What Happened

Researchers at Push Security have uncovered a new social engineering campaign that exploits one of the most normalized behaviors in modern software development: copying an install command from a webpage and running it in your terminal without reading it.

The technique is called InstallFix — a deliberate evolution of ClickFix — and in its current form, it’s targeting developers searching for Claude Code, Anthropic’s fast-growing agentic CLI tool. Attackers built near-identical clones of the official Claude Code installation page — same layout, same branding, same documentation sidebar — and promoted them through Google-sponsored search results for queries like “Claude Code,” “Claude Code install,” and “Claude Code CLI.”

The only difference between the real page and the fake: the install command points to an attacker-controlled server, not Anthropic’s. One copy, one paste, one Enter key. That’s the entire attack surface.

The payload is Amatera, a subscription-based infostealer that first appeared in 2025 and is considered the successor to ACR Stealer. It’s sold as a service to criminal operators and targets both Windows and macOS.

Why Claude Code? Why Now?

This campaign isn’t random. Claude Code is, by several measures, the fastest-growing AI developer tool in enterprise environments right now. Push Security co-founder Jacques Louw put it directly: “I suspect this campaign is targeting Claude Code specifically, because it’s one of the tools — if not the tool — being adopted the fastest across the board.”

Attackers follow adoption curves. When a tool reaches the threshold where both experienced engineers and first-time “vibe-coders” are Googling how to install it, it becomes a high-value impersonation target. Claude Code crossed that threshold.

The attack also exploits a specific behavioral vulnerability that has quietly normalized over the last decade: the curl-to-bash install command. There was a time when pasting a command from a website into your terminal was considered reckless. That norm has eroded. Legitimate tools — Homebrew, Claude Code, dozens of others — ship with one-liner install commands designed to be copied and run. Attackers have simply recognized that developers now do this instinctively, without reading what they’re executing.

The Attack Chain

Stage 1 — Malvertising

The fake pages are distributed exclusively through Google Ads. Sponsored search results for Claude Code-related queries surface the cloned installation pages at the top of results — above the legitimate Anthropic documentation. The domains are hosted on infrastructure from Cloudflare Pages, Squarespace, and Tencent EdgeOne, all legitimate providers, making the hosting itself look credible.

Stage 2 — The Clone

The fake installation page is a pixel-perfect replica of the real thing. Layout, branding, documentation sidebar — all present. The only modification is the install command itself, which replaces the legitimate Anthropic endpoint with an attacker-controlled domain. Push Security confirmed the C2 domain claude[.]update-version[.]com was used to deliver the Amatera payload.

Stage 3 — Platform-Specific Execution

On macOS, the malicious one-liner pulls a second-stage script from an attacker-controlled domain using a base64-encoded payload — designed to look like noise rather than a readable command string.

On Windows, the command abuses mshta.exe — a legitimate Microsoft utility for executing HTML applications — to retrieve the malware and triggers conhost.exe to support execution of the final Amatera payload.

Stage 4 — Amatera: Full Credential Harvest

Amatera is not a blunt instrument. It targets specifically:

• Browser saved passwords, cookies, and session tokens

• Autofill data

• Cryptocurrency wallet contents and keys

• General system profiling data

The session token theft is the critical capability. With active session cookies, attackers can authenticate directly to cloud dashboards, AWS consoles, internal admin panels, CI/CD platforms, and SaaS tools — without ever needing a password. No phishing required. No MFA prompt triggered. The session is already authenticated.

Amatera communicates with its C2 using hardcoded IP addresses belonging to legitimate CDNs, making the traffic nearly impossible to block without also disrupting legitimate services. Its evasion techniques include direct NTSockets for C2 communication, dynamic API resolution with WoW64 Syscalls, and multi-stage infection chains with dynamic payload delivery.

Stage 5 — The Cover-Up

After infection, the fake page redirects the victim to the legitimate Claude Code site. A developer who followed the instructions and then sees the real Anthropic documentation loads normally has no reason to believe anything went wrong. The infection is silent. The redirect is seamless. The attacker moves on.

This Is Bigger Than One Page

Push Security identified this as a campaign architecture, not a single incident. Beyond the Claude Code clone, researchers found:

• Fake Homebrew installation pages delivering the Cuckoo infostealer using the same copy-paste install command mechanic

• Malicious npm packages impersonating Claude Code’s official package name, targeting developers who trust or mistype a package name

• Fake Claude artifacts posted directly to claude.ai’s own domain — user-generated content that inherits the domain’s trust — containing malicious terminal commands disguised as macOS utilities, promoted via Google Ads and viewed over 15,000 times before takedown

The pattern is structural. Four out of five ClickFix-style lures are now distributed via search engines, according to Push. Any popular tool with a copy-paste install command and a clonable documentation page is a target.

The Underlying Problem

The current web security model, as Push frames it, “boils down to ‘trust the domain.’” Developers have been trained to validate the URL and trust the content. InstallFix operates entirely within that trust boundary — the malicious page lives on a clean domain, uses legitimate CDN hosting, and serves content that is visually indistinguishable from the real thing.

The threat is compounded by the democratization of developer tooling. Claude Code, like many CLI tools, is now being installed by non-developers — product managers, analysts, operators — who have even less context for evaluating whether an install command looks suspicious. The attack surface is expanding as the tools expand their audience.

What To Do Now

For developers and engineers:

• Never trust Google sponsored results for CLI tool installation. Navigate directly to the official documentation domain — for Claude Code, that’s docs.anthropic.com. Treat any sponsored link for a developer tool as potentially malicious.

• Read the install command before running it. If the domain in the command isn’t the official one, stop. The legitimate Claude Code install command points to Anthropic infrastructure — not to update-version[.]com or any other third-party host.

• Audit your active sessions. If you’ve recently installed Claude Code or any CLI tool via a command copied from a search result, rotate your credentials, invalidate active sessions, and treat your browser credential store as potentially compromised.

For security teams:

• Hunt for mshta.exe spawning unexpected child processes — a reliable indicator of InstallFix execution on Windows endpoints.

• Monitor for outbound connections to claude[.]update-version[.]com and flag base64-encoded payloads being piped through curl on macOS endpoints.

• Treat npm package installs and curl-to-bash commands as execution events worth logging, especially in developer environments with cloud credential access.

What Happened

In December 2025, Zscaler ThreatLabz uncovered a new campaign by APT37 — the DPRK-backed espionage group also known as ScarCruft, Ruby Sleet, and Velvet Chollima. The campaign, named Ruby Jumper, introduces five previously undocumented malware tools designed to do one thing: move data and commands between internet-connected machines and systems that have never touched a network.

Air-gapped computers — the kind used in military installations, nuclear facilities, classified R&D labs, and critical infrastructure — are isolated at the hardware level. No Wi-Fi. No Ethernet. No Bluetooth. The only way in has always been physical. APT37 built an entire automated toolkit around that fact.

The result is a fully operational framework that turns any shared USB drive into a covert two-way command channel — invisible to network monitoring tools, invisible to cloud security stacks, and nearly invisible to the users carrying the drive between machines.

The Attack Chain

Stage 1 — Initial Access: The LNK File

The infection begins with a malicious Windows shortcut (.LNK) file, APT37’s signature entry vector. When opened, it silently launches PowerShell and a two-stage shellcode loader. Each stage decrypts the next using a single 1-byte XOR key, injecting code into a legitimate Windows system process to evade detection.

Stage 2 — RESTLEAF: The First Implant

RESTLEAF establishes the first foothold. It connects to Zoho WorkDrive — a legitimate cloud storage service — using hardcoded OAuth tokens to authenticate and pull further shellcode. This is the first documented instance of APT37 abusing Zoho’s platform. Because the traffic looks like routine SaaS usage, it blends seamlessly into enterprise environments. RESTLEAF creates timestamped “lion”-prefixed beacon files in a WorkDrive folder named “Second” to signal operator availability.

