Multiple vendors were hacked in a coordinated supply chain attack, Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago, but came to life this week as attackers took full control of ecommerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software.
Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022.
Vendor Package
Tigren Ajaxsuite
Tigren Ajaxcart
Tigren Ajaxlogin
Tigren Ajaxcompare
Tigren Ajaxwishlist
Tigren MultiCOD
Meetanshi ImageClean
Meetanshi CookieNotice
Meetanshi Flatshipping
Meetanshi FacebookChat
Meetanshi CurrencySwitcher
Meetanshi DeferJS
MGS Lookbook
MGS StoreLocator
MGS Brand
MGS GDPR
MGS Portfolio
MGS Popup
MGS DeliveryTime
MGS ProductTabs
MGS Blog
We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers.
This hack is called a Supply Chain Attack, which is one of the worst types. By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores.
We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.
Research into a global phishing-as-a-service operation will take you through:
Hundreds of thousands of victims spanning the globe
A glimpse into the lifestyle of the operators
Technical insight into the phishing toolkit
The backend of a phishing threat actor operating at scale
The scam industry has seen explosive growth over the past several years. The types of scams and methods used are constantly evolving as scammers adapt their techniques to continue their activities. They often capitalise on new technologies and target areas where our societies have yet to build mechanisms to protect themselves.
This story begins in December 2023 when people all over the world – including a large portion of the Norwegian population - started to receive text messages about packages waiting for them at the post office. The messages would come in the form of an SMS, iMessage or RCS message. What we were witnessing was the rise of a scam technique known as smishing or SMS phishing.
Such messages have one thing in common: they impersonate a brand that we trust to create a credible context for soliciting some kind of personal information, thus tricking us into willfully giving away our information.
Some scams are easier to spot than others. Spelling errors, poor translations, strange numbers or links to sketchy domains often give them away. But even tell-tale signs can be easy to miss on a busy day. When a large number of people are targeted, some will be expecting a package. And the tactic is obviously working. If it wasn’t worth their while, the scammers wouldn’t have invested so much time, money and effort.
StealC V2 enhances information stealing, introduces RC4 encryption, and provides a new control panel for more targeted payloads.
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials.
This blog post focuses on the recent changes in StealC V2, describing the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.
Key Takeaways
Kandji researchers uncovered and disclosed key macOS vulnerabilities over the past year. Learn how we protect customers through detection and patching.
When we discover weaknesses before attackers do, everyone wins. History has shown that vulnerabilities like Gatekeeper bypass and TCC bypass zero-days don't remain theoretical for long—both of these recent vulnerabilities were exploited in the wild by macOS malware. By investing heavily in new security research, we're helping strengthen macOS for everyone.
Once reported to Apple, the fix for these vulnerabilities is not always obvious. Depending on the complexity, it can take a few months to over a year, especially if it requires major architectural changes to the operating system. Apple’s vulnerability disclosure program has been responsive and effective.
Of course, we don't just report issues and walk away. We ensure our products can detect these vulnerabilities and protect our customers from potential exploitation while waiting for official patches.
TeleMessage, a company that makes a modified version of Signal that archives messages for government agencies, was hacked.
A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages, 404 Media has learned. The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. TeleMessage was recently the center of a wave of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump.
The hack shows that an app gathering messages of the highest ranking officials in the government—Waltz’s chats on the app include recipients that appear to be Marco Rubio, Tulsi Gabbard, and JD Vance—contained serious vulnerabilities that allowed a hacker to trivially access the archived chats of some people who used the same tool. The hacker has not obtained the messages of cabinet members, Waltz, and people he spoke to, but the hack shows that the archived chat logs are not end-to-end encrypted between the modified version of the messaging app and the ultimate archive destination controlled by the TeleMessage customer.
MCP tools are implicated in several new attack techniques. Here's a look at how they can be manipulated for good, such as logging tool usage and filtering unauthorized commands.
Over the last few months, there has been a lot of activity in the Model Context Protocol (MCP) space, both in terms of adoption as well as security. Developed by Anthropic, MCP has been rapidly gaining traction across the AI ecosystem. MCP allows Large Language Models (LLMs) to interface with tools and for those interfaces to be rapidly created. MCP tools allow for the rapid development of “agentic” systems, or AI systems that autonomously perform tasks.
