Global crackdown on Kidflix, a major child sexual exploitation platform with almost two million users | Europol
Kidflix, one of the largest paedophile platforms in the world, has been shut down in an international operation against child sexual exploitation. The investigation was supported by Europol and led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB). Over 35 countries worldwide participated in the operation. almost 1 400 suspects worldwide. So far, 79 of these individuals have been arrested...
Russian Hacktivists Target Energy And Water Infrastructure
Russian hacktivist groups Z-Pentest and People’s Cyber Army escalate attacks on U.S. energy and water systems. Learn about their tactics and how to mitigate risks
Tomcat in the Crosshairs: New Research Reveals Ongoing Attacks
New malware targets Apache Tomcat servers, hijacking resources through stealthy payloads & lateral movement. What to watch for to protect your workloads
Apple belatedly fixes exploited flaws in older OSes
Apple has delivered a big batch of OS updates, some of which belatedly patch older versions of its operating systems to address exploited-in-the-wild flaws the iGiant earlier fixed in more recent releases.
Analyzing open-source bootloaders: Finding vulnerabilities faster with AI
By leveraging Microsoft Security Copilot to expedite the vulnerability discovery process, Microsoft Threat Intelligence uncovered several vulnerabilities in multiple open-source bootloaders, impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot as well as IoT devices. The vulnerabilities found in the GRUB2 bootloader (commonly used as a Linux bootloader) and U-boot and Barebox bootloaders (commonly used for embedded systems), could allow threat actors to gain and execute arbitrary code.
Enterprise file transfer solutions are critical infrastructure for many organizations, facilitating secure data exchange between systems and users. CrushFTP, a widely used multi-protocol file transfer server, offers an extensive feature set including Amazon S3-compatible API access. However, a critical vulnerability (CVE-2025-2825) was discovered in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 that allows unauthenticated attackers to bypass authentication and gain unauthorized access
Key Takeaways The threat actor gained initial access by a fake Zoom installer that used d3f@ckloader and IDAT loader to drop SectopRAT. After nine days of dwell time, the SectopRAT malware dropped …
Apple finally adds TCC events to Endpoint Security! Since the majority of macOS malware circumvents TCC through explicit user approval, it would be incredibly helpful for any security tool to detect this — and possibly override the user’s risky decision. Until now the best (only?) option was to ingest log messages generated by the TCC subsystem. This approach was implemented in a tool dubbed Kronos, written by Calum Hall Luke Roberts (now, of Phorion fame). Unfortunately, as they note, this approach did have it drawbacks:
Blacklock Ransomware: A Late Holiday Gift with Intrusion into the Threat Actor
Dubbed “BlackLock” (aka "El Dorado" or "Eldorado"), the ransomware-as-a-service (RaaS) outfit has existed since March 2024. In Q4 of last year, it increased its number of data leak posts by a staggering 1,425% quarter-on-quarter. According to independent reporting, a relatively new group has rapidly accelerated attacks and could become the most dominant RaaS group in 2025. Fortunately, it will not happen due to certain events happening "behind the scenes." As you may know, Christmas and Winter Holidays are the best times for cybercriminals to attack, defraud, and extort victims globally. But in some cases, they may expect unexpected gifts too. Around that time, Resecurity identified a vulnerability present at the Data Leak Site (DLS) of BlackLock in the TOR network - successful exploitation of which allowed our analysts to collect substantial intelligence about their activity outside of the public domain.
Why are North Korean hackers such good crypto-thieves?
FEBRUARY 21st was a typical day, recalls Ben Zhou, the boss of ByBit, a Dubai-based cryptocurrency exchange. Before going to bed, he approved a fund transfer between the firm’s accounts, a “typical manoeuvre” performed while servicing more than 60m users around the world. Half an hour later he got a phone call. “Ben, there’s an issue,” his chief financial officer said, voice shaking. “We might be hacked…all of the Ethereum is gone.”
SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries
Any service using xml-crypto or a Node.js SAML implementation using it, should update immediately to the latest version. WorkOS customers are safe and were not impacted.
Lucid is a sophisticated Phishing-as-a-Service (PhaaS) platform operated by Chinese-speaking threat actors, targeting 169 entities across 88 countries globally. With 129 active instances and 1000+ registered domains, Lucid ranks among prominent PhaaS platforms, alongside Darcula and Lighthouse. Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud. The platform employs an automated attack delivery mechanism, deploying customizable phishing websites distributed primarily through SMS-based lures. To enhance effectiveness, Lucid leverages Apple iMessage and Android’s RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates. Lucid incorporates advanced anti-detection and evasion techniques, such as IP blocking and user-agent filtering, to prolong the lifespan of its phishing sites. Additionally, it features a built-in card generator, enabling threat actors to validate and exploit stolen payment data efficiently. Given its advanced infrastructure and persistent activity, Lucid poses a significant and ongoing cyber threat. Its operations underscore the growing reliance on PhaaS platforms to facilitate payment fraud and financial cybercrime, necessitating heightened vigilance and proactive mitigation efforts.
Next.js is an open-source web framework built by Vercel that powers React-based apps with features like server-side and static rendering. Recently, a critical vulnerability (CVE) was disclosed that lets attackers bypass middleware-based authorization checks. The issue was originally discovered and analyzed by Rachid Allam (zhero). In this blog, we’ll break down the vulnerability and walk through their research and will create a Nuclei template to help you detect it across your assets.
Troy Hunt: A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog. I'm deliberately keeping this post very succinct to ensure the message goes out to my impacted subscribers ASAP, then I'll update the post with more details.
VanHelsingRaaS is a new and rapidly growing ransomware-as-a-service (RaaS) affiliate program launched on March 7, 2025. The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%. The only rule is not to target the Commonwealth of Independent States (CIS). Check Point Research discovered two VanHelsing ransomware variants targeting Windows, but as the RaaS mentions in its advertisement, it provides more offerings “targeting Linux, BSD, ARM, and ESXi systems”. The program provides an intuitive control panel that simplifies operating ransomware attacks. Check Point Research obtained two variants of the VanHelsing Ransomware, compiled just five days apart. The newest variant shows significant updates, highlighting the fast-paced evolution of this ransomware. In less than two weeks since its introduction to the cybercrime community, this ransomware operation has already infected three known victims, demanding large ransom payments for decryption and the deletion of stolen data. During negotiations, they demanded $500,000 to be paid to a specified Bitcoin wallet.
Weaver Ant: Tracking a China-Nexus Cyber Espionage Operation
Sygnia investigates Weaver Ant, a stealthy China-nexus threat actor targeting telecom providers. Learn how web shells enable persistence and espionage.
orums as part of our Threat Discovery Process. Designed to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files. Its stealthy evasion tactics and persistence mechanisms make detection and removal challenging. This highlights the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and minimize breach risks. Target Technologies: Windows Target Geography: France, USA. Target Industry: Government, Manufacturing, Pharma. Encrypted file extension: .vanhelsing Observed First: 2025-03-16 Threat actor Communication mode: Tor