Stage 3 — SNAKEDROPPER: The Ruby Trojan

RESTLEAF loads SNAKEDROPPER, which silently installs a fully self-contained Ruby 3.3.0 runtime into %PROGRAMDATA%\usbspeed. The legitimate rubyw.exe binary is renamed to usbspeed.exe to masquerade as a USB utility. SNAKEDROPPER then:

• Hijacks Ruby’s auto-loaded operating_system.rb so malicious logic runs every time the interpreter starts

• Establishes a scheduled task named rubyupdatecheck that fires every five minutes for persistence

• Drops additional Ruby-named binaries that actually contain shellcode payloads

Stage 4 — THUMBSBD: The Air Gap Bridge

This is the operational centerpiece of Ruby Jumper. THUMBSBD acts as a covert relay, using removable media as a bi-directional command channel between the infected internet-connected machine and any air-gapped system.

When a USB drive is inserted into the infected internet-facing machine, THUMBSBD copies staged command files into a hidden $RECYCLE.BIN directory on the drive — a location invisible under default Windows Explorer settings. When that same drive is plugged into an air-gapped machine (also running THUMBSBD), the implant:

1. Reads files from the hidden $RECYCLE.BIN

2. Decrypts them using XOR key 0x83

3. Executes the operator’s commands: file exfiltration, system reconnaissance, arbitrary execution

4. Stages results back into $RECYCLE.BIN on the drive

When the USB is returned to the internet-connected machine, THUMBSBD exfiltrates the results to the cloud C2. The USB drive has become a fully automated, human-unaware command-and-control relay.

Stage 5 — VIRUSTASK: The Spreader

VIRUSTASK ensures the infection doesn’t stop at one air-gapped machine. When removable media is inserted, it:

• Checks for at least 2GB of free space before proceeding

• Creates a hidden folder named $RECYCLE.BIN.USER at the drive root (mimics Windows Recycle Bin, invisible by default)

• Hides all legitimate user files and replaces them with identically named LNK shortcuts

• When an unsuspecting user on a new machine opens what they believe is their own file, they launch the Ruby runtime — infecting the new host

Stage 6 — FOOTWINE + BLUELIGHT: Full Surveillance

Once access is established, THUMBSBD delivers FOOTWINE — a Windows backdoor disguised as an Android APK (foot.apk). FOOTWINE provides full surveillance capability:

• Keylogging

• Screenshot capture

• Audio and video recording (microphone + camera)

• File and registry manipulation

• Remote shell access

• Encrypted C2 over a custom XOR-based TCP protocol

The older BLUELIGHT backdoor — a long-standing APT37 tool — also deploys here, using Google Drive, OneDrive, pCloud, and Backblaze as C2 channels. Its use confirmed Zscaler’s attribution to APT37.

Why This Is Different

Air gap attacks are not new. Stuxnet did it in 2010. What makes Ruby Jumper operationally significant is the automation and scale.

Most air gap attacks require a human insider to physically carry a compromised device. Ruby Jumper removes the human element from the relay. Any shared USB drive — carried by a well-intentioned IT staffer, a contractor, or an engineer transferring files for patching — becomes an automated C2 relay without the carrier ever knowing. The malware self-propagates to new air-gapped hosts through VIRUSTASK, meaning a single infected drive can compromise an entire secure enclave over time.

The choice of cloud services as C2 — Zoho, Google Drive, OneDrive — is equally deliberate. These are services that organizations actively whitelist. Blocking them would break business operations. APT37 is exploiting the operational dependency organizations have on legitimate SaaS platforms.

Who Is APT37?

APT37 (ScarCruft / Ruby Sleet / Velvet Chollima) is a DPRK state-sponsored cyber espionage group active since at least 2012. Historically focused on South Korean government entities, defense organizations, and individuals of interest to Pyongyang, the group has expanded its targeting to include critical infrastructure operators, research institutions, and international policy organizations.

Ruby Jumper represents a significant capability investment — the development of five entirely new malware tools, each engineered for a specific role in a complex multi-stage chain. This is not opportunistic crime. This is a deliberate, patient, state-funded operation targeting organizations that believed their air gap made them unreachable.

Indicators of Compromise

Certainly! Here is the list in a standard Markdown list format, with the indicators formatted as code blocks for easy individual copying:

Host Indicators

• Indicator: 709d70239f1e9441e8e21fcacfdc5d08

  • Filename: (None)

  • Description: Windows shortcut

• Indicator: ad556f4eb48e7dba6da14444dcce3170

  • Filename: viewer.dat

  • Description: Binary (Shellcode+RESTLEAF)

• Indicator: 098d697f29b94c11b52c51bfe8f9c47d

  • Filename: (None)

  • Description: Binary (Shellcode+SNAKEDROPPER)

• Indicator: 4214818d7cde26ebeb4f35bc2fc29ada

  • Filename: ascii.rb

  • Description: Binary (Shellcode+ThmubsBD)

• Indicator: 5c6ff601ccc75e76c2fc998o8d8cc9a9

  • Filename: bundler_index_client.rb

  • Description: Binary (Shellcode+VIRUSTASK)

• Indicator: 476bce9b9a387c5f39461d781e7e22b9

  • Filename: foot.apk

  • Description: Binary (Shellcode+FOOTWINE)

• Indicator: 585322a931a49f4e1d78fb0b3f3c6212

  • Filename: footaaa.apk

  • Description: Binary (Shellcode+BLUELIGHT)

What To Do Now

For air-gapped / high-security environments:

• Implement hardware-level USB port controls — restrict which devices can connect and to which systems

• Enforce a clean USB policy: drives that touch internet-connected systems must never enter air-gapped environments without a sanitization workflow

• Monitor for the rubyupdatecheck scheduled task and audit all newly created scheduled tasks

• Hunt for %PROGRAMDATA%\usbspeed and hidden $RECYCLE.BIN.USER directories on endpoints and removable media

For all enterprise environments:

• Audit cloud storage access from endpoints — Zoho WorkDrive, Google Drive, OneDrive, pCloud, Backblaze are all being abused as C2

• Inspect LNK files in email attachments and downloaded content — APT37 consistently uses malicious shortcut files as the first entry point

• Monitor for usbspeed.exe, unusual Ruby runtime processes, and operating_system.rb modifications

• Block or alert on HKCU\SOFTWARE\Microsoft\TnGtp registry key creation
  

Source: Zscaler ThreatLabz

There is a category of threat that keeps national security officials awake at night — not the nation-state hacker probing systems from a Moscow apartment, but the cleared insider who walks through the front door every morning, past the badge reader, into the vault. Peter Williams was that threat.

A 39-year-old Australian national and former senior employee at L3Harris — one of the United States’ premier defense technology contractors — Williams has been sentenced to 87 months in federal prison for selling eight zero-day exploits to Operation Zero, a Russian exploit broker, over a three-year period between 2022 and 2025. The price: up to $4 million in cryptocurrency, spent on properties, luxury watches, clothing, and jewelry.

The tools he sold were not his to sell. They were developed exclusively for the U.S. government and select allies. And according to the DOJ sentencing memorandum, they were capable of being “used against any manner of victim, civilian or military around the world” — enabling everything from ransomware to “state directed spying and offensive cyber operations against military targets.”

He didn’t steal a spreadsheet. He sold the cyber equivalent of a loaded gun pointed at millions of devices — and handed it to Russia.

Who Is Operation Zero?

Operation Zero — now officially sanctioned by both the U.S. State Department and Treasury’s OFAC — is not a shadowy dark-web forum. It is a structured, commercially operating exploit brokerage based in Russia, run by Sergey Sergeyevich Zelenyuk, who also created a parallel entity called Special Technology Services LLC (STS) registered in the UAE — almost certainly to circumvent sanctions on Russian banking.

The numbers on Operation Zero’s published bounty board tell you everything about who their customers are:

• $4 million for Telegram exploits

• $20 million for full-chain Android or iPhone remote code execution

These are not bug bounty prices. These are nation-state prices. Zelenyuk has openly stated Operation Zero sells exclusively to non-NATO countries — a business model that is, in plain terms, the commercialization of offensive cyber capability for foreign intelligence services.