Beyond adoption, new attack techniques have been shown to allow prompt injection via MCP tool descriptions and responses, MCP tool poisoning, rug pulls and more.
Prompt Injection is a weakness in LLMs that can be used to elicit unintended behavior, circumvent safeguards and produce potentially malicious responses. Prompt injection occurs when an attacker instructs the LLM to disregard other rules and do the attacker’s bidding. In this blog, I show how to use techniques similar to prompt injection to change the LLM’s interaction with MCP tools. Anyone conducting MCP research may find these techniques useful.
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.
La France condamne avec la plus grande fermeté le recours par le service de renseignement militaire russe (GRU) au mode opératoire d’attaque APT28, à l’origine de plusieurs cyber-attaques contre des intérêts français.
Depuis 2021, ce mode opératoire d’attaque (MOA) a été utilisé dans le ciblage ou la compromission d’une dizaine d’entités françaises. Ces entités sont des acteurs de la vie des Français : services publics, entreprises privées, ainsi qu’une organisation sportive liée à l’organisation des Jeux olympiques et paralympiques 2024. Par le passé, ce mode opératoire a également été utilisé par le GRU dans le sabotage de la chaîne de télévision TV5Monde en 2015, ainsi que dans la tentative de déstabilisation du processus électoral français en 2017.
APT28 est aussi employé pour exercer une pression constante sur les infrastructures ukrainiennes dans le contexte de la guerre d’agression menée par la Russie contre l’Ukraine, notamment lorsqu’il est opéré par l’unité 20728 du GRU. De nombreux partenaires européens ont également été visés par APT28 au cours des dernières années. À ce titre, l’UE a imposé des sanctions aux personnes et entités responsables des attaques menées à l’aide de ce mode opératoire.
Europol has launched a new Operational Taskforce (OTF) to tackle the rising trend of violence-as-a-service and the recruitment of young perpetrators into serious and organised crime. Known as OTF GRIMM, the Taskforce, led by Sweden, brings together law enforcement authorities from Belgium, Denmark, Finland, France, Germany, the Netherlands, and Norway, with Europol providing operational support, threat analysis and coordination.
The exploitation of young perpetrators to carry out criminal acts has emerged as a fast-evolving tactic used by organised crime. This trend was underlined in the European Union Serious and Organised Crime Threat Assessment 2025 (EU-SOCTA), which identified the deliberate use of youngsters as a way to avoid detection and prosecution.
Violence-as-a-service refers to the outsourcing of violent acts to criminal service providers — often involving the use of young perpetrators to carry out threats, assaults, or killings for a fee.
Investigations show that these acts are often orchestrated remotely, with young people recruited and instructed online. There is a clear demand from the criminal underworld for youngsters willing to carry out violent tasks — and a supply of vulnerable young people being groomed or coerced into doing so.
Verisource Services, an employee benefits administration service provider, has determined that a previously announced data breach was far worse than initially thought and has affected up to 4 million individuals. The Houston, Texas-based company detected a hacking incident on February 28, 2024, that disrupted access to some of its systems. Third-party cybersecurity and incident response experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity.
The forensic investigation confirmed hackers had access to its network and exfiltrated files on February 27, 2024. At the time of the initial announcement, Verisource Services said names, dates of birth, genders, and Social Security numbers had been stolen. The affected individuals included employees and dependents of clients who used its services, which include HR outsourcing, benefits enrollment, billing, and administrative services.
The data breach was initially reported as affecting 1,382 individuals, but as the investigation progressed, it became clear that the breach was worse than initially thought. In August 2024, the data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 112,726 individuals. The most recent notification to the Maine Attorney General indicates up to 4 million individuals have been affected, a sizeable increase from previous estimates. The OCR breach portal still lists the incident as affecting 112,726 patients and plan members of its HIPAA-regulated entity clients, although that total may well be updated in the coming days.
Verisource Services explained in the breach notice that the data review was not completed until April 17, 2025, almost 14 months after the security incident was detected. Verisource Services reported the security incident to the Federal Bureau of Investigation, and several additional security measures have been implemented to improve its security posture. Notification letters had previously been sent to some affected individuals; however, the bulk of the notification letters have only recently been mailed. Verisource Services said complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, who will also be protected with a $1,000,000 identity theft insurance policy.
Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack.
The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom.
In a statement shared with BleepingComputer, Hitachi Vantara confirmed the ransomware attack, saying it hired external cybersecurity experts to investigate the incident's impact and is now working on getting all affected systems online.
"On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.
"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.
"We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."
Following news of cyber incidents impacting UK retailers, the NCSC can confirm it is working with organisations affected.
NCSC CEO Dr Richard Horne said:
“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public.
“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.
“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”
April 28, 2025
HALIFAX, Nova Scotia--(BUSINESS WIRE)-- Emera Inc. and Nova Scotia Power today announced, on April 25, 2025 they discovered and are actively responding to a cybersecurity incident involving unauthorized access into certain parts of its Canadian network and servers supporting portions of its business applications.
Immediately following detection of the external threat, the companies activated their incident response and business continuity protocols, engaged leading third-party cybersecurity experts, and took actions to contain and isolate the affected servers and prevent further intrusion. Law enforcement officials have been notified.
There remains no disruption to any of our Canadian physical operations including at Nova Scotia Power’s generation, transmission and distribution facilities, the Maritime Link or the Brunswick Pipeline, and the incident has not impacted the utility’s ability to safely and reliably serve customers in Nova Scotia. There has been no impact to Emera’s U.S. or Caribbean utilities.
Emera will release its Q1 Financial Statements and Management Disclosure and Analysis on May 8, 2025, as planned. At this time, the incident is not expected to have a material impact on the financial performance of the business.
Our IT team is working diligently with cyber security experts to bring the affected portions of our IT system back online.
The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening.
The attacks on Marks and Spencer, Co-op and Harrods are linked. DragonForce’s lovely PR team claim more are to come.
Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$ as it’s a repeat of the 2022–2023 activity which saw breaches at Nvidia, Samsung, Rockstar and Microsoft amongst many others. More info below.
I am not saying it is Scatter Spider; Scattered Spider has become a dumping ground for e-crime groups anyway. The point is they — the threat actor — are entering using the front door, via the helpdesk to get MFA access — those are very good guides from defenders about what to do, links below.
Source: Cybersecurity and Infrastructure Security Agency
DragonForce is a white label cartel operation housing anybody who wants to do e-crime. Some of them are pretty good at e-crime.
While organisations are away at RSA thinking about quantum AI cyber mega threats — the harsh reality is most organisations do not have the foundations in place to do be worrying about those kind of things. Generative AI is porn for execs and growth investment — threat actors are very aware that now is the time to launch attacks, not with GenAI, but foundational issues. Because nobody is paying attention.
Once they get access, they are living off the land — using Teams, Office search to find documentation, the works. Forget APTs, now you have the real threat: Advanced Persistent Teenagers, who have realised the way to evade most large cyber programmes is to cosplay as employees. Last time this happened, the MET Police ended up arresting a few under-18 UK nationals causing incidents to largely drop off.
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service.
Jonathan Braley, director of cyber information sharing organization Food and Ag-ISAC, spoke at the RSA Conference on Thursday and warned of not only the increase in ransomware incidents but the continued lack of visibility into the full scope of the problem.
“A lot of it never gets reported, so a ransomware attack happens and we never get the full details,” he told Recorded Future News on the sidelines of the conference. “I wish companies would be more open in talking about it and sharing ‘Here's what they use, here's how we fixed it,’ so the rest of us can prevent that.”
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service. But Braley noted that even when they took out the attacks attributed to Clop, groups like RansomHub and Akira were still continuing to attack the food industry relentlessly.
The Food and Ag-ISAC obtained its numbers through a combination of open-source sites, dark web monitoring, member input and information sharing between National Council of ISAC members.
The industry saw 31 attacks in January and 35 in February before a dip to 18 attacks in March.
The 84 attacks seen from January to March were more than double the number seen in Q1 2024.
Another day, another edge device being targeted - it’s a typical Thursday!
In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. Over the last few months, our client base has fed us rumours of in-the-wild exploitation of SonicWall systems, and thus, this topic has had our attention for a while.
Specifically, today, we’re going to be analyzing and reproducing:
CVE-2024-38475 - Apache HTTP Pre-Authentication Arbitrary File Read
Discovered by Orange Tsai
Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a seperate CVE will not be assigned for SonicWall's usage of the vulnerable version.
