Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
The Go ecosystem, valued for its simplicity, transparency, and flexibility, has exploded in popularity. With over 2 million modules available, developers rely heavily on public repositories like GitHub. However, this openness is precisely what attackers exploit.
No Central Gatekeeping: Developers freely source modules directly from GitHub repositories, trusting the naming conventions implicitly.
Prime Target for Typosquatting: Minimal namespace validation enables attackers to masquerade malicious modules as popular libraries.
Introduction: The Silent Threat#
In April 2025, we detected an attack involving three malicious Go modules which employ similar obfuscation techniques:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Despite appearing legitimate, these modules contained highly obfuscated code designed to fetch and execute remote payloads. Socket’s scanners flagged the suspicious behaviors, leading us to a deeper investigation.
A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub.
The campaign was detected last month and relied on three malicious Go modules that included “highly obfuscated code” for retrieving remote payloads and executing them.
Complete disk destruction
The attack appears designed specifically for Linux-based servers and developer environments, as the destructive payload - a Bash script named done.sh, runs a ‘dd’ command for the file-wiping activity.
Furthermore, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux") before trying to execute.
An analysis from supply-chain security company Socket shows that the command overwrites with zeroes every byte of data, leading to irreversible data loss and system failure.
The target is the primary storage volume, /dev/sda, that holds critical system data, user files, databases, and configurations.
“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable” - Socket
The researchers discovered the attack in April and identified three Go modules on GitHub, that have since been removed from the platform:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a CMS used to manage and remotely control digital signage displays.
As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays. The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files.
This high-severity vulnerability had originally been made public by Samsung in August 2024 following responsible disclosure by security researchers, with no exploitation reported at the time. On April 30, 2025, a new research article was published along with technical details and a proof-of-concept (PoC) exploit. Exploitation was then observed within days of that publication.
Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability. Arctic Wolf will continue to monitor for malicious post-compromise activities related to this vulnerability, and will alert Managed Detection and Response customers as required when malicious activities are observed.
The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.
Security researchers warn that a popular open source tool maintained by Russian developers could pose significant risks to US national security.
Key Points:
The open source tool easyjson is linked to VK Group, a company run by a sanctioned Russian executive.
easyjson is widely used in the US across various critical sectors including defense, finance, and healthcare.
Concerns are heightened due to the potential for data theft and cyberattacks stemming from this software.
*Recent findings from cybersecurity researchers at Hunted Labs indicate that easyjson, a code serialization tool for the Go programming language, is at the center of a national security alert. This tool, which has been integrated into multiple sectors such as the US Department of Defense, is maintained by a group of Russian developers linked to VK Group, led by Vladimir Kiriyenko. While the complete codebase appears secure, the geopolitical context surrounding its management raises substantial concerns about the potential risks involved.
The significance of easyjson cannot be overstated, as it serves as a foundational element within the cloud-native ecosystem, critical for operations across various platforms. With connections to a sanctioned CEO and the broader backdrop of Russian state-backed cyberattacks, the fear is that easyjson could be manipulated to conduct espionage or potentially compromise critical infrastructures. Such capabilities underscore the pressing need for independent evaluations and potential reevaluations of software supply chains, particularly when foreign entities are involved.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation
CVE-2025-3248 Langflow Missing Authentication Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
DragonForce ransomware group is targeting major UK retailers. Learn about this evolving threat and what steps can be taken to mitigate risk.
In recent weeks, the DragonForce ransomware group has been targeting UK retailers in a series of coordinated attacks causing major service disruptions. Prominent retailers such as Harrods, Marks and Spencer, and the Co-Op have all reported ongoing incidents affecting payment systems, inventory, payroll and other critical business functions.
DragonForce has previously been attributed for a number of notable cyber incidents including attacks on Honolulu OTS (Oahu Transit Services), the Government of Palau, Coca-Cola (Singapore), the Ohio State Lottery, and Yakult Australia.
In this post, we offer a high-level overview of the DragonForce group, discuss its targeting, initial access methods, and payloads. We further provide a comprehensive list of indicators and defensive recommendations to help security teams and threat hunters better protect their organizations.
