North Korean state-sponsored hackers from the Lazarus APT group launched a cyberespionage campaign targeting European companies involved in unmanned aerial vehicle development.

Starting in late March 2025, attackers compromised three defense organizations across Central and Southeastern Europe, deploying advanced malware to steal proprietary UAV technology.

The campaign, tracked as Operation DreamJob, employed social engineering using fraudulent job offers to gain initial access.

The attacks focused on companies manufacturing drone components and developing UAV software, aligning with North Korea’s efforts to expand its drone program.

Researchers discovered compromised systems contained malicious droppers with the internal DLL name DroneEXEHijackingLoader.dll, providing evidence of the campaign’s focus on drone technology theft.

Targets received fake job descriptions with trojanized PDF readers that initiated multi-stage infection processes.

Welivesecurity analysts identified the main payload as ScoringMathTea, a sophisticated remote access trojan serving as Lazarus’s flagship malware since late 2022.

The RAT provides comprehensive control over compromised machines through approximately 40 commands, enabling file manipulation, process control, and data exfiltration.

ScoringMathTea maintains communication with command-and-control infrastructure through compromised servers hosted within WordPress directories.

The malware’s C&C traffic employs multiple encryption layers, utilizing the IDEA algorithm followed by base64 encoding.

Network analysis revealed connections to compromised domains including coralsunmarine[.]com, mnmathleague[.]org, and spaincaramoon[.]com.

Advanced Infection Mechanism and Evasion Tactics

The Lazarus group demonstrated technical sophistication by incorporating malicious loading routines into legitimate open-source projects from GitHub.

Attackers trojanized software including TightVNC Viewer, MuPDF reader, and plugins for WinMerge and Notepad++.

This provides dual advantages: the malware inherits legitimate appearance of trusted applications while executing malicious payloads.

The infection chain employs DLL side-loading and proxying techniques. Legitimate executables such as wksprt.exe and wkspbroker.exe side-load malicious libraries like webservices.dll and radcui.dll.

These compromised DLLs contain two export sets: functions for proxying to preserve application behavior, and malicious code loading subsequent stages.

The malware employs robust encryption throughout the infection lifecycle. Early-stage droppers retrieve encrypted payloads from file system or registry, decrypt them using AES-128 or ChaCha20 algorithms, then load them into memory.

This leverages the MemoryModule library for reflective DLL injection, allowing code execution entirely in-memory without writing decrypted components to disk.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post North Korean Hackers Attacking Unmanned Aerial Vehicle Industry to Steal Confidential Data appeared first on Cyber Security News.

A sophisticated phishing campaign leveraging randomly generated Universal Unique Identifiers (UUIDs) has emerged, successfully bypassing Secure Email Gateways (SEGs) and evading perimeter defenses.

The attack employs an advanced JavaScript-based phishing script combining random domain selection, dynamic UUID generation, and server-driven page replacement to steal credentials.

Unlike conventional phishing operations relying on static redirects, this campaign demonstrates tactical precision.

The phishing script operates by embedding malicious code within HTML attachments or spoofed file-sharing platforms such as Microsoft OneDrive, SharePoint Online, DocuSign, and Adobe Acrobat Sign.

When victims interact with seemingly legitimate documents, the script activates and selects one .org domain at random from nine predefined addresses.

These domains appear bulk-generated without recognizable word patterns, deliberately designed to evade blocklists and machine learning detection systems.

The script generates a dynamic UUID to track individual victims while utilizing a hardcoded UUID as a campaign identifier.

Cofense researchers identified this unusual tactic in early February 2025, noting its ongoing nature and sophistication.

The dual UUID mechanism stands out as particularly uncommon in phishing operations.

After domain selection and UUID generation, the script sends an HTTPS POST request to the chosen server’s API endpoint.

The server responds with dynamically generated content tailored to the victim’s context, such as personalized corporate login pages.

This approach enables threat actors to replace webpage content without changing URLs.

Dynamic Page Replacement

The most deceptive aspect involves dynamic page replacement capability, manipulating browser sessions to deliver credential phishing pages without traditional redirects.

Rather than using window.location.href redirects changing visible URLs, this script employs DOM manipulation techniques to replace page content with server-provided HTML.

The server-driven nature allows real-time customization based on victim context. When users enter email addresses, the script extracts domains and signals backend infrastructure to generate corresponding branded login pages.

This personalization significantly increases victim trust while reducing suspicion. The seamless experience maintained throughout proves critical for successful credential harvesting, demonstrating how modern attacks have evolved beyond simple email deception into sophisticated browser-based manipulation.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Phishing Attack Bypasses Using UUIDs Unique to Bypass Secure Email Gateways appeared first on Cyber Security News.

In 2025, ransomware attacks against the public sector continue to accelerate at an alarming rate, showing no signs of slowing down despite increased cybersecurity awareness and defensive measures.

Throughout the year, approximately 196 public sector entities worldwide have fallen victim to ransomware campaigns, resulting in crippling service outages, massive data loss, erosion of public trust, and substantial financial damages.

These attacks have caused widespread disruptions to critical government services and infrastructure, with operational downtime costs between 2018 and 2024 reaching $1.09 billion for government entities alone.

