international operation Archives

Winsage

November 25, 2025

Attackers are Using Fake Windows Updates in ClickFix Scams

Threat actors have adapted the ClickFix attack model, using a fraudulent Windows Update screen to disguise malicious code. This screen mimics the legitimate Windows Update interface and prompts users to execute harmful commands. The execution of these commands leads to the installation of LummaC2 and Rhadamanthys info-stealing malware. A report from ESET noted a 500% increase in ClickFix attacks, which now account for nearly 8% of all blocked attacks in early 2025. Huntress researchers tracked ClickFix lures that used steganography to deliver LummaC2 and Rhadamanthys malware, concealing malicious software within image files. The attacks involve a full-screen display that instructs users not to turn off their computers, ultimately prompting them to paste a malicious command. The execution process includes using mshta.exe and PowerShell to load and inject malicious assemblies. European law enforcement recently dismantled infrastructure used by threat actors, but Rhadamanthys is no longer distributed through the fraudulent Windows Update campaign. The use of steganography helps these payloads evade detection while relying on victims to manually execute commands.

Tech Optimizer

November 13, 2025

Emotet: The horse returns to a gallop more dangerous than ever

Emotet is a Trojan Horse malware that emerged in 2014, impacting over 1.6 million devices and originally designed to steal banking credentials. Developed by the MealyBug criminal organization, it evolved into a modular Trojan-dropper, enabling it to download various payloads and act as Malware-as-a-Service on the dark web. Emotet spreads primarily through spam emails, often using malicious Word or Excel files, and has been disseminated via local area networks and password-protected zip folders. The malware operates through botnets categorized into epochs, with Epochs 1, 2, and 3 dismantled in 2021 by a coordinated international operation. Following this, Emotet resurfaced in November 2021 as Epochs 4 and 5, incorporating a Cobalt Strike beacon for enhanced propagation. Recommended precautions include keeping software updated, using two-factor authentication, and educating employees about email threats. Network administrators are advised to block unscannable email attachments, configure specific email filters, and maintain secure backups.

Tech Optimizer

June 2, 2025

International authorities dismantle AVCheck in cybercrime operation

International authorities have dismantled AVCheck, a platform used by cybercriminals to test malware against antivirus software. The website avcheck.net now displays a seizure notice from the US Department of Justice, FBI, US Secret Service, and Dutch police. AVCheck was one of the largest counter antivirus services globally, aiding cybercriminals in evaluating their malware's stealth capabilities. Investigators found links between AVCheck's administrators and crypting services like Cryptor.biz and Crypt.guru. Law enforcement had placed a fake login page on AVCheck to warn users about legal risks before its shutdown on May 27, 2025. Undercover agents confirmed the illegal nature of AVCheck through transactions and connections to ransomware attacks. The FBI has also warned about the Silent Ransom Group, which has targeted law firms in the US using social engineering tactics.

Winsage

November 29, 2024

Breach Roundup: Microsoft Tries Again With Windows Recall

Microsoft has unveiled a preview of its Windows Recall feature, designed to capture screenshots of active windows using on-device AI and store them in an SQLite database. The feature will be opt-in and requires users to enable BitLocker full-disk encryption, activate Secure Boot, and enroll in Windows Hello. Recall aims to avoid capturing sensitive information and allows users to delete snapshots or exclude specific applications. Microsoft has implemented safeguards to protect against brute-force attacks, and the data collected remains encrypted locally. The preview is currently available to participants in the Windows Insider Program for Developers. The U.S. Federal Trade Commission (FTC) reported that nearly 90% of smart device manufacturers lack clear update policies, with 161 out of 184 products reviewed not disclosing software update durations. This lack of transparency may violate the Magnuson-Moss Warranty Act and the FTC Act. Ping Li, a Florida IT professional, was sentenced to four years in prison for acting as an agent for China's Ministry of State Security, providing sensitive information since at least 2012. He pleaded guilty and was fined ,000. Operation "Serengeti" led to the arrest of over 1,000 individuals suspected of cybercrime across 19 African countries, resulting in nearly million in financial losses and the confiscation of around million in stolen funds. The U.S. Department of Justice indicted nine individuals linked to a multi-state money laundering scheme associated with internet fraud, allegedly laundering over million since 2016. NVIDIA released a critical firmware update to address a high-severity vulnerability (CVE-2024-0130) that could allow attackers to steal data and compromise systems. Cybersecurity firm McAfee discovered "spyloan" Android apps on the Google Play Store that aim to steal users' personal data, targeting users in Mexico, Colombia, and Indonesia. An international law enforcement operation dismantled a pirate streaming network serving over 22 million users and generating approximately million monthly, resulting in 102 arrests. Nicholas Michael Kloster, a 31-year-old from Kansas City, was indicted for allegedly hacking into computer networks to promote his cybersecurity services, facing multiple charges with a potential 15-year prison sentence. HDFC Life Insurance in India is investigating a potential data breach involving the sharing of certain data fields with malicious intent.

AppWizard

September 18, 2024

“Computer geek” in Australia accused of creating Ghost encrypted messaging app for criminal underworld

A 32-year-old Australian, suspected of developing the Ghost app—an encrypted messaging platform used for illicit activities by criminals worldwide—was recently arrested. The app, marketed as "unhackable," attracted users from various regions, unaware their communications were monitored. A coordinated international law enforcement operation led to multiple arrests in nine countries, including Italy, Ireland, Sweden, Canada, and Australia, and dismantled a drug lab in Australia, seizing weapons, drugs, and cash. French police traced the app's creator, who was arrested after police hijacked software updates to gain access to encrypted messages. Over two years, law enforcement intercepted thousands of messages, including 50 death threats, and noted the app had about 1,000 messages exchanged daily among several thousand users globally. The creator, lacking a criminal history and motivated by profit, has been charged with five offenses and denied bail, awaiting further court proceedings alongside others arrested.