Background
DragonForce ransomware operations emerged in August 2023, primarily out of Malaysia (DragonForce Malaysia). The group originally positioned itself as a Pro-Palestine hacktivist-style operation; however, over time their goals have shifted and expanded.
The modern-day operation is focused on financial gain and extortion although the operation still targets government entities, making it something of a hybrid actor, both politically aligned and profit-motivated. The group operates a multi-extortion model, with victims threatened with data leakage via the group’s data leak sites, alongside reputational damage.
Recent DragonForce victims have included government institutions, commercial enterprises, and organizations aligned with specific political causes. The group is also known to heavily target law firms and medical practices. Notably, the group has targeted numerous entities in Israel, India, Saudi Arabia, and more recently several retail outlets in the United Kingdom.
Some components of the UK retail attacks have been attributed to an individual affiliated with the loose threat actor collective ‘The Com’, with claims that members are leveraging DragonForce ransomware. Our assessment indicates that the affiliate in question exhibits behavioral and operational characteristics consistent with those previously associated with The Com. However, due to the lack of strong technical evidence and shifting boundaries of The Com, that attribution remains inconclusive and subject to further analysis.
Multiple vendors were hacked in a coordinated supply chain attack, Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago, but came to life this week as attackers took full control of ecommerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software.
Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022.
Vendor Package
Tigren Ajaxsuite
Tigren Ajaxcart
Tigren Ajaxlogin
Tigren Ajaxcompare
Tigren Ajaxwishlist
Tigren MultiCOD
Meetanshi ImageClean
Meetanshi CookieNotice
Meetanshi Flatshipping
Meetanshi FacebookChat
Meetanshi CurrencySwitcher
Meetanshi DeferJS
MGS Lookbook
MGS StoreLocator
MGS Brand
MGS GDPR
MGS Portfolio
MGS Popup
MGS DeliveryTime
MGS ProductTabs
MGS Blog
We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers.
This hack is called a Supply Chain Attack, which is one of the worst types. By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores.
We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.
Research into a global phishing-as-a-service operation will take you through:
Hundreds of thousands of victims spanning the globe
A glimpse into the lifestyle of the operators
Technical insight into the phishing toolkit
The backend of a phishing threat actor operating at scale
The scam industry has seen explosive growth over the past several years. The types of scams and methods used are constantly evolving as scammers adapt their techniques to continue their activities. They often capitalise on new technologies and target areas where our societies have yet to build mechanisms to protect themselves.
This story begins in December 2023 when people all over the world – including a large portion of the Norwegian population - started to receive text messages about packages waiting for them at the post office. The messages would come in the form of an SMS, iMessage or RCS message. What we were witnessing was the rise of a scam technique known as smishing or SMS phishing.
Such messages have one thing in common: they impersonate a brand that we trust to create a credible context for soliciting some kind of personal information, thus tricking us into willfully giving away our information.
Some scams are easier to spot than others. Spelling errors, poor translations, strange numbers or links to sketchy domains often give them away. But even tell-tale signs can be easy to miss on a busy day. When a large number of people are targeted, some will be expecting a package. And the tactic is obviously working. If it wasn’t worth their while, the scammers wouldn’t have invested so much time, money and effort.
StealC V2 enhances information stealing, introduces RC4 encryption, and provides a new control panel for more targeted payloads.
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts. A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials.
This blog post focuses on the recent changes in StealC V2, describing the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.
Key Takeaways
Kandji researchers uncovered and disclosed key macOS vulnerabilities over the past year. Learn how we protect customers through detection and patching.
When we discover weaknesses before attackers do, everyone wins. History has shown that vulnerabilities like Gatekeeper bypass and TCC bypass zero-days don't remain theoretical for long—both of these recent vulnerabilities were exploited in the wild by macOS malware. By investing heavily in new security research, we're helping strengthen macOS for everyone.
Once reported to Apple, the fix for these vulnerabilities is not always obvious. Depending on the complexity, it can take a few months to over a year, especially if it requires major architectural changes to the operating system. Apple’s vulnerability disclosure program has been responsive and effective.
Of course, we don't just report issues and walk away. We ensure our products can detect these vulnerabilities and protect our customers from potential exploitation while waiting for official patches.
TeleMessage, a company that makes a modified version of Signal that archives messages for government agencies, was hacked.
