• The LockBit ransomware operation has resurfaced after months of reduced activity that followed the Operation Cronos takedown in early 2024.

    Despite law enforcement disruptions and infrastructure seizures, the group’s administrator, LockBitSupp, has successfully rebuilt the operation and launched LockBit 5.0, internally codenamed “ChuongDong.”

    This latest variant represents a significant evolution in the group’s ransomware capabilities, targeting organizations across multiple platforms with enhanced technical sophistication.

    Throughout September 2025, the revived operation demonstrated its operational recovery by compromising a dozen organizations across Western Europe, the Americas, and Asia.

    Half of these incidents involved the newly released LockBit 5.0 variant, while the remainder utilized LockBit Black.

    The attacks primarily focused on Windows environments, accounting for approximately 80% of infections, with ESXi and Linux systems comprising the remaining 20%.

    Check Point analysts identified these campaigns as clear evidence that LockBit’s Ransomware-as-a-Service model has successfully reactivated its affiliate network.

    The rapid return highlights the resilience of established cybercriminal enterprises.

    After announcing its comeback on underground forums in early September, LockBitSupp recruited new affiliates by requiring roughly $500 in Bitcoin deposits for access to the control panel and encryption tools.

    Enhanced Encryption and Evasion Capabilities

    LockBit 5.0 introduces several technical improvements designed to maximize impact while minimizing detection.

    LockBit 5.0 affiliate registration screen (Source – Check Point)

    The malware now supports multi-platform deployments with dedicated builds for Windows, Linux, and ESXi environments.

    Its encryption routines have been optimized to reduce the response window available to defenders, enabling faster system-wide file encryption.

    The variant appends a randomized 16-character extension to each encrypted file, so detections keyed on a fixed LockBit extension no longer fire; defenders have to match on the pattern (extension length and character set) or on file-content entropy rather than on a specific extension string.

    Enhanced anti-analysis features obstruct forensic investigation and reverse engineering attempts, making it significantly more challenging for security researchers to analyze the malware’s behavior.

    Updated ransom notes identify themselves as LockBit 5.0 and provide personalized negotiation links with a 30-day deadline before stolen data publication.
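
    A hunting heuristic for the renamed files, as an added example that is not from Check Point's report or from the malware: flag files whose extension is exactly 16 alphanumeric characters and whose leading bytes are high-entropy, which separates freshly encrypted files from plaintext files that merely carry an odd name. The 16-character length comes from the description above; the alphanumeric character set, the 7.5 bits-per-byte threshold and the sample paths in the test are assumptions.

```python
import math
import os
import re
from collections import Counter

# Assumption taken from the description above: the encrypted file gets a
# random 16-character extension; the character set is assumed alphanumeric.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{16}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ciphertext and compressed data sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, head: bytes, threshold: float = 7.5) -> bool:
    """Random-looking 16-char extension AND high-entropy content. Requiring both
    keeps a renamed-but-plaintext file from being flagged on the extension alone."""
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    return bool(RANDOM_EXT.match(ext)) and shannon_entropy(head) >= threshold


def classify(files: dict[str, bytes]) -> list[str]:
    """Apply the heuristic to {path: first bytes of file} and return suspicious paths."""
    return [path for path, head in files.items()
            if looks_encrypted(os.path.basename(path), head)]


def scan_tree(root: str, sample_bytes: int = 4096) -> list[str]:
    """Walk a directory tree, sample the first bytes of each file and classify them."""
    sampled = {}
    for dirpath, _dirs, names in os.walk(root):
        for fname in names:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    sampled[path] = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the sweep
    return classify(sampled)


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

    Point it at a file share or a suspect host's volume; a burst of hits under one tree, together with a note file naming LockBit 5.0, is the triage signal. Raise the threshold if a share legitimately holds many compressed archives.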


    The post LockBit 5.0 Actively Attacking Windows, Linux, and ESXi Environments appeared first on Cyber Security News.


  • A sophisticated backdoor named Android.Backdoor.Baohuo.1.origin has been discovered in maliciously modified versions of Telegram X messenger, granting attackers complete control over victims’ accounts while operating undetected.

    The malware infiltrates devices through deceptive in-app advertisements and third-party app stores, masquerading as legitimate dating and communication platforms.

    With more than 58,000 infected devices spread across approximately 3,000 smartphone models, tablets, TV boxes, and even Android-based vehicle systems, this threat represents a significant escalation in mobile malware sophistication.

    The backdoor’s distribution began in mid-2024, primarily targeting Brazilian and Indonesian users through Portuguese and Indonesian language templates.

    Victims encounter advertisements within mobile applications that redirect them to counterfeit app catalogs featuring fake reviews and promotional banners advertising “free video chats” and dating opportunities.

    These fraudulent websites deliver trojanized APK files that appear indistinguishable from legitimate Telegram X installations.

    One of the malicious sites from which the trojan version of Telegram X is downloaded (Source – Dr.WEB)

    Beyond malicious websites, the backdoor has infiltrated established third-party app repositories including APKPure, ApkSum, and AndroidP, where it was posted under the official messenger developer's name even though the packages were signed with a certificate different from the genuine app's, a mismatch that comparing the APK signing-certificate fingerprint against the official one would have exposed.

    Dr.Web analysts identified the malware’s exceptional capability to steal confidential information including login credentials, passwords, and complete chat histories.

    The backdoor conceals compromised account indicators by hiding third-party device connections from active Telegram session lists.

    Additionally, it autonomously adds or removes users from channels, joins chats on behalf of victims, and disguises these actions entirely, transforming compromised accounts into tools for artificially inflating Telegram channel subscribers.

    What distinguishes Android.Backdoor.Baohuo.1.origin from conventional Android threats is its use of a Redis database for command-and-control, which Dr.Web describes as the first documented instance of Redis being used to control Android malware.

    Earlier versions relied exclusively on traditional C2 servers; later builds added Redis-based command reception while keeping the C2 servers as a fallback.

    When initialized, the backdoor connects to its C2 server to retrieve configuration parameters including Redis connection credentials, enabling threat actors to issue commands and update trojan settings remotely.
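
    What that Redis channel looks like on the wire, as an added example that is not code from Dr.Web or from the backdoor: a minimal RESP (Redis serialization protocol) encoder and parser, a constructed exchange in which the client authenticates, subscribes to a channel and receives a pushed command, and a classifier that flags the commands a phone should never be sending. The credential, channel and command names are placeholders; the page does not give the real ones. Only the bulk-string array form of RESP is handled, which is enough for commands and channel pushes.

```python
def resp_command(*args: str) -> bytes:
    """Serialize a Redis command as a RESP array of bulk strings (client -> server)."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def parse_resp_array(buf: bytes) -> tuple[list[bytes], int]:
    """Parse one RESP array of bulk strings; return (items, bytes consumed).
    A server push on a subscribed channel has the same shape:
    ['message', <channel>, <payload>]."""
    if not buf.startswith(b"*"):
        raise ValueError("not a RESP array")
    end = buf.index(b"\r\n")
    count = int(buf[1:end])
    pos, items = end + 2, []
    for _ in range(count):
        if buf[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string")
        end = buf.index(b"\r\n", pos)
        length = int(buf[pos + 1:end])
        start = end + 2
        items.append(buf[start:start + length])
        pos = start + length + 2  # skip the payload and its trailing CRLF
    return items, pos


# A handset authenticating to a Redis server and subscribing to a channel is not
# normal messenger behaviour; these command names are the detection signal.
SUSPICIOUS = {b"AUTH", b"SUBSCRIBE", b"PSUBSCRIBE", b"PUBLISH"}


def classify_client_payload(payload: bytes) -> set[bytes]:
    """Return the suspicious Redis commands found in a client -> server payload."""
    found, pos = set(), 0
    while payload[pos:pos + 1] == b"*":
        try:
            items, used = parse_resp_array(payload[pos:])
        except ValueError:
            break  # truncated or non-RESP data: stop, keep what was found
        if items and items[0].upper() in SUSPICIOUS:
            found.add(items[0].upper())
        pos += used
    return found


def demo_exchange() -> dict:
    """Constructed exchange (placeholder names): the client logs in with the
    credentials it fetched from the C2, subscribes, and the server pushes a command."""
    to_server = (resp_command("AUTH", "c2user", "c2pass")
                 + resp_command("SUBSCRIBE", "cmd:device:1234"))
    from_server = resp_command("message", "cmd:device:1234", "upload_sms")
    return {
        "client_flags": classify_client_payload(to_server),
        "server_command": parse_resp_array(from_server)[0][2],
    }
```

    The classifier is the part worth reusing: run it over payloads from mobile clients to any host on port 6379 or to a host the C2 configuration names, and alert on AUTH or SUBSCRIBE. Legitimate apps talk to Redis through a backend, not from the handset.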

    Advanced Control Mechanisms and Data Exfiltration

    The backdoor employs multiple techniques to manipulate messenger functionality without detection.

    For operations that do not interfere with core app features, the operators use pre-prepared "mirrors" of messenger methods: separate code blocks that reproduce specific functions of the app outside the original code paths.

    These mirrors facilitate displaying phishing messages within windows that perfectly replicate authentic Telegram X interfaces.

    For non-standard operations requiring deeper integration, the malware leverages the Xposed framework to dynamically modify app methods, enabling capabilities such as hiding specific chats, concealing authorized devices, and intercepting clipboard contents.

    Through Redis channels and C2 servers, Android.Backdoor.Baohuo.1.origin receives extensive commands including uploading SMS messages, contacts, and clipboard contents whenever users minimize or restore the messenger window.

    This clipboard monitoring enables sophisticated data theft scenarios where victims inadvertently expose cryptocurrency wallet passwords, mnemonic phrases, or confidential business communications.

    The backdoor systematically collects device information, installed application data, message histories, and authentication tokens, transmitting this intelligence to attackers every three minutes while maintaining the appearance of normal messenger operation.


    The post Hackers Weaponizing Telegram Messenger with Dangerous Android Malware to Gain Full System Control appeared first on Cyber Security News.


  • Southeast Asia’s online gambling ecosystem has become a breeding ground for sophisticated cyber threats, with criminal networks leveraging seemingly legitimate platforms to distribute malicious software to millions of unsuspecting users.

    A recently uncovered operation demonstrates how threat actors exploit the region’s thriving illegal gambling market by deploying a weaponized browser disguised as a privacy tool.

    The campaign centers on Universe Browser, a modified Chromium-based application distributed through online gambling websites operated by criminal networks across Southeast Asia.

    Marketed as a privacy-friendly solution capable of bypassing censorship, the browser routes all user connections through actor-controlled servers in China while covertly installing multiple programs that execute silently in the background.

    Behind this infrastructure lies Vault Viper, a threat actor tracked to the Baoying Group and its BBIN white label iGaming platform.

    The group maintains extensive operations throughout Cambodia and the Philippines, servicing both legitimate operators and criminal networks engaged in cyber-enabled fraud.

    Infoblox researchers identified the malicious browser after investigating illegal gambling platforms, uncovering connections between the software distribution network and transnational organized crime syndicates.

    The browser exhibits behavior consistent with a remote access trojan: keylogging, surreptitious network connections, and modification of device configuration.

    Analysis reveals sophisticated anti-analysis techniques including virtual machine detection, debugger evasion, and encrypted communication protocols designed to obstruct security research.

    Infoblox analysts noted that while Universe Browser cannot be definitively confirmed for overtly malicious use beyond privacy violations, the hidden technical elements and criminal distribution context raise significant security concerns.

    The browser’s ability to intercept all network traffic, coupled with distribution through criminal platforms documented in fraud cases, positions it as a high-risk exploitation tool.

    Technical Analysis: Installation and Persistence Mechanisms

    The Windows installer, distributed as UB-Launcher.exe, initiates the infection chain by performing environment checks before downloading the malicious payload.

    The installer validates victim locale settings and conducts virtual machine detection routines to evade analysis in sandboxed environments.

    # VM detection logic observed in Universe Browser, reconstructed here as runnable Python
    import platform

    def check_vm_environment(system_info=None):
        vm_indicators = ['VBOX', 'VirtualBox', 'VMware', 'QEMU']  # strings the installer looks for
        if system_info is None:
            system_info = ' '.join(platform.uname())  # OS/hardware identification strings
        return any(indicator in system_info for indicator in vm_indicators)

    Once validation succeeds, the installer downloads two components to %APPDATA%/local/UB: a legitimate Chrome installation and Application.7z containing dynamic link libraries and five binaries.

    The dropper replaces Chrome.exe with UB-Launcher.exe, transforming a legitimate browser into the malicious Universe Browser.

    Persistence is established through registry modification, adding UB-Launcher.exe to the Windows startup registry key.

    The malware initiates a process chain with UBMaintenanceservice.exe invoking UBService.exe, the core component managing proxy connections and command-and-control communication.

    Simplified folder schema (Source – Infoblox)

    UBService handles encrypted communications with C2 domains including ac101[.]net and ub66[.]com, managing SOCKS5 proxy traffic routes in an encrypted SQLite database.

    This lets the operators change the proxy behavior on instruction from the remote server. The service fetches its encryption keys from DNS TXT records and uses a domain generation algorithm to derive further C2 domains, which keeps a static blocklist of the two domains above from being sufficient on its own.
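
    A DNS-log hunt for the behavior just described, as an added example that is not from Infoblox's analysis or from the browser: it flags queries for the two domains named above, TXT lookups from workstations (the key-distribution channel), and clients that burn through several never-resolving domains in a short window, which is what a DGA looks like from the resolver. The log lines are constructed for the example, and the whitespace-separated format, the three-NXDOMAIN threshold and the two-label "registrable domain" shortcut are assumptions.

```python
from collections import defaultdict

# Domains named in the analysis above (shown de-fanged in the text).
IOC_DOMAINS = {"ac101.net", "ub66.com"}

# Constructed resolver log: timestamp, client, query type, name, response code.
# Not real telemetry; the field layout is an assumption for the example.
SAMPLE_LOG = """\
1730000000 10.0.0.5 A www.example.com NOERROR
1730000001 10.0.0.5 TXT k1.ac101.net NOERROR
1730000002 10.0.0.5 A ub66.com NOERROR
1730000003 10.0.0.5 A qzx7a2.com NXDOMAIN
1730000004 10.0.0.5 A m8ehb1p.net NXDOMAIN
1730000005 10.0.0.5 A r5t9kz.org NXDOMAIN
1730000006 10.0.0.7 A www.example.com NOERROR
1730000007 10.0.0.7 A mail.example.com NOERROR
"""


def registrable(name: str) -> str:
    """Last two labels of a name. Good enough for .com/.net/.org; a real
    deployment should use the Public Suffix List (co.uk and similar break this)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_line(line: str) -> dict:
    ts, client, qtype, qname, rcode = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."), "rcode": rcode.upper()}


def hunt(log_text: str, nx_threshold: int = 3) -> dict[str, list[str]]:
    """Per-client findings: IOC hits, TXT lookups, and NXDOMAIN bursts."""
    findings = defaultdict(list)
    nx_domains = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        base = registrable(rec["qname"])
        if base in IOC_DOMAINS:
            findings[rec["client"]].append(f"ioc:{rec['qname']}")
        if rec["qtype"] == "TXT":
            findings[rec["client"]].append(f"txt:{rec['qname']}")
        if rec["rcode"] == "NXDOMAIN":
            nx_domains[rec["client"]].add(base)
    for client, domains in nx_domains.items():
        if len(domains) >= nx_threshold:
            findings[client].append(f"nxdomain-burst:{len(domains)}")
    return dict(findings)
```

    TXT lookups are not malicious by themselves (mail servers check SPF and DKIM through TXT, and some legitimate software fetches configuration that way), so treat the TXT rule as a signal to combine with the others rather than an alert on its own.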


    The post Vault Viper Exploits Online Gambling Websites Using Custom Browser to Install Malicious Program appeared first on Cyber Security News.


  • Cybercriminals have adopted a sophisticated social engineering strategy that exploits the trust inherent in job hunting, according to a recent security advisory.

    A financially motivated threat cluster operating from Vietnam has been targeting digital advertising and marketing professionals through fake job postings on legitimate employment platforms and custom-built recruitment websites.

    The campaign, which leverages remote access trojans and credential-harvesting phishing kits, represents a growing threat to corporate advertising and social media accounts across multiple industries.

    The attack methodology centers on creating fake company profiles masquerading as digital media agencies on popular job boards.

    When unsuspecting applicants submit their resumes and contact information for these fabricated positions, they unknowingly establish a foundation of trust that threat actors later exploit.

    The self-initiated nature of the victim’s first contact makes subsequent communications from the attacker appear legitimate, as targets believe they are engaging with a potential employer about a position they actively pursued.

    The exposure extends beyond the initial lure. Threat actors can retain the collected applicant data for later cold-email campaigns about further fabricated openings, or sell curated lists of active job seekers to other criminal groups.

    This creates a persistent threat environment where a single job application can result in repeated targeting over extended periods.

    Google Threat Intelligence Group researchers identified the operation as UNC6229, noting the cluster primarily targets remote workers in contract or part-time positions who may actively seek employment while currently employed.

    Attack flow (Source – Google Cloud)

    The campaign specifically focuses on individuals with legitimate access to high-value corporate advertising and social media accounts, which threat actors can either use to sell advertisements or directly sell the compromised accounts to other criminal entities.

    Delivery Mechanisms and Technical Infrastructure

    Following the initial contact phase, UNC6229 employs two primary payload delivery methods depending on campaign specifics.

    The first approach involves sending password-protected ZIP attachments disguised as skills assessments, application forms, or preliminary hiring tasks.

    These archives contain remote access trojans that grant attackers complete device control, enabling subsequent account takeovers.
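
    Password-protected archives exist to defeat gateway scanning, but the archive format still leaks what a filter needs: member names are stored in clear even when the contents are encrypted. The following is an added example, not code from Google's advisory or from the campaign, of what a mail gateway can decide without the password. Python's zipfile cannot write encrypted entries, so the "encrypted" sample is built by setting the encryption flag bit by hand in both headers, which is what a real password-protected ZIP presents to a scanner. The member name and the executable-extension list are assumptions.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: the entry is encrypted


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample archive with one member (name is a placeholder).
    For the encrypted case the flag is set in the local file header (flags at
    offset 6) and in the central directory entry (flags at offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Skills_Assessment.exe", b"MZ" + b"\x00" * 62)
    data = bytearray(buf.getvalue())
    if encrypted:
        assert data[:4] == b"PK\x03\x04"
        flags = struct.unpack_from("<H", data, 6)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", data, 6, flags)
        cd = data.find(b"PK\x01\x02")
        flags = struct.unpack_from("<H", data, cd + 8)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", data, cd + 8, flags)
    return bytes(data)


# Extensions a recruiter's "assessment" has no reason to contain (assumed list).
EXECUTABLE_EXT = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd", ".ps1", ".msi", ".hta")


def inspect_attachment(blob: bytes) -> dict:
    """What a gateway learns without the password: member names, whether any
    member is encrypted, and whether any member is an executable type."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    return {
        "members": [i.filename for i in infos],
        "encrypted": any(i.flag_bits & ENCRYPTED_FLAG for i in infos),
        "has_executable": any(i.filename.lower().endswith(EXECUTABLE_EXT) for i in infos),
    }


def verdict(blob: bytes) -> str:
    """Policy: encrypted + executable member is blocked outright; encrypted
    without a visible executable is held because it cannot be scanned."""
    report = inspect_attachment(blob)
    if report["encrypted"] and report["has_executable"]:
        return "block"
    if report["encrypted"]:
        return "quarantine"
    return "scan"
```

    The same name-visibility holds for the ZIP format generally, not for 7z archives with header encryption enabled, which hide member names too; those should simply be held.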

    The second method utilizes obfuscated phishing links, often shortened through URL services, directing victims to fraudulent interview scheduling portals or assessment platforms.

    The phishing infrastructure demonstrates technical sophistication: the analyzed kits are configured to target corporate email credentials and to handle several multi-factor authentication schemes, including Okta and Microsoft implementations. Kits of this kind typically relay the victim's login to the real identity provider in real time, so one-time codes and push approvals are consumed by the attacker along with the password; only phishing-resistant MFA such as FIDO2/WebAuthn, which binds the credential to the genuine origin, defeats that relay.

    Google researchers noted that UNC6229 abuses legitimate customer relationship management platforms, including Salesforce, to send initial communications and manage campaigns.

    This abuse of trusted services increases email deliverability rates and bypasses traditional security filters, making malicious messages appear authentic to recipients.


    The post Google Warns of Threat Actors Using Fake Job Posting to Deliver Malware and Steal Credentials appeared first on Cyber Security News.


  • A campaign targeting Microsoft Internet Information Services (IIS) servers is exploiting ASP.NET machine keys that have been public for two decades to deploy malicious modules that enable remote command execution and search engine optimization fraud.

    The operation, which came to light in late August and early September 2025, leverages publicly exposed ASP.NET machine keys to compromise servers worldwide, affecting approximately 240 server IP addresses and 280 domain names across diverse sectors including government agencies, small businesses, and e-commerce platforms.

    The attackers exploit a weakness in ASP.NET ViewState handling: ViewState is deserialized by the server and protected only by a MAC computed with the machine key, and the keys used in this campaign have been publicly available since 2003.

    These cryptographic secrets, originally published in a Microsoft Developer Network help page as configuration examples, were inadvertently adopted by countless administrators who implemented them verbatim in production environments.

    Microsoft had previously identified over 3,000 such exposed machine keys in code repositories and programming forums, creating a substantial pool of vulnerable targets.

    With the validationKey (and, where ViewState is encrypted, the decryptionKey) in hand, an attacker can craft a __VIEWSTATE value that carries a valid MAC, so the server deserializes attacker-chosen objects and executes arbitrary code without any credentials; the MAC only protects servers whose keys are actually secret.
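
    Two things a practitioner wants here, as an added example that is not from HarfangLab's analysis or from Microsoft: an audit of web.config that flags static machine keys, keys on a known-public list, and weak algorithms, and a simplified model of why a leaked validationKey is fatal. The config fragments are constructed, the key values are placeholders (a real audit would load hashes of Microsoft's published list of compromised keys; hashes are compared so the list need not hold raw keys), and the MAC model uses a plain HMAC-SHA256, whereas the real ASP.NET scheme adds a purpose and modifier; the trust relationship is the same.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed web.config fragments; the key values are placeholders.
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# SHA-256 of keys known to be public. Populated here with the placeholder above;
# in practice, hash every key from Microsoft's published list into this set.
KNOWN_PUBLIC_KEY_HASHES = {
    hashlib.sha256(
        b"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
    ).hexdigest(),
}
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for the <machineKey> element; an empty list means clean."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return ["no explicit machineKey: keys auto-generate per server (a farm needs shared, secret keys)"]
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        findings.append(f"{attr} is static: confirm it is unique to this app and was never published")
        if hashlib.sha256(value.encode()).hexdigest() in KNOWN_PUBLIC_KEY_HASHES:
            findings.append(f"{attr} matches a known public key: rotate immediately")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append("validation algorithm is weak; use HMACSHA256")
    if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings.append("decryption algorithm is weak; use AES")
    return findings


def viewstate_mac_accepted(viewstate: bytes, mac: bytes, server_key: bytes) -> bool:
    """Simplified model of ViewState MAC validation: the server accepts any
    payload whose MAC verifies under its validation key."""
    expected = hmac.new(server_key, viewstate, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def attacker_forges(viewstate: bytes, leaked_key: bytes) -> bytes:
    """With the same key, the attacker computes a MAC the server cannot distinguish."""
    return hmac.new(leaked_key, viewstate, hashlib.sha256).digest()
```

    Rotating the key is the fix, not just removing it: a static key is still required on a web farm, so generate a fresh, random one per application and keep it out of source control and forums.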

    HarfangLab analysts identified the malicious module, designated HijackServer, during routine security monitoring of compromised IIS servers.

    The infection chain demonstrates considerable sophistication, beginning with initial exploitation through POST requests targeting ASP.NET applications.

    Logs from compromised systems revealed multiple suspicious requests with Chinese language settings (zh-tw) hitting root pages of vulnerable applications.

    The attackers subsequently deployed a comprehensive toolkit archived as sys-tw-v1.6.1-clean-log.zip, containing 32-bit and 64-bit variants of the malicious IIS modules, installation scripts, and a customized rootkit derived from the open-source Hidden project.

    Google SEO results (Source – Harfanglab)

    Following initial access, threat actors employed privilege escalation techniques known as EfsPotato and DeadPotato to create hidden local administrator accounts.

    They then installed two malicious DLL files, scripts.dll and caches.dll, as IIS modules named ScriptsModule and IsapiCachesModule respectively.

    These modules operate at the earliest processing stage of HTTP requests, intercepting traffic before legitimate applications can respond.

    The installation process included establishing a working directory at C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C and configuring the modules to download additional components from staging servers at c.cseo99[.]com and f.fseo99[.]com.

    Persistence and Detection Evasion Through Rootkit Deployment

    The attackers demonstrated advanced operational security awareness by deploying a customized Windows kernel driver rootkit to conceal their presence.

    The Wingtb.sys driver, a modified version of the publicly available Hidden rootkit, operates as a signed kernel component using an expired certificate from Anneng Electronic Co. Ltd.

    Despite the certificate’s expiration in 2014, it remains loadable on modern Windows systems due to Microsoft’s driver signing policy exceptions for certificates issued before July 2015.

    The rootkit can hide files, registry keys, and processes, and is driven through a companion command-line tool, WingtbCLI.exe, whose command names are romanized Chinese.

    The post-installation script lock.bat systematically conceals critical artifacts including the deployed IIS module files, modified application configuration files, and the rootkit’s registry service key.

    Perhaps most notably, the script executes a sweeping deletion of all Windows Event log files using the command: for /f "tokens=*" %%1 in ('wevtutil el') do wevtutil cl "%%1".

    This noisy anti-forensics step contradicts the otherwise stealthy use of a rootkit and may indicate inconsistent operational discipline or less experienced operators running a pre-packaged toolkit. Clearing a log is itself a detectable event: the Security log records Event ID 1102 and the System log Event ID 104 when they are cleared, and entries already forwarded to a central collector survive the local deletion.

    The HijackServer module’s primary purpose appears focused on search engine optimization fraud for cryptocurrency investment schemes.

    When Google’s web crawler requests pages from compromised servers, the module dynamically generates HTML content containing numerous links to dubious cryptocurrency websites.

    These generated pages successfully appear in legitimate Google search results, demonstrating the effectiveness of the poisoning technique.

    However, the module also exposes an unauthenticated remote command execution capability through the /scjg URL path, creating a persistent backdoor that any third party could exploit regardless of whether they coordinated with the original attackers.

    This functionality transforms what might appear as financially motivated SEO fraud into a far more serious security compromise with potential espionage implications.
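
    A hunt over IIS W3C logs for the two request patterns described in this article, as an added example that is not from HarfangLab's analysis: any request to the /scjg backdoor path, and a client that sends POST requests to the root pages of several applications, which is what the initial ViewState exploitation looked like in the logs. The log lines are constructed for the example, with the field list reduced to what the rules need (IIS writes spaces in user agents as "+", so whitespace splitting is safe on real logs too). The query string for /scjg is left as "-" because the page does not name the command parameter.

```python
from collections import defaultdict

BACKDOOR_PATHS = {"/scjg"}  # unauthenticated command path named in the analysis

# Constructed W3C log excerpt, not real telemetry.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-09-01 03:12:40 10.1.2.3 GET / - 203.0.113.9 Mozilla/5.0 200
2025-09-01 03:12:41 10.1.2.3 POST / - 203.0.113.9 Mozilla/5.0 200
2025-09-01 03:12:41 10.1.2.3 POST /shop/ - 203.0.113.9 Mozilla/5.0 500
2025-09-01 03:15:02 10.1.2.3 GET /scjg - 203.0.113.9 curl/8.0 200
2025-09-01 03:20:00 10.1.2.3 GET /products.aspx id=7 198.51.100.4 Mozilla/5.0 200
"""


def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log lines using the #Fields directive for column names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_root_page(stem: str) -> bool:
    """Root of the site or of an application: '/', '/app/', or a default page."""
    return stem == "/" or stem.endswith("/") or stem.endswith("/default.aspx")


def hunt_iis(text: str, post_root_threshold: int = 2) -> list[str]:
    """Alerts for backdoor-path hits and for clients POSTing to several root pages."""
    alerts = []
    root_posts = defaultdict(int)
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        if stem in BACKDOOR_PATHS:
            alerts.append(f"backdoor-path {r['c-ip']} {r['cs-method']} {stem} status={r['sc-status']}")
        if r["cs-method"].upper() == "POST" and is_root_page(stem):
            root_posts[r["c-ip"]] += 1
    for ip, n in root_posts.items():
        if n >= post_root_threshold:
            alerts.append(f"root-posts {ip} count={n}")
    return alerts
```

    The /scjg rule should fire on any status code: a 404 still means someone probed for the backdoor. Because the module answers before the application, a 200 for a path no application serves is itself a strong sign the module is installed.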


    The post Hackers Hijacking IIS Servers in The Wild Using Exposed ASP .NET Machine Keys to Inject Malicious Modules appeared first on Cyber Security News.


  • The cloud landscape in 2025 continues its unprecedented growth, with organizations of all sizes rapidly migrating critical workloads to public, private, and hybrid cloud environments. While cloud providers meticulously secure their underlying infrastructure, the onus of protecting everything within that infrastructure from virtual machines (VMs) and containers to serverless functions and data squarely falls on […]

    The post Top 10 Best Cloud Workload Protection Platforms (CWPP) in 2025 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybercriminals are increasingly using a technique known as “ClickFix” to deploy the NetSupport remote administration tool (RAT) for malicious purposes. According to a new report from eSentire’s Threat Response Unit (TRU), threat actors have shifted their primary delivery strategy from fake software updates to the ClickFix initial access vector throughout 2025. This method abuses a […]

    The post Hackers Use ClickFix Technique to Deploy NetSupport RAT Loaders appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • North Korean state-sponsored hackers from the Lazarus APT group launched a cyberespionage campaign targeting European companies involved in unmanned aerial vehicle development.

    Starting in late March 2025, attackers compromised three defense organizations across Central and Southeastern Europe, deploying advanced malware to steal proprietary UAV technology.

    The campaign, tracked as Operation DreamJob, employed social engineering using fraudulent job offers to gain initial access.

    The attacks focused on companies manufacturing drone components and developing UAV software, aligning with North Korea’s efforts to expand its drone program.

    Researchers discovered compromised systems contained malicious droppers with the internal DLL name DroneEXEHijackingLoader.dll, providing evidence of the campaign’s focus on drone technology theft.

    Targets received fake job descriptions with trojanized PDF readers that initiated multi-stage infection processes.

    ESET researchers, writing on WeLiveSecurity, identified the main payload as ScoringMathTea, a remote access trojan that has served as Lazarus's flagship malware since late 2022.

    The RAT provides comprehensive control over compromised machines through approximately 40 commands, enabling file manipulation, process control, and data exfiltration.

    ScoringMathTea communicates with command-and-control infrastructure hosted on compromised web servers, with the C&C scripts placed inside WordPress directories.

    The malware’s C&C traffic employs multiple encryption layers, utilizing the IDEA algorithm followed by base64 encoding.

    Examples of 2025 Operation DreamJob execution chains delivering BinMergeLoader and ScoringMathTea (Source – Welivesecurity)

    Network analysis revealed connections to compromised domains including coralsunmarine[.]com, mnmathleague[.]org, and spaincaramoon[.]com.

    Advanced Infection Mechanism and Evasion Tactics

    The Lazarus group demonstrated technical sophistication by incorporating malicious loading routines into legitimate open-source projects from GitHub.

    Attackers trojanized software including TightVNC Viewer, MuPDF reader, and plugins for WinMerge and Notepad++.

    This gives the attackers two things at once: the trojanized build looks and behaves like the trusted application, while the added code executes the malicious payload.

    The infection chain employs DLL side-loading and proxying techniques. Legitimate executables such as wksprt.exe and wkspbroker.exe side-load malicious libraries like webservices.dll and radcui.dll.

    These DLLs carry two sets of exports: forwarding stubs that proxy calls through to the genuine library so the host application keeps working, and the malicious code that loads the next stage.
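
    A detection for that side-loading pattern over image-load telemetry, as an added example that is not from ESET's analysis or the malware: given Sysmon Event ID 7-style records (Image, ImageLoaded, Signed), it flags the host executables named above when they load one of the named DLLs from outside the system directories, when the host binary itself has been copied out of System32 (side-loading needs the DLL next to the executable in a writable directory), or when the loaded module is unsigned. The page does not say which DLL pairs with which executable, so both DLL names are accepted for both hosts; the events are constructed.

```python
from pathlib import PureWindowsPath

# Host executables and DLL names from the analysis above. Which DLL goes with
# which host is not stated, so each host accepts both (assumption).
SIDELOAD_HOSTS = {
    "wksprt.exe": {"webservices.dll", "radcui.dll"},
    "wkspbroker.exe": {"webservices.dll", "radcui.dll"},
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed image-load records in the shape of Sysmon Event ID 7; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\dev\AppData\Local\Temp\wksprt.exe",
     "ImageLoaded": r"C:\Users\dev\AppData\Local\Temp\webservices.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\System32\wksprt.exe",
     "ImageLoaded": r"C:\Windows\System32\webservices.dll",
     "Signed": "true"},
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\plugins\Example\Example.dll",
     "Signed": "false"},
]


def in_system_dir(path: str) -> bool:
    """True when the file's parent directory is System32 or SysWOW64."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def detect_sideload(events: list[dict]) -> list[str]:
    """One alert per suspicious load by a known side-loading host."""
    alerts = []
    for ev in events:
        host = PureWindowsPath(ev["Image"]).name.lower()
        if host not in SIDELOAD_HOSTS:
            continue  # other hosts need their own DLL lists; not covered here
        dll_path = ev["ImageLoaded"]
        dll = PureWindowsPath(dll_path).name.lower()
        reasons = []
        if dll in SIDELOAD_HOSTS[host] and not in_system_dir(dll_path):
            reasons.append("system DLL name loaded from a non-system path")
        if not in_system_dir(ev["Image"]):
            reasons.append("system binary running outside System32")
        if ev.get("Signed", "true").lower() != "true":
            reasons.append("unsigned module")
        if reasons:
            alerts.append(f"{host} -> {dll_path}: " + "; ".join(reasons))
    return alerts
```

    The same shape of rule generalizes to any signed host binary known to be abused for side-loading; the list of hosts and expected DLLs is the part that needs maintaining.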

    The malware employs encryption throughout the infection chain. Early-stage droppers read encrypted payloads from the file system or the registry, decrypt them with AES-128 or ChaCha20, and load them into memory.

    Loading goes through the MemoryModule library, which maps a DLL directly from a memory buffer instead of calling LoadLibrary, so the decrypted component is never written to disk.


    The post North Korean Hackers Attacking Unmanned Aerial Vehicle Industry to Steal Confidential Data appeared first on Cyber Security News.


  • Cyber attackers are using new ways to breach systems, making threats hard to detect. Traditional tools like firewalls alone can’t keep up. 

    That’s where cyber deception steps in! 

    Using traps and decoys that lure and mislead attackers, deception technology lets security teams detect attackers early in an intrusion, before they reach real assets, speed up the response, and reduce damage.

    Why Deception Technology Matters 

    Deception tricks attackers into fake targets, letting defenders quickly learn their tactics and respond effectively. 

    Key benefits include: 

    • Detect lateral movement and privilege escalation early 
    • See attacker behavior and intent in real time 
    • High-fidelity alerts with few false positives 
    • Faster detection and response times 
    • Stronger security with adaptive, environment-aware decoys 

    How to Choose the Right Deception Solution 

    When evaluating deception platforms, organizations should consider the following factors: 

    • Easy deployment: Works across on-prem and cloud without disruption. 
    • Scalable: Expands with hybrid and multi-cloud setups. 
    • Integrated: Connects smoothly with SIEM, EDR, and SOAR tools. 
    • Accurate: Uses behavior analytics and ML to cut false alerts. 
    • Comprehensive: Covers endpoints, servers, apps, and identities. 
    • Automated: Supports response actions and forensic analysis. 

    With these criteria in mind, let’s look at five leading deception solutions transforming proactive cybersecurity. 

    The Top 5 Deception Solutions Redefining Cyber Defense 

    1. Attivo Networks ThreatDefend™ 

    Attivo Networks, now part of SentinelOne, is a leader in deception defense. Its ThreatDefend™ platform provides early attack detection and active protection using decoys and endpoint deceptions. 

    Highlights: 

    • Modular design combining BOTsink® engagement servers, ThreatStrike™ endpoint suite, and ThreatPath™ for attack-path analysis. 
    • Self-learning engine that automatically proposes deception campaigns based on environmental context. 
    • Agentless, out-of-band deployment for fast and scalable implementation. 
    • Provides detailed forensics, automation playbooks, and integration with security orchestration tools for accelerated response. 

    With a reputation for innovation and over 70 global awards, Attivo’s approach simplifies deployment while offering precision detection across diverse environments — from on-prem networks to cloud workloads. 

    2. Fidelis Deception — Active Defense for the Hybrid Enterprise 

    Fidelis Deception® (part of Fidelis Cybersecurity’s unified Elevate platform) extends deception across hybrid infrastructures — providing deep visibility and real-time threat detection through decoys, breadcrumbs, and false artifacts. 

    Why it stands out: 

    • Creates an immersive deception environment that mirrors real IT assets. 
    • Integrates with Fidelis Network and Endpoint modules for correlated insights. 
    • Identifies lateral movement, privilege abuse, and reconnaissance attempts. 
    • Offers automatic attacker engagement for safe observation and threat hunting. 

    Fidelis combines deception, network analytics, and endpoint monitoring to detect threats early and track attacker behavior. Its smooth integration works well for hybrid and multi-cloud environments. 

    3. TrapX DeceptionGrid — Deception Without Limits 

    TrapX DeceptionGrid provides large-scale deception across IT, OT, and IoT systems, using patented tech to deploy hundreds of realistic traps across networks, creating a virtual minefield for attackers. 

    Key capabilities: 

    • Supports cloud, virtual, and physical environments 
    • 500+ realistic trap types 
    • Agentless and non-intrusive 
    • Real-time threat analysis (MITRE ATT&CK) 
    • Integrates with SIEM and EDR 

    TrapX uniquely detects compromised remote users, monitors both internal lateral movement and malicious outbound traffic, and enables fast, automated incident response. Its scalability and low-touch architecture make it an excellent fit for large, distributed organizations. 

    4. Smokescreen IllusionBLACK — Adaptive Deception at Scale 

    Smokescreen IllusionBLACK provides adaptive deception for enterprises, helping simulate attacks and understand attacker behavior. 
    Key points: 

    • Uses dynamic decoys to create realistic attack scenarios. 
    • Supports attack simulation for testing security readiness. 
    • Helps security teams observe attacker tactics and patterns. 

    Smokescreen’s approach makes deception realistic and visible to defenders, enabling faster containment and better insights into threats. 

    5. Proofpoint Identity Threat Defense (formerly Illusive) 

    Proofpoint’s acquisition of Illusive Networks introduced identity-focused deception. Its Identity Threat Defense stops lateral movement and credential misuse using identity visibility and deception-based detection. 

    Notable features: 

    • Agentless discovery of identity vulnerabilities across endpoints and hybrid environments. 
    • Continuous monitoring of identity exposures and lateral movement attempts. 
    • Automated deployment of deceptive credentials and identity traps. 
    • Tight integration with Proofpoint’s ecosystem for people-centric threat defense. 

    It helps organizations fix hidden identity risks and catch intrusions in real time, ensuring attackers hitting compromised credentials get trapped in decoys instead of real systems. 

    Why Deception Will Define the Next Era of Cyber Defense 

    Modern enterprises are complex, but deception turns that complexity into an advantage by trapping curious attackers. 

    In the coming years, deception technologies will evolve to: 

    • Work closely with AI analytics and threat intelligence. 
    • Extend to serverless and containerized environments. 
    • Enhance identity deception and behavioral analysis capabilities. 
    • Automate coordinated response actions across the entire security stack. 

    Conclusion 

    Cyber deception is now essential for proactive defense. It misleads attackers, gathers threat insights, and enables fast responses, helping organizations stay ahead of threats. 

    Whether through Attivo’s automated deception, Fidelis’s hybrid visibility, TrapX’s large-scale coverage, Smokescreen’s adaptive simulations, or Proofpoint’s identity-driven protection — each solution showcases how deception is redefining modern cybersecurity. 

    In a world where every second counts, the best defense might just be a smartly placed illusion. 

    The post 5 Deception Solutions that are Changing the Cybersecurity Game  appeared first on Cyber Security News.


  • Cybersecurity firm Wordfence has uncovered a renewed wave of mass exploitation targeting critical vulnerabilities in two popular WordPress plugins, allowing unauthenticated attackers to install malicious software and potentially seize control of websites. The flaws, first disclosed in late 2024, affect GutenKit and Hunk Companion plugins, which boast over 40,000 and 8,000 active installations respectively. Despite […]

    The post Hackers Exploit WordPress Arbitrary Installation Vulnerabilities in the Wild appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