The Treasury has now sanctioned Zelenyuk, Operation Zero, STS, and four associated individuals and entities — including Oleg Kucherov, suspected of TrickBot gang membership, and Azizjon Mamashoyev, who ran a parallel exploit brokerage called Advance Security Solutions offering bounties for U.S.-built software vulnerabilities.

At least one of the tools Williams sold has already been transferred to an unauthorized user.

The Scale of What Was Lost

L3Harris has quantified its losses at $35 million. That is the financial damage — the cost of rebuilding, revoking, and replacing eight compromised exploit tools that were supposed to be among the U.S. government’s most closely held offensive capabilities.

The true cost cannot be measured in dollars. Zero-day exploits developed for national defense represent years of research, sophisticated vulnerability discovery, and controlled operational security. Once sold, they cannot be unsold. Once in Russian hands, they can be:

• Repurposed for espionage operations against U.S. allies

• Analyzed to understand how U.S. offensive capabilities work and how to defend against them

• Resold to additional state actors — Operation Zero’s business model is brokerage, not exclusivity

Williams didn’t just betray his employer. He inverted his entire professional purpose. These tools existed to protect — and he converted them into weapons for sale.

The Sanctions Web

The U.S. State Department’s designation of Operation Zero under the Protecting American Intellectual Property Act (PAIPA) and Treasury’s OFAC sanctions represent a coordinated whole-of-government response that goes beyond the criminal prosecution. The message is structural: not just “we jailed the seller,” but “we are dismantling the buyer.”

The sanctions freeze assets, block transactions, and expose anyone doing business with Operation Zero to secondary sanctions risk. The UAE-based STS entity being included in the designation signals that the U.S. is willing to pursue the sanctions evasion infrastructure, not just the primary actors.

Source: U.S. Department of Justice - https://www.courtlistener.com/docket/71644575/united-states-v-williams/

Figure Technology Solutions, a fintech giant leveraging the Provenance blockchain for lending and securities, has just become the latest trophy for the notorious ShinyHunters extortion group. While the company boasts about “unlocking $22 billion in home equity” with cutting-edge tech, their perimeter was breached by the oldest trick in the book: Social Engineering.

The result? 967,200 accounts exposed.

The “Low-Tech” Hack

According to reports confirmed by BleepingComputer and Have I Been Pwned, the breach wasn’t a result of a cracked private key or a smart contract failure. It was a human failure.

An employee was tricked—likely through a targeted voice phishing (vishing) or spear-phishing campaign—into handing over the keys to the kingdom. This mirrors ShinyHunters’ recent modus operandi, where they impersonate IT support to trick staff into entering credentials and MFA codes on fake portals.

Once inside, the attackers didn’t need to break encryption; they just needed to “authorized” access to download the files.

The Loot: A Phisher’s Goldmine

The data, which dates back to January 2026, is a complete starter kit for identity theft. The 2.5GB leak includes:

• Full Names

• Physical Addresses

• Phone Numbers

• Dates of Birth

• 900,000+ Unique Email Addresses

While Figure claims only a “limited number of files” were taken, the nature of this data means the victims are now prime targets for secondary attacks. If you were a customer, expect your phone to start ringing with very convincing scammers who know exactly who you are.

The SSO Weakness

This breach is part of a larger, disturbing trend targeting Single Sign-On (SSO) infrastructure. Attackers like ShinyHunters have realized that breaking into Okta or Microsoft 365 accounts via an employee is significantly easier than finding a zero-day vulnerability in the software stack.

The Lesson: You can build your castle on the blockchain, but if the gatekeeper opens the door for a stranger in a nice suit, you are still getting robbed.

• Verify the Caller: IT support will never ask for your MFA code.

• Hardware Keys: It is time to move beyond SMS and App-based MFA to FIDO2 hardware keys (YubiKeys) that are phishing-resistant.

• Assume Breach: If you are a Figure user, lock your credit reports now.
  

CodeAintel Insight: The Figure breach proves that in 2026, the most dangerous vulnerability in the fintech ecosystem isn’t in the code—it’s in the cubicle. We are seeing a shift where “hacking” is becoming synonymous with “asking nicely.”

Your biometric data isn’t the only thing the Oura ring can connect to anymore—now, it might be the gateway for an infostealer.

A sophisticated new SmartLoader campaign has been uncovered, targeting the emerging world of AI agents. By poisoning the trust-based infrastructure of Model Context Protocol (MCP) servers, threat actors have found a way to turn developer-focused health-tech tools into delivery vehicles for the StealC infostealer.

This isn’t just a malware drop; it’s a long-con in supply chain poisoning.

Manufactured Credibility: The Four-Stage Heist

Unlike low-effort phishing, the SmartLoader operators invested months into building a “reputation” on GitHub. According to Straiker’s STAR Labs, the attack exploited the trust heuristics developers use when evaluating new AI tools.

The Blueprint of Deception:

1. Identity Farming: The attackers created at least five fake GitHub personas (including YuzeHao2023 and punkpeye) to fork the legitimate Oura MCP server repository.

2. The Payload Shell: A new account, SiddhiBagul, was established to host the “poisoned” version of the server containing the malicious SmartLoader code.

3. Contributor Laundering: The fake personas were added as “contributors” to the rogue repository, creating a false sense of community activity and legitimacy.

4. Marketplace Poisoning: The trojanized server was then submitted to MCP Market, a legitimate registry. Users searching for ways to connect their AI assistants to their Oura Health data found the rogue server listed alongside benign options.

   

The Payload: StealC Infostealer

Once a developer or high-value target downloads the ZIP archive and launches the server, an obfuscated Lua script executes. This drops the SmartLoader malware, which in turn deploys StealC.

StealC is a highly efficient infostealer designed to vacuum up:

• Browser Credentials: Saved passwords and cookies.

• Crypto Wallets: Direct targeting of browser-based and desktop wallet files.

• Developer Assets: The true “prize” in this campaign—API keys, cloud credentials, and access to production environments.

The AI Attack Surface

The SmartLoader campaign marks a pivotal shift in threat actor strategy. They are moving away from users looking for pirated software and moving toward developers and AI enthusiasts.

• The Trust Gap: Legitimate registries like MCP Market often lack the rigorous automated vetting found in more mature ecosystems (like the App Store), allowing “patient” threat actors to slip through.

• Targeting the Architect: Developers hold the keys to the kingdom. By infecting a developer’s machine, an attacker gains a foothold into entire corporate infrastructures and production pipelines.

• AI Tooling as a Blind Spot: Organizations are rushing to integrate AI agents (like Claude or GPT-4) with local data via MCP. This rush creates a “security vacuum” where tools are installed without formal review.

CodeAintel Insight: The Oura MCP attack proves that “credibility” can be manufactured with a few fake accounts and enough time. In the age of AI agents, your security is only as strong as the most obscure server in your registry. Verify the origin, inventory your MCPs, and never trust a contributor list at face value.

A new mobile spyware platform, dubbed ZeroDayRAT, has emerged on Telegram, offering a suite of surveillance tools that were once the exclusive domain of elite nation-state signal intelligence (SIGINT) units. For a fee, any buyer can now gain full, real-time access to a target’s digital and physical life through a self-hosted browser panel.

It’s not just a data stealer. It’s a total takeover of the person behind the screen.

The “Everywhere” Exploit: Android 5 to iOS 26

The technical reach of ZeroDayRAT is staggeringly broad. While many RATs (Remote Access Trojans) struggle with version updates, ZeroDayRAT is built for longevity:

• Android: Supports version 5 all the way through the upcoming Android 16.

• iOS: Supports versions up to iOS 26, leveraging enterprise provisioning profiles to bypass the App Store’s “Walled Garden.”

Distributed via social engineering and malicious “updates” on Telegram and fake marketplaces, the malware generates a custom binary for each target. Once installed, the attacker doesn’t just see files—they see a live dashboard of the victim’s existence.

