Daily Digest

German authorities have just pulled back the curtain on one of the most notorious figures in cybercrime. They've publicly identified "UNKN," the elusive mastermind behind the devastating REvil and GandCrab ransomware gangs, as 31-year-old Russian national Daniil Shchukin. This isn't just a name drop—it's a major doxing operation by a state. It reveals the human face behind attacks that extorted millions and pioneered "double extortion" tactics. If your organization was hit by these gangs, the man allegedly responsible now has a public profile.

In a bold and unusual move, Germany's Federal Criminal Police (BKA) has turned the tables on a top cybercriminal. They've publicly named, shamed, and displayed mugshots of the man they say operated under the handle "UNKN." He is identified as Daniil Shchukin, the alleged leader of the GandCrab and REvil ransomware cartels. This action goes far beyond a typical press release. It's a strategic doxing, stripping away the anonymity that shields such actors. The BKA accuses Shchukin of directing at least 130 acts of digital sabotage and extortion within Germany alone between 2019 and 2021. The impact was severe. These gangs, under his alleged leadership, perfected "double extortion." First, they encrypted a victim's data and demanded a ransom for the decryption key. Then, they threatened to publish the stolen data online unless a second payment was made. This model caused immense damage. The BKA links Shchukin and an associate to 24 attacks that extracted nearly 2 million Euros in ransom and caused over 35 million Euros in total economic fallout. The pain rippled across businesses and critical services. Technically, these groups operated as "Ransomware-as-a-Service" (RaaS). Shchukin and his team maintained the core malicious software, while "affiliates" paid to use it in their own attacks. This franchising model scaled their reach and devastation exponentially. For potential victims, the key takeaway is resilience. This revelation doesn't mean the threat is gone. It reinforces the critical need for robust backups, kept offline and regularly tested. A solid recovery plan is your best defense against encryption attacks. Furthermore, segment your networks and enforce strict access controls. This can limit an intruder's ability to move laterally and deploy ransomware across your entire system. Always patch known vulnerabilities promptly. In the broader landscape, this move by Germany signals a shift. When arrest and extradition are politically fraught, law enforcement may increasingly resort to dismantling a criminal's operational security instead. They are attacking the reputation and anonymity these actors rely on. While Shchukin remains at large in Russia, his identity is now burned. This complicates his ability to recruit, collaborate, or live a normal life without scrutiny. It's a psychological and operational blow, showing that even the most hidden handlers can be exposed.

A shocking breach of trust has rocked the cybersecurity world. A former ransomware negotiator has pleaded guilty to secretly working with the very criminals he was hired to fight. Angelo Martino, along with two colleagues from top incident response firms, fed confidential victim details to the notorious BlackCat gang. This insider betrayal helped extort tens of millions from U.S. companies, turning defenders into attackers.

The line between defender and criminal has horrifyingly blurred. Angelo Martino, a former negotiator for cybersecurity firm DigitalMint, has admitted to a stunning double-cross. While hired to help companies recover from ransomware attacks, he was secretly aiding the enemy. Martino and two accomplices—fellow negotiators from Sygnia and DigitalMint—pleaded guilty to federal extortion and computer damage charges. They face up to 20 years in prison. Their crime was a profound violation of trust at the most vulnerable moment. While officially negotiating for five victims, Martino acted as a mole. He leaked confidential details like the victims' negotiation strategies and insurance coverage limits directly to the BlackCat (ALPHV) ransomware operators. This inside information allowed the criminals to calibrate their demands for maximum payout. The impact was devastating. Their known victims include a financial services firm forced to pay over $25 million and a nonprofit that handed over nearly $27 million. Law firms, schools, and medical facilities were also targeted in this insider-enabled scheme. Technically, the trio operated as BlackCat affiliates. They used the gang's ransomware and extortion portal, paying the core operators a 20% cut of all ransoms. They not only encrypted files but also stole data, threatening to leak it—a classic double-extortion tactic that Martino would have been intimately familiar with from his "day job." For organizations, this is a nightmare scenario. It underscores the critical importance of vetting everyone in your incident response chain. When engaging negotiators or response firms, demand transparency on their conflict-checking and confidentiality protocols. DigitalMint has stated it fired Martino and another involved employee immediately upon discovery, condemning their actions. However, the damage to industry trust will take far longer to repair. This case matters because it exploits the fundamental trust that makes crisis response possible. If the experts you call during a breach might be working for the other side, the entire cybersecurity ecosystem fractures. It’s a stark reminder that human risk remains the most unpredictable and dangerous vulnerability of all.

