Cybersecurity – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 06 May 2025 20:24:24 +0000

Professional Hacker Email Scam: How to Identify and Avoid Sextortion Threats
https://gridinsoft.com/blogs/professional-hacker-email-scam/
Tue, 29 Apr 2025 16:09:46 +0000

The post Professional Hacker Email Scam: How to Identify and Avoid Sextortion Threats appeared first on Gridinsoft Blog.

Ah, the classic “Professional Hacker” email scam. Someone claims they’ve hacked your computer, recorded you doing embarrassing things, and now demands payment. Welcome to the digital version of “your shoelace is untied” followed by “give me your lunch money.”

What’s This Scam All About?

These emails come with dramatic subject lines like “Your personal data has leaked due to suspected harmful activities.” The message basically says a professional hacker cracked your device, spied on you for months, and caught you in compromising positions. Now they want Bitcoin, or else.

Different versions exist, but they all follow the same script: scare you, claim to have dirt on you, demand payment. It’s like a bad movie plot that somehow keeps getting remade.

The Opening Act: Scary Tech Jargon

The email starts with impressive-sounding claims about “hacking your operating system” or “gaining full access to your account.” To tech-savvy folks, this sounds like someone who learned hacking terminology from a 90s movie. To everyone else, it sounds just scary enough to keep reading.

They throw around phrases that sound technical but make actual IT professionals snort coffee through their nose. It’s the digital equivalent of a kid wearing a trench coat and claiming to be an adult.

The Middle: “I’ve Been Watching You”

Next comes the creepy part – claims about monitoring your activities for months. According to these “hackers,” they installed malware through adult websites you supposedly visited. This explanation conveniently plays on shame and embarrassment, making victims less likely to discuss the email with others.

In reality, mass-sending these emails is far more profitable than actually spying on random people for months. These scammers are lazy by design – why hack one person when you can scare thousands?

The Password Twist: “Here’s Proof I Hacked You”

Some versions of this scam include a particularly clever trick – they show you one of your actual passwords. Suddenly, their claims seem a lot more credible, right? “If they have my password, maybe they really did hack my computer!”

Here’s what’s actually happening: The scammer purchased your email and password from a data breach. Major sites get hacked all the time, with millions of credentials dumped on dark web marketplaces. These scammers buy these lists in bulk for pennies per thousand emails.

The password they show you is likely from a breach that happened years ago. If you still use that password anywhere, that’s the real security problem – not their imaginary spyware. These scammers have no access to your computer; they just have an old password from a completely different website.

The Climax: The Webcam Recording Claim

The knockout punch is always about your webcam. Supposedly, they recorded you watching “adult content” and captured your reaction on camera. They even claim to have created a split-screen video showing both you and what you were watching.

It’s a clever claim because it’s nearly impossible to disprove and plays on universal fears about privacy. The email also specifically mentions sextortion – threatening to share the non-existent explicit content unless you pay up.

The Technical Mumbo-Jumbo

To sound legitimate, these emails include technical gibberish about driver-level malware that “refreshes signatures every 4 hours” to avoid detection. This is like claiming your invisible car also makes great espresso – impressive but nonsensical.

Actual malware doesn’t need hourly updates to avoid detection. That would be like a burglar changing disguises every hour while hiding in your closet – unnecessarily complicated and risky.

The Grand Finale: Pay Up or Else

The conclusion is always a ransom demand, typically between $850-2000 in Bitcoin. They set an artificial deadline of 48-72 hours to create urgency. And they always include a Bitcoin wallet address that looks like alphabet soup had a fight with a calculator.

Some versions even warn that if you share the email with anyone else, they’ll immediately release the non-existent videos. Convenient way to isolate potential victims, isn’t it?

Known Scammer Bitcoin Wallets

These scams use numerous Bitcoin wallet addresses. If you receive an email demanding payment to any of these addresses, it’s 100% a scam:

  • bc1qzxzazuz7twfx4e0mzfg97606d5dytksue9j3ag
  • 1N6TYc2FFJmjMDPnAKQgjRh65ou58EfQNM
  • bc1qz3hct7u9x6tfh4guk3e7wyjaxa2gnalzfgr3kh
  • 12nEVuGNtRFMVjeVmLtD4nt2sHX68S47yH
  • 1Er1bTsfVpy2uZ88hBDJf1i66SuYxQCRKb
  • 1HBiRxpSxekVND1Rqwqh1gbUKeZiYBsDkt
  • 19AEV6b6SMVTByErnpaQUDCUWK5cN8gYqh

If you spot one of these addresses (or any similar Bitcoin address) in a threatening email, report it to IC3.gov (FBI’s Internet Crime Complaint Center) and your local authorities. Never send money to these addresses – the scammers will likely just demand more once they know you’re willing to pay.

A Real Example of This Nonsense

These scam emails often begin with subjects like “Your personal data has leaked” or “Ihre persönlichen Daten sind wegen des Verdachts auf schädliche Aktivitäten nach außen gelangt” (for German recipients). The messages are often available in multiple languages because scammers are thoughtful like that.

Subject: Your personal data has leaked due to suspected harmful activities.

Hi there!

I am a professional hacker and have successfully managed to hack your operating system. Currently I have gained full access to your account. In addition, I was secretly monitoring all your activities and watching you for several months.

The thing is your computer was infected with harmful spyware due to the fact that you had visited a website with porn content previously. Let me explain to you what that entails. Thanks to Trojan viruses, I can gain complete access to your computer or any other device that you own. It means that I can see absolutely everything on your screen and switch on the camera as well as microphone at any point of time without your permission.

In addition, I can also access and see your confidential information as well as your emails and chat messages. You may be wondering why your antivirus cannot detect my malicious software. Let me break it down for you: I am using harmful software that is driver-based, which refreshes its signatures on a 4-hourly basis, hence your antivirus is unable to detect its presence.

I have made a video compilation, which shows on the left side the scenes of you happily masturbating, while on the right side it demonstrates the video you were watching at that moment… All I need is just to share this video to all email addresses and messenger contacts of people you are in communication with on your device or PC.

Furthermore, I can also make public all your emails and chat history. I believe you would definitely want to avoid this from happening. Here is what you need to do – transfer the Bitcoin equivalent of 850 USD to my Bitcoin account (that is rather a simple process, which you can check out online in case you don’t know how to do that). Below is my bitcoin account information (Bitcoin wallet): 12nEVuGNtRFMVjeVmLtD4nt2sHX68S47yH

Once the required amount is transferred to my account, I will proceed with deleting all those videos and disappear from your life once and for all. Kindly ensure you complete the abovementioned transfer within 50 hours (2 days +). I will receive a notification right after you open this email, hence the countdown will start. Trust me, I am very careful, calculative and never make mistakes.

If I discover that you shared this message with others, I will straight away proceed with making your private videos public. Good luck!
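The wallet list and the quoted template above are enough to build a mail-filter triage rule. The following Python is an added example, not code from the Gridinsoft post: it pulls Bitcoin-address-shaped tokens out of an email body, checks them against the wallets the post lists, and counts a handful of phrase indicators taken from the template. The indicator set, the scoring thresholds and the shortened sample email are this example's own assumptions; the wallet addresses are the ones quoted in the post.

```python
import re

# Wallet addresses the post lists as used by this scam (copied from the page).
KNOWN_SCAM_WALLETS = {
    "bc1qzxzazuz7twfx4e0mzfg97606d5dytksue9j3ag",
    "1N6TYc2FFJmjMDPnAKQgjRh65ou58EfQNM",
    "bc1qz3hct7u9x6tfh4guk3e7wyjaxa2gnalzfgr3kh",
    "12nEVuGNtRFMVjeVmLtD4nt2sHX68S47yH",
    "1Er1bTsfVpy2uZ88hBDJf1i66SuYxQCRKb",
    "1HBiRxpSxekVND1Rqwqh1gbUKeZiYBsDkt",
    "19AEV6b6SMVTByErnpaQUDCUWK5cN8gYqh",
}

# Mainnet address shapes: bech32 (bc1 + bech32 charset) and legacy base58 (1.../3...).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}"
    r"|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"
)

# Phrases lifted from the template quoted in the post; each alone is a weak signal.
INDICATORS = {
    "claims_hacker": re.compile(r"professional hacker|hack(ed)? your", re.I),
    "spyware_story": re.compile(r"spyware|trojan|driver-based", re.I),
    "webcam_threat": re.compile(r"camera|webcam|video compilation", re.I),
    "adult_content": re.compile(r"porn|adult content|masturbat", re.I),
    "bitcoin_demand": re.compile(r"bitcoin", re.I),
    "deadline": re.compile(r"\b\d{2,3}\s*hours\b", re.I),
    "isolation": re.compile(r"shared? this (message|email) with", re.I),
}


def extract_btc_addresses(text):
    """Return the distinct address-shaped tokens found in the text, sorted."""
    return sorted(set(BTC_ADDRESS_RE.findall(text)))


def triage(text):
    """Classify an email body as 'scam', 'suspicious' or 'unclear'."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    addresses = extract_btc_addresses(text)
    known = [a for a in addresses if a in KNOWN_SCAM_WALLETS]
    if known or (addresses and len(hits) >= 3):
        verdict = "scam"          # known wallet, or a payment demand plus the usual story
    elif len(hits) >= 3:
        verdict = "suspicious"    # the story without a wallet; worth a human look
    else:
        verdict = "unclear"
    return {"indicators": hits, "addresses": addresses,
            "known_scam_wallets": known, "verdict": verdict}


# Constructed sample: a shortened version of the template quoted in the post.
SAMPLE_EMAIL = """Subject: Your personal data has leaked due to suspected harmful activities.
I am a professional hacker and have successfully managed to hack your operating system.
Your computer was infected with harmful spyware because you visited a website with porn content.
I can switch on the camera as well as microphone at any point of time without your permission.
Transfer the Bitcoin equivalent of 850 USD to my Bitcoin wallet: 12nEVuGNtRFMVjeVmLtD4nt2sHX68S47yH
Complete the transfer within 50 hours. If you shared this message with others, I will publish the videos."""

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The address regex only checks shape, not checksum, so a match alone is never a verdict; the known-wallet hit is what pushes the sample straight to "scam", and an unknown wallet needs the template phrases alongside it.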

So Is This Real or What?

No, it’s not real. Not even slightly. It’s just a mass-sent scare tactic banking on statistics – send enough emails and eventually you’ll find someone worried enough to pay.

Any professional hacker who managed to compromise your system wouldn’t announce it with a dramatic email. That would be like a burglar sending you a postcard saying “Hey, I stole your TV yesterday!” Real attackers prefer to stay undetected as long as possible.

The technical claims in these emails fall apart under even casual scrutiny. Anyone with basic IT knowledge can spot the nonsense about “driver-based malware” with “4-hourly signature updates.” It’s the cybersecurity equivalent of claiming your unicorn needs special rainbow feed.

The Psychology Behind The Scam

These scammers are amateur hackers but professional manipulators. They use several psychological tricks designed to bypass your rational thinking.

The Authority Card

They open by establishing themselves as “professional hackers” with technological superpowers. This appeal to authority works because most people don’t know exactly what hackers can and can’t do. It’s like claiming to be a “professional ghost hunter” – if you don’t know the field, you might just believe it.

They load the email with technical-sounding terms to reinforce this perceived expertise. Most people won’t recognize that these terms make actual security experts laugh their coffee out.

Shame As A Weapon

The scammers specifically mention adult websites and compromising recordings to trigger embarrassment. They know embarrassed people make poor decisions and are less likely to seek help. It’s a classic manipulation tactic – make someone feel shame, and they’re easier to control.

The genius part is mentioning something many people do privately, making the victim think “But how did they know?” The answer: they didn’t. They just made a good guess.

The Urgency Trigger

The 48-72 hour countdown creates artificial urgency to force quick, emotional decisions. This is the same trick used in those “limited time offer” commercials, except with more blackmail.

When people feel rushed, they make mistakes. The scammers know this and use time pressure to override your critical thinking.

What To Do If You Get This Email

First, take a deep breath. Your secrets are safe, your camera hasn’t been hacked, and no one has been spying on you. This is just digital junk mail with extra intimidation.

Mark the email as spam and delete it. Never respond to these messages – even clicking “unsubscribe” links just confirms your email is active, bringing more spam your way.

If the email includes one of your actual passwords, change that password anywhere you still use it immediately. Then check if your email has been involved in data breaches using services like Have I Been Pwned. This is a good reminder to use unique passwords for every site and enable two-factor authentication on important accounts.

If you’re worried about webcam security, put a piece of tape over it when not in use. It’s low-tech but effective – even Mark Zuckerberg does it.

For extra peace of mind, run a malware scan on your system. Contrary to what the email claims, good security software can detect actual threats. GridinSoft Anti-Malware will spot and remove genuine malware – unlike the imaginary super-stealth malware in the scam email.

Protect Yourself From Real Threats

While this specific email is fake, real cybersecurity threats do exist. Update your software regularly and use strong, unique passwords for important accounts. Consider using a password manager to keep track of them all.

Be skeptical of unsolicited emails, especially those with attachments. A legitimate company rarely sends unexpected attachments, and your bank will never ask for your password via email.

Enable two-factor authentication on important accounts. It’s like having a second lock on your door – even if someone gets your password, they still can’t get in without your phone.

These simple habits will protect you from actual threats, not imaginary hackers with magical malware. And if you ever receive another “professional hacker” email, you can have a good laugh before hitting delete.

Top 5 Infostealer Malware of 2025: The Silent Data Snatchers
https://gridinsoft.com/blogs/infostealer-malware-top/
Mon, 28 Apr 2025 13:16:29 +0000
Remember when we used to worry about viruses that just crashed your computer? Those were simpler times. In 2025, cybercriminals prefer to steal your data rather than destroy it. Welcome to the golden age of infostealer malware – the digital pickpockets that empty your accounts while you’re busy scrolling through cat videos.

The data tells a striking story: while media headlines scream about ransomware attacks, infostealers quietly dominate the threat landscape, accounting for nearly a quarter of all cybersecurity incidents. This silent majority operates without flashy ransom notes or system lockdowns, making them even more dangerous. As the defensive focus shifts to stopping ransomware, these stealthy data thieves slip through the cracks, reaping massive rewards with far less attention. The trend is clear – attackers have realized that stealing your data offers better ROI than holding it hostage.

What Even Is an Infostealer?

Infostealers are exactly what they sound like – malware designed to quietly extract sensitive information from your device. They target passwords, credit card details, cryptocurrency wallets, browser cookies, and pretty much anything that could be valuable on the digital black market. Think of them as the cybercriminal’s Swiss Army knife – versatile, reliable, and exceedingly popular.

Unlike ransomware’s dramatic hostage-taking approach, infostealers prefer to work in the shadows. They slip in, grab what they want, and often leave without you noticing anything’s wrong. By the time you realize your accounts have been compromised, your data is already being sold on dark web marketplaces or used for follow-up attacks.

Why Infostealers Are Booming in 2025

According to IBM’s X-Force Threat Intelligence Index 2025, credential harvesting now occurs in 29% of all cybersecurity incidents. That’s a massive slice of the cybercrime pie. The Verizon 2025 DBIR found that 54% of ransomware victims had their domains appear in infostealer logs first – meaning these stealers often serve as the appetizer before the main ransomware course.

Cryptocurrency remains a major driver behind infostealer popularity. With traditional banking fraud becoming harder to pull off, crypto wallets represent a softer target with potentially massive payoffs. Plus, the rise of BYOD (Bring Your Own Device) policies has created a perfect storm – personal devices often have both work and personal credentials, making them information goldmines.

The Fab Five: 2025’s Most Notorious Infostealers

Not all infostealers are created equal. Some have risen to the top through a combination of advanced features, reliability, and aggressive marketing on cybercrime forums. Here’s the current leaderboard of data thieves keeping security professionals up at night.

1. Lumma Stealer (LummaC2)

Lumma has climbed to the #1 spot in 2025, a remarkable rise for malware first detected in late 2022. Its success comes from its stealthy approach to data exfiltration – sending information in small fragments to avoid triggering security alerts. The developers offer tiered pricing plans ranging from $250 to $1,000, with premium features like network sniffing functionality reserved for big spenders.

What makes Lumma particularly dangerous is its comprehensive targeting. It captures browser data, cryptocurrency wallets, two-factor authentication apps, email clients, and even Telegram sessions. For cybercriminals willing to shell out $20,000, Lumma’s developers will even provide source code access and reselling rights – talk about customer service.

2. StealC Stealer

StealC has rocketed to second place this year, proving that sometimes the new kid on the block can outshine the veterans. Released in early 2023, StealC combines the best features of other top infostealers with an aggressive development cycle – releasing new features weekly. Unlike many competitors, StealC offers free testing periods and unusually responsive customer support on darknet forums.

Security researchers at Trac Labs noted StealC’s botched v2 release in 2024, but the developers quickly recovered with v2.1, which improved its ability to evade detection while expanding its targeting capabilities. Its growing market share makes it clear that stumbles haven’t impeded its rise to prominence.

3. RedLine Stealer

RedLine has held onto a top-three position since 2020, demonstrating impressive staying power in a fickle malware market. Written in C#, this veteran infostealer excels at grabbing credentials from over 60 browsers, VPN configs, cryptocurrency wallets, and FTP clients. Its relatively user-friendly control panel and reasonable pricing (starting around $150-$200) have maintained its popularity among less technical cybercriminals.

Despite being one of the older contenders, FortiGuard Labs reports that RedLine continues to receive regular updates. Recent versions have improved its ability to bypass Windows Defender and added capabilities to steal gaming accounts – because apparently, your Steam inventory is now worth stealing too.

4. Raccoon Stealer

If infostealers had an old guard, Raccoon would be part of it. Around since 2019, this digital veteran has somehow managed to stay relevant in the ever-changing malware landscape. While newer threats come and go, Raccoon keeps adapting and evolving – kind of like that one friend who somehow stays cool despite getting older.

What’s interesting about Raccoon isn’t just its staying power but how it’s run like an actual business. The developers offer round-the-clock customer support through Telegram (better service than my internet provider, honestly) and roll out updates more consistently than most legitimate software companies. They’ve recently added Telegram Desktop theft capabilities and expanded their crypto wallet targeting – because apparently stealing your Bitcoin wasn’t enough, now they want your obscure altcoins too.

At $275 monthly, it’s not exactly budget-friendly for aspiring cybercriminals, but you get what you pay for. Raccoon has earned its reputation for reliability in the underground markets. Hunt.io researchers recently caught it using fileless infection techniques – basically operating in your computer’s memory without leaving obvious traces on disk. It’s like a burglar who not only doesn’t break your windows but somehow manages to avoid leaving footprints on your carpet.

5. Vidar Stealer

Vidar is what happens when malware developers embrace the “build-your-own-adventure” model. Born as an offshoot of another stealer called Arkei back in 2018, Vidar gives its criminal users a modular, mix-and-match approach to data theft. Want to steal passwords but not cookies? No problem. Need crypto wallets but not browser history? They’ve got you covered.

What makes security pros lose sleep over Vidar is its chameleon-like ability to disappear after doing its dirty work. Once it’s grabbed what it came for, Vidar can completely remove itself from your system – like a thief who not only steals your valuables but also washes the dishes and vacuums before leaving, just to make you question if you’ve been robbed at all.

The U.S. Department of Health and Human Services didn’t mince words when they called Vidar “exceptionally potent.” It’s frequently deployed alongside ransomware like STOP/Djvu in tag-team attacks. The latest versions have even figured out how to steal MFA seed values – those supposedly “unbreakable” second factors protecting your accounts. It’s basically telling your two-factor authentication, “That’s cute, hold my beer.”

Data Targeted by Information Stealers

[Figure: Data Targeted by Information Stealers (2025). Bar chart comparing Lumma, RedLine, StealC and Raccoon across four categories: browser data, crypto wallets, system information and app credentials; vertical axis 0% to 75%.]

Source: GridinSoft Research Lab analysis, 2025

The visualization reveals a disturbing truth: modern infostealers don’t just target one type of data—they’re designed for comprehensive digital identity theft. Lumma leads the pack in browser data collection, which shouldn’t surprise anyone considering we practically live in our browsers. Meanwhile, the crypto wallet targeting reflects attackers’ preference for assets that are both valuable and irreversible once stolen. The pattern is clear: these tools are becoming increasingly sophisticated in their ability to extract everything from your digital life worth stealing.

Real-World Impact: When Infostealers Strike

The damage from infostealers extends far beyond individual victims. Major breaches in early 2025 demonstrate their growing threat to organizations of all sizes. Samsung Tickets suffered a massive leak in March when a hacker exploited credentials stolen by an infostealer infection from 2021, exposing 270,000 customer records.

Even more alarming, the HELLCAT ransomware group has made infostealers central to their strategy, successfully breaching Jaguar Land Rover, Telefónica, and several other major companies using stolen credentials from infostealer logs. These incidents highlight how a single compromised device can lead to enterprise-wide breaches months or even years later.

How to Keep Your Data From Being Stolen

Protecting yourself against infostealers doesn’t require a cybersecurity degree. Focus on these essentials:

  • Update everything – Patch your system and apps promptly
  • Use a password manager – Create unique passwords for every site
  • Enable MFA everywhere possible – Preferably using authenticator apps
  • Avoid pirated software – That “free” Photoshop is a trojan horse
  • Run security software – Choose solutions that detect behavioral anomalies

For more detailed information, check out our comprehensive guide on how to detect, remove, and prevent infostealer infections.
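One concrete form of the behavioural detection the last bullet asks for, written as an added example that is not GridinSoft's or any vendor's logic: correlate reads of browser credential stores and wallet files by a process that is not their owning application with an outbound connection shortly afterwards. The event schema, the time window, the two-file threshold and the sample events are constructed for this example; the file names are the real Chromium ("Login Data", "Web Data", "Cookies"), Firefox ("logins.json", "key4.db") and Bitcoin Core ("wallet.dat") store names.

```python
import re
from collections import defaultdict

# Credential and wallet stores that infostealers harvest (real file names).
SENSITIVE_FILES = re.compile(
    r"(Login Data|Web Data|Cookies|logins\.json|key4\.db|wallet\.dat)$", re.I)

# Applications that own those files; their reads are routine (assumed allowlist).
OWNER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "bitcoin-qt.exe"}

WINDOW_SECONDS = 120   # egress must follow the reads within this window (assumption)
MIN_FILES = 2          # one file may be a backup job; two or more looks like harvesting


def detect_stealer_behaviour(events):
    """events: dicts {ts, pid, image, type, path|dest}. Returns a list of alert dicts."""
    reads = defaultdict(dict)        # pid -> {path: timestamp of first read}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, image = ev["pid"], ev["image"]
        if image.lower() in OWNER_IMAGES:
            continue
        if ev["type"] == "file_read" and SENSITIVE_FILES.search(ev["path"]):
            reads[pid].setdefault(ev["path"], ev["ts"])
        elif ev["type"] == "net_connect":
            recent = [p for p, t in reads[pid].items() if ev["ts"] - t <= WINDOW_SECONDS]
            if len(recent) >= MIN_FILES:
                alerts.append({"pid": pid, "image": image, "dest": ev["dest"],
                               "files": sorted(recent)})
                reads[pid].clear()   # one alert per harvesting burst
    return alerts


# Constructed sample telemetry (Sysmon-style file-read and network events).
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 1001, "image": "chrome.exe", "type": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 5, "pid": 4242, "image": "update.exe", "type": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 6, "pid": 4242, "image": "update.exe", "type": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": 7, "pid": 4242, "image": "update.exe", "type": "file_read",
     "path": r"C:\Users\a\AppData\Roaming\Bitcoin\wallet.dat"},
    {"ts": 9, "pid": 4242, "image": "update.exe", "type": "net_connect",
     "dest": "203.0.113.10:443"},
    {"ts": 30, "pid": 6000, "image": "backup.exe", "type": "file_read",
     "path": r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json"},
    {"ts": 31, "pid": 6000, "image": "backup.exe", "type": "net_connect",
     "dest": "192.0.2.20:443"},
]

if __name__ == "__main__":
    for alert in detect_stealer_behaviour(SAMPLE_EVENTS):
        print(alert)
```

The browser's own read at ts=0 and the single-file backup job at ts=30 are deliberately present so the rule shows its two exclusions; only the unknown process that touches three stores and then connects out is raised.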

Infostealer Comparison: The 2025 Threat Landscape

Feature | Lumma | StealC | RedLine | Raccoon | Vidar
--- | --- | --- | --- | --- | ---
First Appeared | 2022 | 2023 | 2020 | 2019 | 2018
Pricing Model | $250-$1,000; source code: $20,000 | $150-$250; free trial periods | $150-$200; flat fee | $275/month; subscription | $200-$500; custom builds
Primary Targets | Browsers, wallets, 2FA apps, email clients, Telegram | Browser data, VPN credentials, passwords | 60+ browsers, VPN configs, crypto wallets, FTP clients | Wallets, Telegram data, browser credentials | Customizable targeting based on attacker needs
Unique Features | Fragment-based exfiltration that avoids detection | Aggressive weekly update cycle, responsive support | User-friendly control panel, wide-ranging browser support | Fileless infection techniques, 24/7 Telegram support | Self-destruction capability, MFA seed value theft
Distribution | Phishing, malvertising, cracked software | Spam email, fake downloads, compromised sites | Forums, torrents, malspam | Malicious ads, cracked software | Phishing, bundled with ransomware
Detection Difficulty | Very High | High | Medium | High | Very High
Market Share Trend | ↑ Rapidly growing | ↑ Growing | → Stable | → Stable | ↑ Growing
Common Pairings | Often precedes ransomware | Used with remote access trojans | Cryptocurrency miners | Additional backdoors | STOP/Djvu ransomware

The Bottom Line

Here’s the uncomfortable truth that cybersecurity professionals don’t always articulate clearly: in 2025, it’s not a question of if your credentials will be targeted, but when. Infostealers have evolved from crude data-grabbing tools into digital espionage platforms that operate with unsettling efficiency. They’re the silent assassins of the cybersecurity world – no flashy techniques, no dramatic demands, just quiet theft that often goes unnoticed until the damage is done.

The reality is that cybercriminals have realized a fundamental truth about human behavior: we’re creatures of habit and convenience, routinely sacrificing security for simplicity. Password reuse, postponed updates, and clicking without thinking aren’t just bad habits – they’re open invitations to these digital thieves. The brutal economics also can’t be ignored: why would criminals bother with complex ransomware operations when they can extract cryptocurrency wallet contents directly, without the messy negotiations?

The cybersecurity landscape is constantly evolving, but one principle remains stubbornly consistent – attackers will always follow the path of least resistance to valuable data. By implementing even some of the protection measures outlined above, you’re essentially making yourself a harder target. In the digital wilderness, you don’t need to outrun the bear – you just need to outrun the other hikers. Make your digital presence secure enough that attackers look for easier pickings elsewhere, and you’ve won half the battle.

Want to stay protected without a computer science degree? Get Gridinsoft Anti-Malware today and let us handle the technical heavy lifting while you get back to whatever you were doing before you started worrying about digital pickpockets.

CVE-2025-21605 Redis DoS Vulnerability Discovered, Patch Now
https://gridinsoft.com/blogs/cve-2025-21605-redis-dos-vulnerability/
Thu, 24 Apr 2025 21:34:13 +0000
So Redis walks into a bar and the bartender asks, “Why so bloated?” Turns out Redis has been hitting the memory buffers a bit too hard lately. The popular in-memory database now has a vulnerability that lets anyone – yes, literally anyone – crash your server by making it consume memory until it keels over. No password required. How thoughtful.

What’s the Deal with This Vulnerability?

Redis developers recently disclosed CVE-2025-21605, which is basically Redis forgetting to check how much it’s eating. The vulnerability allows unauthenticated clients to trigger unlimited growth of output buffers, eventually exhausting server memory. It’s like your teenager’s appetite, but for RAM.

The technical classification is CWE-770 (Allocation of Resources Without Limits or Throttling), which is a fancy way of saying “this program doesn’t know when to stop.” This affects all Redis versions from 2.6 to just before 7.4.3. And yes, if you’re reading that correctly, that’s practically all versions in common use.

Why Should You Care?

If you’re running Redis exposed to the internet (which hopefully you’re not), this is especially bad news. Even if you’ve set a password, the “NOAUTH” responses can still trigger buffer growth. So your password protection is about as effective as a screen door on a submarine.

For those unfamiliar, Redis is an open-source database that’s incredibly popular for caching, session management, and message brokering. It’s fast because it works in memory – which also makes this vulnerability particularly nasty. When Redis runs out of memory, it doesn’t gracefully degrade – it crashes, taking down whatever services rely on it. This can create cascade failures across your infrastructure, similar to what we see in many modern cyber attacks.

How Bad Is It Really?

On a scale of “mildly annoying” to “oh no, call the incident response team,” this is firmly in the “weekend-ruining” category. The vulnerability requires minimal skill to exploit – no elaborate hacking sequences like in the movies. An attacker just needs to find your Redis instance and send some carefully crafted requests. Even script kiddies with basic automated tools could pull this off.

What makes this particularly concerning is that over 23,000 companies use Redis, with about half in the United States. Many are still running older versions, because upgrading databases is about as fun as a root canal. AWS and Google Cloud users are still deploying outdated Redis versions (6.x, 5.0, 4.0), so there’s a good chance many instances are vulnerable.

[Figure: pie chart of Redis usage by country. Caption: Redis usage by country – spot your region in this colorful “vulnerability distribution map”.]

The real-world impact? Your e-commerce site goes down during a sales event. Your users get logged out randomly. Your metrics and monitoring disappear. All while you’re frantically trying to figure out why Redis keeps crashing. Fun times.

The sneakier concern is that attackers might use this as a distraction. While you’re busy restarting services and putting out fires, they could be exploiting other vulnerabilities elsewhere in your infrastructure. It’s a classic misdirection play that we’ve seen in sophisticated DDoS attacks before.

Fixing the Problem

The most obvious solution is to upgrade to Redis 7.4.3 or later. This version properly enforces output buffer limits, preventing the unchecked memory consumption. If you follow basic security best practices, keeping software updated should already be on your to-do list anyway.

But let’s be realistic – sometimes immediate upgrades aren’t possible. Maybe you’re running a legacy application that depends on a specific Redis version, or perhaps your change management process moves at the speed of continental drift. In that case, you have a few options:

  • Block unauthenticated access using firewalls, iptables, or cloud security groups
  • Enable TLS with client-side certificate authentication
  • Isolate Redis instances in their own network segments
  • Set up monitoring to detect unusual memory usage patterns

These mitigations aren’t perfect – they’re more like putting a band-aid on a leaky pipe. You’ll still want to plan that upgrade, but at least you won’t be completely exposed in the meantime. This vulnerability is just one example of why implementing a solid vulnerability management strategy is crucial for modern organizations.
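Two of the checks above are easy to turn into code. The Python below is an added example, not from the post or the Redis project: a version test using the affected range the post states (2.6 up to, but not including, 7.4.3), fed from `redis-cli INFO server`, and a parser for `redis-cli CLIENT LIST` output that flags clients whose output buffer memory (`omem`) has grown past a threshold, which is the "unusual memory usage" signal the last bullet asks for. The 32 MiB threshold and the sample CLIENT LIST lines are constructed for this example; the `omem`, `addr` and `cmd` field names are the real ones.

```python
import re

FIRST_AFFECTED = (2, 6, 0)   # affected range as stated in the post: [2.6, 7.4.3)
FIXED = (7, 4, 3)


def parse_version(text):
    """Extract major.minor[.patch] from 'redis_version:7.2.4' or a bare '7.2.4'."""
    m = (re.search(r"redis_version:(\d+)\.(\d+)(?:\.(\d+))?", text)
         or re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text))
    if not m:
        raise ValueError("no version number found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(info_server_output):
    """True when the reported version falls inside [2.6.0, 7.4.3)."""
    return FIRST_AFFECTED <= parse_version(info_server_output) < FIXED


def parse_client_list(output):
    """Turn CLIENT LIST lines ('k=v k=v ...') into a list of dicts."""
    clients = []
    for line in output.splitlines():
        if line.strip():
            clients.append(dict(kv.split("=", 1) for kv in line.split() if "=" in kv))
    return clients


def oversized_output_buffers(output, threshold_bytes=32 * 1024 * 1024):
    """Clients whose output-buffer memory (omem) is at or above the threshold, largest first."""
    hits = []
    for c in parse_client_list(output):
        omem = int(c.get("omem", "0"))
        if omem >= threshold_bytes:
            hits.append({"addr": c.get("addr"), "omem": omem, "cmd": c.get("cmd")})
    return sorted(hits, key=lambda h: -h["omem"])


# Constructed CLIENT LIST output: one client with a swollen output buffer, one normal.
SAMPLE_CLIENT_LIST = """\
id=3 addr=10.0.0.5:51234 laddr=10.0.0.2:6379 fd=8 name= age=120 idle=0 flags=N db=0 qbuf=26 qbuf-free=20448 obl=0 oll=4096 omem=134217728 tot-mem=134300000 cmd=ping
id=4 addr=10.0.0.9:40001 laddr=10.0.0.2:6379 fd=9 name=app age=900 idle=1 flags=N db=0 qbuf=0 qbuf-free=0 obl=0 oll=0 omem=0 tot-mem=1800 cmd=get
"""

if __name__ == "__main__":
    import subprocess
    info = subprocess.run(["redis-cli", "INFO", "server"], capture_output=True, text=True).stdout
    print("vulnerable version" if is_vulnerable(info) else "version outside the affected range")
    clients = subprocess.run(["redis-cli", "CLIENT", "LIST"], capture_output=True, text=True).stdout
    for hit in oversized_output_buffers(clients):
        print("large output buffer:", hit)
```

Run the `__main__` part from a host that can reach the instance (it shells out to `redis-cli`); a client with an output buffer in the hundreds of megabytes while the server is under memory pressure is the pattern to alert on, and the `client-output-buffer-limit` directive in redis.conf is the standing control that caps it. The version check uses the boundary the post gives; if a distribution ships a backported fix under an older version number, check its advisory rather than this range.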

The Bottom Line

CVE-2025-21605 is a perfect example of how even simple vulnerabilities in popular software can create significant security risks. The fact that it affects unauthenticated users makes it particularly dangerous in today’s interconnected landscape.

So check your Redis versions, plan that upgrade, and while you’re at it, maybe review what else in your infrastructure might be exposed to the internet unnecessarily. Security is rarely about big, dramatic threats – it’s usually these mundane, easily-fixable issues that end up causing the most problems.

Remember: in the world of cybersecurity, boring updates prevent exciting incidents. And nobody wants excitement when it comes to database availability.

The post CVE-2025-21605 Redis DoS Vulnerability Discovered, Patch Now appeared first on Gridinsoft Blog.

Slopsquatting: New Malware Spreading Technique Targeting AI Assisted Developers
https://gridinsoft.com/blogs/slopsquatting-malware/
Published Thu, 24 Apr 2025 09:01:55 +0000

Slopsquatting is a new type of cyber threat that takes advantage of mistakes made by AI coding tools, particularly LLMs that can “hallucinate”. In this post, we’ll break down this new type of attack, find out why it can occur, dispel some myths, and figure out how to prevent it.

Slopsquatting – New Techniques Against AI Assisted Devs

Slopsquatting is a supply chain attack that leverages AI-generated “hallucinations” — instances where AI coding tools recommend non-existent software package names. The term draws parallels with typosquatting, where attackers register misspelled domain names to deceive users.

In slopsquatting, however, the deception stems from AI errors rather than human mistakes. The term combines “slop”, referring to low-quality or error-prone AI output, and “squatting”, the act of claiming these hallucinated package names for malicious purposes.

It is a rather unexpected cybersecurity threat that exploits the limitations of AI-assisted coding tools, particularly large language models. As developers increasingly rely on these tools to streamline coding processes, the risk of inadvertently introducing malicious code into software projects grows. Hackers can then create malicious packages with these fake names and upload them to public code repositories.

Mechanics of Slopsquatting

The process of slopsquatting unfolds in several stages. First, LLMs, such as ChatGPT, GitHub Copilot, or open-source models like CodeLlama, generate code or suggest dependencies. In some cases, they recommend package names that do not exist in public repositories like PyPI or npm. These hallucinated names often sound plausible, resembling legitimate libraries (e.g., “secure-auth-lib” instead of an existing “authlib”).

The Python Package Index (PyPI) and npm are abused by cybercriminals with alarming frequency. Read our report on one of the latest PyPI typosquatting incidents.

Stage 2 begins when developers, fully trusting the AI’s recommendations, run the code, assuming every package it refers to is legitimate. Normally this ends in build failures or broken functionality in parts of the resulting program. Developers may waste time debugging errors, searching for typos, or trying to figure out why a dependency isn’t resolving, when the real cause is simply that the AI assistant hallucinated a package that does not exist.

In the worst-case scenario, which is becoming more and more common, the hallucinated name has already been taken by a malicious package. Threat actors specifically register false names that appear in AI-generated code, or pick names similar to what an AI is likely to generate, and wait for victims. As a result, what looks like a flawless build process in fact installs malware on the developer’s system.

The bad part is that these hallucinations are not random, which makes them predictable. A study by researchers analyzed 16 LLMs, generating 576,000 Python and JavaScript code samples. They found that 19.7% (205,000) of recommended packages were non-existent. Notably, 43% of these hallucinated packages reappeared in 10 successive runs of the same prompt, and 58% appeared more than once, suggesting a level of predictability that attackers can exploit.

Python vs JavaScript hallucination rates graph
Python vs JavaScript hallucination rates

This is where the fun begins. Cybercriminals identify these hallucinated package names, either by analyzing AI outputs or predicting likely hallucinations based on patterns. They then create malicious packages with these names and upload them to public repositories. This is the worst version of the scenario described in the two paragraphs above.

As a result, malware gets introduced into developers’ projects, which can compromise software security, steal data, or disrupt operations. In some cases, it can even serve as a backdoor for future attacks, allow lateral movement across systems, or lead to the compromise of an entire software supply chain.

Prevalence and Variability Across AI Models

The frequency of package hallucinations varies a lot depending on the AI model. Open-source models, such as CodeLlama and WizardCoder, tend to hallucinate more often, with an average hallucination rate of 21.7%. For example, CodeLlama hallucinated over 33% of the time. On the other hand, commercial models like GPT-4 Turbo perform much better, with a hallucination rate of just 3.59%. In general, GPT models are about four times less likely to hallucinate compared to open-source ones.

Hallucination rates slopsquatting
Hallucination rates of recent vs. all-time data sets

When it comes to how believable these hallucinations are, around 38% of the fake package names are moderately similar to real ones, and only 13% are just simple typos. That makes them pretty convincing to developers. So, even though commercial models are more reliable, no AI is completely immune to hallucinations—and the more convincing these fakes are, the bigger the risk.

Potential Impact

Despite the fact that massive human downsizing is underway in favor of using AI, slopsquatting shows that the complete replacement of humans by artificial intelligence is unlikely to happen anytime soon. If a widely-used AI tool keeps recommending a hallucinated package, attackers could use that to spread malicious code to numerous developers, making the attack much more effective.

Another issue is trust — developers who rely on AI tools might not always double-check if the suggested packages are legit, especially when they’re in a hurry. That trust makes them more vulnerable.

While there haven’t been any confirmed slopsquatting attacks in the wild as of April 2025, the technique is seen as a real threat for the future. It’s similar to how typosquatting started out as just a theoretical concern and then became a widespread problem. The risk is made worse by things like rushed security checks—something OpenAI has been criticized for. As AI tools become a bigger part of development workflows, the potential damage from slopsquatting keeps growing.

Preventive Measures Against Slopsquatting

To reduce the risk of slopsquatting, developers and organizations can take several practical steps. First, it’s important to verify any package recommended by an AI — check if it actually exists in official repositories and review things like download numbers and the maintainer’s history.

Good code review practices are essential too. Catching odd or incorrect suggestions before the code goes live can save a lot of headaches. On top of that, developers should be trained to stay aware of the risks that come with AI hallucinations and not blindly trust everything the AI spits out.
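The verification step described above, as an added example that is not part of the original post: a small pre-install gate that reads a `requirements.txt`, normalizes each name, refuses anything absent from a registry snapshot, points out the existing packages a missing name resembles (the “secure-auth-lib” versus “authlib” case from earlier), and also flags packages that do exist but are very new with almost no downloads. The registry snapshot, its download and age numbers, and the package `quick-jwt-utils` are all constructed for the example; in real use the snapshot would come from the index itself or an internal mirror, and the thresholds are assumptions to tune.

```python
"""Gate AI-suggested Python dependencies against a registry snapshot.

Added example, not from the Gridinsoft post. The registry contents and
numbers below are constructed; swap in data from PyPI or an internal mirror.
"""
import difflib
import re


def normalize(name: str) -> str:
    """Normalize a package name the way PyPI compares them: lowercase, runs of -_. become -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Return normalized package names from requirements.txt, ignoring comments and options."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):          # blank, comment, or option such as -r
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def check_dependencies(requirements: str, registry: dict,
                       min_age_days: int = 90, min_downloads: int = 1000,
                       cutoff: float = 0.6) -> list:
    """Return findings for names that are missing from the registry or look freshly squatted.

    Each finding is a dict with "package", "status" and "similar" (close existing names).
    Thresholds and the similarity cutoff are assumptions of this example.
    """
    known = {normalize(k): v for k, v in registry.items()}
    findings = []
    for name in parse_requirements(requirements):
        meta = known.get(name)
        if meta is None:
            similar = difflib.get_close_matches(name, list(known), n=3, cutoff=cutoff)
            findings.append({"package": name, "status": "not-in-registry", "similar": similar})
        elif meta["age_days"] < min_age_days and meta["downloads_30d"] < min_downloads:
            findings.append({"package": name, "status": "new-low-adoption", "similar": []})
    return findings


# Constructed registry snapshot: name -> 30-day downloads and age of first release.
SAMPLE_REGISTRY = {
    "requests": {"downloads_30d": 500_000_000, "age_days": 5000},
    "authlib": {"downloads_30d": 9_000_000, "age_days": 2800},
    "Flask-Login": {"downloads_30d": 8_000_000, "age_days": 4500},
    "numpy": {"downloads_30d": 300_000_000, "age_days": 6000},
    "cryptography": {"downloads_30d": 400_000_000, "age_days": 4000},
    "quick-jwt-utils": {"downloads_30d": 12, "age_days": 5},   # constructed, suspicious
}

# Constructed requirements file, as an AI assistant might have suggested it.
SAMPLE_REQUIREMENTS = """
-r base.txt
requests==2.31.0
authlib>=1.3
secure-auth-lib      # hallucinated name from the article's example
flask_login>=0.6
numpy  # scientific
quick-jwt-utils
"""

if __name__ == "__main__":
    for finding in check_dependencies(SAMPLE_REQUIREMENTS, SAMPLE_REGISTRY):
        print(finding)
```

Wire the check into CI before `pip install` runs so a hallucinated or freshly registered name fails the build instead of being installed; the “similar” list gives the reviewer the legitimate name the assistant probably meant.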

Having runtime security measures in place can help detect and stop malicious activity from any compromised dependencies that do sneak through. I recommend GridinSoft Anti-Malware as a reliable solution for personal security: its multi-component detection system will find and eliminate even the most elusive threat, regardless of the way it is introduced. Download it by clicking the banner below and get yourself proper protection today.

WordPress Ad-Fraud Plugins and the Scallywag Operation
https://gridinsoft.com/blogs/wordpress-ad-fraud-scallywag-operation/
Published Wed, 23 Apr 2025 12:24:27 +0000

Cybersecurity researchers have found a large-scale ad fraud scheme called “Scallywag”. It used WordPress plugins to generate massive fraudulent ad traffic. As for now, interventions from law enforcement agencies have drastically reduced the traffic, but domain rotations and new monetization models suggest the issue persists, albeit at a lower scale.

WordPress Ad-Fraud Plugins and the Scallywag Operation

Recently, cybersecurity firm HUMAN has uncovered a massive ad fraud operation known as “Scallywag”. This scheme used specially crafted WordPress plugins to hijack traffic from piracy and URL-shortening sites, generating up to 1.4 billion fake ad requests per day at its peak.

The operation relied on a vast network of 407 domains, which were mapped out during the investigation. While Scallywag’s activity has since dropped by 95% thanks to aggressive blocking and takedown efforts, the threat actors behind it are proving annoyingly persistent. They are rotating domains and shifting to new monetization tactics, like digital cockroaches refusing to die.

Scallywag activity graph
Scallywag activity graph (Source: HUMAN)

Operation Details

Scallywag operates as a “fraud-as-a-service” model, utilizing specific WordPress extensions to monetize digital piracy and URL-shortening services. The WordPress plugins involved in the operation include Soralink, which is claimed to have been created in 2016, Yu Idea, with documentation dating back to 2017, WPSafeLink, reportedly developed in 2020, and Droplink, which appeared in 2022 and was distributed for free through various cashout blogs.

Scallywag operation diagram screenshot
Scallywag operation diagram

These plugins facilitate the insertion of intermediary pages loaded with ads, deceptive buttons, and artifacts, often requiring users to navigate through CAPTCHAs or wait times to access promised content. This method maximizes ad impressions and revenue, particularly from piracy catalog sites and URL shorteners, which are typically shunned by legitimate advertisers due to legal and brand safety risks.

The operation employs cloaking techniques, where direct visits from advertisers show benign blog content, while traffic from piracy or URL-shortening domains triggers ad-heavy pages. Additionally, open redirectors, such as those from Google or X, are used to sanitize referrer data, obscuring the fraudulent nature of the traffic.

Scale and Impact

As noted above, at its peak in early 2024, Scallywag accounted for 1.4 billion fraudulent bid requests daily. The operation’s network spanned 407 cashout domains, with detailed lists available as of February 2025. Detecting Scallywag involves analyzing traffic patterns, such as high ad impression volumes, cloaking behavior, forced wait times, and CAPTCHA usage. The operation’s use of deep linking to decloak content and open redirects complicates attribution.

The monetization strategy involves selling access to these WordPress extensions, empowering independent cybercriminals to launch their own ad fraud campaigns. Some threat actors have even shared instructional videos on YouTube, coaching others on maximizing the use of Scallywag extensions, further amplifying the operation’s reach.

Traffic analysis and domain blocking have led to a 95% reduction in Scallywag’s traffic from its peak, dropping daily ad fraud requests to nearly zero. However, the threat actors have also shown resilience, adapting by rotating domains and introducing new cashout sites to evade mitigations. Some have pivoted to content discovery networks, indicating ongoing evolution in their tactics.

How to Protect Against Fraudulent Sites?

To avoid such sites and malicious ads, you just need to follow two rules. First and most importantly, avoid visiting pirate sites. Apart from the fact that in most cases it can cause legal problems, as we can see, it is also a source of all sorts of threats, from advertising questionable things to spreading malware. If you doubt the reliability of a website, you can use our free Website Reputation Checker to check it quickly.

The second fundamental recommendation is to use anti-malware software. I recommend GridinSoft Anti-Malware because it contains an Internet Security module that blocks potentially dangerous sites. Of course, this does not cancel the previous point and does not give you permission to browse dubious sites. Rather, it complements the previous one by ensuring that, in case of an unintentional visit to a malicious site, the solution will notify the user of the potential risk and block access to the site.

MITRE Warns CVE Program Funding Expires on April 16
https://gridinsoft.com/blogs/mitre-warns-cve-program-funding-expires/
Published Wed, 16 Apr 2025 20:35:17 +0000

MITRE, a key player in cybersecurity awareness, has issued a warning about the funding for the Common Vulnerabilities and Exposures (CVE) program, which is set to expire today, on April 16, 2025. This program is vital for cataloging cybersecurity vulnerabilities, and its potential disruption could have significant consequences for national security and industry operations.

MITRE’s Warning on CVE Program Funding Expiry

MITRE, through a letter from Vice President and Director Yosry Barsoum at the Center for Securing the Homeland, warned that the current contracting pathway for developing, operating, and modernizing the CVE program, along with related programs like the Common Weakness Enumeration (CWE), will expire today, April 16, 2025. This warning was shared on several platforms. In a post on X/Twitter, which was linked in the letter, Barsoum said that a break in service could have several consequences.

Letter to MITRE CVE Board screenshot
Letter to CVE Board

These include a decline in national vulnerability databases and advisories, slower responses from vendors to new vulnerabilities, limited capabilities for incident response, and a broader impact on various types of critical infrastructure. The uncertainty about funding comes from the fact that the US government hasn’t confirmed whether the contract will be renewed. Reports suggest that the Trump administration is cutting federal spending, which could affect contracts like this one.

The latest example of a vulnerability logged and openly presented with the help of MITRE’s CVE is CVE-2025-32395 – consider reading our full report on the problem and the potential fallout.

MITRE Corporation, a not-for-profit organization operating federal research and development centers, has raised significant concerns about the funding status of the Common Vulnerabilities and Exposures (CVE) program, which is set to expire on April 16, 2025. The CVE program, launched in 1999, is foundational for cataloging publicly disclosed cybersecurity vulnerabilities.

It is maintained by MITRE with funding primarily from the National Cyber Security Division of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. It serves as a vital resource for hackers, vendors, and organizations, enabling the sharing of accurate and consistent information about cybersecurity risks. The program has cataloged nearly 275,000 records and stores historical data on GitHub.

Why is MITRE Critical?

The potential impacts are hard to overstate. The CVE program is described as the de-facto global standard for vulnerability identification and management, relied upon by organizations across industry, government, national security, and critical infrastructure.

Without funding, no new CVEs will be added after today, and the program website will eventually cease, though historical records will remain accessible on GitHub. Experts have noted that losing CVE could lead to mis-prioritized software updates and increased security risks due to the lack of a centralized, standardized severity description. Jen Easterly, former CISA Director, compared CVE to the Dewey Decimal System for cybersecurity.

Casey Ellis, founder of Bugcrowd, highlights that a sudden interruption could become a national security problem, as CVE underpins vulnerability management, incident response, and critical infrastructure protection efforts. Another policy researcher branded the potential end as “tragic,” a sentiment echoed by many in the cybersecurity community. In the end, transparent vulnerability disclosure helps developers to acknowledge bad coding practices and understand how things should not be done.

Some may argue that vulnerability disclosure is a bad thing, as it allows threat actors to target the new flaw before fixes are available. The thing is, hackers can find the flaw before security researchers or the developers do, develop an exploit, and use it as hard as they can. And without proper publication of the issue, companies will remain clueless about a potential hazard.

Can MITRE Come Back?

Despite the expiry, the government is making “considerable efforts” to continue MITRE’s role. CISA has stated they are “urgently working to mitigate impact and maintain CVE services on which global stakeholders rely,” though they declined to answer questions about why the contract wasn’t renewed or future plans. This uncertainty is compounded by reports of CISA facing significant budget and staffing cuts, potentially linked to broader Trump administration policies.

MITRE remains committed to the CVE as a global resource, but without confirmed funding, the program’s future is at risk. The layoffs of over 400 employees in MITRE’s Virginia office, due to canceled contracts worth more than $28 million, indicate the financial pressures already at play. Additionally, CISA’s decision to end funding for other programs like MS-ISAC and Election ISAC, announced last month, suggests a broader trend of funding cuts affecting cybersecurity initiatives.

D0glun Ransomware: Analysis and Protection Guide
https://gridinsoft.com/blogs/d0glun-ransomware/
Published Wed, 16 Apr 2025 10:44:35 +0000

D0glun Ransomware: Technical Analysis and Protection Guide

D0glun ransomware emerged in January 2025 as a new crypto-ransomware variant with direct links to the Babuk and Cheng Xilun ransomware families. This sophisticated threat encrypts files using AES-256 encryption, appends the “.@D0glun@” extension to compromised files, and demands Bitcoin payment for decryption. This technical analysis explores D0glun’s infection mechanisms, encryption techniques, and provides actionable protection strategies based on the latest threat intelligence.

Technical Overview

D0glun ransomware shares significant code similarities with the leaked Windows version of Babuk and is a direct descendant of Cheng Xilun (Babuk→Cheng Xilun→D0glun). Security researchers have confirmed these connections through analysis of execution patterns, encryption methods, and ransom note formats. The March 2025 crypto crime report indicates that this family was responsible for several incidents within a broader trend of $124 million stolen across 25 separate ransomware incidents in Q1 2025.

The ransomware features:

  • Fast encryption process using AES-256 symmetric encryption for file content
  • File extension modification to “.@D0glun@[original_extension]” with additional variant patterns of “@zero_d0glun_[original_extension]”
  • Three distinct ransom notes including desktop wallpaper modification
  • Chinese-language ransom instructions that appear as corrupted text on systems without Chinese character support
  • TOR communication channel for ransom payment and negotiation
  • Bitcoin wallet for transaction processing (identified address: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH)
  • Additional communication channels via QQ (424714982) and Telegram (https://t.me/CXL13131)

The first samples of D0glun were identified in January 2025, nearly five years after Cheng Xilun’s initial appearance in April 2020. This timing suggests strategic redeployment of the codebase either by the original threat actor under a new alias or a different group with access to the Cheng Xilun source code.

D0glun Ransomware Chinese ransom note displayed as desktop wallpaper
D0glun ransomware displays a Chinese-language ransom note as the desktop wallpaper

Infection Vectors

D0glun employs multiple distribution methods to infect systems, with recent research from March 2025 identifying exploitation of the Confluence Data Center vulnerability (CVE-2023-22518) as a newly observed attack vector:

D0glun Ransomware: Primary Infection Vectors (percentage of detected infections)

  • Phishing Emails: 43%
  • RDP Exploitation: 38%
  • Fake Software Updates: 32%
  • Confluence CVE-2023-22518: 29%
  • Supply Chain Attacks: 21%
  • Drive-by Downloads: 17%

Source: WatchGuard’s Ransomware Tracker, combined with GridinSoft Threat Intelligence data, 2025

The most prevalent infection vectors include:

  1. Phishing campaigns: Emails containing malicious attachments or links that, when opened, download and execute the ransomware payload through PowerShell scripts
  2. Remote Desktop Protocol (RDP) exploitation: Targeting systems with weak or default credentials or unpatched RDP vulnerabilities
  3. Fake software updates: Posing as legitimate application updates that actually contain the ransomware payload
  4. Confluence CVE-2023-22518 exploitation: Targeting the improper authorization vulnerability in Confluence Data Center and Server that allows unauthenticated attackers to reset Confluence and create administrator accounts
  5. Supply chain attacks: Compromising legitimate software distribution channels to deliver the payload
  6. Malicious torrent files: Hiding within pirated software, games, or media distributed through P2P networks

According to security reports, organizations in manufacturing, healthcare, and business services sectors are primary targets, with most infections occurring in North America and Europe, but also reported cases in Brazil, Argentina, South Africa, and Japan.

Technical Capabilities and Execution Flow

When executing on a compromised system, D0glun follows a methodical process:

  1. Initial setup: Creates mutex “hsfjuukjzloqu28oajh727190” to prevent multiple instances from running
  2. System reconnaissance: Collects system information, installed software details, and network configuration
  3. Credential harvesting: Attempts to extract credentials from FTP clients, VNC software, browsers, and email applications
  4. Defense evasion: Disables Windows Defender, modifies security settings, and employs anti-debugging techniques
  5. Persistence establishment: Creates registry entries to ensure execution after system restart
  6. Backup destruction: Executes “vssadmin delete shadows /all /quiet” to remove shadow copies
  7. File encryption: Systematically encrypts over 200 file types including documents, images, databases across local drives and network shares
  8. Ransom note deployment: Drops ransom notes in each directory and changes desktop wallpaper
  9. Self-cleanup: Deletes artifacts and potentially removes itself after encryption is complete

Windows Explorer showing files encrypted by D0glun ransomware with the .@D0glun@ extension appended
Files encrypted by D0glun ransomware showing the distinctive .@D0glun@ extension pattern

D0glun avoids encrypting files with specific extensions to maintain system functionality:

  • .dat – Common data files needed by many applications
  • .dll – Dynamic Link Libraries required for system operation
  • .exe – Executable files that may be needed to run processes
  • .ini – Configuration files for Windows and applications
  • .log – System log files that track events
  • .sys – System files critical for operating system function

Analysis of sample hash a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a reveals that D0glun uses a sophisticated multi-stage infection process linked to the Confluence exploit:

  1. Initial exploitation of CVE-2023-22518 to create admin credentials
  2. Execution of PowerShell scripts to download the main ransomware payload (typically named “svcPrvinit.exe”)
  3. Deployment via C&C servers at 193.176.179.41 and 193.43.72.11
  4. Execution with command-line parameters for silent operation

Encryption Methodology

D0glun employs a sophisticated encryption strategy:

  1. Generates a unique AES-256 symmetric key for file encryption
  2. Encrypts the AES key using an embedded RSA-2048 public key
  3. Only the threat actors possess the corresponding private RSA key needed for decryption
  4. Creates identifiable patterns in encrypted files to verify ownership during ransom negotiation

This approach makes decryption impossible without obtaining the private key from the attackers, as the asymmetric RSA encryption securely protects the symmetric AES key used for file encryption.

Ransom Note Analysis

The D0glun ransom note appears in Chinese, creating additional complications for victims without Chinese language support on their systems. Translation reveals several notable elements:

Your files are encrypted.

What's wrong with my computer?
I've encrypted some of your files.
File types include ZIP|TXT|PNG|JPG|PDF|DOC|and other common file formats.
---------- ---------- ------
Please do not try any antivirus software before decryption, otherwise I can not guarantee the safety of your files!
-------------------------------------------------------
How do I recover my important files?
--------------------------------------
Files with @D0GLUN@+source file suffix.
Such files can only be decrypted by our decryption service.
Trying any other decryption method will be futile.
Please visit our Dark Web site and we will provide you with a specialized decryption service.
Of course, there is a fee for this service
======================================
Can we really decrypt it?
======================================
We will honor our word of honor
We can decrypt a small part of your file for free
to prove that we can actually decrypt it!

---------- ----------
Please download the Tor Browser to your right


Then visit the following address
-
Contact us for help
In the lower right corner is my BTC collection address

Key ransom note elements include:

  • Claims that antivirus will damage encrypted files (false intimidation tactic)
  • TOR onion address: hxxp://33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad.onion
  • Bitcoin wallet address: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH
  • QQ communication channel: 424714982
  • Telegram contact: https://t.me/CXL13131

The ransom note follows patterns similar to Cheng Xilun, further confirming the relationship between these ransomware families. The attackers typically offer to decrypt a small sample file to demonstrate their capability to restore data.

MITRE ATT&CK Techniques

D0glun employs various techniques mapped to the MITRE ATT&CK framework:

  • T1486: Data Encrypted for Impact – Primary ransomware function to encrypt victim files
  • T1490: Inhibit System Recovery – Deletion of shadow copies and backup mechanisms
  • T1082: System Information Discovery – Collection of system details to tailor the attack
  • T1562.001: Disable or Modify Tools – Disabling security software to evade detection
  • T1083: File and Directory Discovery – Enumeration of files for targeting
  • T1112: Modify Registry – Creation of registry entries for persistence
  • T1059.001: PowerShell – Use of PowerShell scripts for execution
  • T1047: Windows Management Instrumentation – Leveraging WMI for system manipulation
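To show how the execution flow and the ATT&CK mapping above translate into detection logic, here is an added example that is not part of the Gridinsoft write-up: a small rule engine run over constructed endpoint telemetry. The telemetry lines are made-up `key=value` records, not output of any real EDR product; the indicators the rules use (the mutex name, the `vssadmin delete shadows /all /quiet` command, the `svcPrvinit.exe` payload name, and the `.@D0glun@` / `@zero_d0glun_` extension patterns) are the ones quoted in this article, and the per-host burst threshold is an assumption to tune.

```python
"""Detect D0glun behaviours described in the article in constructed endpoint telemetry.

Added example, not from the Gridinsoft write-up. Records are key=value lines
(values may be double-quoted); this format is invented for the example.
"""
import re
from collections import Counter

# Indicators quoted in the article.
MUTEX_NAME = "hsfjuukjzloqu28oajh727190"
PAYLOAD_NAME = "svcprvinit.exe"
EXTENSION_PATTERNS = re.compile(r"\.@D0glun@|@zero_d0glun_", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.IGNORECASE)


def parse_record(line: str) -> dict:
    """Parse one constructed key=value telemetry line into a dict."""
    rec = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return rec


def classify(rec: dict) -> list:
    """Return (technique, description) pairs matched by one record."""
    hits = []
    event = rec.get("event")
    if event == "process_create":
        if rec.get("image", "").lower().endswith(PAYLOAD_NAME):
            hits.append(("D0glun-payload", "process name matches the reported D0glun payload"))
        if SHADOW_DELETE.search(rec.get("cmd", "")):
            hits.append(("T1490", "shadow copies deleted via vssadmin"))
    elif event == "mutex_create" and rec.get("name") == MUTEX_NAME:
        hits.append(("D0glun-mutex", "D0glun run-once mutex created"))
    elif event in ("file_rename", "file_create") and EXTENSION_PATTERNS.search(rec.get("path", "")):
        hits.append(("T1486", "file written with a D0glun encrypted-file extension"))
    return hits


def scan(lines: list) -> list:
    """Run every rule over every line; returns (line_index, technique, description, host)."""
    alerts = []
    for i, line in enumerate(lines):
        rec = parse_record(line)
        for tech, desc in classify(rec):
            alerts.append((i, tech, desc, rec.get("host", "?")))
    return alerts


def encryption_burst_hosts(alerts: list, threshold: int = 2) -> list:
    """Hosts with at least `threshold` T1486 hits; the threshold is an assumption to tune."""
    counts = Counter(host for _, tech, _, host in alerts if tech == "T1486")
    return sorted(h for h, n in counts.items() if n >= threshold)


# Constructed telemetry (not real EDR output); paths and timestamps are made up.
SAMPLE_LOG = [
    r'ts=2025-03-12T10:01:02Z host=WS01 event=process_create image="C:\Users\Public\svcPrvinit.exe" cmd="svcPrvinit.exe" parent="powershell.exe"',
    r'ts=2025-03-12T10:01:03Z host=WS01 event=mutex_create name=hsfjuukjzloqu28oajh727190 pid=4120',
    r'ts=2025-03-12T10:01:05Z host=WS01 event=process_create image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin delete shadows /all /quiet" parent="svcPrvinit.exe"',
    r'ts=2025-03-12T10:01:09Z host=WS01 event=file_rename path="C:\Users\alice\Documents\report.@D0glun@docx" pid=4120',
    r'ts=2025-03-12T10:01:09Z host=WS01 event=file_rename path="C:\Users\alice\Pictures\photo.@zero_d0glun_jpg" pid=4120',
    r'ts=2025-03-12T10:02:00Z host=WS02 event=process_create image="C:\Windows\explorer.exe" cmd="explorer.exe" parent="userinit.exe"',
    r'ts=2025-03-12T10:02:01Z host=WS02 event=file_create path="C:\Users\bob\notes.txt" pid=2200',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("hosts with encryption burst:", encryption_burst_hosts(found))
```

The shadow-copy and extension rules are the ones worth keeping generic: the mutex and payload name change between builds, while `vssadmin delete shadows` followed by a burst of renames to an unknown extension on one host is the pattern that should page someone regardless of which family produced it.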

Protection and Remediation

If your system becomes infected with D0glun ransomware, follow these essential steps:

Immediate Response

  1. Immediately disconnect from all networks to prevent spread to other systems
  2. Disconnect external storage devices
  3. Document the ransomware attack details (ransom note, encrypted file examples, contact information)
  4. Report the incident to local law enforcement and national cybersecurity agencies

Ransomware Removal

To remove D0glun ransomware, use specialized security software that can detect and eliminate this threat:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it; once it finishes, your system will be as clean as new.

Removal finished

Note that removing the ransomware only prevents further file encryption; it does not recover already encrypted files.

File Recovery Options

Currently, no free decryptor exists for D0glun ransomware. Your recovery options include:

  • Restore from backups: The most reliable recovery method is restoring from clean, disconnected backups
  • Shadow Volume Copies: If not deleted by the ransomware, Windows Shadow Copies might contain previous versions of files
  • Cloud storage versions: Services like OneDrive, Google Drive, and Dropbox may have previous file versions if versioning was enabled
  • Data recovery tools: In some cases, specialized tools like EaseUS Data Recovery might be able to recover fragments of files

Security experts and law enforcement agencies strongly advise against paying the ransom, as payment:

  • Does not guarantee file recovery
  • Finances criminal operations
  • Marks you as a willing payer, potentially leading to future attacks

Prevention Strategies

Implement these security measures to protect against D0glun and similar ransomware:

  • Patch management: Apply security updates promptly, especially for Confluence and remote access technologies
  • Immutable backups: Maintain a 3-2-1 backup strategy (3 copies, 2 different media types, 1 off-site) on write-once media
  • Email security: Implement advanced anti-phishing protection and user awareness training
  • Network security: Secure RDP access with multi-factor authentication and limit external exposure
  • Endpoint protection: Deploy modern anti-malware solutions with behavioral detection capabilities
  • Least privilege: Restrict user permissions to reduce the impact of successful attacks
  • Network segmentation: Isolate critical systems to limit lateral movement
  • Application control: Implement application whitelisting to prevent unauthorized executables
  • Network monitoring: Deploy intrusion detection systems to identify unusual activity

Organizations should also develop and regularly test incident response plans specific to ransomware attacks to minimize recovery time and data loss.

Technical Indicators of Compromise (IOCs)

Security teams should monitor for these D0glun indicators:

File Hashes (SHA-256):
3eb7f1dd0274bd4ffcdf463876ab547503f9e6120db22c5e1923fe16cab71b50
a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a
d6d55a8fbd1c603719fe611e572e2431512e7063c44896f705524dab66234d45
f549ae8d509dab97f2d8b12ecf344c72ab2e715b2667e78d8fdd892eb6a459de
bec9d2dcd9565bb245f5c8beca4db627390bcb4699dd5da192cc8aba895e0e6a

IP Addresses:
193.176.179.41
193.43.72.11
45.145.6.112

File Extensions:
.@D0glun@<original extension>
.<original extension>.@d0glun@<original extension>
.<original extension>.@zero_d0glun_<original extension>

Ransom Note Files:
@[email protected]
Desktopcxl.txt
help.exe

Mutex:
hsfjuukjzloqu28oajh727190

Communication:
TOR: http://33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad.onion
QQ: 424714982
Telegram: https://t.me/CXL13131
BTC: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH

Process Names:
svcPrvinit.exe
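
To turn the list above into something a SOC can run, here is an added Python helper (not from the original post) that matches file names against the three D0glun extension patterns, flags the dropped file names, and compares SHA-256 hashes against the samples listed. The file listing at the bottom is constructed for the example.

```python
import hashlib
import re

# Indicators copied from the IOC list above: SHA-256 of known samples,
# ransom-note / dropper names and the mutex string.
D0GLUN_SHA256 = {
    "3eb7f1dd0274bd4ffcdf463876ab547503f9e6120db22c5e1923fe16cab71b50",
    "a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a",
    "d6d55a8fbd1c603719fe611e572e2431512e7063c44896f705524dab66234d45",
    "f549ae8d509dab97f2d8b12ecf344c72ab2e715b2667e78d8fdd892eb6a459de",
    "bec9d2dcd9565bb245f5c8beca4db627390bcb4699dd5da192cc8aba895e0e6a",
}
D0GLUN_FILENAMES = {"desktopcxl.txt", "help.exe", "svcprvinit.exe"}
D0GLUN_MUTEX = "hsfjuukjzloqu28oajh727190"

# The three extension patterns from the IOC list as regexes. Group 1 is the
# original extension; the backreference enforces the repeated extension.
# The repeated forms are checked first because the simple ".@d0glun@ext"
# form is a suffix of the repeated form.
EXTENSION_PATTERNS = [
    ("d0glun_repeat", re.compile(r"\.([a-z0-9]+)\.@d0glun@\1$", re.IGNORECASE)),
    ("zero_d0glun", re.compile(r"\.([a-z0-9]+)\.@zero_d0glun_\1$", re.IGNORECASE)),
    ("d0glun_simple", re.compile(r"\.@d0glun@([a-z0-9]+)$", re.IGNORECASE)),
]


def classify_filename(name):
    """Return (pattern_label, original_extension) if the file name carries a
    D0glun extension, else None."""
    for label, pattern in EXTENSION_PATTERNS:
        match = pattern.search(name)
        if match:
            return label, match.group(1).lower()
    return None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def scan_listing(entries):
    """entries: iterable of (path, content_bytes_or_None). Returns a list of
    (path, reason) findings covering encrypted-file names, dropped files and
    known sample hashes. Content may be None when only the name is known."""
    findings = []
    for path, content in entries:
        base = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
        hit = classify_filename(base)
        if hit:
            findings.append((path, f"encrypted-name:{hit[0]} (was .{hit[1]})"))
        if base.lower() in D0GLUN_FILENAMES:
            findings.append((path, "dropped-file-name"))
        if content is not None and sha256_hex(content) in D0GLUN_SHA256:
            findings.append((path, "known-sample-hash"))
    return findings


def mutex_is_d0glun(name):
    """Match a mutex name (for example from a sandbox report) against the IOC."""
    return name == D0GLUN_MUTEX


# Constructed listing for the example; paths and contents are invented.
SAMPLE_LISTING = [
    ("C:/Users/alice/Documents/report.docx.@d0glun@docx", None),
    ("C:/Users/alice/Pictures/photo.@D0glun@jpg", None),
    ("C:/Data/db.sql.@zero_d0glun_sql", None),
    ("C:/Users/alice/Desktop/Desktopcxl.txt", b"constructed ransom note"),
    ("C:/Users/alice/Documents/notes.txt", b"harmless content"),
]

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE_LISTING):
        print(f"{reason:40s} {path}")
```

Hash matching only fires when you feed the file contents; name matching alone is enough to confirm an encryption event on a share listing or EDR telemetry.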

Conclusion

D0glun ransomware represents a continuing evolution of the Babuk/Cheng Xilun ransomware lineage with significant technical enhancements. Its emergence in 2025 and recent exploitation of Confluence vulnerabilities demonstrates how threat actors recycle, modify, and improve existing ransomware code to create new threats. The Chinese language elements and possible connection to North Korean actors (based on similar TTPs observed in other campaigns) suggest a complex attribution picture that continues to evolve.

Organizations must maintain strong security postures, implement comprehensive backup strategies, and deploy modern endpoint protection solutions like GridinSoft Anti-Malware to defend against these evolving threats. For additional protection against online threats, consider using the Website Reputation Checker to verify the safety of web resources before access.

Is D0glun ransomware targeting specific industries?

Yes, D0glun primarily targets manufacturing, healthcare, and business services sectors. Most infections have been reported in North America and Europe, but the ransomware has global reach including South America, Africa, and Asia. Organizations in these industries should implement enhanced security measures including offline backups, network segmentation, and advanced endpoint protection. The recent campaign targeting Confluence servers has particularly affected organizations that haven’t patched CVE-2023-22518.

Can files encrypted by D0glun be recovered without paying the ransom?

Currently, no free decryption tool exists for D0glun ransomware. The most reliable recovery method is restoring from clean backups that were disconnected or stored separately from the infected system. Other potential recovery options include checking for Windows Shadow Volume Copies (if not deleted by the ransomware) or previous versions in cloud storage services. Security experts strongly advise against paying the ransom, as payment does not guarantee file recovery and finances criminal operations. The AES-256 encryption with RSA-2048 key protection makes brute-force decryption computationally infeasible.

What is the relationship between D0glun and earlier ransomware variants?

D0glun is directly related to the Babuk and Cheng Xilun ransomware families, following the lineage: Babuk → Cheng Xilun → D0glun. Technical analysis confirms similarities in code structure, encryption methods (AES-256), execution patterns, and ransom note formats. Cheng Xilun first appeared in April 2020, while D0glun emerged in January 2025, suggesting either the return of the original threat actor under a new alias or a different individual with access to the Cheng Xilun codebase. The ransomware has been significantly enhanced with new exploitation techniques, particularly targeting Confluence servers through CVE-2023-22518.

How does D0glun exploit the Confluence vulnerability?

D0glun exploits CVE-2023-22518, an improper authorization vulnerability in Confluence Data Center and Server. This vulnerability allows unauthenticated attackers to reset Confluence and create administrator accounts. Once administrative access is obtained, the attackers execute PowerShell commands to download and run the ransomware payload, typically named “svcPrvinit.exe”, from command and control servers. This attack vector first emerged in early November 2023, just one day after the vulnerability was disclosed, and has been incorporated into D0glun’s arsenal in 2025. Organizations should immediately patch Confluence installations and implement network segmentation to limit potential damage.

CVE-2025-32395 Vite Vulnerability Exposes Sensitive Files
https://gridinsoft.com/blogs/vite-vulnerability-exposes-sensitive-files/
Published: Mon, 14 Apr 2025 14:50:06 +0000

A newly discovered Vite vulnerability, a widely used frontend development tool, has been assigned the identifier CVE-2025-32395. This flaw affects development servers running in Node or Bun environments and can potentially expose arbitrary file contents to unauthorized users.

CVE-2025-32395 Vite Vulnerability Exposes Sensitive Files

A recent post by a cybersecurity researcher drew attention to a newly identified vulnerability, CVE-2025-32395, in Vite, a popular frontend development server. The vulnerability may affect more than 286,000 exposed Vite services worldwide. Despite being described in some places as a Denial of Service flaw, the technical evidence confirms that it is more accurately an information disclosure vulnerability.

Vite is a modern front-end development tool designed to provide a fast and efficient development experience for web applications. It features a development server that serves source files over native ES modules, with Hot Module Replacement (HMR) for quick updates, and uses Rollup for production builds.

Vite Arbitrary File Read Vulnerability Details

The vulnerability, tracked as CVE-2025-32395, affects Vite’s development server when running on Node or Bun runtimes and exposed to the network. According to the National Vulnerability Database, the issue allows the contents of arbitrary files to be returned to the browser, bypassing the server.fs.deny configuration. The issue arises from how Vite handles malformed HTTP requests containing the # symbol in the request target.

According to the HTTP/1.1 standard (RFC 9112), the # character is not permitted in the request target and should be rejected by compliant servers. However, when Vite runs on Node or Bun, these platforms do not properly validate or reject such malformed requests. Instead, they pass them through to the application layer, allowing unexpected behavior.

Vite’s internal file-serving mechanism uses the configuration option server.fs.deny to block access to sensitive files. However, when handling requests that contain invalid characters like #, this validation is bypassed. As a result, an attacker can craft a request to access files that should be restricted. These may include environment configuration files, source code, or any other files located outside the permitted directory scope.

Proof of Concept Exploit Released

The flaw instantly got much more dangerous, as a PoC exploit was released to demonstrate the significant potential behind the flaw. Published on GitHub, it shows how an attacker could exploit it to read arbitrary files. The process begins by creating a new Vite project using npm create vite@latest, moving into the project directory, installing dependencies with npm install, and starting the development server with npm run dev.

Vite vulnerability PoC GitHub
CVE-2025-32395 Proof of Concept Exploit

Once the server is running, the attacker can send a specially crafted HTTP request, for example using curl --request-target /@fs/../../../../../etc/passwd http://127.0.0.1:5173. This demonstrates that by manipulating the request-target with relative paths and a # character, the attacker can bypass the server.fs.deny restriction and gain access to sensitive files like /etc/passwd. This also confirms the issue as an information disclosure vulnerability, not a denial-of-service problem.

Potential Impact and Risks

Reports suggest a significant number of services may be affected, with claims of over 286,000 services potentially exposed yearly. This statistic likely stems from scans using internet-wide search platforms, which can identify Vite development servers by searching for patterns like body="/@vite/client" in HTTP responses. Given Vite's widespread use, especially in development environments, this number seems plausible.

CVE-2025-32395 Flaw Short Description

Requirements: Malformed HTTP request with a "#" character in the request target.
Authentication level: No authentication required.
Impact: Bypass of the server.fs.deny configuration, arbitrary file read.
Affected software: Vite development servers running on Node.js or Bun.

The exposure of development servers to the internet poses a confidentiality risk, as attackers could access sensitive files such as configuration files, source code, API keys, or other confidential data. This is particularly dangerous for applications explicitly configured with the --host flag or the server.host option, which makes them accessible over the network. The impact is less about service disruption and more about unauthorized data access.

Controversy About DoS Attack

Despite the clear classification as an information disclosure vulnerability, some publications have labeled it as a Denial-of-Service attack. A DoS attack typically aims to disrupt service availability, such as by overwhelming the server or causing it to crash. On the other hand, CVE-2025-32395 allows unauthorized file access, which is a confidentiality breach. The confusion may arise from the potential secondary effect: if an attacker sends a large number of requests exploiting this vulnerability, it could lead to resource exhaustion, indirectly causing a denial of service. However, the primary nature of the vulnerability is information disclosure, as confirmed by the NVD and GitHub sources.

Mitigation Strategies & Protection

To mitigate this vulnerability, users should start by updating Vite to one of the fixed versions — 6.2.6, 6.1.5, 6.0.15, 5.4.18, or 4.5.13 — as these versions include a patch that properly blocks invalid requests. It’s also important to make sure the Vite development server isn’t accessible from the public internet. Ideally, it should only be reachable via localhost or be protected behind a firewall within a secure network.

Additionally, users should scan for any unintentional exposure by using search tools. Finally, it’s a good practice to regularly audit server configurations, especially in development environments, to catch anything that might have been accidentally left open.
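
As an added example (not Vite's own code), here is a request-target validator and path-containment check written in Python. It shows the two layers a dev-server fix of this kind needs: refuse any request target that cannot be valid under RFC 9112 (a #, a control byte or whitespace) with a 400 before anything touches the filesystem, and only then decode the path, confine it to the project root and apply deny rules. The deny rules mirror Vite's documented server.fs.deny defaults as I understand them and should be treated as an assumption; the /@fs/ handling is simplified to "absolute path that must still sit inside the root".

```python
import posixpath
import re
from urllib.parse import unquote

# RFC 9112 origin-form request-target is absolute-path [ "?" query ].
# '#' (the CVE-2025-32395 trigger), whitespace and control bytes can never
# appear there, so such requests are refused before any filesystem logic runs.
_INVALID_TARGET_CHARS = re.compile(r"[#\x00-\x20\x7f]")


def is_valid_request_target(target):
    return (
        isinstance(target, str)
        and target.startswith("/")
        and not _INVALID_TARGET_CHARS.search(target)
    )


def is_denied_path(abs_path):
    """Deny rules modelled on Vite's documented server.fs.deny defaults
    ('.env', '.env.*', '*.{crt,pem}', '**/.git/**'); assumption, adjust to
    the project's own configuration."""
    base = posixpath.basename(abs_path)
    if base == ".env" or base.startswith(".env."):
        return True
    if base.endswith((".crt", ".pem")):
        return True
    return ".git" in abs_path.split("/")


def resolve_served_path(target, root):
    """Map a request target to the file that may be served.
    Returns (status, abs_path): 400 for malformed targets, 403 for paths
    outside root or matching the deny list, 200 for a servable file."""
    if not is_valid_request_target(target):
        return 400, None
    pathname = unquote(target.split("?", 1)[0])
    if "\x00" in pathname:          # NUL smuggled through percent-encoding
        return 400, None
    root = root.rstrip("/") or "/"
    prefix = root if root == "/" else root + "/"
    # "/@fs/<abs>" is the absolute-path form; everything else is root-relative.
    # normpath collapses "..", so traversal is resolved before the containment
    # check rather than matched as a string.
    if pathname.startswith("/@fs/"):
        abs_path = posixpath.normpath("/" + pathname[len("/@fs/"):])
    else:
        abs_path = posixpath.normpath(posixpath.join(root, pathname.lstrip("/")))
    if abs_path != root and not abs_path.startswith(prefix):
        return 403, abs_path
    if is_denied_path(abs_path):
        return 403, abs_path
    return 200, abs_path


if __name__ == "__main__":
    for t in ["/src/main.js?import", "/.env", "/@fs/../../../../../etc/passwd",
              "/@fs/../../../../../etc/passwd#", "/%2e%2e/etc/passwd"]:
        print(t, "->", resolve_served_path(t, "/proj"))
```

The order matters: the syntactic check on the raw request target comes first, because a runtime that forwards a target containing # has already violated the spec, and any later parsing step that treats # as a fragment delimiter would see a different path than the file-serving code.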

Google Releases Two Android Zero-Day Fixes, Exploited in the Wild
https://gridinsoft.com/blogs/two-android-zero-day-vulnerabilities-fix/
Published: Thu, 10 Apr 2025 19:41:25 +0000

Google addressed two critical Android zero-day vulnerabilities in Android, identified as CVE-2024-53150 and CVE-2024-53197, through the April 2025 security update. These vulnerabilities were actively exploited, meaning attackers used them in real-world scenarios before the patch.

Google Releases Fixes for Two Android Zero-Day Flaws

On April 8, 2025, Google released its monthly Android security bulletin, patching 62 vulnerabilities, with a focus on two zero-day flaws that were under active exploitation. Zero-day vulnerabilities are particularly concerning as they are exploited before developers can identify and patch them, often by sophisticated actors such as government agencies or cybercriminals. The timing of this update, aligning with the first Monday of April, follows Google’s standard practice, as noted in Android Security Bulletins Overview.

The vulnerabilities, tracked as CVE-2024-53150 and CVE-2024-53197, were part of the Linux kernel's USB-audio driver, a critical component handling audio over USB connections. This location in the kernel makes them especially dangerous, as kernel-level exploits can bypass many security layers, potentially leading to full device compromise. Because Android is built on the Linux kernel, these flaws affect it as well.

New Android Vulnerabilities: Key Facts

To understand these vulnerabilities, we looked into the National Vulnerability Database (NVD) and related reports. Here’s a breakdown of each issue, including technical details and potential impact.

CVE-2024-53150
  Date of discovery: Late 2024
  Fix date: April 8, 2025
  Cause: Out-of-bounds read in the USB-audio driver due to insufficient length checks on clock descriptors
  Vulnerable versions: Android versions prior to the April 2025 patch (e.g., 12, 13, 14, 15) with an unpatched Linux kernel

CVE-2024-53197
  Date of discovery: Late 2024
  Fix date: April 8, 2025
  Cause: Out-of-bounds write in the USB-audio driver due to improper bounds checking on bNumConfigurations
  Vulnerable versions: Android versions prior to the April 2025 patch (e.g., 12, 13, 14, 15) with an unpatched Linux kernel

The first one, CVE-2024-53150, is an out-of-bounds read in the USB-audio driver, specifically in the ALSA (Advanced Linux Sound Architecture) component of the Linux kernel. Its CVSS score is 7.8, so it’s considered high severity. The problem occurs when the driver traverses clock descriptors—it doesn’t properly check the length (bLength) of each descriptor. A malicious device can exploit this by sending a bogus descriptor that’s too short, causing the driver to read beyond the allocated memory.

According to the vulnerability list entry, this was fixed by adding sanity checks to the validator functions to skip descriptors that don’t meet the minimum length requirements. Out-of-bounds reads can leak sensitive memory data, including user info or system-level secrets. This type of attack would typically be launched through a malicious USB device. Although there aren’t many details on real-world exploitation, reports indicate it’s been used in targeted attacks—likely alongside other bugs for greater effect.

The second vulnerability, CVE-2024-53197, is an out-of-bounds write—again in the USB-audio driver. Like the previous CVE, this one also scores a 7.8 on the CVSS scale, and worse—it’s a zero-click exploit. This one involves handling certain devices like the Extigy and Mbox. Here, an attacker can manipulate the bNumConfigurations value to exceed what the driver expects. That leads to out-of-bounds writes during configuration allocation.

The issue was patched by implementing proper bounds checks in the usb_get_configuration function. This flaw can be used for privilege escalation, potentially letting attackers inject and run arbitrary code in the kernel—yes, with full system privileges. No user interaction is required.
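
To make the descriptor-length issue behind CVE-2024-53150 concrete, here is an added Python model (not kernel code, and not the driver's actual logic) of a UAC2 clock-source lookup. walk_descriptors steps through a descriptor blob using bLength and stops on impossible values; find_clock_source applies the kind of sanity check the fix adds, skipping clock descriptors shorter than the 8 bytes the UAC2 specification defines for a clock-source descriptor, while find_clock_source_unchecked shows what happens without it: on a 3-byte bogus descriptor it reads bClockID from the bytes of the following descriptor, which is the out-of-bounds read the CVE describes (in C that read can run past the buffer; in Python it becomes an IndexError at the end of the buffer). The sample blob is constructed for the example.

```python
USB_DT_CS_INTERFACE = 0x24     # class-specific interface descriptor
UAC2_CLOCK_SOURCE = 0x0A       # bDescriptorSubtype of a UAC2 clock source
# bLength, bDescriptorType, bDescriptorSubtype, bClockID, bmAttributes,
# bmControls, bAssocTerminal, iClockSource
UAC2_CLOCK_SOURCE_LEN = 8


def walk_descriptors(buf):
    """Yield (offset, bLength, bDescriptorType) for each descriptor.
    Stops on anything that cannot be real: bLength < 2 (stepping by 0 would
    loop forever) or a descriptor claiming more bytes than remain."""
    off = 0
    while off + 2 <= len(buf):
        length, dtype = buf[off], buf[off + 1]
        if length < 2 or off + length > len(buf):
            return
        yield off, length, dtype
        off += length


def find_clock_source(buf, clock_id):
    """Return (offset, skipped_short). offset is the clock-source descriptor
    carrying clock_id, or None. Clock descriptors shorter than their defined
    size are counted and skipped instead of being parsed; every field read
    below stays inside the descriptor's own bLength."""
    skipped = 0
    for off, length, dtype in walk_descriptors(buf):
        if dtype != USB_DT_CS_INTERFACE or length < 3:
            continue
        if buf[off + 2] != UAC2_CLOCK_SOURCE:
            continue
        if length < UAC2_CLOCK_SOURCE_LEN:
            skipped += 1
            continue
        if buf[off + 3] == clock_id:
            return off, skipped
    return None, skipped


def find_clock_source_unchecked(buf, clock_id):
    """The pre-fix behaviour: bClockID is read without checking bLength, so a
    short descriptor makes the lookup read the next descriptor's bytes."""
    for off, length, dtype in walk_descriptors(buf):
        if (dtype == USB_DT_CS_INTERFACE
                and buf[off + 2] == UAC2_CLOCK_SOURCE
                and buf[off + 3] == clock_id):
            return off
    return None


# Constructed descriptor blob: a 3-byte bogus clock-source descriptor, a
# valid one with bClockID 0x10, then an unrelated class-specific descriptor.
SAMPLE = bytes([
    0x03, 0x24, 0x0A,
    0x08, 0x24, 0x0A, 0x10, 0x03, 0x07, 0x00, 0x00,
    0x05, 0x24, 0x02, 0x01, 0x02,
])

if __name__ == "__main__":
    print("checked, id 0x10:", find_clock_source(SAMPLE, 0x10))      # (3, 1)
    print("checked, id 0x08:", find_clock_source(SAMPLE, 0x08))      # (None, 1)
    print("unchecked, id 0x08:", find_clock_source_unchecked(SAMPLE, 0x08))  # 0
```

The unchecked variant "finds" clock 0x08 at offset 0 because the byte it takes for bClockID is really the bLength of the next descriptor; a hostile device controls both values, which is why the fix validates length before any field access.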

Amnesty International reported that this Android zero-day vulnerability was part of a real-world exploit chain used by Serbian authorities in December 2024. The target? A student activist’s Android phone. But more on that next. The exploit chain included this CVE along with CVE-2024-53104 and CVE-2024-50302, both of which had been patched earlier. This points to a coordinated attack likely involving commercial surveillance tools, such as those provided by Cellebrite.

Real-World Exploitation and Targeted Attacks Suggested

Some reports confirm that both Android zero-day vulnerabilities were used in “limited, targeted exploitation,” likely by state actors or advanced persistent threat groups. The case of the Serbian student activist is particularly notable, where local authorities used these flaws to attempt spyware installation, highlighting the geopolitical implications of such vulnerabilities.

So, government-backed actors are leveraging these flaws for surveillance, which adds a layer of complexity, especially for activists and journalists who may be targeted. It also raises questions about the role of forensic tool providers like Cellebrite, which was implicated in developing the exploit chain and subsequently barred Serbia from using its products, as noted in Candid Technology.

From a technical standpoint, both Android zero-day vulnerabilities highlight the challenges of securing kernel-level components, particularly those interfacing with hardware like USB. The USB-audio driver’s complexity, handling various device types, makes it a frequent target, as seen with previous vulnerabilities like CVE-2024-53104, patched in February 2025. Policy-wise, the exploitation by state actors raises concerns about digital rights and privacy, especially in authoritarian contexts.

Mitigation and User Guidance

Google acted quickly in response to these vulnerabilities, releasing patches as part of the April 2025 security update. Devices that have been updated to this patch level are protected. The update includes two patch levels: 2025-04-01 and 2025-04-05.

To stay safe, users are strongly encouraged to take a few important steps. First, check for and install the latest security updates on your Android device. Make sure your patch level is 2025-04-05 or later to ensure you’re covered.

Second, be extra cautious with USB connections — especially when plugging into unfamiliar or untrusted devices. These Android zero-day vulnerabilities are tied to the USB stack, so it’s not the best time to be adventurous with random charging stations.

GorillaBot: Advanced Mirai Variant Targeting IoT Devices with Enhanced DDoS Capabilities
https://gridinsoft.com/blogs/gorillabot-analysis/
Published: Wed, 09 Apr 2025 07:22:22 +0000

GorillaBot is a sophisticated botnet malware that has been making headlines for its aggressive DDoS attacks. Building on the infamous Mirai botnet framework, this evolved threat targets internet-connected devices with advanced evasion techniques and encryption methods. This analysis breaks down GorillaBot’s technical features, attack vectors, and provides actionable protection measures.



Mirai-based botnet malware targeting IoT devices with advanced DDoS capabilities and evasion techniques

GorillaBot Overview: Key Threat Information

GorillaBot is a recently identified botnet, classified as a variant of the Mirai botnet, which gained notoriety for its role in large-scale Distributed Denial of Service (DDoS) attacks. Mirai, first discovered in 2016, primarily targets internet-connected devices like IoT cameras and routers, exploiting weak or default passwords to build its botnet.

Malware type: Botnet, DDoS malware
Based on: Mirai botnet
Targeted platforms: IoT devices (ARM, MIPS, x86_64, x86)
Discovery date: 2023
Attack campaign: Over 300,000 attacks across 100+ countries (September 2023)
Primary attack vector: Exploitation of default credentials and vulnerable IoT devices
Primary function: DDoS attacks against high-value targets

The release of Mirai’s source code has led to numerous variants, with GorillaBot emerging as a significant threat in 2023, launching over 300,000 attacks across more than 100 countries between September 4 and September 27, 2023. These attacks targeted critical sectors including telecommunications, financial institutions, and education.

GorillaBot geographical attack distribution showing targeted countries and sectors
Geographic distribution of GorillaBot attacks across targeted countries (source: ANY.RUN)

This malware appears to reuse Mirai’s core logic for DDoS attacks, such as command parsing and communication with control servers. However, it enhances these with custom encryption methods and includes anti-debugging features to evade detection. This makes it a more sophisticated threat compared to the original Mirai.

Technical Analysis of GorillaBot

Security researchers at ANY.RUN have published a detailed analysis of this threat. Our focus here is on the key technical aspects that differentiate GorillaBot from the original Mirai while making it more dangerous and difficult to detect.

Code Reuse and Architecture Support

GorillaBot inherits much of its functionality from Mirai, focusing on DDoS attacks. Analysis of its binary reveals that it supports multiple system architectures:

  • ARM – Common in routers and IoT devices
  • MIPS – Found in older network devices
  • x86_64 – Standard 64-bit PC architecture
  • x86 – 32-bit PC architecture

This multi-architecture support enables GorillaBot to infect a wide range of devices, maximizing its potential botnet size and DDoS capability.

Command and Control Infrastructure

The botnet establishes connections with command and control (C2) servers, a practice mirrored from Mirai, but with significant modifications:

  • Raw TCP Socket Communication – Uses raw TCP sockets instead of HTTP requests for enhanced stealth
  • 32-bit Length-Prefixed Protocol – Sends the packet length as a 4-byte (uint32_t) value followed by the buffer itself
  • Custom Encryption – Implements proprietary encryption methods not present in original Mirai

The communication protocol between bot and C2 server follows this pattern:

// Simplified representation of GorillaBot's C2 communication
uint32_t buffer_len = htonl(packet_length);
send(fd, &buffer_len, sizeof(uint32_t), MSG_NOSIGNAL);
send(fd, encrypted_packet, packet_length, MSG_NOSIGNAL);

Attack Command Parsing

GorillaBot reuses Mirai’s core logic for parsing attack commands. It implements a function similar to Mirai’s attack_parse that processes incoming commands from the C2 server:

// Pseudocode based on analysis of GorillaBot's attack parsing
void attack_parse(char *buf) {
    int argc = 0;
    char *args[MAX_ARGS+1];
    
    // Tokenize command
    args[argc++] = buf;
    while (argc <= MAX_ARGS) {
        char *delim = strchr(args[argc-1], ' ');
        if (delim == NULL)
            break;
        *delim++ = 0;
        args[argc++] = delim;
    }
    
    // Process attack command
    if (!strcmp(args[0], "UDP"))
        attack_udp(args);
    else if (!strcmp(args[0], "TCP"))
        attack_tcp(args);
    // Additional attack types...
}

This function supports both simple commands and those with extended options, allowing the botnet operators to fine-tune attack parameters.

DDoS Attack Capabilities

GorillaBot’s primary purpose is launching DDoS attacks. It supports up to 19 different attack vectors, significantly more than the original Mirai:

  • UDP Flood – Sends large volumes of UDP packets to targeted systems. Impact: server resource exhaustion
  • ACK BYPASS Flood – Uses ACK packets to bypass stateful firewalls. Impact: firewall circumvention, network congestion
  • SYN Flood – Exploits the TCP handshake with partial connections. Impact: service unavailability
  • HTTP Flood – Overwhelms web servers with HTTP requests. Impact: web service disruption
  • DNS Amplification – Exploits DNS servers to amplify attack volume. Impact: bandwidth exhaustion

Key Enhancements Over Mirai

Despite its Mirai heritage, GorillaBot introduces several sophisticated enhancements that make it more dangerous and difficult to detect.

Custom Encryption Methods

GorillaBot implements multiple layers of encryption not present in the original Mirai:

  • XTEA-like Cipher – Custom implementation with a 128-bit key for C2 communications
  • Caesar Cipher – Simple substitution cipher with a shift of 3 for string obfuscation
  • SHA-256 Token – Used for authentication with C2 servers

The Caesar cipher implementation for string obfuscation:

// Simplified representation of GorillaBot's Caesar cipher
#include <stdlib.h>
#include <string.h>

char* decrypt_string(char* encrypted) {
    size_t len = strlen(encrypted);
    char* decrypted = malloc(len + 1);
    if (decrypted == NULL)
        return NULL; // allocation failed

    for (size_t i = 0; i < len; i++) {
        // Shift of 3 in Caesar cipher: each stored byte is plaintext + 3
        decrypted[i] = encrypted[i] - 3;
    }

    decrypted[len] = '\0';
    return decrypted;
}

Code snippet showing implementation of Caesar cipher in GorillaBot malware
Decompiled code showing GorillaBot’s Caesar cipher implementation with a shift of 3
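
Two analyst helpers in Python, added here and not part of the ANY.RUN analysis or of the malware itself: split_c2_records reframes a captured bot-to-C2 byte stream using the 4-byte big-endian length prefix shown in the C2 snippet earlier, so the encrypted payloads can be examined one record at a time, and caesar_decode / recover_strings undo the shift-3 string obfuscation to pull readable strings such as the /proc paths out of a sample. The byte strings are constructed for the example; the 1 MiB cap on record size is an assumption chosen to keep a corrupt capture from being misread.

```python
import re
import struct

MAX_RECORD = 0x100000  # assumed sanity cap on one C2 record (1 MiB)


def split_c2_records(stream):
    """Split a captured bot->C2 byte stream into records: a 4-byte
    big-endian length (htonl) followed by that many bytes. Returns
    (records, leftover). Stops on a zero, oversized or truncated length so a
    partial or corrupt capture is not misread as valid traffic."""
    records = []
    off = 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from("!I", stream, off)
        if length == 0 or length > MAX_RECORD or off + 4 + length > len(stream):
            break
        records.append(stream[off + 4: off + 4 + length])
        off += 4 + length
    return records, stream[off:]


def caesar_encode(data, shift=3):
    """Apply the shift-3 obfuscation (used here only to build sample input)."""
    return bytes((b + shift) % 256 for b in data)


def caesar_decode(data, shift=3):
    """Undo the shift-3 obfuscation: each byte minus 3, wrapping modulo 256."""
    return bytes((b - shift) % 256 for b in data)


def recover_strings(blob, shift=3, min_len=6):
    """Decode a whole blob and return printable ASCII runs of at least
    min_len characters, the way a strings pass is run over a deobfuscated
    section of the binary."""
    decoded = caesar_decode(blob, shift)
    pattern = rb"[ -~]{" + str(min_len).encode() + rb",}"
    return [m.group().decode("ascii") for m in re.finditer(pattern, decoded)]


# Constructed samples: two framed records plus a truncated tail, and a blob
# with two obfuscated strings separated by non-printable bytes.
SAMPLE_STREAM = (
    struct.pack("!I", 5) + b"hello"
    + struct.pack("!I", 3) + b"abc"
    + b"\x00\x00"
)
SAMPLE_BLOB = (
    b"\x00\x01" + caesar_encode(b"/proc/self/status")
    + b"\xff" + caesar_encode(b"kubepods")
)

if __name__ == "__main__":
    print(split_c2_records(SAMPLE_STREAM))   # ([b'hello', b'abc'], b'\x00\x00')
    print(recover_strings(SAMPLE_BLOB))      # ['/proc/self/status', 'kubepods']
```

Reframing the stream does not decrypt the XTEA-like layer, but it gives per-record sizes and timing, which is what a network signature or a behavioural rule keys on.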

Anti-Analysis and Evasion Techniques

GorillaBot employs several sophisticated techniques to evade detection and analysis:

  • Anti-Debugging Checks – Inspects the /proc/self/status file for TracerPid to detect when being analyzed
  • Container Detection – Checks /proc/1/cgroup for "kubepods" to detect containerized environments
  • Honeypot Evasion – Exits when common sandbox or analysis environments are detected
  • Process Name Obfuscation – Disguises its process name to avoid detection by system monitoring tools

The anti-debugging check, as reconstructed from the analysis:

// Anti-debugging implementation in GorillaBot
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int detect_debugger() {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];

    if (f == NULL)
        return 0; // status file unreadable, treat as no debugger

    // A non-zero TracerPid means another process is ptrace-attached
    while (fgets(line, sizeof(line), f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            int pid = atoi(line + 10);
            if (pid != 0) {
                fclose(f);
                return 1; // Debugger detected
            }
            break;
        }
    }

    fclose(f);
    return 0; // No debugger
}

Advanced Authentication Mechanism

GorillaBot implements a more sophisticated authentication system than Mirai:

// Pseudocode of GorillaBot's authentication mechanism
#include <stdint.h>
#include <sys/socket.h>
#include <openssl/sha.h>

int authenticate_with_c2(int sock) {
    uint8_t magic_value[4];
    if (recv(sock, magic_value, 4, 0) != 4)
        return 0; // C2 did not send the 4-byte challenge

    uint8_t hardcoded_array[32] = { /* 32-byte hardcoded array */ };
    uint8_t token[32];

    // token = SHA-256(hardcoded_array || magic_value)
    SHA256_CTX ctx;
    SHA256_Init(&ctx);
    SHA256_Update(&ctx, hardcoded_array, 32);
    SHA256_Update(&ctx, magic_value, 4);
    SHA256_Final(token, &ctx);

    send(sock, token, 32, MSG_NOSIGNAL);

    uint8_t response;
    if (recv(sock, &response, 1, 0) != 1)
        return 0;
    return response == 0; // 0 means success
}

This authentication process uses a SHA-256 token generated from a 32-byte hardcoded array and a 4-byte magic value received from the C2 server, making it more secure and difficult to impersonate.

Indicators of Compromise (IoCs)

  • Process name: watchdog – Common process name used by GorillaBot
  • Network activity: Raw TCP connections on non-standard ports – C2 communications
  • File system: Hidden binaries in /tmp/ or /var/ – Potential malware persistence
  • System load: Unusual CPU/network usage patterns – DDoS participation indicators
  • File modification: Changes to /etc/rc.local, /etc/init.d/ – Persistence mechanisms

YARA Rule for GorillaBot Detection

The following YARA rule can help detect GorillaBot samples:

rule GorillaBot_Mirai_Variant {
    meta:
        description = "Detects GorillaBot Mirai variant"
        author = "GridinSoft Security Team"
        date = "2023-10-15"
        version = "1.0"
        
    strings:
        $caesar_shift = { 83 ?? 03 } // Caesar cipher with shift of 3
        $proc_status = "/proc/self/status" ascii
        $tracer_pid = "TracerPid:" ascii
        $kubepod_check = "kubepods" ascii
        $attack_cmd1 = "UDP" ascii
        $attack_cmd2 = "TCP" ascii
        $attack_cmd3 = "SYN" ascii
        $attack_cmd4 = "ACK" ascii
        
    condition:
        uint32(0) == 0x464c457f and // ELF header
        $caesar_shift and
        $proc_status and
        $tracer_pid and
        2 of ($attack_cmd*) and
        $kubepod_check
}

How To Protect Against GorillaBot Infection

Given GorillaBot’s sophistication, protecting against such threats requires a multi-layered approach:

For IoT Device Owners

  • Change default credentials – Many IoT devices come with factory-set usernames and passwords that are well-known to attackers. Always change these immediately.
  • Keep firmware updated – Regularly check for and install firmware updates for all network-connected devices.
  • Disable unnecessary services – Turn off Telnet and other unneeded services that could be exploited.
  • Implement network segmentation – Place IoT devices on a separate network from critical systems.
  • Use strong authentication – Where possible, implement SSH with key-based authentication instead of password login.

For Network Administrators

  • Deploy traffic monitoring – Implement systems to detect unusual traffic patterns that could indicate botnet activity.
  • Filter vulnerable ports – Block inbound access to commonly exploited ports like Telnet (23) at the network perimeter.
  • Implement egress filtering – Prevent compromised devices from participating in DDoS attacks by filtering outbound traffic.
  • Configure rate limiting – Implement bandwidth caps or connection rate limits for IoT devices.
  • Use intrusion detection systems – Deploy IDS/IPS solutions capable of recognizing botnet command and control traffic.

For End Users

  • Use reliable security software – Solutions like GridinSoft Anti-Malware can help detect and remove malware infections.
  • Monitor device behavior – Watch for unusual signs like excessive network activity or performance degradation.
  • Perform regular security scans – Schedule periodic security scans of all devices connected to your network.
  • Update all software – Keep operating systems and applications up-to-date with security patches.

Conclusion: The Evolution of IoT Threats

GorillaBot represents the continued evolution of IoT-targeted malware, building on established frameworks like Mirai while adding sophisticated evasion techniques and enhanced attack capabilities. As IoT devices continue to proliferate across homes and businesses, the threat from such botnets will likely increase.

The most effective defense against these threats remains a combination of basic security hygiene (changing default passwords, keeping devices updated) and advanced protection measures (network monitoring, security software). By implementing these practices, both individual users and organizations can significantly reduce their risk of becoming part of a botnet like GorillaBot.


The post GorillaBot: Advanced Mirai Variant Targeting IoT Devices with Enhanced DDoS Capabilities appeared first on Gridinsoft Blog.

CrushFTP’s Unauthenticated Access Flaw Discovered https://gridinsoft.com/blogs/crushftps-unauthenticated-access-flaw/ https://gridinsoft.com/blogs/crushftps-unauthenticated-access-flaw/#respond Thu, 27 Mar 2025 10:24:01 +0000 https://gridinsoft.com/blogs/?p=30276 CrushFTP has warned users to patch an unauthenticated access flaw immediately, affecting all v11 versions. The vulnerability enables attackers to gain unauthorized access to unpatched CrushFTP v11 servers, particularly those with exposed HTTP(S) ports. CrushFTP’s Unauthenticated Access Flaw Warning CrushFTP, a widely used file transfer protocol server, has recently issued a critical warning to its […]

CrushFTP has warned users to patch an unauthenticated access flaw immediately, affecting all v11 versions. The vulnerability enables attackers to gain unauthorized access to unpatched CrushFTP v11 servers, particularly those with exposed HTTP(S) ports.

CrushFTP’s Unauthenticated Access Flaw Warning

CrushFTP, a widely used file transfer server, has issued a critical warning to its users, urging them to patch an unauthenticated access flaw immediately. The warning addresses a significant security vulnerability that affects all v11 releases prior to the fix, with possible implications for v10 as well.

On March 21, 2025, the company emailed customers, warning of an unauthenticated HTTP(S) port access vulnerability. The email emphasized the urgency, stating, “Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon.”

CrushFTP Flaw Description

The vulnerability is described as an unauthenticated HTTP(S) port access flaw: an attacker who can reach the HTTP(S) port of an unpatched server can gain access to it without any credentials. This is particularly dangerous for servers reachable from the internet, as it could lead to unauthorized access, data exfiltration, or further exploitation.

The severity is underscored by the potential for ransomware and other adversaries to target file transfer technologies. This vulnerability is especially concerning given historical exploitation of similar flaws in CrushFTP, such as the 2024 zero-day (CVE-2024-4040), which allowed complete server compromise.

It will hardly be different this time, especially considering that a PoC exploit was posted on GitHub merely hours after the developers' original disclosure, which will surely give exploitation of this flaw an additional push.

CrushFTP PoC

Mitigation and Patch Details

To address this flaw, CrushFTP released version 11.3.1. The change log, accessible via version history, mentions an “Authentication fix” for v11.3.1. Users are urged to update immediately, without waiting for regular patch cycles.

An important mitigation is CrushFTP's DMZ feature, which keeps the main server off the internet-facing segment and so reduces the attack surface of exposed deployments. Users still on older versions can update by downloading the latest build from the CrushFTP download page, which is offered either with a bundled Java 21 runtime or without a bundled runtime (the Java 17 variant), so it can be deployed across platforms.

The email notification explicitly states that no version earlier than v11 is affected. However, some sources mention v10 in connection with the advisory, which introduces uncertainty. Given that the recent updates carry no specific patch information for v10, the focus is evidently on v11; v10 users should still make sure they are on the latest release that addresses previous vulnerabilities, such as v10.7.1 (and v11.1.0 on the v11 line) for CVE-2024-4040.

CrushFTP updates page

Users should prioritize updating to v11.3.1 and avoid exposing their servers to the internet without the DMZ feature. Those unsure of their version can check it in the CrushFTP dashboard and follow the vendor's upgrade guide.

The post CrushFTP’s Unauthenticated Access Flaw Discovered appeared first on Gridinsoft Blog.

Jaguar Land Rover Data Breach Involved Two Attacks https://gridinsoft.com/blogs/jaguar-land-rover-data-breach/ https://gridinsoft.com/blogs/jaguar-land-rover-data-breach/#respond Tue, 18 Mar 2025 15:16:08 +0000 https://gridinsoft.com/blogs/?p=30128 Jaguar Land Rover suffered a significant data breach. Two hackers are said to have exploited stolen Jira credentials, leaking sensitive information. The leaked data, including source code, employee details, and proprietary documents. Jaguar Land Rover Breached In early March 2025, Jaguar Land Rover (JLR), a UK-based luxury car manufacturer, reportedly suffered a significant data breach. […]

Jaguar Land Rover suffered a significant data breach. Two hackers are said to have exploited stolen Jira credentials, leaking sensitive information, including source code, employee details, and proprietary documents.

Jaguar Land Rover Breached

In early March 2025, Jaguar Land Rover (JLR), a UK-based luxury car manufacturer, reportedly suffered a significant data breach. The breach involved two distinct threat actors: a member of the HELLCAT ransomware group operating as “Rey,” and a second hacker identified as “APTS.”

Rey’s thread on a cybercrime forum in which they leaked data from Jaguar Land Rover

While the exact date of the breach is not explicitly stated, the incident is clearly recent; the credentials exploited by APTS, on the other hand, date back to 2021, pointing to a long-standing exposure. One report corroborates the exposure of source code and employee details, while another mentions the leak of 700 internal documents by Rey.

Threat Actors and Their Methods

As noted above, the breach involved two primary actors: HELLCAT (Rey) and APTS. HELLCAT employs its “infostealer playbook”: infostealer malware harvests credentials, and the group focuses on Jira instances, which are integral to enterprise operations and therefore a valuable foothold for further attacks.

Infostealer malware, such as Lumma, infects devices through phishing, malicious downloads, or compromised websites, exfiltrating login credentials that are often sold or hoarded on the Darknet. APTS followed a similar approach, exploiting the same type of credentials to access JLR’s systems.

The login credentials that were used to perform the breach, detected years ago by Hudson Rock’s Cavalier (source: infostealers.com)

Hudson Rock’s report also specifies that the credentials belonged to a compromised LG Electronics employee (email ending in «on@lge.com») with third-party access to JLR’s Jira server. These credentials, present in Hudson Rock’s database since at least 2018, were still valid as of 2021. Hudson Rock, a cybercrime intelligence provider, reports over 30,000,000 computers infected with infostealers, with thousands of companies, including JLR, having Jira credentials compromised through these infections.

Data Leaked and Scale

As for scale, the breach is significant: Rey leaked hundreds of internal files and gigabytes of Jira issues, though the exact size is not specified. APTS leaked an additional 350 gigabytes of data, including proprietary documents, source code, employee data, and partner information.

APTS leaking additional data from Jaguar Land Rover

This additional leak was confirmed through a screenshot of a Jira dashboard shared by APTS. Some reports mention approximately 700 internal documents leaked by Rey, including development logs and tracking data.

Implications and Broader Context

The breach has significant implications for JLR and the broader cybersecurity landscape. The leaked data, particularly source code and employee details, raises the risk of follow-on attacks such as phishing campaigns or intellectual property theft.

AI could amplify the impact of breaches of this size by making stolen data easier to mine and therefore more valuable to cybercriminals, and JLR is a large target, with nearly 39,000 employees and over $37 billion in revenue in the previous year. The incident also highlights how exposed Jira systems are as a pivot point into enterprise operations, which is worth keeping in mind given how widespread Jira is in modern software engineering.

JLR joins previous victims of the same infostealer-driven playbook, including Telefónica, Schneider Electric, and Orange; the Telefónica breach, for example, involved similar tactics. One notable detail is the longevity of the exploited credentials, which date back to 2018 and remained valid until at least 2021.

This long-term vulnerability, detected by Hudson Rock’s database, illustrates how stolen credentials can persist for years if not monitored, posing a continuous risk to organizations. This is particularly relevant for companies relying on third-party access, as seen with the LG Electronics employee’s credentials.

The post Jaguar Land Rover Data Breach Involved Two Attacks appeared first on Gridinsoft Blog.