The Real-Time Panopticon

ZeroDayRAT transforms a smartphone into a 24/7 surveillance beacon. The command-and-control (C2) panel provides:

• Live Eyes and Ears: Remote activation of camera streaming and microphone feeds.

• GPS Stalking: Real-time location plotting on Google Maps with a full historical breadcrumb trail.

• Keystroke Logging: Every password, message, and search query is recorded before it’s even sent.

• Identity Mapping: The “Accounts Tab” enumerates every registered service—WhatsApp, Google, Facebook, Amazon, and banking apps—linking the device to the victim’s entire digital footprint.

Financial Warfare: Bypassing 2FA and Draining Wallets

ZeroDayRAT isn’t content with just watching; it’s designed to loot. The toolkit includes a sophisticated Bank Stealer and Crypto-Wallet Hijacker.

1. OTP Interception: By monitoring SMS in real-time, the malware intercepts One-Time Passwords (OTPs), effectively neutralizing Two-Factor Authentication (2FA).

2. Clipboard Substitution: The malware scans for wallet apps like MetaMask and Binance. When a user copies a crypto address, the RAT replaces it with the attacker’s address in the clipboard.

3. Payment App Takeover: It targets mobile payment ecosystems like Apple Pay, Google Pay, PayPal, and regional giants like India’s PhonePe (UPI).

The emergence of ZeroDayRAT represents a dangerous shift in the threat landscape.

Why this matters:

• The Zero-Trust Necessity: If you are not verifying the origin of every “update” or “enterprise profile,” you are inviting an adversary into your pocket.

• Biometrics vs. Keystrokes: While biometrics (FaceID/TouchID) are secure, the RAT logs the interaction after the vault is open.

• The Telegram Shadow Market: The transition of these tools from private “zero-day” exploits to Telegram-accessible subscription models means the number of potential attackers has increased by an order of magnitude.

  
  Source: https://iverify.io/blog/breaking-down-zerodayrat---new-spyware-targeting-android-and-ios

When SpaceX and the Ukrainian government finally pulled the plug on unauthorized Starlink terminals used by Russian forces, the frontline went dark. Communications collapsed, drone feeds flickered out, and Russian units—desperate to restore the one Western technology they can’t live without—started looking for a workaround.

They found one. Or so they thought.

The “Activation” Trap

Ukrainian hacktivists from the 256th Cyber Assault Division, working alongside InformNapalm, didn’t just wait for the Russians to scramble; they built the net.

They launched a network of fake Telegram channels and “activation bots” promising a way to bypass the new Ukrainian “whitelist” registration system. For a modest fee, the bots promised to register illicit terminals under “safe” Ukrainian identities, keeping the dishes online.

The Russians took the bait. In less than seven days:

• 2,420 data packages were harvested, containing serial numbers and precise GPS coordinates of Russian Starlink terminals.

• $5,870 in “fees” was siphoned directly from Russian soldiers’ pockets into funds for the Ukrainian Defense Forces.

• 31 local collaborators (potential “drops”) were identified and handed over to law enforcement.

  

From “Online” to “Brick Mode”

The operation didn’t just harvest data—it weaponized it. The 256th Division confirmed they passed the technical identifiers to Ukrainian drone logistics advisor Serhiy Sternenko.

The goal? “Brick Mode.” By identifying the exact digital signatures of the terminals being used by the enemy, Ukraine and SpaceX can remotely disable the hardware permanently. But before the “kill switch” is flipped, those GPS coordinates are being used for something much more immediate: kinetic strikes. In the world of electronic warfare, if you can see the terminal, you can see the command post.

The Fatal Breach: Why OPSEC is Must

In the intelligence community, there is a saying: “The easiest way to get into a locked building is to have the owner open the door.” This operation succeeded because Russian frontline units prioritized immediate tactical convenience over long-term Operational Security (OPSEC).

By engaging with unverified third-party bots to register military hardware, Russian forces violated the most fundamental rules of digital warfare:

1. Trusting the “Grey Market”: In a conflict zone, there is no such thing as a “friendly” unauthorized service. By seeking a workaround for SpaceX’s restrictions, the users handed their hardware’s unique identifiers directly to the adversary.

2. GPS as a Weapon: A Starlink terminal is a beacon. By attempting to “spoof” location data through an unsecure bot, the operators inadvertently confirmed their exact positions. In the age of precision artillery, Location Data = Targeting Data.

3. The “Convenience Trap”: The desire to maintain a high-bandwidth connection for drone feeds created a psychological blind spot. The 256th Division exploited the “user experience” of a soldier—making the fake bot look and feel like a standard service—to bypass their survival instincts.

CodeAintel Warning: OPSEC isn’t just about hiding secrets; it’s about managing the digital footprint of your hardware. When a soldier treats a military comms device like a personal smartphone, they aren’t just compromised—they are categorized and neutralized.

Technical Brief: The Link Between Identity and Location

For a Starlink terminal to function, it must maintain a constant handshake with the satellite constellation. This process creates a “Digital ID” that is nearly impossible to fake once it is flagged:

• Terminal ID (Hardware SN): Each dish has a unique serial number burnt into its hardware.

• GNSS Integration: Every terminal contains a GPS/GNSS module to orient its phased-array antenna.

• The Handshake: SpaceX sees which Serial Number is requesting data from which GPS Coordinate.

By submitting their SN to the fake Ukrainian bot, the Russian operators essentially signed their own death warrants, allowing the SBU to cross-reference that ID with active satellite pings.

The Vulnerability That Refused to Stay Dead

On January 26, 2026, Microsoft issued an urgent out,of,band update to address a high,severity security bypass in multiple Office releases. This wasn’t a garden,variety bug, it undermines the way Office makes trust decisions when handling untrusted inputs, creating an opening for attackers to slip malicious content past built,in mitigations.

The patch was pushed rapidly, and in some modern Office builds the fix was applied server,side, meaning users often only needed to restart the app to be protected.

But the flaw’s “death” was greatly exaggerated.

Weaponizing the Patch Window

Within just three days, seasoned operators linked to Russia’s GRU,associated APT28 (a.k.a. Fancy Bear) had already weaponized the bug in a multi,stage espionage campaign observed in the wild.

CERT,UA, Ukraine’s Computer Emergency Response Team, first reported malicious DOC emails exploiting the flaw arriving in government networks mere days after Microsoft’s alert. Some lures spoofed EU COREPER consultations while others masqueraded as messages from official meteorological services.

This wasn’t opportunistic spam, it was timed precision targeting:

• The exploit chain begins with carefully crafted Office documents.

• A WebDAV,based fetch mechanism triggers a malicious DLL via classic COM/OLE hijacking.

• Shellcode, hidden inside innocuous images, unpacks and runs a COVENANT,based loader.

• From there, persistent backdoors and additional espionage tools can be deployed.

In campaign forensics, this constellation of techniques , WebDAV, COM hijack, image,embedded shellcode, and a COVENANT framework , mirrors methods APT28 has used before.

More Than “Just Another Exploit”

What makes this episode notable isn’t simply that attackers exploited a patched bug, it’s how fast and how seamlessly. In past eras, patch deployment alone might have bought defenders weeks of head,start. Here, defenders were already playing catch,up before the ink on Microsoft’s advisory dried.

This dynamic underscores a broader shift in nation,state cyber operations:

• Speed over stealth: Exploiting known patches painlessly expands attacker reach while keeping operational risk low.

• Infrastructure recycling: The evidently reused loader components from prior campaigns show how adversaries optimize toolchains rather than reinvent them.

• Hybrid lure engineering: Phishing documents themed to real geopolitical events aren’t random, they increase credibility and click,rates.

This is state espionage at its most refined: agile, opportunistic, and procedurally normalized.

APT28: Back in the Cyberespionage Fast Lane

APT28 has been a fixture in Russia’s cyber arsenal for nearly two decades, with documented operations spanning from DNC breaches to European defense,sector intrusions. Their consistent ability to pivot between sophisticated intrusion sets and rapid exploit adoption makes them a bellwether for adversary behavior.