A new cyber threat is weaponizing the cloud itself. A financially motivated group called TeamPCP has unleashed a self-spreading "worm" that targets poorly secured cloud services. Their latest twist? A wiper attack designed to destroy data specifically on systems in Iran. This isn't just another data breach. The attack automatically spreads through misconfigured Docker, Kubernetes, and Redis servers. If you manage cloud infrastructure, especially on Azure or AWS, you need to check your configurations now. The group is also poisoning open-source tools, making the supply chain a new battlefield.

A significant shift is happening in the cybercrime world. The group known as TeamPCP has moved from pure data theft and extortion to launching a politically-tinged wiper attack against Iran. This marks a dangerous escalation in their capabilities and intentions. Their weapon of choice is a worm dubbed "CanisterWorm." It doesn't rely on fancy new exploits. Instead, it automates attacks on glaring, well-known security gaps in cloud infrastructure. Exposed Docker APIs, Kubernetes clusters, and Redis servers are its primary entry points. The worm's latest payload is particularly destructive. Upon infection, it checks the system's time zone and language settings. If it detects Iran's time zone or Farsi as the default language, it activates a data-wiping function, destroying information on the machine. Who's most at risk? Any organization with misconfigured cloud services on platforms like Azure or AWS, which account for 97% of TeamPCP's compromises. The real-world impact is dual: financial loss from extortion for most, and complete data destruction for targets in Iran. Technically, TeamPCP’s power comes from scale, not sophistication. They've industrialized basic attacks. Their platform automatically scans for and exploits common cloud misconfigurations, turning exposed servers into springboards for further infection. But the threat doesn't stop at direct cloud attacks. In a worrying supply chain twist, TeamPCP also compromised a popular security tool. They pushed malicious code into the GitHub Action for the KICS vulnerability scanner from Checkmarx, potentially infecting anyone who used it during a critical window. So, what should you do? Immediate action is required. Security teams must audit their cloud environments for exposed management APIs. Ensure services like Docker, Kubernetes, and Redis are not publicly accessible without strict authentication. Furthermore, this incident underscores the critical importance of software supply chain security. Organizations must verify the integrity of open-source tools and CI/CD pipelines, as even security scanners can become attack vectors. This campaign matters because it signals a new era of automated, cloud-native crime. It proves that old misconfigurations, when left unpatched and combined with automation, can fuel devastating, wide-scale attacks. The blend of financial motive with disruptive geopolitical action also sets a concerning precedent for future cyber conflicts.

A new, cunning version of the NGate malware is on the prowl, turning your phone's tap-to-pay feature into a data theft machine. It hides inside a corrupted version of a legitimate payment app called HandyPay. If you're an Android user, especially in Brazil, and you download apps from sketchy websites or fake app stores, you're at risk. This malware can silently steal your credit card details the moment you tap your card to your phone.

