Russian GRU Unit 29155 is best known for its long list of murder and sabotage ops, which include the Salisbury poisonings in England, arms depot explosions in Czechia, and an attempted coup d’etat in Montenegro. But its activities in cyberspace remained in the shadows — until now. After reviewing a trove of hidden data, The Insider can report that the Kremlin’s most notorious black ops squad also fielded a team of hackers — one that attempted to destabilize Ukraine in the months before Russia’s full-scale invasion.
For members of Russia’s most notorious black ops unit, they look like children. Even their photographs on the FBI’s “wanted” poster show a group of spies born around the time Vladimir Putin came to power in Russia. But then, hacking is a young man’s business.
In August 2024, the U.S. Justice Department indicted Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, Nikolay Korchagin, Amin Stigal and Yuriy Denisov for conducting “large-scale cyber operations to harm computer systems in Ukraine prior to the 2022 Russian invasion,” using malware to wipe data from systems connected to Ukraine’s critical infrastructure, emergency services, even its agricultural industry, and masking their efforts as plausibly deniable acts of “ransomware” – digital blackmail. Their campaign was codenamed “WhisperGate.”
The hackers posted the personal medical data, criminal records, and car registrations of untold numbers of Ukrainians. The hackers also probed computer networks “associated with twenty-six NATO member countries, searching for potential vulnerabilities” and, in October 2022, gained unauthorized access to computers linked to Poland’s transportation sector, which was vital for the inflow and outflow of millions of Ukrainians – and for the transfer of crucial Western weapons systems to Kyiv.
More newsworthy than the superseding indictment of this sextet of hackers was the organization they worked for: Unit 29155 of Russia’s Main Intelligence Directorate of the General Staff, or GRU. In the past decade and a half, this elite team of operatives has been responsible for the Novichok poisonings of Russian ex-spy Sergei Skripal and Bulgarian arms manufacturer Emilian Gebrev, an abortive coup in Montenegro, and a series of explosions of arms and ammunition depots in Bulgaria and Czechia.
Unit 29155 is Russia’s kill and sabotage squad. But now they were being implicated for the first time as state hackers. Moreover, the U.S. government made a compelling case that Unit 29155 was engaged in cyber attacks designed to destabilize Ukraine in advance of Russian tanks and soldiers stealing across the border – if this were true, it would mean that at least one formidable arm of Russian military intelligence knew about a war that other Russian special services were famously kept in the dark about. This hypothesis is consistent with prior findings by The Insider showing that members of 29155 were deployed into Ukraine a few days before the full-scale invasion.
Note: Google Chrome communicated its removal of default trust of Chunghwa Telecom and Netlock in the public forum on May 30, 2025.
The Chrome Root Program Policy states that Certification Authority (CA) certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.
Chrome's confidence in the reliability of Chunghwa Telecom and Netlock as CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year. These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome. To safeguard Chrome’s users, and preserve the integrity of the Chrome Root Store, we are taking the following action.
Upcoming change in Chrome 139 and higher:
Transport Layer Security (TLS) server authentication certificates validating to the following root CA certificates whose earliest Signed Certificate Timestamp (SCT) is dated after July 31, 2025 11:59:59 PM UTC, will no longer be trusted by default.
OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co., Ltd.,C=TW
CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co., Ltd.,C=TW
CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
TLS server authentication certificates validating to the above set of roots whose earliest SCT is on or before July 31, 2025 11:59:59 PM UTC, will be unaffected by this change.
This approach attempts to minimize disruption to existing subscribers using a previously announced Chrome feature to remove default trust based on the SCTs in certificates.
Key Findings:
On May 21, 2025, Europol, FBI, and Microsoft, in collaboration with other public and private sector partners, announced an operation to dismantle the activity of the Lumma infostealer. The malware, considered to be one of the most prolific infostealers, is distributed through a malware-as-a-service model. In addition to its use by common cyber criminals for stealing credentials, Lumma was observed to be part of the arsenal of several prominent threat actor groups, including Scattered Spider, Angry Likho, and CoralRaider.
The Takedown on the Dark Web
According to the reports, the takedown operation began on May 15. On that day, Lumma customers flooded dark web forums that advertise the stealer, complaining they were unable to access the malware’s command and control (C2) servers and management dashboards.