Now, with a newly minted exploit chain under their belt , retooled within days of disclosure , APT28 is demonstrating that “patched” is no longer reliable shorthand for “safe.”

What Defenders Must Do Now

Patch quickly, but verify thoroughly. Applying Microsoft’s updates is necessary but not sufficient. Many environments still lag behind or fail to restart affected applications, leaving gaps in protection.

Harden Office workflows:

• Disable legacy protocols where possible.

• Alert on abnormal WebDAV fetch behavior.

• Restrict Office document macros and isolated content execution.

Monitor for C2 and beaconing traffic. The use of cloud services tied to COVENANT infrastructure, if present, should be flagged and evaluated.

Assume exploitation windows are shrinking. This incident is more than a patch story, it’s a warning: the time between disclosure and exploitation is now measured in days, not weeks or months.

The Last Word

This wasn’t just another Office bug, it was a tactical foothold seized by one of the world’s most persistent espionage groups. In the evolving threat landscape, the real vulnerability isn’t just in the code, it’s in the assumption that patching buys safety.

In the age of rapid exploit chaining and agile nation,state actors, defenders must treat every vulnerability as already weaponized and every patch as the starting signal for the next attack.

In the days leading up to the UN General Assembly, the Secret Service’s Advanced Threat Interdiction Unit executed a coordinated takedown :

• 300+ SIM servers seized
  

• 100,000 SIM cards pulled from circulation
  

• Safehouses raided across New York, New Jersey, Connecticut

The network wasn’t tucked away in dark-web forums. It was staged inside apartments, offices, and storage units within a 35-mile radius of Manhattan. Right where heads of state were converging:

What the Network Was For

At minimum, it was already used to push anonymous threats against U.S. officials. But the architecture suggests more than harassment:

• Telecom disruption. SIM farms at this scale can flood towers, overload signaling channels, or degrade service across a region.

• Anonymized C2. Rotating SIM cards in hundreds of servers = perfect cover for command-and-control, blending into the noise of carrier traffic.

• Spoofed identities. From SMS phishing to fake caller IDs, the infrastructure could impersonate anyone, anywhere.

This was less about “SIM fraud” and more about bending the backbone of communications.

Nation-State Shadows

The Hacker News cites investigators linking the traffic to known state operators and persons of interest to law enforcement . The Secret Service avoided naming a country, but the inference is clear: hostile intelligence services were active in the loop.

Think about it:

• Renting dozens of properties across tri-state costs money.

• Procuring, shipping, and syncing 300 SIM servers costs even more.

• Stashing 100,000 SIMs requires logistics networks, shell companies, laundering.

This wasn’t a hobbyist farm. It was a funded project, staged near one of the highest-value diplomatic events on the planet.

The Bigger Play

Ask the harder questions:

• Were these SIM safehouses meant to blind or jam networks during a UN crisis?

• Were they serving as covert comms nodes for agents in-country?

• Or were they a masking layer, allowing hostile actors to deliver threats and misinformation while hiding behind U.S. phone numbers?

Whatever the intent, the optics are the same: pre-positioning telecom weapons inside the host city of the UN is escalation.

Why It Matters

• Telecom is soft underbelly. We secure endpoints, patch servers, scan emails, but the SIM layer remains an afterthought. This case shows it’s an exploitable battlefield.

• Hybrid ops, cheap tools. A SIM farm is deniable, disposable, and globally scalable. Pair it with state sponsorship, it turns into infrastructure terrorism.

• Signal to adversaries. The takedown isn’t just enforcement, it’s deterrence. The U.S. just drew a line: deploy infrastructure near critical diplomatic events, expect it to be burned.

The Last Word

300 servers, 100,000 SIMs, empty safehouses — all hidden in plain sight. The Secret Service dismantled this one, but it won’t be the last.

The blueprint is simple: weaponize telecom, cloak operations in fraud infrastructure, and wait for the right moment to flip the switch.

We’ve entered a new phase where the real threat isn’t malware in your inbox, it’s the phantom network humming quietly in a storage unit down the block.

Two arrests in the UK, teenagers accused in the Transport for London hack, should change how we describe modern cybercrime. This isn’t a story about glorified script kiddies, it’s about a business model: fast, modular, global, and run by people who learned to scale damage before they turned 20.

What happened, at a glance

• UK law enforcement arrested two young men linked to the August 2024 attack on Transport for London (TfL). One suspect, already on the radar, now faces fresh allegations tying him to dozens of other intrusions.

• U.S. prosecutors have also filed charges alleging involvement in wide ranging intrusions across hundreds of victims and $100M+ in criminal proceeds.

• TfL initially downplayed impact, later disclosures admitted names, contact info and addresses were accessed, a public service breach that hits trust more than ticketing.

This is not noise, it’s a pattern.

Why the arrests matter

We’ve been telling a familiar story for a decade: criminals are organized, attacks are professional, and nation state tradecraft is being repurposed for profit. These arrests flip the script in two ways:

1. Youth as capability vector. Teenagers aren’t just being radicalized by forums, they’re building, operating, and monetizing criminal infrastructure. Tools, access, and money move fast, age no longer limits impact.

2. Transnational markets are maturing. The alleged scope, cross border breaches, laundering, and payoffs, reads like a corporate operation. Wallets, comms, clean up teams. This is not ad hoc vandalism, it’s a service economy.

   

Read the signals, not the headlines

A few cautious points that matter for defenders:

• Scope vs. role. Arrests of individuals don’t always equal disruption of the whole network. Were these actors operators, facilitators, or hired muscle? Expect more indictments, the infrastructure trails money.

• Data vs. disruption. Public transit hacks are reputational poison. Even if core systems weren’t destroyed, access to passenger PII and operational telemetry is enough to sow chaos and blackmail.

• Legal complexity. Cross border prosecutions, evidence chains, and extraditions are messy. The DOJ’s involvement signals seriousness, and that investigators found forensic breadcrumbs tying activity to U.S. victims.

The tactical picture (what they likely did)

We don’t have a full playbook from the indictments yet, but patterns repeat:

• Phishing and credential stuffing are default first steps, low cost, high yield.

• Ransomware and double extortion are now services: encrypt, and threaten to leak PII.

• Money funnels: crypto mixers, layered transfers, and cashouts through complicit vendors.

• Specialized roles: initial access brokers, extortion managers, money laundering facilitators. Teens can play any of these roles, and often do several at once.

Systemic consequences (not just for TfL)

• Public infrastructure is soft prey. Transit systems, hospitals, utilities, high social impact, weak incentives to fully modernize security. Attackers know this balance.

• The youth problem won’t be solved by arrests alone. The on ramp is information: marketplaces, leak forums, and permissive comms channels. Arrests remove actors, not the platform economy that trains them.

• Insurance and regulation will harden. Expect supply side shock: insurers tighten policies, governments demand stricter baseline controls for critical services. That’s necessary, and insufficient without enforcement.

  

  
  

The last word

This isn’t a morality tale about kids who made bad choices, it’s a systems failure: marketplaces that teach, profit structures that reward scale, and public services that still treat cybersecurity as a checkbox.

Arrests are necessary, but they are not a cure. If we want fewer headlines like this one, we must treat cybercrime as a full spectrum societal problem, technical, legal, financial, and social, and act like it.

It Was Never About Firewalls

You can bolt a vault door to your server room,
hire a million-dollar SOC to watch the blinking lights,
write policies that look good on paper.
But the weakest link isn’t in your stack,
it’s wearing your lanyard.

One underpaid, overlooked IT guy,
one signal on Telegram,
one number that makes his rent go away.

That’s how $140 million walks, not hacks,
straight out the front door.

The Setup

No custom malware, no sophisticated exploit,
just a soft spot nobody locked down.

C&M Software, boring middleware shop,
the bridge wiring six banks into Brazil’s instant payment rails, PIX.
One guy on their payroll, João Roque, had the keys,
the only exploit they needed.

They slid him R$15,000, barely a few months’ pay,
he handed over root,
they waited for the 4 AM lull,
pumped fake wires,
by sunrise R$800M — $140M USD — gone across six banks.