A sophisticated Android malware campaign is exploiting the very technology designed for convenient payments. Security researchers at ESET have uncovered a new variant of the NGate malware that hijacks Near-Field Communication (NFC) to drain bank accounts. This isn't its first appearance. The original NGate malware used a tool called NFCGate to capture payment card data. But this latest iteration has evolved into something stealthier and more cost-effective for the criminals behind it. The hackers have weaponized a legitimate app named HandyPay. By injecting it with malicious code, they created a trojan horse. This app normally facilitates NFC data transfers, a feature the malware abuses to exfiltrate your sensitive financial information. The shift in tactics is a masterclass in criminal efficiency. Professional NFC relay tools are expensive and draw attention. HandyPay is cheap, requires minimal permissions, and looks innocent, making it perfect for evasion. The campaign has been active since November 2025, primarily targeting users in Brazil. It spreads through two deceptive channels: a fake "card protection" app on a spoofed Google Play page, and a fraudulent lottery prize scheme that funnels victims via WhatsApp. Here’s how the theft works. Once installed, the malicious app tricks you into making it your default payment application. It then asks for your card's PIN and instructs you to tap your card on the phone. In that single tap, the malware reads and steals all the card data from the chip. This information is then emailed directly to the attackers, who use it to create cloned virtual cards for fraudulent purchases and ATM withdrawals. For protection, only download apps from the official Google Play Store. Be extremely wary of APK files from other sources. Consider disabling NFC when you're not actively using it for payments. Also, ensure Google Play Protect is enabled on your device. It is already capable of detecting and blocking this specific NGate variant. This incident is a stark reminder of the evolving threat landscape. It shows how cybercriminals are constantly innovating, repurposing legitimate tools to lower costs and improve stealth. As contactless payments become ubiquitous, our phones' NFC chips will remain a high-value target for these kinds of financially motivated attacks.

A massive $290 million crypto heist has struck the KelpDAO project, and the fingerprints point to a notorious state-sponsored actor: North Korea's Lazarus Group. This isn't just another hack; it's a sophisticated, cross-chain attack that exploited the very infrastructure designed to secure assets moving between blockchains. If you're involved with DeFi protocols like Compound, Euler, or Aave—especially if you used the rsETH token—you need to pay attention. The breach shows how attackers are now targeting the connective tissue of the crypto world, putting vast sums at risk through clever technical manipulation.

The crypto world was rocked by a near-$300 million theft from KelpDAO, a decentralized finance (DeFi) project. The prime suspect? The infamous Lazarus Group, a hacking arm of North Korea known for funding its regime through digital heists. This attack didn't just hit one protocol in isolation. It created ripple effects, impacting major lending platforms like Aave and Compound, which were forced to freeze activities involving the stolen token. This incident underscores a chilling trend: state-level attackers are systematically targeting the most complex parts of the crypto ecosystem. So, what exactly was stolen? The target was rsETH, a "liquid restaking" token. Users deposit Ethereum (ETH) with KelpDAO to earn rewards, and in return, they get rsETH, which they can use elsewhere in DeFi. The hackers didn't breach KelpDAO's core vaults. Instead, they attacked the bridge that moves rsETH between different blockchains. The technical heart of the hack was a clever deception on the verification layer. Attackers compromised specific data nodes (RPC nodes) that validate cross-chain messages. They then flooded healthy nodes with traffic (a DDoS attack) to disable them, forcing the system to rely on their poisoned data sources. This tricked the system into approving a fake transaction. It believed a massive amount of rsETH was legitimately being moved, when in reality, it was being stolen. The stolen tokens were then immediately sent through Tornado Cash, a crypto-mixing service, in a classic attempt to launder the funds and obscure their trail. For users, the immediate action is to check if you hold rsETH or used it as collateral on affected platforms like Aave. Follow official communications from those protocols regarding the freeze. For projects, this is a stark lesson in "trust minimization." Relying on a small set of external data providers creates a single point of failure. The broader implication is profound. Lazarus Group is executing long-term, patient campaigns. As LayerZero's analysis noted, this attack shared hallmarks of their "TraderTraitor" subgroup. They are not just exploiting code bugs, but the entire operational stack—from social engineering at conferences to manipulating network infrastructure. This heist, following a similar $280 million attack on Drift Protocol, signals a dangerous escalation. Critical DeFi infrastructure is now in the crosshairs of well-funded nation-states. The security of the entire space increasingly depends on fortifying these connective protocols against such sophisticated, resource-rich adversaries.