This makes the situation confusing for those responding to CISA's KEV listing - CISA is referring to the two vulnerabilities in combination being used to attack SonicWall devices.
You can see this evidenced in SonicWall's updated PSIRT advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
CVE-2023-44221 - Post-Authentication Command Injection
Discovered by "Wenjie Zhong (H4lo) Webin lab of DBappSecurity Co., Ltd”
As of the day this research was published, CISA had added these vulnerabilities to the Known Exploited Vulnerabilities list.
Do you know the fun things about these posts? We can copy text from previous posts about edge devices:
Luxury department store is forced to shut some systems but website and shops continue to operate.
Harrods has been hit by a cyber-attack, just days after Marks & Spencer and the Co-op were targeted.
The luxury department store is understood to have been forced to shut down some systems, but said its website and all its stores, including the Knightsbridge flagship, H beauty and airport outlets, continued to operate. It is understood the retailer first realised it was being targeted earlier this week.
Harrods said in a statement: “We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.”
The retailer said it was not asking customers to take any action, indicating that it did not suspect data had been accessed. It added: “We will continue to provide updates as necessary.”
Recent Western government revelations about EvilCorp flesh out how Russian ransomware actors and the Russian government use each other to navigate a world they perceive as dangerous.
Note added April 30 2025:
Originally posted October 16, 2024 in a very different global geopolitical context, this analysis remains relevant today. Subsequent revelations, especially a set of leaked messages from the Black Basta group – a successor to the Conti group – reaffirm the complexity of relations between Russian ransomware actors and security officials. (The Natto Team discussed the value of leaks here). The Black Basta leaks show that group's members as:
Receiving Protection: Black Basta chief “Tramp” – who chose as his moniker the Russian version of the current US president’s name – boasted of receiving high-level help from Russian authorities after Armenian officials arrested him in June 2024.
But Still Vulnerable: Tramp speculated in July 2024 that someone from their circle had snitched on him, “tempted” by the rewards the US State Department has offered for information on Tramp. He also received tipoffs from criminal acquaintances and from “my law enforcement people,” telling him that Russian officials faced international pressure to crack down on Russian cybercriminals: “those who get paid by Interpol here will start making our lives hell.” In September 2024, Black Basta coder “YY” told Tramp that Russian officials had raided YY's home, impounded his car, and “marinated” him in custody for a time.
Under Pressure to Work for the Russian State: In a November 14 2022 chat, “Tramp” said, “I have guys in Lubyanka [FSB headquarters] and the GRU [military intelligence agency] – I have been “feeding” them for a long time. They only want to take people on to work for them. They won’t even talk about [prison] sentences or anything. You can go in to work every day at 8 am and leave at 6 pm, just like in a ‘white’ [legitimate] job.”
Tracking Geopolitics: In May 2024, after Black Basta paralyzed IT systems at US-based Ascension Healthcare, Black Basta ransom negotiator “Tinker” pondered the group's extortion strategy in light of US election-year politics. He mused that, if anyone died as a result of the group’s attack on a healthcare entity – particularly a Christian hospital system like Ascension – US citizens would demand that their government do whatever it took to induce Russia to crack down on the criminals. Tinker speculated that the Joe Biden administration might make serious concessions to Russia, such as reducing military aid to Ukraine, in return for Russia’s cracking down on the criminals. For the Natto Team’s own assessment of Russian-US “ransomware diplomacy,” see here and here.
It will be interesting to observe how Russian cybercriminals interpret recent developments in US-Russian relations.
Bitdefender researchers have uncovered a surge in subscription scams, both in scale and sophistication, spurred by a massive campaign involving hundreds of fraudulent websites.
Ledger has warned that scammers are mailing letters that appear to be from the company to users of its hardware wallets in an attempt to swipe crypto.
Scammers are mailing physical letters to the owners of Ledger crypto hardware wallets asking them to validate their private seed phrases in a bid to access the wallets to clean them out.
In an April 29 X post, tech commentator Jacob Canfield shared a scam letter sent to his home via post that appeared to be from Ledger claiming he needed to immediately perform a “critical security update” on his device.
The letter, which uses Ledger’s logo, business address, and a reference number to feign legitimacy, asks to scan a QR code and enter the wallet’s private recovery phrase under the guise of validating the device.