A hacker has breached and stolen customer data from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the U.S. government to archive messages, 404 Media has learned. The data stolen by the hacker contains the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat. TeleMessage was recently the center of a wave of media coverage after Mike Waltz accidentally revealed he used the tool in a cabinet meeting with President Trump.
The hack shows that an app gathering messages of the highest ranking officials in the government—Waltz’s chats on the app include recipients that appear to be Marco Rubio, Tulsi Gabbard, and JD Vance—contained serious vulnerabilities that allowed a hacker to trivially access the archived chats of some people who used the same tool. The hacker has not obtained the messages of cabinet members, Waltz, and people he spoke to, but the hack shows that the archived chat logs are not end-to-end encrypted between the modified version of the messaging app and the ultimate archive destination controlled by the TeleMessage customer.
MCP tools are implicated in several new attack techniques. Here's a look at how they can be manipulated for good, such as logging tool usage and filtering unauthorized commands.
Over the last few months, there has been a lot of activity in the Model Context Protocol (MCP) space, both in terms of adoption as well as security. Developed by Anthropic, MCP has been rapidly gaining traction across the AI ecosystem. MCP allows Large Language Models (LLMs) to interface with tools and for those interfaces to be rapidly created. MCP tools allow for the rapid development of “agentic” systems, or AI systems that autonomously perform tasks.
Beyond adoption, new attack techniques have been shown to allow prompt injection via MCP tool descriptions and responses, MCP tool poisoning, rug pulls and more.
Prompt Injection is a weakness in LLMs that can be used to elicit unintended behavior, circumvent safeguards and produce potentially malicious responses. Prompt injection occurs when an attacker instructs the LLM to disregard other rules and do the attacker’s bidding. In this blog, I show how to use techniques similar to prompt injection to change the LLM’s interaction with MCP tools. Anyone conducting MCP research may find these techniques useful.
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.
Europol has launched a new Operational Taskforce (OTF) to tackle the rising trend of violence-as-a-service and the recruitment of young perpetrators into serious and organised crime. Known as OTF GRIMM, the Taskforce, led by Sweden, brings together law enforcement authorities from Belgium, Denmark, Finland, France, Germany, the Netherlands, and Norway, with Europol providing operational support, threat analysis and coordination.
The exploitation of young perpetrators to carry out criminal acts has emerged as a fast-evolving tactic used by organised crime. This trend was underlined in the European Union Serious and Organised Crime Threat Assessment 2025 (EU-SOCTA), which identified the deliberate use of youngsters as a way to avoid detection and prosecution.
Violence-as-a-service refers to the outsourcing of violent acts to criminal service providers — often involving the use of young perpetrators to carry out threats, assaults, or killings for a fee.
Investigations show that these acts are often orchestrated remotely, with young people recruited and instructed online. There is a clear demand from the criminal underworld for youngsters willing to carry out violent tasks — and a supply of vulnerable young people being groomed or coerced into doing so.
Verisource Services, an employee benefits administration service provider, has determined that a previously announced data breach was far worse than initially thought and has affected up to 4 million individuals. The Houston, Texas-based company detected a hacking incident on February 28, 2024, that disrupted access to some of its systems. Third-party cybersecurity and incident response experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity.
The forensic investigation confirmed hackers had access to its network and exfiltrated files on February 27, 2024. At the time of the initial announcement, Verisource Services said names, dates of birth, genders, and Social Security numbers had been stolen. The affected individuals included employees and dependents of clients who used its services, which include HR outsourcing, benefits enrollment, billing, and administrative services.
The data breach was initially reported as affecting 1,382 individuals, but as the investigation progressed, it became clear that the breach was worse than initially thought. In August 2024, the data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 112,726 individuals. The most recent notification to the Maine Attorney General indicates up to 4 million individuals have been affected, a sizeable increase from previous estimates. The OCR breach portal still lists the incident as affecting 112,726 patients and plan members of its HIPAA-regulated entity clients, although that total may well be updated in the coming days.
