hacking group Archives

TrendTechie

April 24, 2025

Clair Obscur: Expedition 33 даже не пришлось взламывать — игра уже на торрентах

The game Clair Obscur: Expedition 33 has been released without protective measures against piracy, making it accessible to the public, as announced by the hacking group RUNE. The game's objective is to reach the Goddess Artist and disrupt a recurring curse that erases individuals whose ages match a specific number on a monolith.

Winsage

March 26, 2025

Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code

Russian threat actors are exploiting a zero-day vulnerability in the Microsoft Management Console (MMC), identified as CVE-2025-26633, allowing them to bypass security features and execute harmful code. The hacking group Water Gamayun, also known as EncryptHub and Larva-208, is behind this campaign, using a weaponized version of the vulnerability called “MSC EvilTwin” to deploy various malicious payloads, including information stealers and backdoors. The vulnerability affects multiple Windows versions, particularly older systems like Windows Server 2016. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch affected systems by April 1, 2025. Microsoft included this vulnerability in its March 2025 Patch Tuesday update. Recommended mitigations include applying security patches, restricting network access to MMC ports, and monitoring for unusual MMC activity.

AppWizard

March 25, 2025

Signal is ‘as safe as messaging apps get’, but not for national security

End-to-end encrypted messaging app Signal is recognized for its security features but is advised against for use by government officials discussing national security. A breach occurred when members of former President Donald Trump's national security team mistakenly included a journalist in a group chat sharing sensitive military information. Cybersecurity experts express concerns about the potential legal implications of using apps like Signal for classified communications, as it could violate the Espionage Act. High-ranking officials were involved in this incident, which exposed sensitive details, including air-strike targets and the identity of a CIA officer. Typically, government officials use Secure Compartmentalized Information Facilities (SCIFs) for classified information, and there are specific government-approved systems for transmitting such information that do not include Signal.

Winsage

March 18, 2025

New Windows zero-day exploited by 11 state hacking groups since 2017

At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a Windows vulnerability tracked as ZDI-CAN-25373 since 2017 for data theft and cyber espionage. Microsoft has classified this vulnerability as "not meeting the bar for servicing," meaning no security updates will be released. The flaw allows attackers to execute arbitrary code on affected Windows systems by concealing malicious command-line arguments within .LNK shortcut files, using padded whitespaces to evade detection. Nearly 70% of the analyzed attacks linked to this vulnerability were related to espionage, while 20% aimed for financial gain. Various malware payloads, including Ursnif, Gh0st RAT, and Trickbot, have been associated with these attacks. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file. Microsoft has not assigned a CVE-ID to this vulnerability but is tracking it internally as ZDI-CAN-25373. A Microsoft spokesperson mentioned that the company is considering addressing the flaw in the future.

AppWizard

March 12, 2025

Not for the first time: North Korean hackers used fake apps to spread spyware on Android

Malware, specifically a new spyware variant called KoSpy, has been linked to a North Korean hacking group known as ScarCruft (APT37). Researchers at Lookout Threat Lab discovered KoSpy concealed within deceptive applications like file managers and security software. Once installed, it can extract sensitive information such as SMS messages, call logs, device location, and access files. It can also record audio and video, capture screenshots, and log keystrokes. The data collected is transmitted to Command and Control servers encrypted with a hardcoded AES key and utilizes Firebase Firestore for configuration data. At least one malicious application associated with KoSpy was found on the Google Play Store, downloaded over ten times, and similar apps were also on third-party app store APKPure. Google has since removed the identified applications and deactivated the related Firebase projects.