Lovable is accused of failing to fix security flaws that exposed information about users, a growing vulnerability as vibe coding’s popularity surges.
Lovable, the popular vibe coding app that describes itself as the fastest-growing company in Europe, has failed to fix a critical security flaw, despite being notified about it months ago, according to a new report by an employee at a competitor.
The service offered by Lovable, a Swedish startup that bills its product as “the last piece of software,” allows customers without any technical training to instantly create websites and apps using only natural language prompts.
The employee at AI coding assistant company Replit who wrote the report, reviewed by Semafor, says he and a colleague scanned 1,645 Lovable-created web apps that were featured on the company’s site. Of those, 170 allowed anyone to access information about the site’s users, including names, email addresses, financial information and secret API keys for AI services that would allow would-be hackers to run up charges billed to Lovable’s customers.
The vulnerability, which was made public on the National Vulnerabilities Database on Thursday, highlights a growing security problem as artificial intelligence allows anyone to become a software developer. Each new app or website created by novices is a potential sitting duck for hackers with automated tools that target everything connected to the internet. The advent of amateur vibe coding raises new questions about who is responsible for securing consumer products in an era where developers with zero security know-how can build them.
Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does.
During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector:
The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts:
nginx: Trojan.Linux.Agent.gen;
Dero crypto miner: RiskTool.Linux.Miner.gen.
nginx: the propagation malware
This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.
The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”.
After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.
he Czech Republic on Wednesday accused China of being responsible for a "malicious cyber campaign" targeting a network used for unclassified communication at its Foreign Affairs ministry, but China rejected the accusations.
China's embassy in Prague called on the Czech side to end its "microphone diplomacy".
The attacks started during the country's 2022 EU presidency and were perpetrated by the cyber espionage group APT31, the Czech government said in a statement. The Czech Republic, an EU state and NATO member, said APT31 was publicly associated with the Chinese Ministry of State Security.
Foreign Minister Jan Lipavsky said that after the attack was detected, the ministry implemented a new communications system with enhanced security in 2024.
"I summoned the Chinese ambassador to make clear that such hostile actions have serious consequences for our bilateral relations," he said.
Lipavsky said the attacks centered on email and other documents and focused on information concerning Asia.
"The Government of the Czech Republic strongly condemns this malicious cyber campaign against its critical infrastructure," the government said in its statement.
China's embassy in the Czech Republic expressed "strong concern and decisive disagreement" with the Czech accusations.
Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.
Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
Earth Lamia has primarily targeted organizations in Brazil, India, and Southeast Asia since 2023. Initially focused on financial services, the group shifted to logistics and online retail, most recently focusing on IT companies, universities, and government organizations.
Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One also provides hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Earth Lamia.
Introduction
We have been tracking an active intrusion set that primarily targets organizations located in countries including Brazil, India, and Southeast Asia since 2023. The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations. The actor also takes advantage of various known vulnerabilities to exploit public-facing servers. Research reports have also mentioned their aggressive operations, including REF0657, STAC6451, and CL-STA-0048. Evidence we collected during our research indicates this group is a China-nexus intrusion set, which we now track as Earth Lamia.
Earth Lamia is highly active, but our observation found that its targets have shifted over different time periods. They targeted many organizations but focused only on a few specific industries during each time period. In early 2024 and prior, we observed that most of their targets were organizations within the financial industry, specifically related to securities and brokerage. In the second half of 2024, they shifted their targets to organizations mainly in the logistics and online retail industries. Recently, we noticed that their targets have shifted again to IT companies, universities, and government organizations.
Map of targeted countries
Figure 1. Map of targeted countries
download
Earth Lamia continuously develops customized hacking tools and backdoors to improve their operations. While the actor highly leverages open-source hacking tools to conduct their attacks, they also customized these hacking tools to reduce the risk of being detected by security software. We also discovered they have developed a previously unseen backdoor, which we named PULSEPACK. The first version of PULSEPACK was identified in Earth Lamia's attacks during August 2024. In 2025, we found an upgraded version of PULSEPACK, which uses a different protocol for C&C communication, showing they are actively developing this backdoor. In this report, we will reveal the details of Earth Lamia’s operations and share the analysis of their customized hacking tools and backdoors.
