed victim companies from across the United States and Europe. Tymoshchuk is on the hook for seven total charges relating to intentional damage to a private computer and threatening to disclose private information. If found guilty Tymoshchuk faces a maximum sentence of life in prison.


Malware found hidden in image files, can dodge antivirus detection entirely — VirusTotal discovers undetected SVG phishing campaign

Scalable vector graphics (.svg) files are lightweight, XML-based images that render at any resolution. They’re usually harmless, but they can also contain active code, and hackers appear to be relying on them more often as a means to stealthily deliver malware.

A new report from VirusTotal shows just how far that tactic has evolved, unearthing a campaign that used weaponized SVGs to drop malware, spoof a government agency, and dodge antivirus detection entirely.

44 previously undetected phishing SVGs

In its report published September 4, the Google-owned scanning platform said its Code Insight system had flagged an SVG file masquerading as a legal notification from Colombia’s judicial system.

When opened, the file rendered a realistic-looking web portal in-browser, complete with a fake progress bar and download button. That button then delivered a malicious ZIP archive containing a signed Comodo Dragon browser executable, along with a malicious .dll file that would be sideloaded if the .exe was run. This would then install more malware on the system.

The attack relied on a known but often overlooked feature: SVGs can embed HTML and JavaScript. This means they can be used like mini web pages — or, as in this case, full phishing kits — even when attached to an email or hosted on cloud storage. VirusTotal’s retrospective scan tied 523 SVG files to the same campaign, with 44 completely undetected by any antivirus engine at the time of submission.
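A defender-side check for the behaviour described above, added here as an example and not taken from the VirusTotal report: it parses an SVG and reports the elements and attributes that turn an image into a script-running page (script elements, foreignObject wrappers for HTML, on* event handlers, javascript: links). The tag and attribute list and the two sample files are assumptions constructed for the demonstration.

```python
"""Flag SVG files that carry active content: script elements, foreignObject
(embedded HTML), on* event handlers and javascript:/data: links.
Added example for this page; the sample SVGs below are constructed, not the
campaign's real files, and the tag/attribute list is an assumption."""
import xml.etree.ElementTree as ET

# Elements that let an SVG behave like a web page instead of a picture.
ACTIVE_TAGS = {"script", "foreignObject"}
# Link targets that execute or render attacker content when clicked.
SCRIPT_URL_PREFIXES = ("javascript:", "data:text/html")


def _local(name):
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(svg_text):
    """Return a sorted list of findings; an empty list means nothing active seen."""
    findings = set()
    root = ET.fromstring(svg_text)
    for el in root.iter():
        if _local(el.tag) in ACTIVE_TAGS:
            findings.add(f"element:{_local(el.tag)}")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):  # onload=, onclick=, onerror=, ...
                findings.add(f"handler:{a}")
            if a == "href" and value.strip().lower().startswith(SCRIPT_URL_PREFIXES):
                findings.add(f"href:{value.split(':')[0]}")
    return sorted(findings)


# Constructed samples: a plain icon, and one that embeds HTML plus JavaScript
# in the way the phishing SVGs described above do (fake progress bar, button).
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <foreignObject width="300" height="100">
    <div xmlns="http://www.w3.org/1999/xhtml"><progress value="70" max="100"/></div>
  </foreignObject>
  <a xlink:href="javascript:download()"><text>Download</text></a>
  <script>function init(){}</script>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(name, svg_active_content(doc) or "clean")
```

The check is a triage signal, not a verdict: a flagged file needs a look at what the script or embedded HTML actually does, and SVGs should be served with a Content-Type that stops browsers from treating them as pages.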


Mystery Hacker Used AI To Automate ‘Unprecedented’ Cybercrime Rampage

A hacker allegedly exploited Anthropic, the fast-growing AI startup behind the popular Claude chatbot, to orchestrate what authorities describe as an “unprecedented” cybercrime campaign targeting nearly 20 companies, according to a report released this week.

The report, published by Anthropic and obtained by NBC News, details how the hacker manipulated Claude to pinpoint companies vulnerable to cyberattacks. Claude then generated malicious code to pilfer sensitive data and cataloged information that could be used for extortion, even drafting the threatening communications sent to the targeted firms.

NBC News reports:

The stolen data included Social Security numbers, bank details and patients’ sensitive medical information. The hacker also took files related to sensitive defense information regulated by the U.S. State Department, known as International Traffic in Arms Regulations.

It’s not clear how many of the companies paid or how much money the hacker made, but the extortion demands ranged from around $75,000 to more than $500,000, the report said.

Jacob Klein, head of threat intelligence for Anthropic, said the campaign appeared to be the work of a hacker operating outside the U.S., but did not provide any additional details about the culprit.

“We have robust safeguards and multiple layers of defense for detecting this kind of misuse, but determined actors sometimes attempt to evade our systems through sophisticated techniques,” Klein said.

Anthropic’s findings come as an increasing number of malicious actors are leveraging AI to craft fraud that is more persuasive, scalable, and elusive than ever. A SoSafe Cybercrime Trends report reveals that 87% of global organizations encountered an AI-driven cyberattack over the past year, with the threat gaining momentum.

“AI is dramatically scaling the sophistication and personalization of cyberattacks,” said Andrew Rose, Chief Security Officer at SoSafe. “While organizations seem to be aware of the threat, our data shows businesses are not confident in their ability to detect and react to these attacks.”

Artificial intelligence is not only a tool for cybercriminals – it is also broadening the vulnerabilities within organizations. As companies rush to adopt AI-driven tools, they may inadvertently expose themselves to new risks.

“Even the benevolent AI that organisations adopt for their own benefit can be abused by attackers to locate valuable information, key assets or bypass other controls,” Rose continued.