Russian military hackers just pulled off a massive, silent digital heist. By exploiting old, forgotten routers, they stole Microsoft Office login tokens from over 18,000 networks without installing a single piece of malware. This isn't just spycraft; it's a stark warning. If your organization uses outdated networking gear or relies on cloud services like Microsoft 365, you could be an unwitting participant in this global espionage campaign. The risk extends from government agencies right down to consumer devices.

A Russian state hacking group, known as Forest Blizzard or APT28, has executed a remarkably simple yet devastatingly effective espionage campaign. Their target? The digital keys that keep you logged into Microsoft Office and other 365 services. Instead of breaking into computers directly, they turned their attention to the internet's plumbing. The hackers exploited known vulnerabilities in thousands of old, unsupported routers sitting on the edge of networks. These forgotten devices became their perfect listening posts. From this vantage point, they performed a "man-in-the-middle" attack. As authentication data flowed between users and Microsoft's servers, the compromised routers silently copied it. This stolen data included precious session cookies and tokens. Possessing these tokens is like having a master key. The hackers could impersonate legitimate users, accessing emails, documents, and shared drives in cloud services like Outlook and SharePoint. All without needing passwords or triggering login alerts. The scale is immense. At its peak, this dragnet ensnared over 18,000 routers, impacting more than 200 organizations and 5,000 consumer devices. Primary targets included government bodies—ministries, law enforcement, and their supply chains. The real-world consequence is a severe, stealthy intelligence breach. Foreign affairs communications, sensitive law enforcement data, and corporate secrets could have been siphoned away for months, completely undetected by the victims. Mitigation requires a two-pronged approach. First, organizations must inventory and urgently update or replace end-of-life routers and network equipment. Letting these devices languish is an open invitation. Second, for Microsoft 365 tenants, enabling "Continuous Access Evaluation" (CAE) is critical. This security feature can instantly revoke stolen tokens, rendering them useless to attackers the moment a threat is detected. This incident highlights a dangerous shift in the cyber landscape. Attackers are increasingly targeting the foundational layers of the internet—the routers and appliances we often take for granted. It underscores that perimeter security is only as strong as its weakest, most overlooked link. Ultimately, it’s a powerful lesson in supply chain risk. A vulnerability in a single, outdated router model can cascade into a breach affecting thousands of networks worldwide, proving that what you don't know *can* hurt you.

A major international law enforcement operation has just taken down four massive IoT botnets responsible for record-breaking cyberattacks. The "Aisuru," "Kimwolf," "JackSkid," and "Mossad" botnets had enslaved over three million everyday devices—like home routers and security cameras—turning them into weapons for devastating DDoS attacks and extortion schemes. This disruption by U.S., Canadian, and German authorities stops an immediate threat, but it also exposes a much bigger problem. If you own an IoT device with a default password or outdated software, you could be part of the next digital siege. The fight for control of vulnerable smart devices is far from over.

