hacking group

TrendTechie
April 16, 2026
Capcom's game Pragmata was hacked by the group DenuvOwO, which dismantled the Denuvo protection system just two days before its scheduled launch on April 17. A pirated version of the game is now circulating online. This incident follows a significant data leak from Capcom's servers and poses challenges for the gaming community regarding piracy and its impact on sales and future development. Pragmata is Capcom's first original franchise in many years.
AppWizard
April 11, 2026
Rockstar Games is facing a security breach involving the hacking group ShinyHunters, which has issued a ransom demand for sensitive data. A Rockstar spokesperson confirmed that a limited amount of non-material company information was accessed due to a third-party data breach, stating it has no impact on the organization or its players. This incident follows a similar breach in 2022 when a 17-year-old hacker infiltrated Rockstar's systems. ShinyHunters has targeted various high-profile companies in the past, including Microsoft and AT&T. The breach highlights that many security incidents can result from simple human errors rather than sophisticated hacking techniques.
AppWizard
February 15, 2026
A user claimed to have breached Max but later clarified that no large-scale breach or critical vulnerabilities were found. False claims about data breaches can cause significant reputational damage, as demonstrated by a Russian hacking group that falsely claimed to have accessed Epic Games' data, which was later admitted to be a ruse. Similarly, EuroCar reported that fake breach reports may have been generated by ChatGPT, misleading customers. Russian users distrust the Max app, which they perceive as buggy and insecure. The Russian Federal Security Service blocked its integration with government services due to encryption concerns. Although the government pressures citizens to adopt Max, many may install it without using it regularly. There is skepticism among Russian citizens regarding the app's security, making them susceptible to damaging rumors. Future claims about Max Messenger data breaches are anticipated. Recommendations for organizations to protect against misinformation include maintaining a good reputation, being transparent if a breach occurs, and investing in digital forensics to counter false claims.
Winsage
February 13, 2026
Security researcher Wietze Beukema revealed vulnerabilities in Windows LNK shortcut files at the Wild West Hackin' Fest, which could allow attackers to deploy harmful payloads. He identified four undocumented techniques that manipulate these shortcut files, obscuring malicious targets from users. The vulnerabilities exploit inconsistencies in how Windows Explorer handles conflicting target paths, allowing for deceptive file properties. One technique involves using forbidden Windows path characters to create misleading paths, while another manipulates LinkTargetIDList values. The most sophisticated method alters the EnvironmentVariableDataBlock structure to present a false target in the properties window while executing malicious commands in the background. Microsoft declined to classify the EnvironmentVariableDataBlock issue as a security vulnerability, stating that exploitation requires user interaction and does not breach security boundaries. They emphasized that Windows recognizes shortcut files as potentially dangerous and provides warnings when opening them. However, Beukema noted that users often ignore these warnings. The vulnerabilities share similarities with CVE-2025-9491, which has been exploited by various state-sponsored and cybercrime groups. Microsoft initially did not address CVE-2025-9491 but later modified LNK files to mitigate the vulnerability after it was widely exploited.
Tech Optimizer
December 18, 2025
A cybersecurity investigation by ReliaQuest has revealed that a Chinese state-linked hacking group, Silver Fox (also known as Void Arachne), is using search engine optimization tactics to create a counterfeit Microsoft Teams download site at "teamscn[.]com." This site targets Chinese-speaking users and employs a typo-squatting strategy. Victims attempting to download the software receive a trojanized installer labeled "Setup.exe," which checks for the presence of antivirus software and executes obfuscated PowerShell commands to modify Windows Defender exclusion lists. The malware also drops a file named "Verifier.exe" and installs a functional version of Microsoft Teams to disguise its activities. The compromised system communicates with the domain "Ntpckj[.]com" to deliver the ValleyRAT payload, allowing remote access for data exfiltration and command execution. Silver Fox is linked to both state-sponsored espionage and financially motivated activities, having previously conducted similar SEO poisoning campaigns. The campaign primarily targets Chinese-speaking personnel in global organizations, particularly those with ties to China, and poses a significant risk to organizations lacking robust security measures. Security teams are advised to enhance logging and monitoring practices to detect suspicious activities.
Winsage
October 31, 2025
A China-affiliated threat actor, UNC6384, has been conducting cyber attacks targeting diplomatic and governmental entities in Europe, including Hungary, Belgium, Italy, the Netherlands, and Serbia. These attacks exploit an unpatched Windows shortcut vulnerability (CVE-2025-9491) through spear-phishing emails that appear relevant to diplomatic events. The emails deliver malicious LNK files that deploy PlugX malware via DLL side-loading. PlugX is a remote access trojan that allows extensive control over compromised systems and has been linked to another hacking group, Mustang Panda. Microsoft Defender can detect these attacks, and Smart App Control provides additional protection. The LNK file executes a PowerShell command to extract a TAR archive containing a legitimate utility, a malicious DLL, and an encrypted PlugX payload. The size of the malicious artifacts has decreased significantly, indicating ongoing evolution. UNC6384 has also begun using HTML Application files to load external JavaScript for retrieving malicious payloads, aligning with Chinese intelligence objectives regarding European defense policies.
Winsage
October 31, 2025
A China-linked hacking group, identified as UNC6384 or Mustang Panda, is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats, particularly in Hungary, Belgium, Serbia, Italy, and the Netherlands. The attacks are initiated through spearphishing emails that disguise malicious LNK files as legitimate invitations to NATO and European Commission events. Once activated, these files allow the deployment of the PlugX remote access trojan (RAT), enabling persistent access to compromised systems for surveillance and data extraction. The vulnerability requires user interaction to exploit and resides in the handling of .LNK files, allowing attackers to execute arbitrary code remotely. As of March 2025, the vulnerability is being exploited by multiple state-sponsored groups and cybercrime organizations, but Microsoft has not yet released a patch for it. Network defenders are advised to restrict the use of .LNK files and block connections from identified command-and-control infrastructure.