The Russia-aligned Sandworm threat group has intensified its destructive cyberattacks against Ukrainian organizations, deploying sophisticated data wiper malware designed to cripple critical infrastructure and economic operations.

Unlike traditional cyberespionage campaigns, Sandworm’s recent operations focus exclusively on destruction, targeting governmental entities, energy providers, logistics companies, and the grain sector with malicious tools named ZEROLOT and Sting.

These attacks aim to weaken Ukraine’s economic stability during an ongoing geopolitical conflict, demonstrating the group’s strategic shift from intelligence gathering to causing maximum disruption.

The campaign specifically targets critical sectors vital to Ukraine’s economy and national security.

The threat actor has concentrated efforts on governmental organizations responsible for administrative functions, energy companies managing power infrastructure, logistics operations supporting supply chains, and agricultural entities within the grain sector.

Welivesecurity security researchers identified this coordinated assault as part of Sandworm’s broader strategy to destabilize Ukrainian operations through permanent data loss.

The deployment of data wipers represents a dangerous escalation in cyber warfare tactics, as these tools are designed to render systems completely inoperable by permanently erasing data and corrupting file systems.

The malware operates by exploiting vulnerabilities in target networks through spearphishing campaigns and compromised credentials.

Once inside the network, ZEROLOT and Sting execute destructive routines that overwrite critical system files, partition tables, and stored data with random values, making recovery virtually impossible without offline backups.

Wiper Deployment

The data wipers employ advanced techniques to maximize damage before detection.

ZEROLOT specifically targets Master Boot Records and file allocation tables, ensuring that operating systems cannot boot after the attack completes.

The malware includes anti-forensic capabilities that delete event logs and system restore points, eliminating evidence of the intrusion.

Sting operates with elevated privileges obtained through credential theft and privilege escalation exploits, allowing unrestricted access to protected system areas.

Both wipers incorporate timing mechanisms that delay execution until achieving maximum network propagation, ensuring widespread impact across connected infrastructure before security teams can respond effectively to the threat.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Sandworm Hackers Attacking Ukranian Organizations with Data Wiper Malwares appeared first on Cyber Security News.

The emergence of advanced AI browsing platforms such as OpenAI’s Atlas and Perplexity’s Comet has created a sophisticated challenge for digital publishers worldwide.

These tools leverage agentic capabilities designed to execute complex, multistep tasks that fundamentally transform how content is accessed and consumed online.

Unlike traditional search engines, AI browsers can navigate paywalls and content restrictions with remarkable precision, posing significant risks to publishers’ revenue models and content distribution strategies.

The attack methodology employed by these systems is particularly concerning because their operational profiles closely resemble legitimate human browser behavior.

When these agents interact with websites, they present themselves indistinguishably from standard Chrome browser users, effectively circumventing traditional detection mechanisms.

This behavioral mimicry creates an environment where publishers cannot reliably differentiate between genuine human traffic and automated AI systems without risking legitimate user access disruption.

Security researchers and journalists at Columbia Journalism Review identified that these AI browsers employ multiple sophisticated techniques to defeat content protection mechanisms.

The platforms successfully extract full text from subscriber-exclusive articles despite active crawler-blocking protocols and paywalls designed to prevent unauthorized access.

Understanding Paywall Bypass Mechanisms

The technical breakdown reveals two distinct approaches used by Atlas and Comet.

First, client-side overlay paywalls, commonly used by MIT Technology Review and National Geographic, render content within the browser but hide it visually behind authentication overlays.

AI agents directly access the underlying DOM elements, reading hidden content invisible to human users.

Second, when encountering blocked content, these systems employ digital breadcrumb reconstruction—aggregating information from tweets, syndicated versions, and related coverage across the web to reverse-engineer blocked articles.

This sophisticated technique demonstrates how traditional security measures prove insufficient against determined agentic systems.

Publishers utilizing server-side paywalls offer marginally better protection, though determined agents continue finding alternative pathways through the digital landscape.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post AI Browsers Bypass Content PayWall Mimicking as a Human-User appeared first on Cyber Security News.

The cybersecurity landscape continues to evolve as new ransomware variants emerge from the remnants of previous campaigns.

Midnight ransomware represents one such development, drawing substantial inspiration from the notorious Babuk ransomware family that first appeared in early 2021.

Like its predecessor, Midnight employs sophisticated encryption techniques and targeted file selection strategies to maximize damage across infected systems.

However, what distinguishes this particular strain is the unintentional introduction of cryptographic weaknesses that have created a rare opportunity for victims to recover their data without paying extortion demands.

The journey from Babuk to Midnight traces back to 2021 when Babuk’s operators suddenly ceased operations and released their complete source code, triggering a cascade of derivative ransomware families.

GenDigital security analysts and researchers identified Midnight as one such evolution, noting that while the malware retains Babuk’s fundamental architecture, it incorporates modified encryption schemes that inadvertently compromise file protection.

This discovery proved instrumental in enabling the development of a functional decryptor, transforming what could have been a catastrophic scenario into a recoverable situation for affected organizations.

Cryptographic Design and Implementation Flaws

The technical implementation of Midnight reveals the source of its vulnerability. The ransomware employs ChaCha20 for encrypting file contents while utilizing RSA encryption to protect the ChaCha20 keys.

Critically, the RSA-encrypted key and its corresponding SHA256 hash are appended directly to the end of each encrypted file, maintaining consistent formatting across all known samples.

This design choice, while simplifying the attack mechanism, creates predictable patterns that security researchers successfully exploited during decryptor development.

Midnight demonstrates operational flexibility through command-line arguments that control its behavior. The /e parameter appends file extensions like .Midnight to file content rather than modifying filenames directly.

The /n argument enables encryption of network-mounted volumes, while –paths=PATHS targets specific directories for selective encryption.

Early variants prioritized high-value targets including databases, backups, and archives with extensions like .sql, .mdf, .bak, and .dbf.

More recent iterations have broadened their scope, encrypting nearly all file types except executables such as .exe, .dll, and .msi files.

Affected systems display characteristic indicators including ransom notes titled “How To Restore Your Files.txt,” file extensions of .Midnight or .endpoint, and a mutex named “Mutexisfunnylocal” that prevents multiple malware instances from executing simultaneously.

Organizations recognizing these signatures can immediately implement containment measures and leverage available decryption tools to restore their systems without capitulating to attacker demands.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Midnight Ransomware Decrypter Flaws Opens the Door to File Recovery appeared first on Cyber Security News.