In a significant cross-border cyber takedown, authorities from the United States, Canada, and Germany have dismantled the core infrastructure of four notorious IoT botnets. These networks, with names like Aisuru and Kimwolf, had compromised more than three million internet-connected devices, transforming ordinary home gadgets into a powerful army for hire. The impact was severe and widespread. The botnets are accused of launching hundreds of thousands of distributed denial-of-service (DDoS) attacks. These digital barrages can overwhelm and knock virtually any website or online service offline. The operators often used this destructive power to extort money from victims, some of whom faced tens of thousands in losses. The U.S. Department of Defense was a specific target, prompting involvement from its investigative service. But the threat extended far beyond government systems to any business or service reliant on a stable online presence. Technically, these botnets represented an evolving threat. Aisuru, the oldest, emerged in late 2024 and quickly began shattering DDoS records. Its variant, Kimwolf, introduced a dangerous new trick in 2025: the ability to worm its way into devices hidden *inside* private home networks, bypassing traditional perimeter defenses. This clever propagation method, later publicly detailed by security researchers, became a blueprint for copycats. The JackSkid botnet, for instance, adopted the same technique, showing how criminal innovation rapidly spreads. So, what's being done? The joint operation executed seizure warrants for domains and servers, aiming to sever the botnets' command centers. This action prevents already infected devices from receiving new attack orders and halts further spread. Authorities also targeted the alleged human operators behind the scenes. For device owners, the mandate is clear: action is required. You must change default passwords on all IoT devices immediately. Regularly check for and install firmware updates from the manufacturer. Isolate smart devices on a separate guest network if possible, preventing them from accessing your more sensitive computers and phones. This operation matters because it's a tactical win in a strategic war. Taking down these four botnets removes immediate firepower, but the battlefield—millions of insecure IoT devices—remains. The case highlights how cybercriminals are constantly refining their tools to exploit the weakest links in our connected world. The real takeaway? Defending the internet now depends on securing the often-overlooked gadgets at its very edge. Until manufacturers and consumers prioritize IoT security, botnets will continue to rise, fall, and reemerge from our own homes.

A cybersecurity researcher has exposed a critical blind spot in a powerful class of automated bug-hunting tools. The very technique designed to find the deepest, most complex software flaws can sometimes get stuck, missing critical vulnerabilities. This isn't just an academic problem. The findings impact how organizations test everything from web browsers to document parsers. If your software security relies on "fuzzing," you need to understand this gap.

The digital world relies on "fuzzing" to find software bugs before attackers do. One of its most advanced forms is mutational grammar fuzzing. This technique uses a rulebook, or grammar, to generate complex, structured test data—like mimicking a perfect webpage or document. The fuzzer then mutates this data intelligently, ensuring every change still follows the rules. When a new mutation triggers unexplored code paths in the target software, it’s saved for further testing. This method has famously uncovered deep flaws in browser components and Just-In-Time (JIT) compilers. However, new research reveals a fundamental flaw in this approach. The fuzzer's primary goal—maximizing code coverage—can become its own trap. It prioritizes samples that unlock new branches of code, relentlessly mutating them to go deeper. The problem? It often neglects older, foundational samples in its corpus. These earlier tests might be simpler, but they are crucial for exploring different, potentially vulnerable, code states. The fuzzer gets stuck in a local maximum, endlessly refining a few paths while ignoring a wider attack surface. This blind spot means serious bugs can remain hidden, even after extensive automated testing. The flaw isn't limited to one tool; it's a structural issue affecting any coverage-guided, structure-aware fuzzer. So, what's the fix? The researcher proposes a brilliantly simple mitigation: periodically "reseeding" the fuzzer. This involves injecting fresh, unmutated grammar samples back into the test pool at regular intervals. Think of it as hitting a reset button to regain breadth. This forces the tool to explore from new starting points, breaking it out of repetitive loops. In tests, this simple tweak helped find bugs in libraries like libxslt faster than default settings. The key takeaway is powerful. Cutting-edge security tools are not set-and-forget solutions. Their effectiveness depends on understanding their limitations and tuning them for your specific target. This research underscores a broader truth in cybersecurity. Automation is essential, but human insight—questioning how our tools work—is what truly closes the gaps attackers will eventually exploit.

A seemingly minor Windows API has been hiding a major security flaw for years. The `GetProcessHandleFromHwnd` function, designed as a convenience tool, could be abused to bypass critical security barriers like User Interface Privilege Isolation (UIPI). This vulnerability allowed malicious applications to grab powerful handles to other processes, potentially leading to data theft or system manipulation. Any Windows user, especially before the latest 24H2 update, could have been at risk from exploits leveraging this oversight.