The Escape Route

Money didn’t sit in a checking account,
it moved fast.
Crypto is the getaway car,
USDT, Bitcoin, mixers, Latin American OTC desks.
The Central Bank slammed the door, froze some wallets,
but $40 million is still floating in dark pockets.
João confessed, now he’s in handcuffs,
but the money won’t walk back.

Why It Hurts

Everyone talks big about APTs, ransomware, zero-days.
But the real APT is a pissed-off human who knows your system better than you do.
The dev who built it knows where the logs don’t reach,
which switches no one ever looks at,
how to bury the bomb under your nose.

They just need the right number on a burner phone.

Burn This In

This isn’t fear porn,
it’s reality for anyone touching money at scale.

Root is gold,
your auditors check configs and firewalls,
but who checks who really has root?
And why?
Prune it, rotate it, kill it when they walk out the door.

Vendors equal blast radius,
C&M wasn’t malicious, just convenient.
One vendor wired six banks straight to the treasury,
good for uptime, great for a heist.
Segment trust, add kill switches,
your outsourced bridge should never hold your entire lifeline.

4 AM should scream,
$140 million bled out when nobody was looking.
Big, weird flows in the dead zone should never clear on autopilot,
wake up a human, make them sign off.

Crypto forensics is survival,
“crypto is untraceable” is a bedtime story.
If you don’t have a chain sleuth ready to go,
you’re too late.

The CodeAIntel Take

$140 million didn’t get hacked,
it got invited out by someone trusted, bored, and broke.
Your next breach won’t come from the dark web,
it’ll come from the guy you gave root and forgot to watch.

Stay paranoid,
trust slow,
audit deep,
and remember, nobody needs a mask when they have the keys.

This new FBI/NSA/CISA/DoD alert doesn’t break new ground — it confirms what everyone paying attention already knew:
Hack-and-leak ops are still the game. And they’re not stopping just because the front page did.

How It Went Down

No fancy zero-days, no nation-state black magic.
Same old playbook:

1. Find internet-facing OT boxes, water plants, energy, food supply, hospitals.
2. Poke at them with Shodan, default creds, dusty CVEs from 2017.
3. Pull the data, deface the site, dump the leaks on Telegram.

Instant headlines.

You don’t need an APT toolkit when your target is running factory passwords in 2025.

Why It Hits Harder Than You Think

These “hacktivists” aren’t random kids with a Telegram channel,
They’re IRGC units with a playbook:

• Shake public trust

• Embarrass anyone tied to Israel or U.S. critical infrastructure

• Use leaks and defacements as cheap PR to look bigger than they are

It’s propaganda, but it works. People see a water utility or a hospital pop up in a dump and suddenly every local news outlet picks up the “cyber attack” angle.

The Part No One Wants to Admit

The pivot’s the killer,
They don’t just grab what’s easy, they move sideways:

• From one vendor to an entire supply chain

• From old IT boxes into ICS gear no one’s watching

• From one breach to the next, reusing your stolen creds until you notice

They know half the market’s not watching OT telemetry. They know you’ll probably chase the ransomware noise instead of the real persistence.

Don’t Celebrate Too Soon

The ceasefire banners don’t mean your logs are clean,
If you’re in critical infra, water, food, energy, hospitals, this is your sign to get loud, not quiet.

Next up:

• More “patriotic leak groups” fronting for the IRGC

• More vendor chains popping like dominos

• More hack-and-leak distractions for actual hands-on persistence

The CodeAIntel Take

This is the cheapest version of hybrid warfare, and it works because we keep giving them the same old gaps: forgotten edge gear, default creds, zero segmentation.

So patch the edge gear,
Pull a Shodan on yourself before they do,
Hunt for your name in places you wish you didn’t have to,
And stop pretending OT doesn’t touch your brand, because when the water stops flowing, you’re on the front page, not them.

Silence helps them, don’t give it to them.

China’s New Weapon: SMS Phishing at Scale

While the world obsesses over advanced malware, zero-day exploits, and AI-driven reconnaissance tools, a new report reminds us that sometimes, low-tech attacks, executed at scale, can be just as devastating. Cybersecurity researchers have uncovered a China-linked smishing-as-a-service (SaaS) kit that’s being used in widespread campaigns targeting mobile users across telecom networks in Europe, Asia, and North America.

This isn’t the usual poorly-written scam. What we’re dealing with is a professionally developed infrastructure, designed to harvest credentials, session cookies, OTP codes, and forward them in real time to attacker-controlled Telegram bots.

This kit transforms phishing from a manual effort to a fully automated business model. It’s fast. It’s scalable. And it’s frighteningly effective.

How It Works: Simplicity with Speed

The attack begins with a single SMS message—clean, localized, and believable. It might impersonate your telecom provider, a delivery service, or your bank. The link inside redirects to a phishing page that’s been tailored to mimic the mobile site of the spoofed brand with near-pixel perfection.

As soon as the victim enters their information—be it login credentials, PINs, or verification codes—the data is forwarded immediately to the attacker's bot. No delays. No time to second-guess.

The result? In many cases, attackers are able to bypass MFA protections before the user even realizes they’ve been compromised. Real-time relay means the attack window is small, but lethal.

Infrastructure: Mass-Produced Deception

The kit includes:

• Dozens of pre-built phishing templates for common targets (banks, telcos, couriers)

• Real-time Telegram bot integration for automated credential forwarding

• Dynamic URL generation to evade filters and domain blacklists

• Hosting rotation scripts to keep infrastructure one step ahead of takedowns

In essence, it offers turnkey cybercrime. Even low-skilled threat actors can now run sophisticated smishing campaigns that rival state-level operations in speed and efficacy.

The kit’s infrastructure is being repurposed in campaigns that impersonate legitimate U.S. entities like toll road services, drawing unsuspecting victims into fake payment portals. The messages are short, urgent, and geographically personalized, which makes them especially convincing.

Researchers also noted the use of link shortening services, redirection layers, and geographic IP filtering to further obfuscate detection and maximize victim engagement.

Researchers discovered monetization features embedded into the kit—meaning its creators have a secondary revenue stream by selling stolen credentials on the dark web, in addition to providing "smishing kits for hire."

Attribution: A Familiar Shadow

The smishing kit contains language artifacts, Telegram handles, and behavioral patterns that strongly suggest a Chinese-speaking developer or group. This actor has been previously tied to:

• SIM-swapping crews

• Credential stuffing operations

• Dark web marketplaces selling telecom logins and OTP bypass methods

Although the motive here appears financial, the implications are geopolitical. Stolen telecom credentials can be a gateway to espionage-grade intelligence. Imagine the value of gaining access to accounts tied to government employees, executives, or infrastructure engineers.

Global Targeting, Local Deception

The key to this campaign’s success is localization. Each phishing template is tailored to:

• Match the language and branding of regional telecom operators

• Use regional SMS sender IDs to appear legitimate

• Evade detection by anti-spam filters that rely on global indicators

This regional customization leads to exponentially higher click-through and credential submission rates.

Researchers also observed that the actors use domain names closely resembling the original entities (e.g., misspelled toll road names, slight alterations to domain suffixes) which add credibility at a glance and evade common filter logic.

What You Can Do

For Security Teams:

• Implement anomaly detection for real-time token use and rapid credential changes

• Use threat intelligence feeds to block known Telegram bot endpoints and phishing domains

• Deploy SMS firewalls to inspect and block malicious message patterns

• Monitor for domain spoofing or look-alike domains registered in bulk

For Users:

• Never click links from unknown senders—even if the message appears urgent or legitimate

• Use official apps instead of browser-based logins

• Report suspicious SMS messages to your mobile provider or national CERT

• Be especially cautious with messages involving toll payments, banking updates, or delivery confirmations
  

  

This isn’t just another phishing campaign—it’s a mass production engine for mobile compromise. The combination of real-time exfiltration, bot automation, and localized deception makes this threat one of the most operationally advanced smishing campaigns we’ve seen to date.