Initial access and post-exploitation TTPs
We found that Earth Lamia frequently conducted vulnerability scans to identify possible SQL injection vulnerabilities on the targets' websites. With an identified vulnerability, the actor tried to open a system shell through it to gain remote access to the victims' SQL servers. We suspect they are likely using tools like "sqlmap" to carry out these attacks against their targets. Besides the SQL injection attempts, our telemetry shows the actor also exploited the following vulnerabilities on different public-facing servers:
CVE-2017-9805: Apache Struts2 remote code execution vulnerability
CVE-2021-22205: GitLab remote code execution vulnerability
CVE-2024-9047: WordPress File Upload plugin arbitrary file access vulnerability
CVE-2024-27198: JetBrains TeamCity authentication bypass vulnerability
CVE-2024-27199: JetBrains TeamCity path traversal vulnerability
CVE-2024-51378: CyberPanel remote code execution vulnerability
CVE-2024-51567: CyberPanel remote code execution vulnerability
CVE-2024-56145: Craft CMS remote code execution vulnerability
organizations.
Victoria’s Secret hit by outages as it battles security incident
Fashion retail giant Victoria’s Secret said it is addressing a “security incident,” as its website and online orders face ongoing disruption.
Victoria’s Secret posted the brief statement on its website Wednesday. The company’s outages began earlier on Monday, as users have reported not being able to access the Victoria’s Secret website.
“We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution,” a spokesperson for Victoria’s Secret said in response to TechCrunch’s inquiries. The spokesperson did not provide their name nor describe the nature of the cybersecurity incident.
“We are working to quickly and securely restore operations,” the spokesperson said. The company said its stores remain open.
Victoria’s Secret closed down 7% on the news of the security incident.
Executive Summary:
Censys has been tracking this botnet’s global footprint in partnership with findings from both GreyNoise and Sekoia researchers.
To aid in ongoing tracking and research, we’ve launched a live dashboard that tracks exposed ASUS routers showing indicators of AyySSHush compromise. The data updates daily and provides real-time insight into global trends.
CYFIRMA’s research team discovered Lyrix Ransomware while monitoring underground forums as part of our Threat Discovery Process. Developed in Python and compiled with PyInstaller — allowing it to run as a standalone executable with all dependencies—Lyrix targets Windows systems using strong encryption and appends a unique file extension to encrypted files. Its advanced evasion techniques and persistence mechanisms make it challenging to detect and remove. This discovery underscores the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data and reduce the risk of breaches.
Target Technologies Windows Operating System
Written In Python
Encrypted file extension Original file names appended with ‘.02dq34jROu’ extension
Observed First 2025-04-20
Problem Statement
Lyrix Ransomware targets Windows operating systems using advanced evasion and anti-analysis techniques to reduce the likelihood of detection. Its tactics include obfuscating malicious behavior, bypassing rule-based detection systems, employing strong encryption, issuing ransom demands, and threatening to leak stolen data on underground forums.
Lyrix Ransomware
Basic Details
Filename Encryptor.exe
Size 20.43 MB
Signed Not signed
File Type Win32 EXE
Timestamp Sun Apr 20 09:04:34 2025 (UTC)
SHA 256 Hash fcfa43ecb55ba6a46d8351257a491025022f85e9ae9d5e93d945073f612c877b
Defence Secretary announces new Cyber and Eletromagnetic Command and £1 billion investment in pioneering battlefield system.
Defence Secretary John Healey personnel at MoD Corsham. MoD Crown Copyright.
More than £1 billion to be invested in pioneering ‘Digital Targeting Web’ to spearhead battlefield engagements, applying lessons learnt from Ukraine to the UK Armed Forces.
New Cyber and Electromagnetic Command will oversee cyber operations for Defence as careers pathway accelerated.
Innovation delivers on the Government’s Plan for Change by bolstering national security and creating skilled jobs.
Pinpointing and eliminating enemy targets will take place faster than ever before, as the Government invests more than £1 billion to equip the UK Armed Forces with a pioneering battlefield system.
A new Cyber and Electromagnetic Command will also be established to put the UK at the forefront of cyber operations as part of the Strategic Defence Review (SDR). The announcements were made by Defence Secretary, John Healey MP on a visit to MOD Corsham, the UK military’s cyber HQ.
The Ministry of Defence will develop a new Digital Targeting Web to better connect Armed Forces weapons systems and allow battlefield decisions for targeting enemy threats to be made and executed faster.
