Travel on the Cyber Express

The Cyber Express is a handbook for all stakeholders of the internet that provides information security professionals with the latest news, updates and knowledge they need to combat cyber threats.

The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • Ransomware Response Improves Even as Preparation Lags
    by Paul Shread on 27 June 2025 at 9:57 PM

    One bright spot in Sophos’ annual State of Ransomware report released this week is that organizations have gotten better at stopping ransomware attacks before attackers are able to encrypt data. But otherwise the report shows that defensive and preventive preparation continues to lag, if not backslide in some cases.

    Ransomware Response Improves as Backup Lags

    The report, based on a survey of 3,400 IT and cybersecurity leaders in 17 countries whose organizations were hit by ransomware attacks in the last year, found that 44% of organizations were able to stop the attack before data was encrypted. That’s the highest rate in the survey’s six-year history (image below).

    [Image: Ransomware encryption rates decline (Sophos)]

    Data was encrypted in half the cases, the lowest rate in the survey’s history, while in 6% of cases organizations faced extortion demands even when data wasn’t encrypted. The report also noted that:

      • 28% of organizations that had data encrypted also experienced data exfiltration.
      • 97% that had data encrypted were able to recover it.
      • The use of backups to restore encrypted data is at the lowest rate in six years, used in just 54% of incidents.
      • 49% of victims paid the ransom to get their data back, the second highest ransom payment rate in six years.

    Looking at recovery from backups vs. the percentage of ransom payments, the trend begins to appear worrisome, as successful backup recovery has declined significantly, from 73% in 2022 to 54% this year, while the percentage of ransom payments has generally been trending higher throughout the report’s history (chart below).

    [Chart: Recovery from backups is declining as ransom payment frequency is increasing (Sophos)]

    The average ransom payment fell from $2 million in 2024 to $1 million in 2025, largely because of a sizeable drop in ransom payments of $5 million or more. On average, ransom payments were 85% of the amount demanded; 29% said their payment matched the demand, 53% paid less and 18% paid more.

    Excluding ransoms, the average cost to recover from a ransomware attack dropped from $2.73 million in 2024 to $1.53 million. More than half of organizations – 53% – fully recovered in a week, up from 35% in 2024.

    Also read: SafePay, DevMan Emerge as Major Ransomware Threats

    The Root Causes of Ransomware Attacks

    For the third straight year, ransomware victims said vulnerabilities were the most common technical root cause of an attack, exploited by attackers in 32% of incidents. Compromised credentials were the second most common attack vector even as those attacks fell from 29% in 2024 to 23% in 2025. 19% of victims reported malicious email as the root cause and 18% cited phishing. A lack of expertise was a factor in 40.2% of attacks, followed by unknown security gaps at 40.1%. Lack of people and capacity was cited in 39.4% of attacks.

    Overall, the report suggests that organizations still have much progress to make on essential ransomware protections such as vulnerability management, segmentation and zero trust, ransomware-resistant backups, and infrastructure and endpoint hardening and monitoring.

  • British National Alleged to be ‘IntelBroker’ in U.S. Court Filings
    by Paul Shread on 26 June 2025 at 4:32 PM

    The U.S. is alleging that 25-year-old British national Kai West is the prolific hacker “IntelBroker.” IntelBroker was arrested in February, the Paris Public Prosecutor’s Office announced yesterday, while also revealing that four members of the “ShinyHunters” collective that operated the BreachForums cybercrime forum were arrested this week.

    French officials didn’t name IntelBroker or the other hackers, but the U.S. named West in a four-count indictment and complaint unsealed yesterday. How FBI investigators made the connection between West and IntelBroker was detailed in the 15-page complaint filed in the U.S. District Court for the Southern District of New York.

    IntelBroker Mingled Personal, Online Accounts, U.S. Alleges

    The U.S. alleges that IntelBroker and the “CyberNiggers” group conspired “to steal data from a telecommunications company, municipal health care provider, an Internet service provider, and more than 40 other victims,” according to a Justice Department press release announcing the unsealing of the court documents. West and his co-conspirators “took that stolen data, and offered it for sale online for more than $2 million,” the press release claims, adding that the alleged hackers “caused in excess of $25 million in damages to victims.” West was arrested in France in February 2025, and the U.S. is seeking his extradition.

    An undercover purchase by law enforcement in January 2023 helped investigators begin to piece together IntelBroker’s identity, according to the complaint signed by an FBI Special Agent. IntelBroker offered for sale an API key for a particular victim for $250 in Monero cryptocurrency, the complaint said. An undercover agent sent a private message to IntelBroker asking if the threat actor would sell the data for $250 in Bitcoin, a cryptocurrency that isn’t as private as Monero. IntelBroker gave the agent a particular Bitcoin wallet address referred to as “BTC Wallet-1” in the complaint. After the agent sent the payment, IntelBroker provided the API key “as well as three purported administrator logins with a password for those logins.”

    FBI personnel analyzed BTC Wallet-1’s transactions on the Bitcoin blockchain and connected four transactions and two other accounts, dubbed “West Wallet-1” and “Ramp Account-1,” that seeded BTC Wallet-1. The FBI concluded that BTC Wallet-1 was created as a pass-through wallet to obscure funds from Ramp Account-1. Ramp Account-1 “is associated with a particular United Kingdom Provisional Driving License with the name ‘Kai Logan West,’” who also goes by the alias “Kyle Northern,” the U.S. complaint claims. That license is also associated with a particular Coinbase account that investigators said they connected to West via “Know-Your-Customer” (KYC) data. The court filing included an image of that license with some information redacted.

    Both Ramp Account-1 and the Coinbase account were registered to a personal email account used by West, the U.S. claims. Investigators also tied a data storage invoice and university correspondence to the email account, which they say also confirms West’s identity. Accounts registered to West’s email account also used the same IP addresses as “IntelBroker,” the complaint alleges, and the email account also had YouTube activity that overlapped with IntelBroker.

    Also read: IntelBroker Interview: The Elusive Hacker in the Shadows Talks to The Cyber Express

    ‘Innocent Unless and Until Proven Guilty’

    Whether the U.S. has enough evidence to convict West – or elicit a plea deal – is a matter for the courts to decide. As the press release noted, “The charges contained in the Indictment and Complaint are merely accusations, and the defendant is presumed innocent unless and until proven guilty.”

    West has been charged with conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; accessing a protected computer to obtain information, which carries a maximum sentence of five years in prison; and wire fraud, which carries a maximum sentence of 20 years in prison.

  • BreachForums Operators Arrested by French Police
    by Paul Shread on 25 June 2025 at 7:48 PM

    BreachForums was arguably the biggest cybercrime forum until it went offline in April amid rumors of the arrest of one of its most prominent members. The forum’s primary domain has remained offline since then even as sites have popped up claiming to be BreachForums’ replacement. In the latest twist to the on-again, off-again saga of BreachForums, the French newspaper Le Parisien reported today that five French hackers have been arrested as the alleged operators of the forum.

    IntelBroker, ShinyHunters Allegedly Arrested

    The Parisien report didn’t name the suspects but referred to them by their BreachForums user names. “IntelBroker” – a notorious trafficker of stolen data who once did an exclusive interview with the editors of The Cyber Express – was apparently the first arrested; the Parisien report said the threat actor was arrested in February. The site’s other administrators feared exposure and suspended the site in April, according to the French paper. That report differs significantly from the site’s own claim that it had been compromised via a MyBB zero-day vulnerability and would return and that no arrests had occurred (screenshot below; the site is now down entirely).

    [Image: BreachForums site message from April 2025]

    The site’s other operators – described as four French hackers in their twenties – were arrested on Monday in France by specialist police officers from the Cybercrime Brigade (BL2C) of the Paris police headquarters. Those arrested include “ShinyHunters,” “Hollow,” “Noct,” and “Depressed,” the paper said, noting that the four “are accused of harming numerous victims of high-profile data leaks, including Boulanger, SFR, France Travail, and the French Football Federation” (translated).

    A press release (French) issued today by the Paris Public Prosecutor’s Office referred to ShinyHunters as a collective of four people arrested this week, and said IntelBroker was a British national arrested in France in February and held under pre-trial detention. “Computer elements” seized in the case will likely advance numerous ongoing investigations, the press release said, and it thanked the U.S. FBI and Department of Justice for assistance. It was signed by public prosecutor Laure Beccuau. While early in the legal process, the arrests could potentially mark a dramatic end for the once-feared site.

    BreachForums’ History of Seizures, Shutdowns and Leadership Changes

    The first major legal action against the three-year-old BreachForums occurred in 2023 with the FBI’s arrest of alleged forum administrator Conor Brian Fitzpatrick, aka “Pompompurin.” The U.S. would ultimately appeal Fitzpatrick’s sentence, claiming it was too lenient. The site was hacked in 2023 and again in 2024, at which point ShinyHunters took over the forum from Baphomet, who had succeeded Fitzpatrick. After ShinyHunters retired not long after, control of the forum eventually turned over to IntelBroker.

    It’s not clear what the next step will be in the legal process, but the identities behind some of the dark web’s most notorious pseudonyms may soon be known.

  • U.S. Lawmakers Target ‘Adversarial AI’ in Bipartisan Push to Fortify Federal Systems
    by Mihir Bagwe on 25 June 2025 at 5:41 PM

    In a significant bipartisan effort, key U.S. lawmakers today introduced the “No Adversarial AI Act,” legislation designed to erect a critical firewall between U.S. federal agencies and artificial intelligence technologies developed by foreign adversaries. The bill, spearheaded by Raja Krishnamoorthi (D-IL), ranking member of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party, and committee Chairman John Moolenaar (R-MI), aims to mitigate national security risks posed by AI systems potentially controlled by hostile foreign powers, notably the People’s Republic of China (PRC). The legislation has garnered bicameral support, with Representatives Ritchie Torres (D-NY) and Darin LaHood (R-IL) cosponsoring the House bill, and Senators Rick Scott (R-FL) and Gary Peters (D-MI) introducing the companion measure in the Senate.

    AI as a National Security Vulnerability

    At the heart of the “No Adversarial AI Act” is the recognition that AI, while transformative, can also be a potent tool for espionage and subversion when controlled by malicious actors. Lawmakers specifically cited concerns about companies like DeepSeek, which has alleged ties to the Chinese Communist Party and its intelligence apparatus, and whose privacy policy explicitly states that U.S. user data is stored in China. A prior investigation by Ranking Member Krishnamoorthi and Chairman Moolenaar into DeepSeek’s operations recommended a federal procurement prohibition on PRC-origin AI models, particularly for use on government devices. The “No Adversarial AI Act” directly addresses this recommendation.

    Also read: Taiwan’s DeepSeek Ban Reflects Global Concerns Over AI Security

    Key Provisions of the Bill to Build the Digital Wall

    The “No Adversarial AI Act” outlines a multi-pronged approach to safeguarding federal systems that includes:

      • Establishing a Federal List of Adversarial AI: The bill mandates that the Federal Acquisition Security Council (FASC) develop a list of AI produced or developed by a foreign adversary within 60 days of the Act’s enactment. This list will then be published publicly by the Director of the Office of Management and Budget (OMB) within 180 days, and updated at least every 180 days thereafter.
      • Prohibiting Federal Use of Listed AI: Once an AI is on this list, U.S. government agencies will be barred from acquiring or using it. This prohibition extends to entities with documented ties to the Chinese Communist Party like DeepSeek.
      • Limited Exceptions with Strict Oversight: While the general rule is prohibition, the bill allows for narrow exceptions. An executive agency head may approve an exception if the AI is deemed necessary for scientifically valid research, evaluation, training, testing, analysis, counterterrorism or counterintelligence activities, or to avoid jeopardizing mission-critical functions. However, any such exception requires written notice to the Director of OMB and appropriate Congressional committees.
      • Regular Updates and Removal Process: The FASC is required to update the adversarial AI list at least every 180 days. A process is also outlined for removing AI from the list if the owner certifies it’s not produced or developed by a foreign adversary, and the FASC reviews and certifies this claim.
      • Empowering Agency Enforcement: The legislation directs executive agencies to leverage existing authorities to consider for exclusion and removal artificial intelligence provided by a covered foreign adversary entity on the list.

    What Constitutes ‘Foreign Adversary AI’?

    The bill defines “artificial intelligence” broadly, consistent with existing U.S. law. Crucially, it also provides a clear definition of “foreign adversary” and “foreign adversary entity”. A “foreign adversary entity” includes:

      • A foreign adversary.
      • A foreign person domiciled in, headquartered in, having its principal place of business in, or organized under the laws of a foreign adversary country.
      • An entity where a foreign person or combination of foreign persons described above directly or indirectly owns at least a 20 percent stake.
      • A person subject to the direction or control of any of the aforementioned.

    “Foreign adversary” is defined by reference to existing U.S. code, typically including countries like China, Russia, Iran, and North Korea.

    A New Cold War in the Digital Sphere

    Lawmakers urged approval of the measure. Ranking Member Krishnamoorthi stated, “Artificial intelligence controlled by foreign adversaries poses a direct threat to our national security, our data, and our government operations.” He stressed the necessity of a “clear firewall” to protect U.S. institutions and citizens from hostile regimes embedding their code in sensitive systems.

    Chairman Moolenaar echoed those sentiments, declaring, “We are in a new Cold War—and AI is the strategic technology at the center.” He criticized the Chinese Communist Party’s approach to AI, alleging that it “steals, scales, and subverts,” and emphasized the need to prevent U.S. government systems from being powered by tools designed to serve authoritarian interests.

    Senators Scott and Peters also highlighted the risks to national security and American data. Senator Scott warned against federal agencies using “dangerous platforms” that could subject the government to Beijing’s control, citing clear evidence of China’s potential access to U.S. user data on AI systems. Senator Peters pointed to the legislation’s role in safeguarding U.S. government systems from AI that could compromise national security or put personal data at risk, while still allowing for legitimate scientific research and innovation.

    The “No Adversarial AI Act” represents a significant step in the U.S. effort to secure its digital infrastructure from emerging geopolitical threats, recognizing AI as a critical frontier in national security.

  • New TeamViewer Vulnerability Puts Windows Systems at Risk of Privilege Escalation
    by Ashish Khaitan on 25 June 2025 at 10:52 AM

    TeamViewer has shared a new security update for a flaw in TeamViewer Remote Management for Windows. The vulnerability, officially cataloged as CVE-2025-36537, allows a local, unprivileged user to escalate their privileges and delete files with SYSTEM-level access.

    According to a TeamViewer security bulletin (ID: TV-2025-1002) published on Tuesday, the flaw stems from incorrect permission assignment for critical resources. This specific weakness, classified under CWE-732, enables attackers to exploit the MSI rollback mechanism within the TeamViewer Remote and Tensor clients (both Full and Host versions) for Windows.

    Who Is Affected and How the Exploit Works

    The TeamViewer vulnerability specifically impacts the Remote Management features, including Backup, Monitoring, and Patch Management. Notably, users running TeamViewer without these features are not affected.

    The exploit requires local access, meaning an attacker must already have some form of presence on the target system. By taking advantage of flawed permissions during the uninstallation process (via MSI rollback), an unprivileged user can delete arbitrary files with SYSTEM-level privileges, potentially compromising the integrity of the entire system.

    The vulnerability has been rated 7.0 (High) on the CVSS scale, with the following vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. Although the attack complexity is considered high due to the need for local access, the potential damage makes it a serious concern for enterprise environments.

    Affected Versions and Urgent Mitigation Steps

    The security flaw affects multiple versions of TeamViewer Remote Full Client and Host Client for Windows, including legacy builds. Specifically:

    Product                                      Versions
    TeamViewer Remote Full Client (Windows)      < 15.67
    TeamViewer Remote Full Client (Windows 7/8)  < 15.64.5
    TeamViewer Remote Full Client (Windows)      < 14.7.48809
    TeamViewer Remote Full Client (Windows)      < 13.2.36227
    TeamViewer Remote Full Client (Windows)      < 12.0.259325
    TeamViewer Remote Full Client (Windows)      < 11.0.259324
    TeamViewer Remote Host (Windows)             < 15.67
    TeamViewer Remote Host (Windows 7/8)         < 15.64.5
    TeamViewer Remote Host (Windows)             < 14.7.48809
    TeamViewer Remote Host (Windows)             < 13.2.36227
    TeamViewer Remote Host (Windows)             < 12.0.259325
    TeamViewer Remote Host (Windows)             < 11.0.259324

    TeamViewer has already released a fix in version 15.67, and users are strongly advised to upgrade immediately. Devices not running the Remote Management features do not require urgent updates, though regular patching is always recommended.

    Discovery and Disclosure of CVE-2025-36537

    The vulnerability was disclosed by Giuliano Sanfins (alias 0x_alibabas) from SiDi, working with the Trend Micro Zero Day Initiative. As of the latest update, there is no indication that CVE-2025-36537 has been exploited in the wild.

    System administrators should evaluate their deployment of TeamViewer Remote Management, especially where Backup, Monitoring, or Patch Management modules are enabled. Applying the latest updates will eliminate exposure to this TeamViewer vulnerability and help maintain compliance with organizational security standards.

  • Hackers Are Poisoning Google Search Results for AI Tools to Deliver Infostealer Malware
    by Mihir Bagwe on 24 June 2025 at 6:37 PM

    Threat actors are hijacking Google search results for popular AI platforms like ChatGPT and Luma AI to deliver malware, in a sprawling black hat SEO campaign uncovered by Zscaler’s ThreatLabz. The attack campaign is equal parts clever and insidious: attackers spin up AI-themed websites optimized for search engine ranking, then redirect unsuspecting visitors into a web of fingerprinting scripts, cloaked download pages, and payloads containing some of today’s most active infostealers—Vidar, Lumma, and Legion Loader. The strategy? Ride the hype wave of AI search traffic to quietly drop malware onto the systems of curious users.

    From Google Search to Malware in Three Clicks

    The campaign kicks in when a user searches for terms like “Luma AI blog” or “Download ChatGPT 5” and lands on a well-ranked but fake AI website. These malicious sites are built using WordPress and are SEO-optimized to game search algorithms—classic black hat SEO in action.

    [Image: Example Google search result for AI-based topics leading to malware (Source: Zscaler ThreatLabz)]

    Once loaded, the page deploys JavaScript that fingerprints the browser, collects details like user agent, resolution, cookies, and click behavior, and then sends this data (encrypted via XOR) to a remote server at gettrunkhomuto[.]info. From there, the server analyzes the visitor’s data and determines which final destination they should be sent to. It might be a ZIP archive packed with malware or a less-threatening PUA or adware site for fallback monetization. According to Zscaler, this redirection hub—gettrunkhomuto[.]info—has already handled over 4.4 million hits since January 2025.

    Weaponized SEO + AWS + Signal = Obscurity

    What makes this campaign particularly evasive is its use of legitimate infrastructure. The redirect logic is hosted on AWS CloudFront, lending credibility to what otherwise might raise red flags in security scanners. Add in advanced techniques like browser fingerprinting, anti-adblocker scripts, and conditional redirect logic based on IP geolocation, and you’ve got a sophisticated traffic laundering operation. These deceptive scripts will even back off if ad blockers like uBlock or DNS filtering tools are detected. If not? Users get redirected to password-protected malware loaders disguised as software installers.

    The Payloads: Vidar, Lumma, and Legion Loader

    Once the user is redirected and interacts with the final download page, they’re handed malware tucked inside oversized (800MB+) installer packages. The bloated size is intentional—it helps evade sandbox environments and AV engines that skip file analysis past certain size thresholds.

    Vidar and Lumma Stealer, both well-known infostealers, arrive in NSIS installers containing a mix of fake .docm files, AutoIT scripts, and obfuscated loaders. Once executed, these loaders scan for antivirus processes like Avast, ESET, Sophos, or Webroot—and kill them using simple Windows tools (tasklist and findstr) before installing the final payload. The attack chain ends with browser credential theft, clipboard hijacking, and cryptocurrency wallet scraping—standard fare for Lumma and Vidar, but now with a far more sophisticated delivery mechanism.

    Also read: Threat to Security: Lumma Infostealer Unlocks Unstoppable Access to Google Cookies

    Then there’s Legion Loader, which arrives in a multi-ZIP format (yes, really). The final MSI installer masquerades as a utility suite with names like “Frankwo Utilities” or “Kraew Loop Sols.” In the background, the malware executes DLLs via sideloading, hollowing out legitimate processes like explorer.exe, and dropping malicious browser extensions capable of siphoning off crypto. It even includes a component named DataUploader.dll that phones home to the C2 server with system info and requests passwords for encrypted RAR payloads—again, designed to evade detection by avoiding hardcoded indicators.

    SEO, AI, and the Future of Malware Distribution

    This campaign’s novelty isn’t the malware—Vidar, Lumma, and Legion Loader have been around for years. What’s new is the delivery: threat actors are leaning hard into AI’s meteoric rise in popularity, weaponizing curiosity about generative models into a malware vector. AI-related keywords now drive search traffic at a scale attackers can’t ignore, according to Deepen Desai, CISO at Zscaler. If they can get fake sites ranked for popular queries, that’s a guaranteed funnel to distribute malware at scale. And they’re right. This is black hat SEO at its most strategic, using legitimate infrastructure like CloudFront and obfuscated payloads wrapped in trusted formats. With the rapid adoption of AI tools—and the general lack of scrutiny around unofficial downloads—this vector is likely to explode in the coming months.

    So What Can You Do?

    If you’re casually Googling “download ChatGPT desktop” or “Luma AI tools,” be wary of where those links lead. As always, avoid downloading tools from third-party sites, check URLs carefully, and watch for shady ZIP archives with passwords. And for defenders: start flagging unusual traffic to gettrunkhomuto[.]info, monitor DNS queries related to AI-themed domain clusters, and consider integrating browser fingerprinting heuristics into sandbox evaluation. In the age of AI, malware doesn’t need to be smarter. It just needs to rank higher than you expected.
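    The defender advice above (flag traffic to the redirect hub, watch DNS queries for AI-themed domain clusters) boils down to two checks over resolver logs: an exact/suffix match on the one indicator the research names, and a keyword heuristic for lookalike domains that is suppressed for domains the defender has already verified. The Python below is an added example, not code from The Cyber Express or Zscaler ThreatLabz: the log format, the sample lines, the AI keyword list and the allowlist are all constructed for illustration, and the only indicator taken from the article is gettrunkhomuto[.]info, which the code refangs before matching.

```python
import re
from collections import Counter

# Redirect hub named in the ThreatLabz research, as reported in the article
# (defanged on the page; refanged at match time).
IOC_DOMAINS = {"gettrunkhomuto[.]info"}

# Heuristic tokens for "AI-themed" lookalike domains. Constructed for this example;
# they raise a lower-confidence alert, not an indicator match.
AI_KEYWORDS = ("chatgpt", "openai", "lumaai", "luma-ai", "gpt5", "ai-download")

# Placeholder allowlist of vendor domains the defender has verified (assumed here).
ALLOWLIST = {"openai.com", "chatgpt.com", "lumalabs.ai"}

# Assumed resolver log layout: "<timestamp> <client-ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def refang(domain: str) -> str:
    """'gettrunkhomuto[.]info' -> 'gettrunkhomuto.info', lower-cased, no trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def registered_domain(fqdn: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the allowlist check here."""
    labels = fqdn.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def parse_line(line: str):
    """Return a dict for a well-formed log line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = refang(rec["qname"])
    return rec


def classify(qname: str):
    """'ioc-match' for the named hub or any subdomain of it, 'ai-themed-lookalike'
    for keyword hits outside the allowlist, None for everything else."""
    iocs = {refang(d) for d in IOC_DOMAINS}
    if qname in iocs or any(qname.endswith("." + d) for d in iocs):
        return "ioc-match"
    if registered_domain(qname) in ALLOWLIST:
        return None
    if any(k in qname for k in AI_KEYWORDS):
        return "ai-themed-lookalike"
    return None


def scan(lines):
    """Yield (client, qname, reason) for every flagged query, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["qname"])
        if reason:
            alerts.append((rec["client"], rec["qname"], reason))
    return alerts


def summarize(alerts):
    """Count alerts per reason, the figure a triage dashboard would show first."""
    return dict(Counter(reason for _, _, reason in alerts))


# Constructed sample log: .example/.test names are reserved and never resolve.
SAMPLE_LOG = [
    "2025-06-24T10:15:02Z 10.0.0.12 A www.google.com",
    "2025-06-24T10:15:09Z 10.0.0.12 A chatgpt-5-download.example",
    "2025-06-24T10:15:10Z 10.0.0.12 A gettrunkhomuto.info",
    "2025-06-24T10:15:11Z 10.0.0.12 A cdn.gettrunkhomuto.info",
    "2025-06-24T10:16:40Z 10.0.0.33 A chat.openai.com",
    "2025-06-24T10:17:02Z 10.0.0.33 A luma-ai-blog.test",
    "not a log line",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print(summarize(scan(SAMPLE_LOG)))
```

    The suffix match is what catches a subdomain of the hub (the article says the redirect logic sits behind CloudFront, so the hostname seen in DNS may not be the bare domain). The keyword heuristic is deliberately separated from the indicator match so the two can be routed to different alert severities; the allowlist keeps legitimate vendor lookups from paging anyone.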

  • U.S. Hit by Hacktivist DDoS Attacks Following Iran Bombings
    by Paul Shread on 24 June 2025 at 5:35 PM

    Iran-aligned hacktivists launched DDoS attacks against 15 U.S. organizations and 19 websites in the first 24 hours after the U.S. bombed Iranian nuclear targets on June 21, Cyble threat intelligence researchers reported today. The Cyble blog post said the cyberattack targets have included U.S. Air Force websites, Aerospace & Defense companies, financial services organizations, and an unverified claim of an attack on Truth Social, the social media platform of U.S. President Donald Trump.

    The U.S. entry into the Israel-Iran conflict was met with less intensive cyber activity than the hacktivism and cyberwarfare that have engulfed the Middle East since the conflict began on June 13 with Israeli attacks on Iranian nuclear and military targets. The U.S. DDoS attacks coincided with a June 22 Department of Homeland Security warning that “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks.”

    U.S. DDoS Attacks Launched by Iran-linked Hacktivists

    Cyble said four hacktivist groups were predominantly responsible for the initial U.S. DDoS attacks: Mr Hamza, Team 313, Keymous+ and Cyber Jihad. The groups’ claims range from “credible to questionable,” the researchers wrote. Mr Hamza claimed that it targeted several websites belonging to the U.S. Air Force and Aerospace & Defense companies. The group posted its exploits using the hashtag #Op_Usa and included check-host.net reports that indicated downtime of the websites over a 10-hour period on June 22 (screenshot below).

    [Image: Hacktivist group Mr Hamza claims U.S. DDoS attacks (Cyble)]

    Keymous+ claimed to have targeted U.S. financial organizations and included check-host.net links showing website disruptions over a one-hour period on June 22. Team 313 claimed to have targeted Truth Social “but the group did not offer sufficient proof to deem the claim credible,” Cyble said. Cyber Jihad Movement said it was planning to launch cyberattacks against U.S. targets between June 23 and June 27.

    U.S. Hacktivist Activity Small Compared to Middle East

    Cyble said the initial volume of hacktivist attacks on U.S. targets “has been small compared to the large number of attacks and threat groups that have been active in the Middle East,” where the threat intelligence researchers have recorded attacks by 88 groups, 81 of which are aligned with Iran (image below).

    [Image: Hacktivist groups active in Israel-Iran conflict (Cyble)]

    Middle East cyberattacks have included “DDoS attacks, data and credential leaks, website defacements, unauthorized access, and major breaches of Iranian banking and cryptocurrency targets by Israel-linked Predatory Sparrow,” Cyble said. Interference with commercial ship navigation systems in the region has also been reported.

    The Handala hacktivist group “appears to have been one of the more effective attackers,” Cyble said, with 15 claims of mostly well documented ransomware/extortion incidents. The group’s victims have all been based in Israel. In one noteworthy incident, a threat actor on the cybercrime forum Darkforums claimed to be offering unauthorized SSH access and VPN credentials of three user accounts for the VPN portal of the Israel Defense Forces (IDF) for the asking price of 2 BTC.

    Russian groups have been largely absent from the Middle East cyber conflict, Cyble said, with two notable exceptions: Z-Pentest claimed that it compromised an industrial control system (ICS) belonging to an Israeli energy and utilities organization, while NoName057(16) claimed a DDoS attack on an Israeli transportation entity. Attacks have also been aimed at Jordan, Egypt, the UAE and Saudi Arabia, “which appear to have been perceived as too neutral by Iran-aligned groups,” Cyble said.

    Cyble urged organizations that could become a target of hacktivists to protect themselves against DDoS attacks, data breaches, website defacements, “and increasingly, ransomware and critical infrastructure attacks.”

  • Africa Faces a Digital Sextortion Crisis as Numbers Surge Across the Continent
    by Mihir Bagwe on 24 June 2025 at 10:59 AM

    A continent-wide takedown of 63,000 Instagram accounts in Nigeria in mid-2024 has spotlighted one of Africa’s fastest growing cyber threats: digital sextortion. The figure, disclosed in Meta’s internal reporting and highlighted in INTERPOL’s newly released Africa Cyberthreat Assessment Report 2025, signals an alarming evolution in online crime across the region. No longer the domain of isolated predators, sextortion — where explicit images are used to extort victims — has scaled into a transnational operation, often enabled by criminal networks traditionally known for financial fraud.

    INTERPOL now categorizes digital sextortion as a dominant tactic across the continent, second only to phishing scams. And while much of the activity appears to originate in Nigeria and Ghana, countries like Morocco, Egypt, and Mauritania are also experiencing spikes in AI-generated synthetic media used to coerce, blackmail, and financially exploit victims. “Sextortion is being weaponized not just as an isolated offense, but as a recurring Tactic, Technique, and Procedure (TTP) within traditional scam ecosystems. Some reporting also suggests these networks may overlap with long-standing organized crime groups (OCGs) in West Africa,” the report notes.

    Also read: One of the Largest Cybercriminal Operations in West Africa Dismantled

    Sextortion Goes Mainstream

    The 2025 INTERPOL report shows over 60% of African countries reported a rise in online image-based sexual abuse (OIBSA), with most warning that actual numbers are likely underreported due to stigma. Law enforcement agencies across East and North Africa now consider sextortion a high-priority threat, with victims ranging from teenagers to high-profile professionals. Organized cybercriminal rings have begun distributing playbooks, tutorials, and even AI tools to streamline sextortion campaigns. According to INTERPOL’s private sector partners, phishing emails are now the primary delivery vector, often paired with deepfake videos or voice clones to enhance believability.

    Some of these incidents have turned fatal. In South Africa, a suicide linked to sextortion raised national alarm. In Egypt, a digital support platform received over 250,000 victim appeals in a single year — a figure that investigators say likely represents only a fraction of actual cases.

    Phishing, Ransomware, and BEC Still Widespread

    While digital sextortion may be the most disturbing development, it’s not the only threat overwhelming African systems. Phishing — primarily through email and mobile channels — remains the most reported cybercrime across the continent. According to Kaspersky, phishing incidents surged by over 2,930% in Zambia and 826% in Angola in 2024 alone. Social media impersonation and mobile-based smishing are fueling the rise, with AI-generated text and audio now used to exploit linguistic and cultural familiarity.

    Ransomware has also taken a devastating toll. South Africa, Egypt, and Nigeria were among the most heavily targeted nations in 2024, with attacks disrupting everything from military systems to telecom giants. In one high-profile breach, South Africa’s Department of Defence lost 1.6 terabytes of sensitive data, including presidential contacts, to the LockBit ransomware group.

    [Image: Top 20 African countries by number of ransomware threat detections in 2024 (Image source: Interpol)]

    The Nigerian fintech firm Flutterwave reported $7 million in losses in a single incident last year, illustrating how attackers are increasingly targeting the region’s most digitized financial ecosystems.

    Is Business Email Compromise Africa’s Most Profitable Scam?

    Business email compromise (BEC) may not make headlines, but it continues to quietly siphon billions. INTERPOL’s report notes that BEC is one of the most financially damaging threats, particularly in West Africa. Nigeria, Ghana, and Côte d’Ivoire remain major hotspots, with some BEC groups, such as the Black Axe syndicate, evolving into transnational enterprises that deploy everything from phishing kits to social engineering attacks. In 2024, 19 African countries reported a combined 10,490 cybercrime-related arrests, though INTERPOL estimates only 35% of cybercrimes are ever reported. One Nigerian BEC operator was sentenced in the U.S. after defrauding over 400 victims and stealing $19.6 million through fraudulent real estate transfers.

    Infrastructure, Laws, and Coordination Still Catching Up

    Despite the sophistication of cybercriminals, many African countries lack the basic infrastructure to fight back. INTERPOL found that:

      • Only 30% of countries have a cybercrime incident reporting system.
      • Just 19% maintain a threat intelligence database.
      • More than 75% say their legal frameworks are inadequate.
      • 95% cite insufficient training and tools for cybercrime investigations.

    Fragmented legal systems and outdated cybercrime laws are making prosecution difficult, especially in cross-border cases. While some countries — including Tunisia, Nigeria, and Burkina Faso — have updated their laws, only six African nations have ratified the Budapest Convention, and just 15 are parties to the AU’s Malabo Convention.

    AI-Powered Crime, But Not AI-Powered Policing

    Perhaps the most troubling gap in the report is the lack of technological parity between attackers and defenders. While criminals use generative AI to scale attacks and create realistic impersonations, 86% of African law enforcement agencies still do not employ AI in their operations. The rise of Cybercrime-as-a-Service (CaaS) — where everything from phishing kits to bulletproof hosting is sold on illicit platforms — further lowers the barrier for entry, allowing low-skilled threat actors to launch sophisticated campaigns. Deepfakes, spoofed voices, and fake job scams are now standard fare.

    Progress, But the Clock Is Ticking

    It’s not all bad news. INTERPOL’s Africa Joint Operation against Cybercrime (AFJOC) led to major arrests in 2024 and the dismantling of several ransomware groups, including coordinated actions with AFRIPOL and private cybersecurity firms.

    Also read: Major Cybercrime Operation Nets Over 1,000 Arrests Across Africa

    More countries are investing in Computer Emergency Response Teams (CERTs), updating cybercrime laws, and forming public-private partnerships. For instance, Nigeria introduced a national cybersecurity levy in 2024 to fund response initiatives. Still, with estimated financial losses exceeding $3 billion since 2019, the gap between threat actors and national capability remains wide.

    The 2025 INTERPOL report makes one thing painfully clear: Africa is now a proving ground for cybercriminal innovation — from deepfake BEC scams to AI-fueled sextortion. The threats are borderless, rapid, and devastating. And unless enforcement, legislation, and technology rise at the same speed, the continent’s digital transformation risks becoming a high-speed collision with an underprepared defense.

  • Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs
    by Mihir Bagwe on 23 June 2025 at 12:19 PM

    Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook aimed at Ukrainian government systems. Ukraine's national Computer Emergency Response Team, CERT-UA, has attributed a recent campaign against the information and communication system of a government entity to UAC-0001, better known as APT28 or Fancy Bear, the group believed to be operated by Russia's GRU military intelligence service.

    In an investigation conducted between March and May 2024, responders uncovered two previously unseen malware strains, BEARDSHELL and SLIMAGENT, inside government systems. The attackers also deployed a component of the widely known COVENANT command-and-control framework, hidden inside a document titled “Act.doc” and sent via the encrypted messaging app Signal. The initial access vector was not immediately clear; analysts later established that the malware reached its target through a macro-laced Word document that installed multiple payloads, each designed to evade detection, abuse trusted services, and maintain persistence through registry hijacking and scheduled tasks.

    How the Intrusion Worked Against Ukrainian Government Systems

    The attackers disguised their malware inside a seemingly benign Word file delivered over Signal.

    Sample of communication with an attacker in Signal (Source: CERT-UA)

    If a user enabled macros, the document wrote two files to disk and created a COM-hijacking registry entry so that explorer.exe silently loaded a malicious DLL. That DLL decrypted another file (windows.png) containing shellcode, which in turn launched the COVENANT framework, without anything directly visible to the user ever being dropped.
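The COM hijack in that chain is a per-user registry override: a CLSID registered under HKCU\Software\Classes\CLSID takes precedence over the machine-wide entry in HKLM, so any process that instantiates that object, explorer.exe included, loads the attacker's DLL instead of the real one. The script below is an added example, not code from the original article or from CERT-UA's advisory. It parses a .reg export and flags per-user InprocServer32 registrations that point at user-writable paths or shadow a machine-wide CLSID. The registry export, CLSIDs, paths and DLL names are constructed placeholders, not indicators from the campaign.

```python
"""Hunt for per-user COM hijacks in a .reg export.

Added example (not CERT-UA's code). A CLSID registered under
HKCU\\Software\\Classes\\CLSID overrides the HKLM registration of the same
CLSID for that user, so explorer.exe (or any other process that instantiates
the object) loads whatever InprocServer32 points at.
"""
import re

# CONSTRUCTED sample export: the CLSIDs, paths and DLL names are placeholders,
# not indicators from the campaign described in the article.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Microsoft\\Windows\\sysinf.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"""

KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Directories a standard user can write to; a COM server living here is a red flag.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def parse_inproc_servers(reg_text):
    """Map (hive, CLSID) -> DLL path for every InprocServer32 key in the export."""
    servers = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1).upper(), key.group(2).upper())
            continue
        if line.startswith("["):          # some other key; ignore its values
            current = None
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if current and value:
            # .reg files double every backslash; undo that.
            servers[current] = value.group(1).replace("\\\\", "\\")
    return servers


def find_com_hijacks(reg_text):
    """Return {clsid: [reasons]} for suspicious per-user InprocServer32 entries.

    Rule 1: the DLL lives in a user-writable directory.
    Rule 2: the same CLSID also exists in HKLM, so the HKCU entry shadows a
            machine-wide object (how a DLL gets into explorer.exe silently).
    """
    servers = parse_inproc_servers(reg_text)
    machine_wide = {clsid: path for (hive, clsid), path in servers.items()
                    if hive == "HKEY_LOCAL_MACHINE"}
    findings = {}
    for (hive, clsid), path in servers.items():
        if hive != "HKEY_CURRENT_USER":
            continue
        reasons = []
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append(f"InprocServer32 in user-writable path: {path}")
        if clsid in machine_wide:
            reasons.append(f"shadows machine-wide registration: {machine_wide[clsid]}")
        if reasons:
            findings[clsid] = reasons
    return findings


if __name__ == "__main__":
    for clsid, reasons in find_com_hijacks(SAMPLE_REG).items():
        print(clsid)
        for reason in reasons:
            print("  -", reason)
```

Feed it the output of `reg export` for each loaded user hive (or an EDR registry collection) and run it per profile. The two rules are deliberately independent: a hijack whose DLL sits under Program Files would still be caught by the shadowing rule, and a brand-new CLSID with no HKLM twin would still be caught by the path rule.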
    COVENANT, a .NET-based red-team tool popular in the post-exploitation phase of attacks, was then used to download and execute PlaySndSrv.dll and a WAV file (sample-03.wav) containing encoded instructions that ultimately launched BEARDSHELL, a custom-built backdoor. Persistence was covered as well: BEARDSHELL maintained access through a separate registry entry tied to a scheduled task under Microsoft's SystemSoundsService. Classic APT28.

    What Do BEARDSHELL and SLIMAGENT Actually Do?

    Both tools were written in C++ and designed for stealth and data collection:
    • BEARDSHELL communicates with the attacker through the API of Icedrive, a legitimate cloud storage provider, which lets the malware receive encrypted PowerShell scripts and exfiltrate data without triggering traditional security tools. Each infected system gets its own directory, named with a unique hash derived from hardware and system identifiers.
    • SLIMAGENT takes periodic screenshots and encrypts them with AES and RSA, saving them locally with a timestamp in the filename. It is the visual spy in the room, quietly recording the screen without alerting the user.

    What is particularly clever, and dangerous, about the campaign is its use of legitimate cloud services (Koofr and Icedrive) as command-and-control (C2) infrastructure. The traffic goes to well-known, widely used domains rather than to suspicious IP addresses, so traditional threat intelligence blocklists are of little help.

    Why It Matters

    This campaign is not just another cyberattack; it is part of an escalating pattern of hybrid-warfare tactics employed by Russia since the start of its war in Ukraine. APT28, tied to the 2016 DNC email leaks and to countless attacks on NATO and EU institutions, is one of the Kremlin's most active cyber units.

    Their tactics have evolved. Rather than relying on brute force alone, they now combine phishing documents, encrypted messaging apps such as Signal for payload delivery, and trusted cloud APIs for communication, and they are still targeting the same critical government infrastructure they have always sought to undermine. According to CERT-UA, the malware was found inside the information systems of a central executive body of the government, a clear sign that the group is going after the upper echelons of Ukraine's state apparatus.

    Defense, Detection, and the Cloud API Problem

    CERT-UA urges security teams, particularly in government and critical infrastructure, to monitor traffic to app.koofr.net and api.icedrive.net closely, as these are being used as C2 endpoints. The advisory also noted that the attack's success hinged on:
    • users enabling macros in Office documents;
    • host security tools failing to monitor Signal-based delivery;
    • the abuse of trusted services such as Icedrive and Koofr as “invisible” control channels.

    It is another wake-up call: endpoint defenses cannot rely on static indicators. Malware now uses everyday apps, cloud platforms and registry entries to hide in plain sight.

    The Bigger Picture

    APT28 has always stayed ahead of the curve, and this campaign is no exception. By chaining macro payloads, registry hijacking, cloud C2 and multi-stage execution, the group is not just adapting; it is evolving. While these attacks may seem targeted at Ukraine, the tactics, techniques and procedures (TTPs) on display should concern every government and enterprise organization in the West. If a Word doc, a PNG and a WAV file can bypass your defenses, what else is already lurking inside?

  • Aflac Reports Breach as Insurance Cyberattacks Grow
    by Paul Shread on 20 June 2025 at 9:08 PM

    Insurance giant Aflac reported today that it was hit by a cyberattack on June 12 but was able to stop the intrusion “within hours.” Aflac detailed the incident in an SEC filing and a press release. The company did not name the suspected attacker but said in the press release that “This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group. This was part of a cybercrime campaign against the insurance industry.”

    The disclosure came days after reports that the Scattered Spider threat group was pivoting from retail attacks to a campaign targeting the insurance industry. Other recent insurance industry incidents have hit Erie Insurance and Philadelphia Insurance Companies, among others.

    Aflac Breach Began with Social Engineering

    Aflac said it has engaged third-party cybersecurity experts to help with its response and investigation, and that the preliminary investigation suggests the attackers “used social engineering tactics to gain access to our network.” The company said its business remains operational and its systems were not affected by ransomware, but it acknowledged that the attackers may have accessed sensitive data. “[W]e have commenced a review of potentially impacted files,” Aflac said. “It is important to note that the review is in its early stages, and we are unable to determine the total number of affected individuals until that review is completed. The potentially impacted files contain claims information, health information, social security numbers, and/or other personal information, related to customers, beneficiaries, employees, agents, and other individuals in our U.S. business.”

    Even though the investigation is ongoing, Aflac is offering anyone who contacts the company's dedicated call center free credit monitoring, identity theft protection and Medical Shield for 24 months. The SEC filing said Aflac plans to notify regulators and provide “appropriate notifications to individuals affected by this incident. … At this time, the full scope and potential ultimate impact on the Company are not known.”

    Defending Against Scattered Spider

    After the Scattered Spider-linked retail incidents in the UK last month, the UK's National Cyber Security Centre issued guidance for protecting operations from such attacks. Its recommended steps include:
    • comprehensive use of multi-factor authentication;
    • monitoring for signs of account misuse, such as “risky logins” flagged by Microsoft Entra ID Protection;
    • monitoring Domain Admin, Enterprise Admin and Cloud Admin accounts and confirming that any access is legitimate;
    • reviewing helpdesk password reset processes, including how staff are authenticated before a password is reset;
    • making sure the security operations center can identify suspicious logins, such as those from VPN services in residential IP ranges;
    • following tactics, techniques and procedures sourced from threat intelligence.

    Google recently issued an advisory on Scattered Spider's vishing (voice-based social engineering) techniques, which have included calling corporate service desks and “impersonating employees to have credentials and multi-factor authentication (MFA) methods reset.”
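Several of those steps describe one attack sequence: a caller convinces the helpdesk to reset a password or MFA method, then the attacker signs in from a residential VPN or proxy address before the real employee notices. The detector below is an added example, not code from the article, NCSC or Google. It replays normalised identity events and raises an alert when a helpdesk-initiated reset is followed within an hour by a sign-in from an untrusted IP category, and separately whenever a privileged account signs in from such a range at all. The log lines and the field names (actor, target, ip_category, roles) are constructed for the example; mapping them from Entra ID sign-in and audit logs is an assumed, site-specific step.

```python
"""Correlate helpdesk credential resets with the sign-in that follows them.

Added example (not code from the article, NCSC or Google). The sequence it
targets is the vishing chain described above: attacker phones the service
desk, gets a password or MFA method reset, then signs in from a residential
VPN/proxy address. Field names are an ASSUMED normalised schema, not any
identity provider's native log format.
"""
import json
from datetime import datetime, timedelta

# CONSTRUCTED events, one JSON object per line (not real log data).
SAMPLE_LOG = """\
{"ts":"2025-06-12T09:02:11Z","event":"mfa_method_reset","actor":"helpdesk.agent7","target":"jdoe","channel":"phone"}
{"ts":"2025-06-12T09:17:45Z","event":"signin","target":"jdoe","ip":"203.0.113.45","ip_category":"residential_proxy","roles":["user"]}
{"ts":"2025-06-12T10:05:00Z","event":"password_reset","actor":"self_service","target":"asmith","channel":"portal"}
{"ts":"2025-06-12T10:08:30Z","event":"signin","target":"asmith","ip":"198.51.100.7","ip_category":"corporate","roles":["user"]}
{"ts":"2025-06-12T11:40:02Z","event":"signin","target":"ops.admin","ip":"203.0.113.99","ip_category":"residential_proxy","roles":["Domain Admin"]}
{"ts":"2025-06-12T13:00:00Z","event":"mfa_method_reset","actor":"helpdesk.agent2","target":"bwong","channel":"phone"}
{"ts":"2025-06-12T15:30:00Z","event":"signin","target":"bwong","ip":"198.51.100.20","ip_category":"corporate","roles":["user"]}
"""

RESET_EVENTS = {"mfa_method_reset", "password_reset"}
# IP categories that should never be the first hop after a helpdesk reset.
UNTRUSTED_CATEGORIES = {"residential_proxy", "hosting", "anonymizer"}
PRIVILEGED_ROLES = {"Domain Admin", "Enterprise Admin", "Cloud Admin"}


def load_events(text):
    """Parse newline-delimited JSON events and return them in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=60)):
    """Return a list of alerts; each is a dict with rule, user, ip and severity."""
    alerts = []
    last_helpdesk_reset = {}   # target user -> most recent helpdesk-initiated reset
    for event in events:
        if event["event"] in RESET_EVENTS:
            # Self-service resets are not the vishing pattern; only remember
            # resets performed by a helpdesk operator.
            if event.get("actor", "").startswith("helpdesk."):
                last_helpdesk_reset[event["target"]] = event
            continue
        if event["event"] != "signin":
            continue
        user = event["target"]
        untrusted = event.get("ip_category") in UNTRUSTED_CATEGORIES
        reset = last_helpdesk_reset.get(user)
        if untrusted and reset and event["ts"] - reset["ts"] <= window:
            alerts.append({
                "severity": "high",
                "rule": "helpdesk_reset_then_untrusted_signin",
                "user": user,
                "ip": event["ip"],
                "reset_by": reset["actor"],
                "minutes_after_reset": int((event["ts"] - reset["ts"]).total_seconds() // 60),
            })
        elif untrusted and PRIVILEGED_ROLES & set(event.get("roles", [])):
            alerts.append({
                "severity": "high",
                "rule": "privileged_signin_from_untrusted_range",
                "user": user,
                "ip": event["ip"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The one-hour window and the IP categories are tuning knobs. The useful property is that self-service resets and corporate-network sign-ins fall through without an alert, so the rule stays quiet on the ordinary reset-then-login pattern while still catching the helpdesk-reset-then-residential-proxy sequence and any privileged sign-in from an untrusted range.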