Tag: Cyber Security

  • Cities Hosting Major Events Need More Focus on Wireless, Drone Defense

    With the FIFA World Cup coming to the United States, Canada, and Mexico this year, cybersecurity experts are warning that the risks are rising from rapidly evolving threats such as drones and wireless surveillance.

    Wireless communications have grown in importance and criticality, with connections to security systems, operational technology (OT), and application connectivity all expanding dramatically over the past decade. One major application for wireless communications is drones, which have been used increasingly in conflict zones and pose potentially greater dangers for civilian populations.

    The concern is that threat actors will translate what they have learned to civilian settings, says Cordell Bennigson, CEO for the US market at R2 Wireless, a company focused on real-time radio-frequency monitoring.

    “There’s definitely a risk of disruption to operational technology (OT), such as stadium systems, traffic management, or public safety communications, particularly when those systems have wireless components,” he says. “The key issue is not having visibility, because cities can’t defend what they can’t see.”

    In 2026, the FIFA World Cup is expanding to 16 stadiums in cities peppered throughout Canada, Mexico, and the US. The tournament will be bigger in every way from past events, with 48 teams playing 104 games, and will require a massive increase in reliance on technology and automation.

    At the same time, physical cyber threats have matured rapidly since Russia invaded Ukraine four years ago. First-person-view (FPV) drones regularly surveil the battlefield in Ukraine, making tank and troop movements a far more deadly gamble and drones the primary cause of casualties: current estimates attribute 80% of deaths and injuries to drones, compared to less than 10% at the start of the war, according to Reuters.

    A Complex Wireless Environment

    During major events like the FIFA World Cup, host cities will face “one of the most complex radio-frequency (RF) environments a city will ever experience,” R2 Wireless’s Bennigson says. “You’re looking at hundreds of thousands of people, thousands of devices, broadcast infrastructure, public safety communications, temporary networks, and increasingly autonomous systems, which all operate simultaneously in a compressed geographic area.”

    Active wireless threats include attempts to hijack or jam the command-and-control (C2) signals used by event managers to operate and secure the venues, while the wireless networks can also be used to compromise event systems. Modern wireless networks, such as 5G cellular, have suffered increasing attacks, with wireless equipment provider Nokia concluding, “Breaches are the rule, not the exception.”

    Finally, drone operations rely almost exclusively on wireless signals and can carry sensors to conduct wireless surveillance and harvest communications. While the drones are vulnerable to jamming, many operate over commercial cellular networks and others use onboard AI to make wireless connectivity unnecessary.

    In many cases, local civilian law enforcement lacks the authority to fight back against such threats, says Krishna Vishnubhotla, vice president of product strategy at Zimperium, a mobile security solutions firm.

    “Most local law enforcement can’t even use basic counter-drone tools,” he says. “The 2026 World Cup … is a prime target, [and] drones, wireless surveillance, and cascading infrastructure failures are all credible threats at an event of that scale.”

    Passive Cyber Aggression

    Such active threats are not the only concerns. Using wireless to monitor and map the location of a device, harvest metadata, and conduct airborne or ground-based surveillance are all concerns at large events, says R2 Wireless’s Bennigson. Because large events rely heavily on temporary communications infrastructure and fast deployment of broadcast technology, public safety radios, and Internet of Things (IoT) deployments, attackers have a plethora of targets, he says.

    “The RF spectrum becomes both the battlefield and the blind spot,” he says. “In a high-density RF environment, we can expect malicious actors to hide within legitimate traffic. The noise becomes their cover.”

    Overall, event managers need to have the wireless spectrum locked down in the region of any major events like the FIFA World Cup, says Vishnubhotla.

    “Effective defense requires layering RF, radar, acoustic, and optical detection together, since adversaries actively exploit any single system’s blind spots,” he says, adding that both the EU and US are adopting AI-driven spectrum monitoring and putting controls in place to limit cellular control of drones and other anti-drone technology.

    Vishnubhotla adds that training personnel to operate in hostile wireless environments is critical to minimizing risks at major events in the future.


    Source: www.darkreading.com…

  • Life Mirrors Art: Ransomware Hits Hospitals on TV & IRL

    This past week brought hospital ransomware attacks to the forefront of public media, for better and for worse, with a major incident in Mississippi and a fictional one on HBO.

    On Feb. 19, an episode of the popular drama series The Pitt featured a subplot about a cyberthreat against its fictional trauma center. Ransomware attacks struck nearby hospitals and, suspecting that his own might be next, the CEO of Pittsburgh Trauma Medical Center preemptively ordered that all of its IT systems be taken offline.

    Cybersecurity experts debate the realism of HBO’s depiction, but there’s no questioning its relevance and timeliness. As if to underscore the point, early in the morning that same day the episode aired, the University of Mississippi Medical Center (UMMC) suffered a ransomware attack that was all too real. Its IT systems were impacted, including its electronic medical records platform, Epic. Life imitated art, and UMMC went dark at all 35 clinics in its network to prevent further damage.

    Was HBO’s Depiction of Healthcare Ransomware Realistic?

    The Pitt followed through on the ransomware plot in its latest episode — Season 2, Episode 8 — which aired Feb. 26. The staff at Pittsburgh Trauma carry on with their work, only they have to rely on paper and pens, fax machines, and one staff member’s conveniently photographic memory.

    “This episode follows the patient care continuum from intake to discharge and shows every point where it breaks: dry-erase boards, triplicate paper orders, a pharmacist manually unlocking medication cabinets one at a time,” says Mick Coady, field chief technology officer (CTO) of Elisity. “That’s the picture every CISO I talk with is trying to paint for their board. Not ransom amounts. Not recovery timelines. What actually happens to patients.”

    The single most authentic detail in the episode, in Coady’s view, was utterly mundane: when staff are told to use ballpoint pens, because felt-tip ink doesn’t press through triplicate carbon copies. “Someone in that writers room has been through a real downtime event. That’s an operational detail you only know if you’ve actually run paper processes in a clinical environment,” he says.

    For Ross Filipek, chief information security officer (CISO) at Corsica Technologies, “What rang true to me was the operational chaos once systems went dark. Healthcare really is that dependent on IT. When digital charting, tracking boards, and core systems disappear, efficiency drops fast, and risk creeps in. I’ve seen that in real incidents.”

    What HBO Got Wrong

    While experts agree that the general tone of Episode 8 was spot on, they all caveat that it wasn’t without its small missteps and exaggerations. Most glaring for Coady, for example, were the patient monitors that kept running normally, and the uninterrupted stream of patients who might have otherwise been diverted to other facilities in a real-life scenario.

    In Filipek’s view, the CEO’s crucial, preemptive decision to shut down all IT systems was implausible. “In a real hospital, executives would be heavily weighing patient safety and operational continuity alongside cyber-risk. That decision wouldn’t happen without heavy input from IT and security leadership, and it certainly wouldn’t be made lightly,” he says. “While I understand the show is predominantly about the clinician experience, the episode glossed over what would be happening behind the scenes. In reality, it would be all hands on deck. Technical investigation, targeted mitigations, maybe third-party support. You don’t just pull the plug and hope 24 hours fixes it.”

    Coady, too, worries that the show might necessarily overlook certain aspects of real hospitals’ experiences, due to dramatic constraints. “Some systems take months to fully restore,” he says. “If the show makes that look like one bad shift, it undersells what six weeks on paper actually does to a hospital’s staff, its patients, and its finances.”

    How Hospitals Should Address Ransomware

    The latest episode ended with everything still in analog. In parallel this week, on Feb. 25, UMMC announced that although it was making “significant progress in responding to the cyberattack and restoring our systems,” it’s still struggling to return to normal operation. Regularly scheduled clinic appointments and elective procedures have been cancelled at least through Feb. 27, its telephone line is being overwhelmed, and individuals in need of care have been expressing their confusion online.

    “The most concerning trend [in healthcare] isn’t just the volume of attacks, but how disruptive they have become,” says Ryan Witt, Proofpoint’s vice president of industry solutions, citing how 70% of victimized healthcare facilities report disruptions to patient care. “Ransomware can become a full operational shutdown. It results in deferred care, delayed diagnoses, and real clinical consequences for patients and their families.”

    Witt, who authored Proofpoint’s 2025 “Cyber Insecurity in Healthcare” report, suggests that healthcare facilities need to focus in three main areas. First: securing credentials, the primary means by which attackers gain access to healthcare IT systems in the first place.

    “Second, hospitals are encouraged to plan for clinical resilience. While it’s important to restore IT systems quickly, it’s equally important to ensure patient care remains as safe as possible while systems are down. That means practical downtime plans that address medication management, lab communications, triage, and patient prioritization,” he says.

    Lastly, he advises, “Resilience needs to be tested, not assumed. Tabletop exercises and downtime drills should simulate real clinical stress. Leadership teams should practice making difficult real-time decisions about diversion, communications, and patient prioritization before they have to do it in a real crisis.”

    On a positive note, Witt says more hospital executives now understand cyber-risk is a patient safety issue. “Boards are starting to ask how an incident could affect patient care, not only how fast systems can be restored,” he says. “That shift in mindset is important and, frankly, long overdue.”


    Source: www.darkreading.com…

  • 900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

    Ravie Lakshmanan | Feb 27, 2026 | Network Security / Vulnerability

    The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025.

    Of these, 401 instances are located in the U.S., followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France.

    The non-profit entity said the compromises are likely accomplished via the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection.

    “The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host,” FreePBX said in an advisory for the flaw in November 2025. “An attacker could leverage this to obtain remote access to the system as the asterisk user.”

    The vulnerability affects FreePBX versions from 17.0.2.36 onward and was resolved in version 17.0.3. As mitigations, it’s advised to add security controls to ensure that only authorized users have access to the FreePBX Administrator Control Panel (ACP), restrict access to the ACP from hostile networks, and update the filestore module to the latest version.

    The vulnerability has since come under active exploitation in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog earlier this month.

    Source: The Shadowserver Foundation

    In a report published late last month, Fortinet FortiGuard Labs revealed that the threat actor behind the cyber fraud operation codenamed INJ3CTOR3 has been exploiting CVE-2025-64328 starting early December 2025 to deliver a web shell codenamed EncystPHP.

    “By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment,” the cybersecurity company noted.

    FreePBX users are recommended to update their FreePBX deployments to the latest version as soon as possible to counter active threats.


    Source: thehackernews.com…

  • DoJ Seizes $61 Million in Tether Linked to Pig Butchering Crypto Scams

    Ravie Lakshmanan | Feb 27, 2026 | Financial Crime / Social Engineering

    The U.S. Department of Justice (DoJ) this week announced the seizure of $61 million worth of Tether that was allegedly associated with bogus cryptocurrency schemes known as pig butchering.

    The confiscated funds were traced to cryptocurrency addresses used for the laundering of criminally derived proceeds stolen from victims of cryptocurrency investment scams, the department added.

    “Criminal actors and professional money launderers use cyber-enabled fraud schemes to swindle their victims and conceal their ill-gotten gains,” said HSI Charlotte Acting Special Agent in Charge Kyle D. Burns.

    “HSI special agents work diligently to trace the illicit proceeds of crime across the globe to disrupt and dismantle the transnational criminal organizations that seek to defraud hardworking Americans.”

    As is the norm in such cybercrime operations, threat actors are known to target individuals by cultivating romantic relationships after approaching them on dating and social media messaging apps. These activities are carried out by individuals who are trafficked into scam compounds operating primarily in Southeast Asia with promises of high-paying jobs.

    The cybercrime syndicates behind the scams then confiscate the workers’ passports, and the workers are coerced into conning victims online by posing as charming strangers or brokers on investment platforms, or else face brutal consequences. The end goal is to coax unsuspecting users into parting with their hard-earned money in fraudulent cryptocurrency investment schemes.

    According to the DoJ, the fake platforms displayed made-up investment portfolios displaying unusually high returns in a deliberate attempt to make victims invest more of their funds. The reality hits when users try to withdraw their funds, at which point they are asked to pay an extra fee as a way to extract even more money from them.

    “Once the victims’ money was transferred to a cryptocurrency wallet under the scammers’ control, the crooks quickly routed that money through many other wallets to hide the nature, source, control, and ownership of that stolen money,” the department added.

    In a coordinated announcement, Tether said it has frozen around $4.2 billion in assets linked to illicit activity to date, including nearly $250 million related to scam networks since June 2025 alone.


    Source: thehackernews.com…

  • Pentagon Designates Anthropic Supply Chain Risk Over AI Military Dispute

    Ravie Lakshmanan | Feb 28, 2026 | National Security / Artificial Intelligence

    Anthropic on Friday hit back after U.S. Secretary of Defense Pete Hegseth directed the Pentagon to designate the artificial intelligence (AI) upstart as a “supply chain risk.”

    “This action follows months of negotiations that reached an impasse over two exceptions we requested to the lawful use of our AI model, Claude: the mass domestic surveillance of Americans and fully autonomous weapons,” the company said.

    “No amount of intimidation or punishment from the Department of War will change our position on mass domestic surveillance or fully autonomous weapons.”

    In a social media post on Truth Social, U.S. President Donald Trump said he was ordering all federal agencies to phase out the use of Anthropic technology within the next six months. A subsequent X post from Hegseth mandated that all contractors, suppliers, and partners doing business with the U.S. military cease any “commercial activity with Anthropic” effective immediately.

    “In conjunction with the President’s directive for the Federal Government to cease all use of Anthropic’s technology, I am directing the Department of War to designate Anthropic a Supply Chain Risk to National Security,” Hegseth wrote.

    The designation comes after weeks of negotiations between the Pentagon and Anthropic over the use of its AI models by the U.S. military. In a post published this week, the company argued that its contracts should not facilitate mass domestic surveillance or the development of autonomous weapons.

    “We support the use of AI for lawful foreign intelligence and counterintelligence missions,” Anthropic noted. “But using these systems for mass domestic surveillance is incompatible with democratic values. AI-driven mass surveillance presents serious, novel risks to our fundamental liberties.”

    The company also called out the U.S. Department of War’s (DoW) position that it will only work with AI companies that allow “any lawful use” of the technology, while removing any safeguards that may exist, as part of efforts to build an “AI-first” warfighting force and bolster national security.

    “Diversity, Equity, and Inclusion and social ideology have no place in the DoW, so we must not employ AI models which incorporate ideological ‘tuning’ that interferes with their ability to provide objectively truthful responses to user prompts,” a memorandum issued by the Pentagon last month reads.

    “The Department must also utilize models free from usage policy constraints that may limit lawful military applications.”

    Responding to the designation, Anthropic described it as “legally unsound” and said it would set a dangerous precedent for any American company that negotiates with the government. It also noted that a supply chain risk designation under 10 USC 3252 can only extend to the use of Claude as part of DoW contracts, and that it cannot affect the use of Claude to serve other customers.

    Hundreds of employees at Google and OpenAI have signed an open letter urging their companies to stand with Anthropic in its clash with the Pentagon over military applications for AI tools like Claude.

    The standoff between Anthropic and the U.S. government comes as OpenAI CEO Sam Altman said OpenAI reached an agreement with the U.S. Department of Defense (DoD) to deploy its models in their classified network. It also asked DoD to extend those terms to all AI companies.

    “AI safety and wide distribution of benefits are the core of our mission. Two of our most important safety principles are prohibitions on domestic mass surveillance and human responsibility for the use of force, including for autonomous weapon systems,” Altman said in a post on X. “The DoW agrees with these principles, reflects them in law and policy, and we put them into our agreement.”


    Source: thehackernews.com…

  • Meta Files Lawsuits Against Brazil, China, Vietnam Advertisers Over Celeb-Bait Scams

    Ravie Lakshmanan | Feb 27, 2026 | Online Scam / Digital Advertising

    Meta on Thursday said it’s taking legal action to tackle scams on its platforms by filing lawsuits against what it calls deceptive advertisers based in Brazil, China, and Vietnam.

    As part of the effort, the advertisers’ methods of payment have been suspended, related accounts have been disabled, and the website domain names used to pull off the scams have been blocked.

    Concurrently, the social media giant said it has also issued cease and desist letters to eight marketing consultants who advertised the ability to bypass its ad policy enforcement systems. This included fake “un-ban” or account restoration services and renting access to trusted accounts so as to help clients bypass its controls.

    At least three advertisers, two from Brazil and one from China, were found to engage in celeb-bait scams, which often involve misusing the image of well-known figures to trick people into clicking on bogus ads that lead to scam sites. These websites are designed to harvest sensitive data or dupe unsuspecting users into sending money or investing in fake platforms.

    The three advertisers against whom Meta has filed lawsuits are listed below –

    • Brazil-based Vitor Lourenço de Souza and Milena Luciani Sanchez are being sued for using altered images and voices of celebrities to promote fraudulent healthcare products.
    • Brazil-based B&B Suplementos e Cosméticos Ltda. (Brites Corp), Brites Academia de Treinamento Ltda., Daniel de Brites Macieira Cordeiro, and José Victor de Brites Chaves de Araújo for being part of a scam operation that leveraged synthetic imagery of a prominent physician to advertise healthcare products without regulatory approval and sold courses teaching the same tactics.
    • China-based Shenzhen Yunzheng Technology Co., Ltd for using celeb-bait ads to target people in various countries, including the U.S. and Japan, as part of a fraud scheme designed to lure them into joining investment groups.

    “To fight celeb-bait scams, we developed protections for celebrities whose images are repeatedly used in these schemes,” Meta said. “This program currently protects the images of more than 500,000 celebrities and public figures around the world.”

    In addition, the company noted that it sued Vietnam-based advertiser Lý Văn Lâm for using cloaking techniques to get around its review process. Cloaking refers to an adversarial technique that conceals the true nature of a website linked to an ad in order to fool ad review systems: one version of the content is served during the review, and entirely different, malicious content is shown to real users.

    In this case, the advertiser is said to have used scam ads to offer discounted items from well-known brands in exchange for completing a survey. People who interacted with these ads were taken to phony websites where they were asked to enter credit card information to purchase items that were never delivered. Their credit cards also incurred unauthorized, recurring fees, a practice known as subscription fraud.

    The development comes months after a Reuters investigation found that 19% of Meta’s $18 billion in ad sales in China in 2024 came from ads for scams, illegal gambling, pornography, and other banned content. The report also uncovered agencies that allow businesses to run banned advertisements, prompting the company to put its Badged Partners program under review.

    In an analysis of 14.5 million ads running on Meta platforms across the E.U. and U.K. over a 23-day period, Gen Digital found that nearly one in three of those ads (about 30.99%) pointed to a scam, phishing, or malware link.

    “In total, scam ads generated more than 300 million impressions in less than a month,” the cybersecurity company said earlier this month. “The activity was highly concentrated, with just 10 advertisers responsible for over 56% of all observed scam ads. Repeated campaign clusters were traced to shared payment and infrastructure linked to China and Hong Kong, indicating organized, industrial-scale operations rather than isolated bad actors.”

    These findings also coincide with the discovery of malicious infrastructure and underground services that have been used to peddle various kinds of scams –

    • Scams have been found to combine malvertising and pig butchering fraud models to defraud victims, primarily those in Japan, by tricking them into clicking on investment-themed ads on social media. These ads redirect victims to websites that prompt them to engage with a supposed expert via messaging apps by scanning a QR code.
    • Once victims are added to one-on-one and group chats with these so-called experts, who in some cases are nothing but artificial intelligence (AI)-powered chatbots, they are persuaded to invest progressively larger amounts of money, only for the scammers to demand a “release fee” to unlock non-existent profits. More than 23,000 domains within this ecosystem have been discovered.
    • Threat actors are compromising routers to alter DNS settings to use shadow resolvers hosted in Aeza International, a bulletproof hosting company (BPH) sanctioned by the U.S. Government in July 2025. This unauthorized modification is engineered to selectively alter DNS responses associated with Okta and Shopify, allowing the operators to direct users to scam and malware content by means of an HTTP-based traffic distribution system (TDS).
    • A malicious push notification network has been observed using a network of malicious domains to target Android Chrome users all over the world with a steady stream of unwanted push notifications (e.g., “Android infected with malware!” or “System needs a scan”) after obtaining notification permissions, in a bid to direct them to scam sites and adult content. According to data from Infoblox, Bangladesh, India, Indonesia, and Pakistan represented 50% of all the traffic.
    • A network of over 150 cloned, fake websites has been identified impersonating real law firms based in the U.S. and the U.K., and targeting users looking for legal advice and representation to promote a business impersonation scam.
    • “The sites used the firm’s name, branding, and publicly available attorney identities, presenting themselves as legitimate legal and asset-recovery services, offering to help victims recover funds lost to prior fraud,” Sygnia said. “The campaign targeted individuals who had already suffered financial fraud.”

    The proliferation of scams, fueled by a booming pig butchering‑as‑a‑service (PBaaS) economy, has not escaped law enforcement’s attention, as evidenced by the dismantling of scam compounds in Southeast Asia in recent months.

    Earlier this month, the Cambodian government promised to crack down and dismantle cyber scam networks operating within its borders, adding that police officials launched 48 operations in the first nine months of 2025 to combat cyber fraud, arrested 168 people, and deported 2,722 people back to their home countries.

    The ongoing efforts have cut scam activity in half since the start of this year, Senior Minister Chhay Sinarith, chairman of the Secretariat of the Commission for Combating Technology Crimes, was quoted as saying this week. Cambodian Prime Minister Hun Manet also acknowledged that online scam centres operating in the country are damaging its reputation and undermining its economy.


    Source: thehackernews.com…

  • Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms

    Ravie Lakshmanan | Feb 27, 2026 | Endpoint Security / Windows Security

    Threat actors are luring unsuspecting users into running trojanized gaming utilities that are distributed via browsers and chat platforms to distribute a remote access trojan (RAT).

    “A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar,” the Microsoft Threat Intelligence team said in a post on X. “This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution.”

    The attack chain is also designed to evade detection by deleting the initial downloader and by configuring Microsoft Defender exclusions for the RAT components.

    Persistence is achieved by means of a scheduled task and Windows startup script named “world.vbs,” before the final payload is deployed on the compromised host. The malware, per Microsoft, is a “multi-purpose malware” that acts as a loader, runner, downloader, and RAT.

    Once launched, it connects to an external server at “79.110.49[.]15” for command-and-control (C2) communications, allowing it to exfiltrate data and deploy additional payloads.

    As ways to defend against the threat, users are advised to audit Microsoft Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, isolate affected endpoints, and reset credentials for users active on compromised hosts.
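    A read-only PowerShell triage pass for the artefacts this advice names, added here as an example (it is not code from Microsoft’s post). The C2 address and the “world.vbs” name come from the article; the list of script hosts and LOLBins to flag, and the report shape, are this example’s own assumptions.

```powershell
# Added example: read-only triage for the persistence/evasion artefacts described above.
# Assumptions: $SuspectC2 and $SuspectScript are from the article (the IP is defanged there
# as 79.110.49[.]15); the binary list and report shape are this example's own choices.
# Run in an elevated PowerShell session on the endpoint under investigation.

$SuspectC2       = '79.110.49.15'
$SuspectScript   = 'world.vbs'
$SuspectBinaries = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                     'cmstp.exe', 'java.exe', 'javaw.exe')

function Get-DefenderExclusionReport {
    # Every exclusion deserves a second look; in this campaign they were added for the RAT components.
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in @($pref.$kind)) {
            if ($null -ne $value) {
                [pscustomobject]@{ Check = 'DefenderExclusion'; Kind = $kind; Value = $value }
            }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # Flag enabled tasks whose action launches a script host or LOLBin, a .jar, or the startup script.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            $exe     = [string]$action.Execute        # empty for non-exec (COM handler) actions
            $argList = [string]$action.Arguments
            $leaf    = [System.IO.Path]::GetFileName($exe.Trim('"')).ToLower()
            if (($SuspectBinaries -contains $leaf) -or
                ($argList -match [regex]::Escape($SuspectScript)) -or
                ($argList -match '\.jar\b')) {
                [pscustomobject]@{
                    Check     = 'ScheduledTask'
                    Path      = "$($task.TaskPath)$($task.TaskName)"
                    Execute   = $exe
                    Arguments = $argList
                }
            }
        }
    }
}

function Get-StartupScripts {
    # Per-user and all-users Startup folders; any scripted item is listed, exact name matches are marked.
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    )
    foreach ($folder in $folders) {
        if (Test-Path $folder) {
            Get-ChildItem -Path $folder -File -Recurse -Include *.vbs, *.js, *.bat, *.cmd, *.ps1, *.lnk |
                ForEach-Object {
                    [pscustomobject]@{
                        Check       = 'StartupScript'
                        Path        = $_.FullName
                        NameMatches = ($_.Name -ieq $SuspectScript)
                    }
                }
        }
    }
}

function Get-C2Connections {
    # Live TCP connections to the published C2 address, with the owning process.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $SuspectC2 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Check   = 'C2Connection'
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                PID     = $_.OwningProcess
                Process = $proc.ProcessName
            }
        }
}

# Collect everything into one report; nothing is changed or removed by this script.
$report = @(Get-DefenderExclusionReport) + @(Get-SuspiciousScheduledTasks) +
          @(Get-StartupScripts) + @(Get-C2Connections)
$report | Format-List
```

    Review the report before removing tasks or startup scripts, and keep a copy of it for the incident record, since the removal step destroys the evidence the report captures.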

    The disclosure comes as BlackFog disclosed details of a new Windows RAT malware family called Steaelite that was first advertised on criminal forums in November 2025 as a “best Windows RAT” with “fully undetectable” (FUD) capabilities. It’s compatible with both Windows 10 and 11.

    Unlike other off-the-shelf RATs sold to criminal actors, Steaelite bundles together data theft and ransomware, packaging them into one web panel, with an Android ransomware module on the way. The panel also incorporates various developer tools to facilitate keylogging, client-to-victim chat, file searching, USB spreading, wallpaper modification, UAC bypass, and clipper functionality.

    Other notable features include removing competing malware, disabling Microsoft Defender, or configuring exclusions, and installing persistence methods.

    As for its main capabilities, Steaelite RAT supports remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password theft, installed program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation.

    “The tool gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration, and ransomware deployment from a single dashboard,” security researcher Wendy McCague said.

    “A single threat actor can browse files, exfiltrate documents, harvest credentials, and deploy ransomware from the same dashboard. This enables complete double extortion from one tool.”

    In recent weeks, threat hunters have also discovered two new RAT families, tracked as DesckVB RAT and KazakRAT, that provide comprehensive remote control over infected hosts and can selectively deploy capabilities post-compromise. According to Ctrl Alt Intel, KazakRAT is believed to be the work of a suspected state-affiliated cluster targeting Kazakh and Afghan entities as part of a persistent campaign ongoing since at least August 2022.


    Source: thehackernews.com…

  • ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks

    Ravie Lakshmanan, Feb 27, 2026, Malware / Surveillance

    The North Korean threat actor known as ScarCruft has been attributed to a fresh set of tools, including a backdoor that uses Zoho WorkDrive for command-and-control (C2) communications to fetch more payloads and an implant that uses removable media to relay commands and breach air-gapped networks.

    The campaign, codenamed Ruby Jumper by Zscaler ThreatLabz, involves the deployment of malware families such as RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, FOOTWINE, and BLUELIGHT to conduct surveillance on a victim’s system. The cybersecurity company discovered it in December 2025.

    “In the Ruby Jumper campaign, when a victim opens a malicious LNK file, it launches a PowerShell command and scans the current directory to locate itself based on file size,” security researcher Seongsu Park said. “Then, the PowerShell script launched by the LNK file carves multiple embedded payloads from fixed offsets within that LNK, including a decoy document, an executable payload, an additional PowerShell script, and a batch file.”

    One of the lure documents used in the campaign displays an article about the Palestine-Israel conflict that’s translated from a North Korean newspaper into Arabic.

    The three remaining payloads each advance the attack to the next stage: the batch script launches PowerShell, which in turn decrypts and loads shellcode containing the payload. The Windows executable payload, named RESTLEAF, runs in memory and uses Zoho WorkDrive for C2, marking the first time the threat actor has abused that cloud storage service in its campaigns.
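    The LNK-with-embedded-payloads layout described in the two paragraphs above, from the defender's side, as an added example that is not Zscaler's or the attacker's code. The attacker's PowerShell carves its payloads from fixed offsets it already knows; a triage tool does not know them, so this one checks the ShellLink header, treats an oversized LNK as suspect, scans the body for file signatures and script keywords, and carves each region up to the next one. The size threshold, the marker list and the sample LNK are constructed assumptions, not indicators from the report.

```python
"""Triage helper for oversized LNK files that carry embedded payloads, as in the
Ruby Jumper chain.  Added example, not Zscaler's or the attacker's code.
Threshold, markers and the sample LNK are constructed assumptions."""
import struct
from typing import Dict, List, Tuple

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, on-disk order
MARKERS = {                          # signatures of the payload kinds the article lists
    b"%PDF-": "pdf_decoy",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole_decoy",   # legacy Office (OLE2)
    b"PK\x03\x04": "ooxml_or_zip_decoy",
    b"MZ": "pe_exe",
    b"@echo off": "batch",
}
SCRIPT_HINTS = (b"powershell", b"IEX", b"Invoke-Expression", b"FromBase64String")
TEXT_KINDS = {"pdf_decoy", "powershell", "batch"}

def is_lnk(blob: bytes) -> bool:
    return (len(blob) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", blob, 0)[0] == LNK_HEADER_SIZE
            and blob[4:20] == LNK_CLSID)

def _is_pe(blob: bytes, off: int) -> bool:
    """Confirm an 'MZ' hit by following e_lfanew to the 'PE\\0\\0' signature."""
    if off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    return blob[off + e_lfanew: off + e_lfanew + 4] == b"PE\x00\x00"

def _run_start(blob: bytes, pos: int) -> int:
    """Walk back from pos to the first byte of the printable run containing it."""
    while pos > 0 and (blob[pos - 1] in (9, 10, 13) or 32 <= blob[pos - 1] <= 126):
        pos -= 1
    return pos

def find_embedded(blob: bytes, start: int = LNK_HEADER_SIZE) -> List[Tuple[int, str]]:
    """Return sorted (offset, kind) for every recognised payload after `start`."""
    hits = []
    for marker, kind in MARKERS.items():
        pos = blob.find(marker, start)
        while pos != -1:
            if kind != "pe_exe" or _is_pe(blob, pos):
                hits.append((pos, kind))
            pos = blob.find(marker, pos + 1)
    known = {off for off, _ in hits}
    for hint in SCRIPT_HINTS:          # scripts have no magic: anchor on keywords
        pos = blob.find(hint, start)
        while pos != -1:
            run = _run_start(blob, pos)
            if run not in known:
                hits.append((run, "powershell"))
                known.add(run)
            pos = blob.find(hint, pos + 1)
    return sorted(hits)

def carve(blob: bytes, min_size: int = 16 * 1024) -> Dict[str, bytes]:
    """Carve payload regions out of a suspiciously large LNK; {} if none."""
    if not is_lnk(blob) or len(blob) < min_size:
        return {}
    hits = find_embedded(blob)
    out = {}
    for i, (off, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        region = blob[off:end]
        out[kind] = region.rstrip(b"\x00") if kind in TEXT_KINDS else region
    return out

def build_sample_lnk() -> bytes:
    """Constructed LNK: valid header, UTF-16 arguments, then four payloads at
    fixed offsets mirroring the layout the article describes."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID).ljust(LNK_HEADER_SIZE, b"\x00")
    args = "-ep bypass -w hidden -c <stage0>".encode("utf-16-le")
    pe = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80))   # e_lfanew -> 0x80
    pe += b"\x00" * (0x80 - len(pe)) + b"PE\x00\x00" + b"\x00" * 0x20
    decoy = b"%PDF-1.7\n%decoy: translated newspaper article\n%%EOF\n"
    ps1 = b"$b=[Convert]::FromBase64String('AAAA');IEX([Text.Encoding]::UTF8.GetString($b))\n"
    bat = b"@echo off\r\nstart /b powershell -w hidden -f %TEMP%\\s.ps1\r\n"
    blob = bytearray(20480)
    blob[0:len(header)] = header
    blob[0x50:0x50 + len(args)] = args
    for off, data in ((4096, decoy), (8192, bytes(pe)), (12288, ps1), (16384, bat)):
        blob[off:off + len(data)] = data
    return bytes(blob)

if __name__ == "__main__":
    for kind, data in carve(build_sample_lnk()).items():
        print(f"{kind:<20} {len(data):6d} bytes  {data[:24]!r}")
```

    Real LNK arguments are UTF-16LE, so the ASCII keyword scan does not trip on the stage-0 command line in the link itself; it only anchors on the ASCII script bodies appended after the link data. Two adjacent text payloads with no padding between them would be carved as one region, which is acceptable for triage but worth remembering when the script section looks unexpectedly long.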

    Once it’s successfully authenticated with the Zoho WorkDrive infrastructure by means of a valid access token, RESTLEAF downloads shellcode, which is then executed via process injection, eventually leading to the deployment of SNAKEDROPPER, which installs the Ruby runtime, sets up persistence using a scheduled task, and drops THUMBSBD and VIRUSTASK.

    THUMBSBD is disguised as a Ruby file and uses removable media to relay commands and transfer data between internet-connected and air-gapped systems. It is capable of harvesting system information, downloading a secondary payload from a remote server, exfiltrating files, and executing arbitrary commands. When it detects removable media, the malware creates a hidden folder on it and uses that folder to stage operator-issued commands or store execution output.

    One of the payloads delivered by THUMBSBD is FOOTWINE, an encrypted payload with an integrated shellcode launcher that comes with keylogging and audio and video capture capabilities for surveillance. It communicates with a C2 server using a custom binary protocol over TCP. The complete set of commands supported by the malware is as follows:

    • sm, for an interactive command shell
    • fm, for file and directory manipulation
    • gm, for managing plugins and configuration
    • rm, for modifying the Windows Registry
    • pm, for enumerating running processes
    • dm, for taking screenshots and capturing keystrokes
    • cm, for performing audio and video surveillance
    • s_d, for receiving batch script contents from the C2 server, saving them to the file %TEMP%SSMMHH_DDMMYYYY.bat, and executing it
    • pxm, for setting up a proxy connection and relaying traffic bidirectionally
    • [filepath], for loading a given DLL

    THUMBSBD is also designed to deliver BLUELIGHT, a backdoor attributed to ScarCruft since at least 2021. That malware abuses legitimate cloud providers, including Google Drive, Microsoft OneDrive, pCloud, and Backblaze, for C2 in order to run arbitrary commands, enumerate the file system, download additional payloads, upload files, and remove itself.

    Also delivered as a Ruby file, VIRUSTASK functions similarly to THUMBSBD in that it acts as a removable-media propagation component, spreading the malware to not-yet-infected air-gapped systems. “Unlike THUMBSBD which handles command execution and exfiltration, VIRUSTASK focuses exclusively on weaponizing removable media to achieve initial access on air-gapped systems,” Park explained.
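    A check for the removable-media relay that THUMBSBD and VIRUSTASK rely on, as an added example that is not Zscaler's or the attacker's code. It audits the mount point of a USB volume before the stick crosses into an isolated network and reports hidden directories (the staging folder), Ruby-looking files (both implants are delivered as Ruby files), and recently written files inside hidden directories (queued commands or collected output). What counts as suspicious is the author's assumption, and the sample volume is constructed in a temporary directory.

```python
"""Audit a removable-media volume for the hidden staging folder used to ferry
commands and output across an air gap.  Added example, not Zscaler's or the
attacker's code; the heuristics are assumptions and the sample tree is constructed."""
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import List, Optional

def is_hidden(p: Path) -> bool:
    """Hidden by Windows attribute or by Unix dot-prefix convention."""
    if p.name.startswith("."):
        return True
    attrs = getattr(p.stat(), "st_file_attributes", 0)          # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))

def audit_volume(root: str, recent_s: int = 7 * 24 * 3600,
                 now: Optional[float] = None) -> List[dict]:
    """Walk the volume and return findings in path order."""
    root_p = Path(root)
    now = time.time() if now is None else now
    findings = []
    for path in sorted(root_p.rglob("*")):
        rel = path.relative_to(root_p)
        in_hidden = any(is_hidden(root_p / parent) for parent in rel.parents
                        if str(parent) != ".")
        if path.is_dir() and is_hidden(path):
            n_files = sum(1 for f in path.rglob("*") if f.is_file())
            findings.append({"kind": "hidden_dir", "path": str(rel), "files": n_files})
        elif path.is_file():
            age = now - path.stat().st_mtime
            if path.suffix.lower() == ".rb":
                findings.append({"kind": "ruby_file", "path": str(rel), "in_hidden_dir": in_hidden})
            elif in_hidden and age < recent_s:
                findings.append({"kind": "recent_staged_file", "path": str(rel), "age_s": int(age)})
    return findings

def build_sample_volume() -> str:
    """Constructed USB layout: ordinary documents plus a hidden staging folder
    holding a queued command, its output, and a Ruby-disguised payload."""
    base = Path(tempfile.mkdtemp(prefix="usb_"))
    (base / "reports").mkdir()
    (base / "reports" / "q3.docx").write_bytes(b"PK\x03\x04 placeholder, not a real docx")
    old = base / "reports" / "q2.pdf"
    old.write_bytes(b"%PDF-1.4 placeholder")
    os.utime(old, (time.time() - 400 * 86400,) * 2)          # months-old file, benign
    staging = base / ".cache"
    staging.mkdir()
    (staging / "cmd_0001.txt").write_text("whoami && ipconfig\n")
    (staging / "out_0001.txt").write_text("WS01\\bob\n")
    (staging / "update.rb").write_text("# disguised payload placeholder\n")
    return str(base)

if __name__ == "__main__":
    for f in audit_volume(build_sample_volume()):
        print(f)
```

    On a real stick the hidden attribute matters more than the dot prefix, which is why `is_hidden` checks both; run the audit from a host that mounts the volume read-only so the scan itself cannot become the write that carries something across.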

    “The Ruby Jumper campaign involves a multi-stage infection chain that begins with a malicious LNK file and utilizes legitimate cloud services (like Zoho WorkDrive, Google Drive, Microsoft OneDrive, etc.) to deploy a novel, self-contained Ruby execution environment,” Park said. “Most critically, THUMBSBD and VIRUSTASK weaponize removable media to bypass network isolation and infect air-gapped systems.”


    Source: thehackernews.com…

  • Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

    Ravie Lakshmanan, Feb 27, 2026, Malware / Linux Security

    Cybersecurity researchers have disclosed details of a malicious Go module that’s designed to harvest passwords, create persistent access via SSH, and deliver a Linux backdoor named Rekoobe.

    The Go module, github[.]com/xinfeisoft/crypto, impersonates the legitimate “golang.org/x/crypto” codebase but injects malicious code that exfiltrates secrets entered at terminal password prompts to a remote endpoint, fetches a shell script in response, and executes it.

    “This activity fits namespace confusion and impersonation of the legitimate golang.org/x/crypto subrepository (and its GitHub mirror github.com/golang/crypto),” Socket security researcher Kirill Boychenko said. “The legitimate project identifies go.googlesource.com/crypto as canonical and treats GitHub as a mirror, a distinction the threat actor abuses to make github.com/xinfeisoft/crypto look routine in dependency graphs.”

    Specifically, the backdoor has been placed in the “ssh/terminal/terminal.go” file, so that every time a victim application invokes ReadPassword(), the function meant to read input such as passwords from a terminal, the hooked function captures the interactive secret and exfiltrates it.
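    A dependency-graph gate for the namespace confusion described above, as an added example that is not Socket's tooling. It parses the `require` and `replace` directives of a go.mod (single-line and block forms, including the target on the right of `=>`) and flags any module whose last path segment matches an official golang.org/x subrepository while living under a GitHub owner other than golang. The list of official subrepo names, the canonical prefixes and the sample go.mod are constructed assumptions; for a resolved build graph, feed it `go list -m all` output instead, one module path per line.

```python
"""go.mod lookalike check for impersonated golang.org/x/<name> subrepositories.
Added example, not Socket's tooling; allowlists and the sample are constructed."""
import re
from typing import List, Optional, Tuple

# Subrepo names an attacker would imitate; extend from golang.org/x as needed (assumption).
OFFICIAL_X_REPOS = {"crypto", "net", "sys", "text", "tools", "oauth2", "sync", "term", "time", "mod", "exp"}
# Canonical homes: the go.googlesource.com origin and its golang.org / GitHub mirrors.
OFFICIAL_PREFIXES = ("golang.org/x/", "github.com/golang/", "go.googlesource.com/")
MODULE_PATH = re.compile(r"^[\w.-]+(\.[\w.-]+)+(/[\w.\-~]+)+$")   # host.tld/owner/name...

def lookalike_reason(path: str) -> Optional[str]:
    """Why `path` impersonates an x/ subrepo, or None if it is not a lookalike."""
    if path.startswith(OFFICIAL_PREFIXES):
        return None
    name = path.rstrip("/").rsplit("/", 1)[-1]
    if name in OFFICIAL_X_REPOS:
        return f"last segment '{name}' matches golang.org/x/{name} under a non-official owner"
    return None

def _paths(fragment: str) -> List[str]:
    """Module paths in a require/replace line ('a [v] => b [v]' for replace)."""
    return [tok for tok in fragment.replace("=>", " ").split() if MODULE_PATH.match(tok)]

def modules_in(gomod: str) -> List[Tuple[str, str]]:
    """(directive, module path) for every require/replace entry in go.mod text."""
    out, block = [], None
    for raw in gomod.splitlines():
        line = raw.split("//", 1)[0].strip()          # drop comments such as '// indirect'
        if not line:
            continue
        if block:
            if line == ")":
                block = None
            else:
                out.extend((block, p) for p in _paths(line))
        elif line.endswith("(") and line.split()[0] in ("require", "replace"):
            block = line.split()[0]
        elif line.split()[0] in ("require", "replace"):
            out.extend((line.split()[0], p) for p in _paths(line.split(None, 1)[1]))
    return out

def audit_gomod(gomod: str) -> List[dict]:
    """Findings for every lookalike module referenced by the go.mod text."""
    findings = []
    for directive, path in modules_in(gomod):
        reason = lookalike_reason(path)
        if reason:
            findings.append({"directive": directive, "module": path, "reason": reason})
    return findings

# Constructed go.mod: one lookalike pulled in transitively, one planted via replace.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.22

require (
\tgithub.com/xinfeisoft/crypto v0.31.0 // indirect
\tgolang.org/x/sys v0.28.0
\tgithub.com/spf13/cobra v1.8.1
)

replace golang.org/x/term => github.com/someone/term v0.1.0
"""

if __name__ == "__main__":
    for f in audit_gomod(SAMPLE_GO_MOD):
        print(f"{f['directive']:>8}  {f['module']}: {f['reason']}")
```

    The `replace` case matters as much as the `require` case: a replace directive rewrites the canonical path to the attacker's repository without changing a single import line in the codebase, which is exactly the "routine-looking dependency graph" the researcher describes.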

    The main responsibility of the downloaded script is to act as a Linux stager: it appends the threat actor’s SSH key to the “/home/ubuntu/.ssh/authorized_keys” file, sets the iptables default policies to ACCEPT in an attempt to loosen firewall restrictions, and retrieves additional payloads from an external server, disguising them with a .mp5 extension.
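    Host-side checks for the three stager actions just described, as an added example that is not Socket's code. The inputs are the text of an authorized_keys file, the output of `iptables -S`, and a map of file paths to their first bytes from whatever file inventory already runs on the host; fingerprints are computed the way `ssh-keygen -lf` prints them so an allowlist can be kept in that form. The sample keys, rules, file map, allowlist and the expected policy baseline are all constructed.

```python
"""Checks for a planted authorized_keys entry, flipped iptables default policies,
and payloads parked under a bogus .mp5 extension.  Added example, not Socket's
code; all samples and the allowlist are constructed."""
import base64
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def parse_authorized_key(line: str) -> Optional[Tuple[str, str, str]]:
    """(key type, SHA256 fingerprint as ssh-keygen -lf prints it, comment) or None.
    Leading options such as command="..." or from="..." are skipped."""
    toks = line.strip().split()
    for i, tok in enumerate(toks):
        if tok.startswith(KEY_TYPES) and i + 1 < len(toks):
            try:
                blob = base64.b64decode(toks[i + 1], validate=True)
            except ValueError:
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            return tok, "SHA256:" + digest, " ".join(toks[i + 2:])
    return None

def unexpected_keys(authorized_keys: str, allowed: Set[str]) -> List[dict]:
    """Entries whose fingerprint is not allowlisted, or that do not parse at all."""
    out = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = parse_authorized_key(line)
        if parsed is None:
            out.append({"line": n, "fingerprint": None, "comment": line.strip()})
        elif parsed[1] not in allowed:
            out.append({"line": n, "fingerprint": parsed[1], "comment": parsed[2]})
    return out

POLICY = re.compile(r"^-P\s+(INPUT|FORWARD|OUTPUT)\s+(\S+)", re.M)

def policy_drift(iptables_s: str, baseline: Dict[str, str]) -> List[str]:
    """Built-in chains whose default policy differs from the expected baseline."""
    return [chain for chain, pol in POLICY.findall(iptables_s) if baseline.get(chain) != pol]

def disguised_payloads(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Files carrying the stager's .mp5 extension, labelled by what they really are."""
    out = []
    for path, head in files.items():
        if not path.lower().endswith(".mp5"):
            continue
        kind = "ELF" if head.startswith(b"\x7fELF") else "script" if head.startswith(b"#!") else "unknown"
        out.append((path, kind))
    return sorted(out)

def _fake_ed25519(seed: bytes) -> str:
    """Syntactically valid ssh-ed25519 blob for the constructed sample (not a real key)."""
    pub = hashlib.sha256(seed).digest()          # 32 bytes stand in for the public point
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pub).decode()

ADMIN_KEY, BACKUP_KEY, PLANTED_KEY = (_fake_ed25519(s) for s in (b"admin", b"backup", b"stager"))
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {ADMIN_KEY} admin@jump\n"
    f'command="/usr/bin/backup" ssh-ed25519 {BACKUP_KEY} backup@nas\n'
    f"ssh-ed25519 {PLANTED_KEY} root@kali\n"
)
ALLOWLIST = {parse_authorized_key(l)[1] for l in SAMPLE_AUTHORIZED_KEYS.splitlines()[:2]}
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""
BASELINE = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}   # assumed hardened baseline
SAMPLE_FILES = {
    "/home/ubuntu/music/track01.mp3": b"ID3\x04\x00",
    "/tmp/.x/agent.mp5": b"\x7fELF\x02\x01",
    "/tmp/.x/check.mp5": b"#!/bin/sh\n",
}

if __name__ == "__main__":
    print(unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST))
    print(policy_drift(SAMPLE_IPTABLES, BASELINE))
    print(disguised_payloads(SAMPLE_FILES))
```

    Keying the allowlist on fingerprints rather than on the raw base64 blob means a re-encoded or re-commented copy of a planted key still shows up, and an attacker who appends a key with a familiar comment such as admin@jump gains nothing.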

    Of the two payloads, one is a helper that tests internet connectivity and attempts to communicate with an IP address (“154.84.63[.]184”) over TCP port 443. The program likely functions as a reconnaissance tool or loader, Socket noted.

    The second payload has been assessed to be Rekoobe, a known Linux trojan observed in the wild since at least 2015. The backdoor can receive commands from an attacker-controlled server to download more payloads, steal files, and spawn a reverse shell. As recently as August 2023, Rekoobe has been used by Chinese nation-state groups such as APT31.

    While the module is still listed on pkg.go.dev, the Go security team has taken steps to block it as malicious.

    “This campaign will likely repeat because the pattern is low-effort and high-impact: a lookalike module that hooks a high-value boundary (ReadPassword), uses GitHub Raw as a rotating pointer, then pivots into curl | sh staging and Linux payload delivery,” Boychenko said.

    “Defenders should anticipate similar supply chain attacks targeting other ‘credential edge’ libraries (SSH helpers, CLI auth prompts, database connectors) and more indirection through hosting surfaces to rotate infrastructure without republishing code.”


    Source: thehackernews.com…

  • Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown

    Cybersecurity researchers have disclosed details of a new botnet loader called Aeternum C2 that uses a blockchain-based command-and-control (C2) infrastructure to make it resilient to takedown efforts.

    “Instead of relying on traditional servers or domains for command-and-control, Aeternum stores its instructions on the public Polygon blockchain,” Qrator Labs said in a report shared with The Hacker News.

    “This network is widely used by decentralized applications, including Polymarket, the world’s largest prediction market. This approach makes Aeternum’s C2 infrastructure effectively permanent and resistant to traditional takedown methods.”

    This is not the first time a botnet has been found relying on a blockchain for C2. In 2021, Google said it had taken steps to disrupt Glupteba, a botnet that used the Bitcoin blockchain as a backup C2 mechanism for fetching the address of its actual C2 server.

    Details of Aeternum C2 first emerged in December 2025, when Outpost24’s KrakenLabs revealed that a threat actor going by the name LenAI was advertising the malware on underground forums for $200, a price that grants customers access to a panel and a configured build. For $4,000, customers were allegedly promised the entire C++ codebase along with updates.

    A native C++ loader available in both 32-bit and 64-bit builds, the malware works as follows: the operator writes the commands to be issued to infected hosts into smart contracts on the Polygon blockchain, and the bots read those commands by querying public remote procedure call (RPC) endpoints.

    All of this is managed via the web-based panel, from which customers select a smart contract, choose a command type, specify a payload URL, and push the update. The command, which can target all endpoints or a specific one, is written to the blockchain as a transaction, after which it becomes available to every compromised device polling the network.

    “Once a command is confirmed, it cannot be altered or removed by anyone other than the wallet holder,” Qrator Labs said. “The operator can manage multiple smart contracts simultaneously, each one potentially serving a different payload or function, such as a clipper, a stealer, a RAT, or a miner.”

    According to two-part research published by Ctrl Alt Intel earlier this month, the C2 panel is implemented as a Next.js web application that lets operators deploy smart contracts to the Polygon blockchain. Each contract exposes a function that, when called by the malware via a Polygon RPC endpoint, returns the encrypted command, which is subsequently decoded and run on the victim machine.
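    Two pieces a defender needs for the contract-read design described above, as an added example that is not Qrator's, Ctrl Alt Intel's or the malware's code. The first function unwraps the ABI encoding that `eth_call` returns for a contract function with a `bytes` result, which is the layer a bot strips before the encrypted command underneath (the page does not describe that encryption, so nothing is decrypted here). The second reads proxy records and reports clients that call the same contract on an RPC host at a steady interval, the beaconing pattern of a bot polling its C2 contract. The record format, the thresholds, the RPC host, the contract address and the calldata selector are constructed assumptions.

```python
"""ABI unwrapping for eth_call results and beacon detection for contract polling.
Added example, not the vendors' or the malware's code; samples are constructed."""
import json
from collections import defaultdict
from typing import Dict, List

def encode_abi_bytes(data: bytes) -> str:
    """ABI-encode a dynamic `bytes` return value: offset word, length word, data."""
    padded = data + b"\x00" * (-len(data) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())

def decode_abi_bytes(result_hex: str) -> bytes:
    """Inverse of encode_abi_bytes with bounds checks (RPC responses are untrusted)."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("too short for an ABI dynamic type")
    head = int.from_bytes(raw[:32], "big")
    if head + 32 > len(raw):
        raise ValueError("offset word points outside the payload")
    length = int.from_bytes(raw[head:head + 32], "big")
    data = raw[head + 32: head + 32 + length]
    if len(data) != length:
        raise ValueError("length word exceeds the payload")
    return data

def eth_call_polls(records: List[dict], min_calls: int = 4, max_jitter: float = 0.2) -> List[dict]:
    """records: {ts (epoch s), src, host, body (JSON-RPC request text)}.
    Groups eth_call requests by (src, host, contract) and reports steady pollers."""
    groups: Dict[tuple, List[float]] = defaultdict(list)
    for r in records:
        try:
            body = json.loads(r["body"])
            if body.get("method") != "eth_call":
                continue
            to = body["params"][0].get("to", "").lower()
        except (ValueError, KeyError, IndexError, AttributeError, TypeError):
            continue
        groups[(r["src"], r["host"], to)].append(float(r["ts"]))
    findings = []
    for (src, host, contract), times in groups.items():
        if len(times) < min_calls:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        jitter = max(abs(g - mean) for g in gaps) / mean   # worst-case deviation from the period
        if jitter <= max_jitter:
            findings.append({"src": src, "host": host, "contract": contract,
                             "calls": len(times), "interval_s": round(mean, 1)})
    return findings

# ---- constructed sample ---------------------------------------------------------
C2_CONTRACT = "0x" + "11" * 20          # placeholder address, not a real contract
SAMPLE_RESULT = encode_abi_bytes(b"\x93\x1f\x00\x27 opaque ciphertext placeholder")

def _rpc(ts, src, method, to=None, host="polygon-rpc.com"):
    """One proxy record holding a JSON-RPC request (host and selector are placeholders)."""
    params = [{"to": to, "data": "0x20965255"}, "latest"] if to else []
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})
    return {"ts": ts, "src": src, "host": host, "body": body}

SAMPLE_RECORDS = (
    [_rpc(t, "10.0.0.23", "eth_call", C2_CONTRACT) for t in (0, 60, 118, 180, 241)]   # steady poller
    + [_rpc(t, "10.0.0.40", "eth_call", "0x" + "22" * 20) for t in (5, 900)]          # developer, 2 calls
    + [_rpc(t, "10.0.0.40", "eth_blockNumber") for t in (10, 70, 130, 190)]           # not eth_call
)

if __name__ == "__main__":
    print(decode_abi_bytes(SAMPLE_RESULT))
    for f in eth_call_polls(SAMPLE_RECORDS):
        print(f)
```

    Because the contract cannot be taken down, the detection has to sit on the client side: the RPC host is a legitimate public service, so the signal is the regular `eth_call` cadence against one contract from a host that has no business talking to a blockchain, not the destination itself. Blocking that host outright would also break the legitimate dapp users the article mentions.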

    Besides using the blockchain to make the botnet resistant to takedown, the malware packs in various anti-analysis features to extend the lifespan of infections. These include checks to detect virtualized environments, along with the ability for customers to scan their builds via Kleenscan to ensure they are not flagged by antivirus vendors.

    “The operational costs are negligible: $1 worth of MATIC, the native token of the Polygon network, is enough for 100 to 150 command transactions,” the Czech cybersecurity vendor said. “The operator doesn’t need to rent servers, register domains, or maintain any infrastructure beyond a crypto wallet and a local copy of the panel.”

    The threat actor has since attempted to sell the entire toolkit for an asking price of $10,000, claiming a lack of time for support and their involvement in another project. “I will sell the entire project to one person with permission for resale and commercial use, with all ‘rights,’” LenAI said. “I will also give useful tips/notes on development that I did not have time to implement.”

    It’s worth noting that LenAI is also behind a second crimeware solution called ErrTraffic that enables threat actors to automate ClickFix attacks by generating fake glitches on compromised websites to induce a false sense of urgency and deceive users into following malicious instructions.

    The disclosure comes as Infrawatch published details of an underground service that places dedicated laptop hardware in American homes to co-opt the devices into a residential proxy network named DSLRoot, which routes malicious traffic through them.

    The hardware runs a Delphi-based program called DSLPylon that can enumerate supported modems on the network and remotely control the residential networking equipment, as well as Android devices via an Android Debug Bridge (ADB) integration.

    “Attribution analysis identifies the operator as a Belarusian national with residential presence in Minsk and Moscow,” Infrawatch said. “DSLRoot is estimated to operate roughly 300 active hardware devices across 20+ U.S. states.”

    The operator has been identified as Andrei Holas (aka Andre Holas and Andrei Golas). The service is promoted on BlackHatWorld by a user operating under the alias GlobalSolutions, who offers physical residential ADSL proxies for $190 per month for unrestricted access, $990 for six months, and $1,750 for an annual subscription.

    “DSLRoot’s custom software provides automated remote management of consumer modems (ARRIS/Motorola, Belkin, D-Link, ASUS) and Android devices via ADB, enabling IP address rotation and connectivity control,” the company noted. “The network operates without authentication, allowing clients to route traffic anonymously through U.S. residential IPs.”


    Source: thehackernews.com…