This pioneering digital capability will give the UK a decisive advantage through greater integration across domains, new AI and software, and better communication between our Armed Forces. As an example, a threat could be identified by a sensor on a ship or in space before being disabled by an F-35 aircraft, drone, or offensive cyber operation.
This follows the Prime Minister’s historic commitment to increase defence spending to 2.5% of GDP, recognising the critical importance of military readiness in an era of heightened global uncertainty.
Delivering this new Digital Targeting Web is central to UK efforts to learn lessons directly from the front line in Ukraine. When the Ukrainians achieved a step-change in lethality early in the war – by being able to find the enemy, target them and attack quickly and at scale - it allowed them to stop the encircling Russian advance.
The Ministry of Defence will establish a Cyber and Electromagnetic Command. It will sit under General Sir James Hockenhull’s Command and follows the MOD having to protect UK military networks against more than 90,000 ‘sub-threshold’ attacks in the last two years. The Command will lead defensive cyber operations and coordinate offensive cyber capabilities with the National Cyber Force.
The new Command will also harness all the Armed Forces’ expertise in electromagnetic warfare, helping them to seize and hold the initiative in a high-tempo race for military advantage - for example, through degrading command and control, jamming signals to drones or missiles and intercepting an adversary’s communications.
UPDATE 2 (7:41 PM UTC): Access to consoles has been restored for all customers following today’s platform outage and service interruption. We continue to validate that all services are fully operational.
UPDATE 1 (6:10 PM UTC): Services are actively being restored and consoles are coming online.
On May 29, 2025, SentinelOne experienced an outage that is impacting commercial customer consoles. The following message has been sent to all customers and partners. Communications are being updated real-time in our support portal and will be updated here as necessary.
We are aware of ongoing console outages affecting commercial customers globally and are currently restoring services. Customer endpoints are still protected at this time, but managed response services will not have visibility. Threat data reporting is delayed, not lost. Our initial RCA suggests this is not a security incident. We apologize for the inconvenience and appreciate your patience as we work to resolve the issue.
ConnectWise did not disclose information about when the data breach occurred, as well as the number of MSPs or end users impacted by the breach.
‘ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,’ ConnectWise said in a statement.
ConnectWise has confirmed it suffered a recent cyberattack that led to unauthorized access of its ScreenConnect cloud infrastructure.
“ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,” the Tampa, Fla.-based vendor said in a statement. “We have launched an investigation with one of the leading forensic experts, Mandiant. We have communicated with all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment. We have not observed any further suspicious activity in any customer instances. The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.”
No further signs of malicious activity have been detected since the update was applied, a source familiar with the situation, who asked for anonymity, told CRN.
According to MITRE, Browser-in-the-Middle (BitM) is an attack where “an adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim’s browser to the adversary’s system.” This attack has been used by many attackers to trick victims into unknowingly entering credentials and providing sensitive information on an attacker controlled window. The attack was first disclosed in a paper by researchers from the University of Salento in 2021, and we have seen many cases of BitM being used in the wild since then.
However, one key flaw of the BitM attack is that it still requires the victim to land on a malicious site and perform an action to open up the noVNC pop-up window. As the parent window still has a malicious URL in its address bar, this will likely raise suspicion among more security aware users at the point of credential entry.
SquareX’s research team has observed multiple instances of the browser’s FullScreen API being exploited to address this flaw by displaying a fullscreen BitM window that covers the parent window’s address bar, as well as a limitation specific to Safari browsers that makes fullscreen BitM attacks especially convincing. The article below will recap how BitM attacks work, explore the Fullscreen API requirements and why Safari browsers are particularly vulnerable to fullscreen BitM attacks.
Traditional Browser-in-the-Middle (BitM) Attacks
To illustrate how a typical BitM attack works, we will use a real attack that targeted Counter-Strike 2 gamers. Incentivized by cryptocurrency and skin giveaways, victims were tricked into entering their Steam credentials. These compromised accounts were then sold on the black market for up to $300,000. Here is how it works:
Note: The case study below actually used the Browser-in-the-Browser (BitB) technique, where instead of using remote desktop, the attackers uses HTML, CSS and JavaScript most commonly to mimic login pop-ups of popular SaaS or Single Sign-On (SSO) services. We chose this example as it is a well documented attack and because the social engineering and principles behind this attack can also be used in BitM attacks.