A deep dive into a Windows API reveals a classic case of documentation not matching reality, leading to a persistent security vulnerability. The `GetProcessHandleFromHwnd` function was documented as a safe, user-mode tool that required specific privileges. In practice, it was far more powerful and dangerous. The core issue was a mismatch between what Microsoft's docs said and what the code actually did. The API was supposed to work only under strict conditions, like the caller having "UIAccess." However, researchers found its implementation in the kernel allowed it to bypass those very checks. This meant a lower-integrity application could obtain a powerful handle to a higher-integrity process. Once an attacker had that handle, they could potentially read its memory or manipulate its execution. It was a direct bypass of User Interface Privilege Isolation (UIPI), a key Windows security boundary. Technically, the function was implemented in the kernel (`win32k`), not in user mode as implied. The kernel code would directly open a process handle, but it forgot to check if the target was a "protected process." This omission created the loophole. The vulnerability was notably exploited in a UAC bypass involving the Quick Assist application. This showed a clear path for malware to escalate privileges silently, moving from a limited user context to a more powerful one without triggering standard security prompts. For mitigation, the primary fix is updating to Windows 11 24H2. This version includes a general overhaul of UIPI and has corrected this specific API's behavior. Users on older systems should ensure they are applying all security updates, as Microsoft may have issued patches. This incident matters because it underscores a critical weakness: outdated or incorrect documentation. Security models are only as strong as their implementation. When developers and defenders rely on docs that don't reflect the code, hidden flaws can persist for years. It also highlights the ongoing cat-and-mouse game in OS security. Features added for convenience, like this API, can often become exploitation vectors. The eventual fix in 24H2 shows a positive trend of hardening core Windows security boundaries, making them permanent and less prone to bypass.

A critical security feature designed to lock down Windows has been cracked wide open. A researcher discovered nine separate ways to bypass Microsoft's new "Administrator Protection" before it even launched, exploiting a long-ignored flaw in how Windows handles user interface access. This isn't just a theoretical hack. It reveals a fundamental weakness that could have let malware or a standard user account hijack administrator-level processes. If you're on Windows, this core security boundary you rely on was fundamentally flawed.

Microsoft's latest attempt to fortify Windows security, a feature called Administrator Protection, arrived with a dangerous secret. A security researcher found and reported nine distinct methods to bypass it before its official release. The root cause? A deeply embedded issue with a component called UI Access. This flaw wasn't new; it was a ghost from Windows' past. The problem stems from how different applications on your desktop are allowed to "talk" to each other's windows. A legacy feature, designed for accessibility tools, was granting too much power. The core vulnerability is in a flag called `uiAccess`. When set, it allows a process to bypass critical User Interface Privacy Isolation (UIPI) restrictions. UIPI normally acts as a barrier, preventing a low-privilege app from manipulating the windows of a high-privilege one, like an administrator prompt. Attackers found they could abuse this `uiAccess` privilege. By crafting a malicious process with this flag, they could send commands directly to secure administrator windows. This allowed them to simulate clicks, input commands, and effectively hijack the elevated process from a lower privilege level. The impact is severe. It could enable a piece of malware running as a standard user to silently elevate its own privileges to administrator or even SYSTEM level. All without triggering the usual User Account Control (UAC) consent prompt that users see and trust. Fortunately, all nine bypasses have now been patched by Microsoft. The fix involved a significant overhaul, completely removing the shared user profile that allowed these UI Access exploits to work. Administrator processes now run in a truly isolated environment. For users and admins, ensuring your Windows systems are fully updated is the primary mitigation. This patch is a mandatory one. The bigger takeaway is a lesson in defense-in-depth: no single security boundary is perfect. This incident underscores why rigorous, adversarial testing during development is crucial. It also shows that old architectural decisions can haunt new security features. While the immediate holes are plugged, it reminds us that the walls around our most privileged processes need constant scrutiny.