The tech is simple. The execution is not.

In a turn of events that feels ripped from a Cold War reboot, new intelligence reveals that a China-linked APT group is actively targeting Russian government entities using an upgraded strain of Remote Access Trojan (RAT) malware known as PhantomCore.

The Malware: PhantomCore, Reinvented

PhantomCore isn’t a new name in the APT arsenal, but this version is anything but ordinary. Security researchers observed its use in recent spear-phishing campaigns directed at Russian government institutions, masked in ZIP file lures.

Once executed, the malware leverages DLL side-loading to blend into legitimate software environments. The payload is encrypted, obfuscated, and stealthy—making it exceptionally hard to detect by traditional endpoint defenses.

Key capabilities of PhantomCore include:

• File exfiltration

• Keylogging

• Screen capture

• Remote command execution

• Persistence via scheduled tasks and registry edits

In essence: full-spectrum digital surveillance.

Delivery: Classic Yet Evolving

The attack vector starts simple: spear-phishing emails. Victims receive emails containing malicious ZIP attachments, which house the malware payload. Once extracted and executed, the real work begins.

PhantomCore establishes contact with command-and-control (C2) servers masquerading as domestic Russian services—a clever camouflage tactic. This not only helps the RAT avoid detection, but also minimizes suspicion during exfiltration and beaconing activity.

Implications: When Friends Play Enemies

What makes this story particularly intriguing is the geopolitical context. Despite public alignment between Beijing and Moscow, this attack signals distrust and a need for intelligence superiority—even among strategic partners.

This raises a key question: What else is going on behind the digital curtains of these alliances?

Whether it’s economic agendas, military coordination, or simply state-level paranoia, one thing is clear—cyberespionage knows no borders. Even friends are fair game when the stakes are this high.

What’s Next?

This campaign serves as a wake-up call to governments and organizations alike: relying on presumed diplomatic safety is a cyber death wish. Defenders need to:

• Harden endpoint detection against DLL side-loading

• Monitor unusual C2 infrastructure connections

• Educate users on phishing awareness

• Perform regular threat hunting focused on RAT behaviors

As the global chessboard shifts, one rule remains: Trust no one. Monitor everyone.

Stay paranoid. Stay secure.

Who Is 8Base?

If you haven’t been paying attention, 8Base operates like a ghost in the machine—a ransomware group known for its ruthless tactics, high-profile breaches, and sheer unpredictability. Emerging in mid-2022, they made waves by targeting businesses of all sizes with double extortion tactics—encrypting data and threatening public leaks if ransoms weren’t paid.
The group deployed Phobos ransomware against 17 Swiss companies between April 30, 2023, and October 26, 2024.

Their operation involved unauthorized access to victims’ networks, data theft, and encryption of files. The hackers demanded cryptocurrency payments for decryption keys and threatened to publish stolen data if ransoms weren’t paid.  They also used cryptocurrency mixing services to obscure transaction trails.

The operation has affected over 1,000 victims worldwide, causing damages estimated at $16 million (approximately 560 million baht). While the suspects are in custody with evidence, their identities remain undisclosed as investigations continue.

• Their MO? They operated fast, loud, and highly opportunistic, targeting finance, legal, manufacturing, and tech sectors with precision.

• Their ransomware? Built off RansomHouse and Phobos, borrowing the best of both to maximize damage.

• Their victims? Thousands worldwide, including governments, enterprises, and critical infrastructure—no one was safe.

How Did Law Enforcement Take Them Down?

It wasn’t easy. 8Base thrived in the chaos, blending tactics from established ransomware groups while masking their origins. But law enforcement tracked their network, mapped their attack infrastructure, and moved in at the right time.

Thailand and Switzerland played a key role in coordinating arrests and seizing infrastructure, while U.S. cyber teams helped trace financial transactions linked to ransomware payments.

Why This Takedown Matters

8Base wasn’t just another gang—they represented a new breed of ransomware operators:

• Brutal efficiency. They didn’t waste time with negotiations—either pay, or your data goes public.

• Rapid deployment. They used pre-encrypted payloads, skipping the usual infection delay.

• Anonymity. Even in the ransomware world, no one truly knew who was running 8Base—until now.
  

  

What Happens Next?

Ransomware doesn’t die—it evolves. With 8Base out of the picture, others will scramble to take their place.

• Will more arrests follow?

• Did the takedown compromise other ransomware groups?

• And most importantly—who's next?

For now, 8Base is down—but the ransomware war is far from over.

Spotify Podcast Link: Here

What Happened?

Scam Sniffer, a web3 anti-scam platform, has been tracking wallet drainer activity and recently reported that these sneaky digital pickpockets made off with a whopping $494 million in 2024. That's a 67% increase from 2023, and though the number of victims only rose by 3.7%, it means those victims had deeper pockets.

Why This Matters

This isn't some college kids messing around in their dorm room. We're talking about sophisticated scammers siphoning millions from unsuspecting crypto holders. It's like we're living in a sci-fi movie where your digital assets can vanish into thin air.

The Bigger Picture

These wallet drainers are like digital traps, often lurking on fake or hacked websites. They're designed to swipe your precious crypto and other digital valuables. Think of it as a virtual minefield where one wrong click can cost you a fortune.

Lessons Learned

• Don't Trust Your Eyes: With scammers becoming more sophisticated, we can't just blindly trust any website, especially when dealing with crypto. We need to be skeptical, question everything, and double-check URLs with official project websites. Think of it as a crash course in online self-defense.

• Protect Yourself: It's time to brush up on your digital literacy skills. Learn about the latest scams and phishing tactics so you can spot the fakes and protect yourself from manipulation. Many wallets offer built-in warnings for phishing or malicious transactions, so make sure to enable those.

Call to Action

We're in a fight for the future of our digital assets, and the battlefield is online. The lines between safe and scam are blurring, and the bad guys are using increasingly clever tricks. But we can fight back. Stay vigilant, question everything, and don't let them win. Your crypto's safety is out there, but we need to be smart enough to protect it.

First Episode (Spotify Podcast):

What Happened

This week, the Treasury Department decided it was time to play hardball. They slapped sanctions on a bunch of shady operators in Iran and Russia who were caught with their hands in the digital cookie jar, trying to influence the 2024 election. Their weapon of choice? Cutting-edge AI technology. We're talking about deepfakes so real they could fool your grandma, and disinformation campaigns designed to spread like wildfire across social media.

Why This Matters

This isn't some college kids messing around in their dorm room. We're talking about state-sponsored actors, with deep pockets and sophisticated technology, deliberately trying to undermine our democracy. Think about it: if they can create convincing fake videos of candidates saying or doing things they never did, how can we trust anything we see online? This stuff has the potential to completely erode public trust and throw the entire election into chaos.

The Bigger Picture

Remember when "fake news" was just badly photoshopped images and ridiculous clickbait headlines? Those were the good old days. Now, with AI in the mix, we're entering a whole new era of disinformation. These AI algorithms can churn out incredibly realistic content, making it harder than ever to tell fact from fiction. It's like we're living in a sci-fi movie where reality itself is under attack.

Lessons Learned

• Don't Trust Your Eyes (or Your Ears): With AI-generated content becoming more and more sophisticated, we can't just blindly trust what we see or hear online. We need to be skeptical, question everything, and double-check our sources.

• Become an AI Detective: It's time to brush up on your digital literacy skills. Learn about the latest AI developments and disinformation tactics so you can spot the fakes and protect yourself from manipulation. Think of it as a crash course in online self-defense.

• Support the Truth Tellers: Reliable, independent journalism is more important than ever in this age of AI-powered propaganda. Support the news organizations that are fighting for truth and holding those in power accountable. They're the front line in the battle against disinformation.

Call to Action

We're in a fight for the future of our democracy, and the battlefield is online. The lines between reality and fiction are blurring, and the bad guys are using AI to exploit that. But we can fight back. Stay vigilant, question everything, and don't let them win. The truth is out there, but we need to be smart enough to find it.

Share

What Happened?