Detailed blueprints of Russia’s modernized nuclear weapon sites, including missile silos, were found leaking in public procurement database.
Russia is modernizing its nuclear weapon sites, including underground missile silos and support infrastructure. Data, including building plans, diagrams, equipment, and other schematics, is accessible to anyone in the public procurement database.
Journalists from Danwatch and Der Spiegel scraped and analyzed over two million documents from the public procurement database, which exposed Russian nuclear facilities, including their layout, in great detail. The investigation unveils that European companies participate in modernizing them.
According to the exclusive Der Spiegel report, Russian procurement documents expose some of the world’s most secret construction sites.
“It even contains floor plans and infrastructure details for nuclear weapons silos,” the report reads.
German building materials and construction system giant Knauf and numerous other European companies were found to be indirectly supplying the modernization through small local companies and subsidiaries.
Knauf condemned the Russian invasion of Ukraine and announced its intention to withdraw from its Russian business in 2024. Knauf told Der Spiegel that it only trades with independent dealers and cannot control who ultimately uses its materials in Russia.
Danwatch jointly reports that “hundreds of detailed blueprints” of Russian nuclear facilities, exposed in procurement databases, make them vulnerable to attacks.
“An enormous Russian security breach has exposed the innermost parts of Russia’s nuclear modernization,” the article reads.
“It’s completely unprecedented.”
The journalists used proxy servers in Russia, Kazakhstan, and Belarus to circumvent network restrictions and access the documents. The rich multimedia in the report details the inner structure of bunkers and missile silos.
Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user’s entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp–meaning millions of users may have already granted these apps access to their OneDrive. This flaw could have severe consequences, including customer data leakage and violation of compliance regulations.
Upon discovery, Oasis reported the flaw to Microsoft and advised vendors using OneDrive File Picker of the issue. In response, Microsoft is considering future improvements, including more precise alignment between what OneDrive File Picker does and the access it requires.
Below are details of the flaw and mitigation strategies. You can read the Oasis Security Research team’s full report here.
The Flaws
Excessive Permissions in the OneDrive File Picker
The official OneDrive File Picker implementation requests read access to the entire drive – even when uploading just a single file – due to the lack of fine-grained OAuth scopes for OneDrive.
While users are prompted to provide consent before completing an upload, the prompt’s vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks.
The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option.
Insecure Storage of Sensitive Secrets
Sensitive secrets used for this access are often stored insecurely by default.
The latest version of OneDrive File Picker (8.0) requires developers to take care of the authentication themselves, typically using the Microsoft Authentication Library (MSAL) and most likely using the Authorization Flow.
Security risks ensue:
MSAL stores sensitive Tokens in the browser’s session storage in plain text.
With Authorization Flows a Refresh Token may also be issued, which lengthens the access period, providing ongoing access to the user's data.
Notably, OpenAI uses version 8.0.
Mitigation Steps
The lack of fine-grained OAuth scopes combined with Microsoft’s vague user prompt is a dangerous combination that puts both personal and enterprise users at risk. Oasis Security recommends that individuals and technology leaders review the third-party access they’ve granted to their account to mitigate the potential risks raised by these issues.
Check Whether or Not You’ve Previously Granted Access to a Vendor
How to for Private Accounts
Log in to your Microsoft Account.
In the left or top pane, click on "Privacy".
Under "App Access", select the list of apps that have access to your account.
Review the list of apps, and for each app, click on “Details” to view the specific scopes and permissions granted.
You can “Stop Sharing” at any time. Consider that an Access Token takes about an hour to expire regardless of when you clicked stopped sharing. This would however revoke a Refresh Token if present.
A LinkedIn message drew a former waitress in Minnesota into a type of intricate scam involving illegal paychecks and stolen data
Christina Chapman looked the part of an everyday American trying to make a name for herself in hustle culture.
In prolific posts on her TikTok account, which grew to more than 100,000 followers, she talked about her busy life working from home with clients in the computer business and the fantasy book she had started writing. She posted about liberal political causes, her meals and her travels to see her favorite Japanese pop band.
Yet in reality the 50-year-old was the operator of a “laptop farm,” filling her home with computers that allowed North Koreans to take jobs as U.S. tech workers and illegally collect $17.1 million in paychecks from more than 300 American companies, according to federal prosecutors.