Verisource Services explained in the breach notice that the data review was not completed until April 17, 2025, almost 14 months after the security incident was detected. Verisource Services reported the security incident to the Federal Bureau of Investigation, and several additional security measures have been implemented to improve its security posture. Notification letters had previously been sent to some affected individuals; however, the bulk of the notification letters have only recently been mailed. Verisource Services said complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, who will also be protected with a $1,000,000 identity theft insurance policy.
Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack.
The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom.
In a statement shared with BleepingComputer, Hitachi Vantara confirmed the ransomware attack, saying it hired external cybersecurity experts to investigate the incident's impact and is now working on getting all affected systems online.
"On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.
"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.
"We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."
Following news of cyber incidents impacting UK retailers, the NCSC can confirm it is working with organisations affected.
NCSC CEO Dr Richard Horne said:
“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public.
“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.
“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”
April 28, 2025
HALIFAX, Nova Scotia--(BUSINESS WIRE)-- Emera Inc. and Nova Scotia Power today announced, on April 25, 2025 they discovered and are actively responding to a cybersecurity incident involving unauthorized access into certain parts of its Canadian network and servers supporting portions of its business applications.
Immediately following detection of the external threat, the companies activated their incident response and business continuity protocols, engaged leading third-party cybersecurity experts, and took actions to contain and isolate the affected servers and prevent further intrusion. Law enforcement officials have been notified.
There remains no disruption to any of our Canadian physical operations including at Nova Scotia Power’s generation, transmission and distribution facilities, the Maritime Link or the Brunswick Pipeline, and the incident has not impacted the utility’s ability to safely and reliably serve customers in Nova Scotia. There has been no impact to Emera’s U.S. or Caribbean utilities.
Emera will release its Q1 Financial Statements and Management Disclosure and Analysis on May 8, 2025, as planned. At this time, the incident is not expected to have a material impact on the financial performance of the business.
Our IT team is working diligently with cyber security experts to bring the affected portions of our IT system back online.
The individuals operating under the DragonForce banner and attacking UK high street retailers are using social engineering for entry. I think it’s in the public interest to break down what is happening.
The attacks on Marks and Spencer, Co-op and Harrods are linked. DragonForce’s lovely PR team claim more are to come.
Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$ as it’s a repeat of the 2022–2023 activity which saw breaches at Nvidia, Samsung, Rockstar and Microsoft amongst many others. More info below.
I am not saying it is Scatter Spider; Scattered Spider has become a dumping ground for e-crime groups anyway. The point is they — the threat actor — are entering using the front door, via the helpdesk to get MFA access — those are very good guides from defenders about what to do, links below.
Source: Cybersecurity and Infrastructure Security Agency
DragonForce is a white label cartel operation housing anybody who wants to do e-crime. Some of them are pretty good at e-crime.
While organisations are away at RSA thinking about quantum AI cyber mega threats — the harsh reality is most organisations do not have the foundations in place to do be worrying about those kind of things. Generative AI is porn for execs and growth investment — threat actors are very aware that now is the time to launch attacks, not with GenAI, but foundational issues. Because nobody is paying attention.
Once they get access, they are living off the land — using Teams, Office search to find documentation, the works. Forget APTs, now you have the real threat: Advanced Persistent Teenagers, who have realised the way to evade most large cyber programmes is to cosplay as employees. Last time this happened, the MET Police ended up arresting a few under-18 UK nationals causing incidents to largely drop off.
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service.
Jonathan Braley, director of cyber information sharing organization Food and Ag-ISAC, spoke at the RSA Conference on Thursday and warned of not only the increase in ransomware incidents but the continued lack of visibility into the full scope of the problem.
“A lot of it never gets reported, so a ransomware attack happens and we never get the full details,” he told Recorded Future News on the sidelines of the conference. “I wish companies would be more open in talking about it and sharing ‘Here's what they use, here's how we fixed it,’ so the rest of us can prevent that.”
The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service. But Braley noted that even when they took out the attacks attributed to Clop, groups like RansomHub and Akira were still continuing to attack the food industry relentlessly.
The Food and Ag-ISAC obtained its numbers through a combination of open-source sites, dark web monitoring, member input and information sharing between National Council of ISAC members.
The industry saw 31 attacks in January and 35 in February before a dip to 18 attacks in March.
The 84 attacks seen from January to March were more than double the number seen in Q1 2024.