The breach reportedly exploited a weakness in a widely-used remote support software, granting attackers unauthorized access to Treasury systems. This type of attack is especially dangerous because it bypasses direct perimeter defenses, leveraging trusted third-party platforms to infiltrate sensitive networks.

While details remain classified, here’s what we know:

• Attack Vector: A vulnerability in remote access software allowed the attackers to enter undetected.

• Targets Identified: Treasury systems, potentially exposing sensitive financial and economic data critical to U.S. operations.

• Threat Actors: Speculation leans toward nation-state groups, given the high-value target and sophistication of the attack.

Why This Matters

This isn’t just about one agency—it’s a blueprint for future attacks. Remote support platforms are the backbone of many organizations, and their compromise can ripple across entire industries.

Key risks include:

1. Escalated Privileges: Once inside the platform, attackers can impersonate legitimate users, accessing sensitive data or deploying malware.

2. Supply Chain Domino Effect: Breaching a widely-used service gives attackers a foothold into countless organizations dependent on the same software.

3. Critical Infrastructure Exposure: Agencies like the Treasury are integral to national security, and their compromise can destabilize financial markets or undermine trust in government systems.

The Bigger Picture

This attack is part of a growing trend of targeting third-party platforms as entry points:

• Kaseya Ransomware Attack (2021): Hackers exploited a vulnerability in Kaseya’s IT management software, impacting thousands of businesses worldwide.

• SolarWinds Breach (2020): Nation-state actors infiltrated SolarWinds to plant malware in updates, compromising multiple U.S. agencies.

• MOVEit Vulnerabilities (2023): File transfer software flaws exposed sensitive data across numerous organizations.

The Treasury breach is yet another reminder that no system—no matter how secure—is immune to the weakest link in its chain.

Lessons for Organizations

This breach underscores the urgent need to secure third-party access and evaluate supply chain risks. Here’s what every organization can learn:

1. Audit Third-Party Platforms: Regularly review and patch any software used for remote access or critical operations.

2. Implement Zero Trust: Assume that every platform, device, or user is compromised until verified.

3. Monitor for Unusual Activity: Continuous monitoring of access logs and user behavior can help detect early signs of an attack.

4. Limit Access: Remote support tools should only be active when necessary, with strict access control policies in place.

Why This Breach Is a Wake-Up Call

The Treasury Department isn’t just another agency—it’s the financial nerve center of the U.S. This attack highlights:

• The Fragility of Trust: When trusted platforms are breached, they don’t just compromise one organization—they threaten the entire ecosystem.

• The Sophistication of Threat Actors: Whether it’s cybercriminals or nation-states, attackers are leveraging increasingly advanced techniques to exploit overlooked vulnerabilities.

• The Need for Proactive Defense: Waiting until after an incident to act is no longer an option.

  

The Bottom Line

This breach is more than a headline—it’s a clear warning. Third-party vulnerabilities are the soft underbelly of even the most secure networks. The question isn’t if this will happen again, but who’s next?

At CodeAIntel, we’re tracking every detail. Stay informed. Stay secure. And always watch your back(end).

The underground Telegram scene just got messier. The enigmatic lucid (eepy), owner of SiegedSec, is at it again—this time digging into uhg.com data leaks. If you’ve been following the drama, SiegedSec has made waves with hacktivist antics and brazen data breaches, and now lucid’s latest move targets one of the largest healthcare entities in the world.

What’s Going Down?

In newly surfaced Telegram screenshots, lucid used an illicit bot to query for “/s uhg.com,” pulling a file labeled 92.results.txt packed with over 1,000 entries of sensitive UHG data. The file contains:

• Email addresses, names, and identifiers tied to UHG personnel.

• Enough breadcrumbs to open doors for phishing attacks, social engineering, and worse.

  

  
  

But this isn’t just a casual scroll-through-data moment. lucid’s Telegram profile confirms their ownership of SiegedSec, an infamous hacking collective known for its mix of hacktivism and chaos. And, by chaos, we’re talking about taking aim at high-profile targets like the Heritage Foundation and other major players.

SiegedSec 101: Hacktivism Meets Anarchy

If you’re new to SiegedSec, here’s the cheat sheet:

• The Heritage Foundation Hit: SiegedSec leaked 2GB of sensitive data from this high-profile think tank, including donor lists and internal files.

• Hacktivist Origins: The group claims to target corruption, corporate greed, and authoritarian regimes—often mixing political messaging with their data breaches.

• Disbandment Drama: They briefly “shut down” after the Heritage Foundation breach, only to reemerge stronger, with lucid leading the charge.

Now, their focus has shifted toward corporate behemoths like UHG, using Telegram bots and other tools to harvest sensitive data and weaponize it.

Why It Matters

SiegedSec isn’t just some script kiddie group—they’re a rapidly evolving threat actor leveraging:

• Automation Tools: Bots to locate and exploit leaked data faster than ever.

• Targeted Campaigns: Strategic focus on high-value entities like UHG.

• Hacktivist Spin: Their actions are often draped in political messaging, but the consequences are real and devastating.

lucid’s latest activity highlights the alarming ease with which hackers can access sensitive corporate data, turning it into ammunition for phishing campaigns, ransomware, and more.

What’s Next?

UHG and other corporations targeted by SiegedSec need to:

1. Monitor the Underground: If your data’s showing up on Telegram bots, it’s already too late.

2. Harden Defenses: Ramp up vulnerability scans and tighten access controls across your systems.

3. Prepare for Fallout: Phishing campaigns, insider threats, and public embarrassment are just the beginning if this data is weaponized.

The SiegedSec Playbook

SiegedSec’s ability to straddle hacktivism and raw exploitation makes them a unique threat in the cybercrime ecosystem. Whether targeting political organizations or healthcare giants, their tactics are a wake-up call for companies across every sector.

This article was published with the support of RAKIA.AI!

RAKIA Group has pioneered technology operations globally to help solve today's most complex and harmful criminal challenges including terrorism, money laundering, fraud, illegal immigration, and human trafficking.

We empower real-world heroes by unifying more of what you need to know in real-time to stay ahead and act faster.

It’s big data for good.

What’s Going Down?

"Salt Typhoon," a hacking group with ties to the Chinese government. These guys have been playing the long game, quietly infiltrating at least eight major U.S. telecom companies. Think AT&T, Verizon, Lumen Technologies—the heavy hitters.

Their prize? Access to call logs, text message content, and anything else riding through unencrypted channels. That “can we talk later?” text? Someone might be reading it—someone you didn’t text.

Why Does This Matter?

This isn’t some random breach of cat memes and emoji chains. These attacks have real-world implications, like:

• Targeting High-Profile Figures: From government officials to corporate executives, these hacks aim to eavesdrop on power players.

• Weaponizing Data: The content of intercepted messages could fuel espionage, blackmail, or influence campaigns.

• Global Impact: This isn’t just about the U.S. Dozens of countries have been hit, making this a full-scale cyber-espionage operation.

  

  ---

What’s the Fix?

The good news? You don’t have to sit idly by while your texts become state secrets. Here’s how you fight back:

1. Use End-to-End Encryption
   Apps like Signal and WhatsApp aren’t just trendy—they’re built to keep prying eyes out. Even if someone snags the data, it’ll look like gibberish.

2. Update Your Devices
   Those annoying update prompts? They patch vulnerabilities hackers exploit. Don’t ignore them.

3. Lock It Down with MFA
   Multi-Factor Authentication is your digital bouncer. Make it part of your life.

   

Why Now?

This breach highlights how vulnerable even our most trusted infrastructure can be. If telecom giants can get breached, what about your small-business server or personal email? The attack also shows just how far nation-states are willing to go to control the information game.

The Bottom Line

China’s latest espionage campaign is a wake-up call: digital privacy is under siege. Whether you’re a CEO or just trying to plan dinner, your communications deserve protection. Take the steps, stay secure, and remember—the safest text is the one you didn’t send.

I’ve shared my expert opinion about that with one of Israel’s largest tech magazines: https://tech.walla.co.il/item/3710392