A sophisticated campaign that pre-installs malware onto budget Android smartphones, targeting cryptocurrency users through a technique known as “clipping,” has been discovered by Doctor Web’s virus lab. Its findings reveal that malefactors have embedded a trojanized version of WhatsApp directly into the system partition of newly manufactured devices, exposing users to stealthy financial theft from the moment they activate their phones. Starting in June 2024, Dr Web began receiving reports from users who installed its Security Space antivirus on new Android devices. Investigations confirmed that these phones — usually sold under names resembling popular brands like “S23 Ultra,” “Note 13…
Kirsten Doyle
Towards the end of March, OpenAI debuted image generation features for its ChatGPT-4o and ChatGPT-4o mini models. Less than a week later, the tool was made available for free to all users, and since then, users have reported that the feature can be used to create convincing fake documents—including receipts and passports. According to the 2025 Cato CTRL Threat Report, generative AI (GenAI) tools like ChatGPT are lowering the barrier to entry for malicious actors. The report highlights the growing threat of so-called “zero-knowledge threat actors”—people with no technical expertise who are now able to carry out advanced fraud using…
The Office of the Comptroller of the Currency (OCC) has alerted Congress to a “major information security incident” following unauthorized access to its email systems, including messages containing sensitive financial data. The breach was discovered on 11 February 2025, and confirmed the following day. According to the OCC, the incident involved unusual activity by a system administrator account accessing user mailboxes without authorization. Once detected, the OCC shut down the compromised accounts and activated its incident response protocols. The breach was reported to the Cybersecurity and Infrastructure Security Agency and publicly disclosed on 26 February. The investigation, involving internal teams…
APT29—also known as “Cozy Bear,” a notorious threat actor linked to Russia’s Foreign Intelligence Service (SVR)—has launched a new phishing campaign aimed at European diplomatic missions. This was revealed in a new report from Check Point Research. This latest campaign marks a continuation of the group’s long-running cyber espionage activities, with signs of both increased sophistication and strategic targeting. Phishing Lures Masquerade as Diplomatic Event Invitations The phishing attacks, which started in January this year, use cunning email lures pretending to be invitations to exclusive diplomatic events. One example included an invitation to a wine-tasting evening, purportedly sent by a…
In a bold and unconventional move, cybersecurity intelligence firm Prodaft has debuted a new initiative called “Sell Your Source” (SYS) aimed at acquiring aged, verified accounts from underground hacking forums. The goal is to gain covert access to adversarial networks and uncover malicious operations from within. Through this initiative, Prodaft is offering to buy accounts created before December 2022—as long as they haven’t been used for cybercrime or unethical activity. These accounts, once vetted and verified, will serve as human intelligence (HUMINT) assets for the firm’s threat intelligence efforts. “We want to ensure our coverage does not hit any limitations,”…
Fortinet discovered a new technique used by threat actors to maintain access to FortiGate devices, even after known vulnerabilities were patched. The company has since taken action to notify affected customers and provide mitigation guidance. What Happened? Fortinet’s internal security team found that malicious actors were exploiting known vulnerabilities—specifically FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015—to gain access to devices. While targeting unpatched systems is not new, Fortinet observed a novel post-exploitation method that allowed bad actors to maintain read-only access to FortiGate systems even once the initial vulnerabilities were addressed. The attackers created a symbolic link—a kind of shortcut—that connected the user…
The U.S. remained the top target for Initial Access Brokers (IABs), with 31% of all access listings aimed at American entities. But in 2024, Brazil (7%) and France (5%) have emerged as fast-rising targets. Analysts believe this shift could be due to expanding digital infrastructure and relatively weaker cybersecurity defenses in these countries. This was revealed in a new report compiled by Cyberint, a Check Point company. Initial Access Brokers (IABs) are threat actors who specialize in breaking into networks, systems, or organizations and then selling that access to other malicious actors on underground forums. Rather than carrying out full-scale…
Authorities across North America and Europe have launched a coordinated enforcement action against users of the Smokeloader botnet, marking a significant development in the ongoing Operation Endgame. The latest actions follow the major takedown of five key malware droppers in May 2024—IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee—under the operation codenamed Operation Endgame. This operation disrupted large-scale malware distribution infrastructure and targeted the operators behind these services. Earlier this year, law enforcement focused on the customers of the pay-per-install Smokeloader botnet, which was operated by a threat actor dubbed ‘Superstar’. These customers used the service to gain unauthorized access to victims’…
A notorious Russian-linked cyber espionage group dubbed Shuckworm has intensified its operations in Ukraine by targeting the military mission of a Western country based in the region. This latest campaign, which ran from late February through March 2025, demonstrates a concerning evolution in the group’s methods and a renewed focus on military intelligence gathering. Shuckworm, also known as Gamaredon or Armageddon, has been active since 2013 and is believed to be closely tied to Russia’s Federal Security Service (FSB). The group has consistently focused its attacks on the Ukrainian government and defense sectors. However, its latest campaign is targeting a…
Following over a year of work on the agreement, twenty-one nations signed The Pall Mall Process in Paris to govern the use of spyware. The Pall Mall Process is an international, multi-stakeholder initiative aimed at identifying and implementing political commitments to counter the proliferation and irresponsible use of commercially available cyber intrusion capabilities—which often manifest as cyber mercenary activity. On 3 and 4 April 2025, France and the UK co-hosted the second Pall Mall Process conference in Paris. The event brought 45 States, international organizations, and a broad coalition of private sector actors, civil society representatives, and researchers together. During…