AppWizard

March 12, 2025

Spyware in bogus Android apps is attributed to North Korean group

Researchers from Lookout have identified a malware strain named KoSpy, linked to North Korean state-sponsored hackers, specifically the advanced persistent threat group ScarCruft (APT37). KoSpy targets Android devices to surveil Korean and English-speaking users and has been found on the Google Play Store and third-party app stores, disguised as utility applications. The malware can harvest sensitive information, including call logs, text messages, files, audio recordings, screenshots, and user location data. Google has removed all infected applications from its platform, confirming that the latest version was taken down before installations occurred. KoSpy first emerged in March 2022, with new samples appearing as recently as last year. The applications associated with KoSpy often have Korean titles and support both English and Korean languages. KoSpy shares infrastructure with another North Korean hacking group, Kimsuky (APT43), which has conducted spearphishing attacks. ScarCruft has targeted South Korean users and expanded its reach to countries including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern nations. In January, ScarCruft was linked to an espionage campaign against media organizations and academics, and in October, it was connected to a malware operation in Southeast Asia.

TrendTechie

March 7, 2025

Split Fiction от авторов It Takes Two слили на торренты

The cooperative adventure game Split Fiction was released without anti-piracy measures, leading to its breach by the hacking group Rune within thirty minutes of launch. Despite this, the game has achieved a 97% positive rating on Steam and peak online player counts exceeding 50,000. There is currently no Russian language option, but Mechanics VoiceOver is working on professional voiceover and has started a crowdfunding campaign. A neural translation mod is available for the PC version, which can be installed by placing it in the specified directory. The game is designed for cooperative play, allowing a second player to join without purchasing the game again, and supports cross-platform play.

AppWizard

February 19, 2025

Warning over privacy of encrypted messages as Russia targets Signal…

Russia-backed hacking groups have advanced their techniques to infiltrate encrypted messaging platforms like Signal, WhatsApp, and Telegram, posing a threat to journalists, politicians, and activists. These hackers are targeting Signal's "linked devices" feature using malicious QR codes to gain real-time access to victims' messages. Incidents have included compromised Signal accounts leading to military strikes. The Sandworm group has been linked to compromising Signal accounts on devices captured in Ukraine, utilizing a Russian-language website to provide instructions for linking accounts to their infrastructure. Successful breaches often go undetected for long periods, with attackers using modified Signal group invite pages and phishing kits. Additionally, threat actors have stolen Signal database files from Android and Windows devices, with malware like Infamous Chisel extracting sensitive data. Attacks on Signal and other messaging services are increasing, with Russia-aligned groups employing social engineering tactics against users of WhatsApp. In response, Signal has enhanced security measures, including a new interface to alert users of unauthorized device links and additional authentication steps.

Tech Optimizer

February 19, 2025

Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc

Trend Micro's Threat Hunting team has identified a new tactic used by the Chinese hacking group Earth Preta (Mustang Panda), which employs the Microsoft Application Virtualization Injector to evade antivirus detection. The malware checks for ESET antivirus on the target system and, if absent, exploits the waitfor.exe function to inject malicious code into legitimate processes. Earth Preta uses Setup Factory to deliver its payloads, utilizing MAVInject.exe to inject harmful code. After injection, the malware connects to a command and control (C2) server controlled by the attackers. The attack shares similarities with previous campaigns, supporting attribution to Earth Preta.

Winsage

February 13, 2025

Russian Hackers Leverages Weaponized Microsoft KMS to Hack Windows Systems

The Russian state-sponsored hacking group Sandworm, affiliated with the GRU, has been using pirated Microsoft Key Management Service (KMS) activation tools to infiltrate Ukrainian Windows systems since late 2023. They distribute a harmful ZIP file named “KMSAuto++x64_v1.8.4.zip” on torrent platforms, which, when executed, deploys the BACKORDER loader and disables Windows Defender. The BACKORDER loader then downloads the Dark Crystal Remote Access Trojan (DcRAT) from attacker-controlled domains, allowing data theft, including keystrokes and browser credentials. The campaign exploits Ukraine's high prevalence of unlicensed software, estimated at 70% in the public sector, increasing vulnerability to cyberattacks. Researchers have linked this activity to Sandworm through shared infrastructure and tactics, highlighting its role in Russia's hybrid warfare strategy against Ukraine. Cybersecurity experts recommend avoiding pirated software and implementing robust security measures to mitigate these threats.