In a June 2023 video, she said she didn’t have time to make her own breakfast that morning—“my clients are going crazy,” she said. Then she describes the açaí bowl and piña colada smoothie she bought. As she talks, at least 10 open laptops are visible on the racks behind her, their fans audibly whirring, with more off to the side.
In 2023, Christina Chapman posted a TikTok that had racks of laptops visible in the background. The Wall Street Journal highlighted the laptops in this clip of the video.
Chapman was one of an estimated several dozen “laptop farmers” that have popped up across the U.S. as part of a scam to infiltrate American companies and earn money for cash-strapped North Korea. People like Chapman typically operate dozens of laptops meant to be used by legitimate remote workers living in the U.S.
What the employers—and often the farmers themselves—don’t realize is that the workers are North Koreans living abroad but using stolen U.S. identities. Once they get a job, they coordinate with someone like Chapman who can provide some American cover—accepting deliveries of the computer, setting up the online connections and helping facilitate paychecks. Meanwhile the North Koreans log into the laptops from overseas every day through remote-access software.
Chapman fell into her role after she got a request on LinkedIn to “be the U.S. face” for a company that got jobs for overseas IT workers, according to court documents. There’s no indication that she knew she was working with North Koreans.
Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
Sophos MDR recently responded to a targeted attack involving a Managed Service Provider (MSP). In this incident, a threat actor gained access to the MSP’s remote monitoring and management (RMM) tool, SimpleHelp, and then used it to deploy DragonForce ransomware across multiple endpoints. The attackers also exfiltrated sensitive data, leveraging a double extortion tactic to pressure victims into paying the ransom.
Sophos MDR has medium confidence the threat actor exploited a chain of vulnerabilities that were released in January 2025:
CVE-2024-57727: Multiple path traversal vulnerabilities
CVE-2024-57728: Arbitrary file upload vulnerability
CVE-2024-57726: Privilege escalation vulnerability
DragonForce
DragonForce ransomware is an advanced and competitive ransomware-as-a-service (RaaS) brand that first emerged in mid-2023. As discussed in recent research from Sophos Counter Threat Unit (CTU), DragonForce began efforts in March to rebrand itself as a “cartel” and shift to a distributed affiliate branding model.
Coinciding with this effort to appeal to a wider range of affiliates, DragonForce recently garnered attention in the threat landscape for claiming to “take over” the infrastructure of RansomHub. Reports also suggest that well-known ransomware affiliates, including Scattered Spider (UNC3944) who was formerly a RansomHub affiliate, have been using DragonForce in attacks targeting multiple large retail chains in the UK and the US.
The incident
Sophos MDR was alerted to the incident by detection of a suspicious installation of a SimpleHelp installer file. The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients. The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.
One client of the MSP was enrolled with Sophos MDR and had Sophos XDR endpoint protection deployed. Through a combination of behavioral and malware detection and blocking by Sophos endpoint protection and MDR actions to shut down attacker access to the network, thwarting the ransomware and double extortion attempt on that customer’s network. However, the MSP and clients that were not using Sophos MDR were impacted by both the ransomware and data exfiltration. The MSP engaged Sophos Rapid Response to provide digital forensics and incident response on their environment.
The Central Criminal Police and the Office of the Prosecutor General have initiated an international search for a Moroccan citizen suspected of last year unlawfully accessing and downloading data from a customer card system managed by Allium UPI.
Allium UPI is the parent company of the Apotheka pharmacy chain.
Based on evidence collected in the criminal proceedings, 25-year-old Moroccan citizen Adrar Khalid is suspected of illegally downloading data from the Allium UPI database, in February 2024.
Reemo Salupõld, head of the investigation group at the Central Criminal Police's cybercrime bureau, said there is reason to suspect that Khalid gained access to the database by logging in with an account that came with administrator privileges. How the suspect came to obtain the password for that account is still under investigation.
Salupõld said: "Regardless of how long and complex a password is, this case clearly shows that this is no longer sufficient on its own today. Cybercriminals are finding increasingly ingenious ways to access accounts, which is why we recommend everyone use two-factor authentication – this adds an extra layer of protection that can be crucial if a password does get leaked or ends up in the wrong hands."