The ransomware landscape targeting public institutions has become increasingly fragmented and sophisticated, with numerous threat groups employing double-extortion tactics that combine file encryption with data theft.

The most active threat actors include Babuk with 43 confirmed victims, followed by Qilin with 21 victims, INC Ransom with 18 victims, FunkSec with 12 victims, and Medusa with 11 victims.

Additional groups such as Rhysida, SafePay, RansomHub, and DragonForce have also claimed multiple public sector attacks, indicating a diversification in the ransomware ecosystem that complicates attribution and defense strategies.

Government organizations face unique vulnerabilities that make them particularly attractive targets for ransomware operators.

Public institutions often store critical data, provide essential services that cannot afford disruption, and frequently lack the resources or technical depth necessary to maintain robust cybersecurity defenses.

Services such as police dispatch systems, court operations, and public health portals face immense pressure to restore functionality quickly, creating leverage that attackers exploit through aggressive timelines and threats of public data exposure.

Trustwave analysts identified that the United States has experienced the highest number of attacks with 69 confirmed public sector ransomware victims in 2025, reflecting both its extensive digital infrastructure and strong breach reporting standards.

Canada recorded 7 attacks, the United Kingdom faced 6 incidents, while France, India, Pakistan, and Indonesia each reported 5 attacks.

The first half of 2025 witnessed a dramatic surge in ransomware activity, with government sector attacks increasing by 60 percent compared to the same period in 2024, and total global ransomware incidents rising by 47 percent to reach 3,627 recorded cases.

Double-Extortion Tactics and Data Leak Strategies

The evolution of ransomware methodologies has shifted from traditional encryption-based attacks to sophisticated data extortion campaigns.

Modern ransomware groups increasingly employ double-extortion techniques where files are both encrypted and exfiltrated, allowing attackers to threaten victims with public exposure even if decryption keys are obtained through other means.

This tactical evolution was exemplified when the Everest ransomware group claimed an attack against a governmental department in Abu Dhabi, demonstrating the global reach of these operations.

This shows threat actors publicly announce their government targets on leak sites to maximize pressure.

The consequences extend beyond immediate financial impact, as public confidence in digital government services erodes when sensitive citizen data is exposed.

During the first quarter of 2025, government organizations faced the highest average ransom demands across all sectors, reaching $6.7 million per incident, while more than 17 million records were confirmed breached during the first half of the year.

Organizations that pay ransoms inadvertently fund broader criminal networks and potentially state-aligned cyber operations, prompting governments to shift toward policies that discourage ransom payments while emphasizing proactive defense mechanisms, incident response readiness, and cross-agency information sharing to combat this transnational cybercrime threat.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Ransomware Actors Targeting Global Public Sectors and Critical Services in Targeted Attacks appeared first on Cyber Security News.

A sophisticated supply chain attack has emerged targeting cryptocurrency developers through the NuGet package ecosystem.

Cybersecurity researchers have uncovered malicious packages impersonating Nethereum, a widely trusted .NET library for Ethereum blockchain interactions with tens of millions of downloads.

The counterfeit packages, identified as Netherеum.All and NethereumNet, employ advanced obfuscation techniques to exfiltrate sensitive wallet credentials including private keys, mnemonics, keystore JSON files, and signed transaction data.

The attack leverages a homoglyph typosquatting technique, replacing the Latin letter “e” with a visually identical Cyrillic character (U+0435) in the package name Netherеum.All.

This subtle Unicode substitution makes the fraudulent package nearly indistinguishable from the legitimate Nethereum library during casual inspection.

The malicious package was first published on October 16, 2025, and remained active until NuGet removed it on October 20, 2025, after receiving security reports.

Socket.dev analysts identified the threat during routine scanning operations, uncovering a coordinated campaign by a single threat actor operating under two NuGet publisher aliases: nethereumgroup and NethereumCsharp.

Both malicious packages incorporated identical exfiltration mechanisms and utilized artificial download inflation tactics, with Netherеum.All displaying an implausible 11.6 million downloads within days of publication.

This manufactured popularity metric created a false sense of legitimacy, potentially deceiving developers during package selection.

The packages appeared functional, referencing genuine Nethereum dependencies such as Nethereum.Hex, Nethereum.Signer, and Nethereum.Util, ensuring normal compilation and expected Ethereum operations.

However, the malicious code remained dormant until specific wallet-related functions were invoked, activating the concealed exfiltration mechanism.

Technical Mechanism and Payload Analysis

The malware’s core functionality resides within EIP70221TransactionService.Shuffle, which implements a position-based XOR decoding routine to reveal the command-and-control endpoint at runtime.

The obfuscated seed string undergoes XOR operations with a 44-byte mask, decoding to https://solananetworkinstance[.]info/api/gads.

When wallet operations are executed, the malicious method captures sensitive data and transmits it via HTTPS POST request with a form field named “message”, effectively stealing credentials while maintaining the appearance of legitimate blockchain interactions.

The attack demonstrates sophisticated supply chain compromise tactics, combining Unicode homoglyphs, download manipulation, and runtime obfuscation to bypass security controls and target cryptocurrency assets.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Malicious NuGet Packages Mimic as Popular Nethereum Project to Steal Wallet Keys appeared first on Cyber Security News.