Cyber Security Week in Review: January 31, 2025

An international police operation takes down Cracked and Nulled cybercrime forums

A joint law enforcement action codenamed "Operation Talent" has successfully dismantled two major cybercrime forums, Cracked and Nulled, following a series of law enforcement raids conducted between January 28 and 30, 2025. The operation led to the seizure of 17 servers, over 50 electronic devices, and approximately EUR 300,000 in cash and cryptocurrency. Two suspects were arrested in Spain, and seven properties linked to the forums were searched.

The seized assets also included 12 domain names associated with Cracked and Nulled, which were taken offline. In addition to the forums themselves, other services that their users relied on were shut down, namely Sellix (a payment processor) and StarkRDP (a hosting service), both of which had been essential for enabling transactions and hosting malicious tools sold on the forums.

Cracked, which had been operational since 2018, had over 4 million users and generated approximately $4 million in revenue by selling stolen login credentials, hacking tools, and other illicit products. 

Similarly, Nulled, which had been operating since 2016, had over 5 million users and generated about $1 million annually. It also sold stolen credentials and hacking tools. The Justice Department unsealed charges against Nulled’s administrator, Lucas Sohn, an Argentinian national arrested in Spain.

In a separate announcement, the DoJ said it seized 39 domains and their associated servers as part of an international effort involving the Dutch National Police to disrupt a Pakistan-based network operated by a phishing group called Saim Raza, also known as HeartSender and Manipulaters Team.

The group, which has been active since at least 2020, ran online marketplaces selling hacking and fraud-enabling tools, including phishing kits, scam pages, and email extractors. The tools were marketed to transnational organized crime groups and used to facilitate cybercrimes, particularly business email compromise schemes.

Saim Raza not only sold these malicious programs but also provided instructional materials, including YouTube videos, to train others on how to execute fraud schemes, the DoJ alleges. The group advertised its tools as “undetectable” by anti-spam software, making them particularly attractive to cybercriminals. The tools were primarily used to conduct schemes in which cybercriminals tricked businesses into transferring funds to accounts they controlled, as well as to steal victim credentials for further exploitation.

Unpatched flaw in Zyxel CPE series devices exploited in the wild

Hackers are actively exploiting a critical command injection vulnerability in Zyxel CPE Series devices, tracked as CVE-2024-40891, which has remained unpatched since its discovery last July. The flaw allows unauthenticated attackers to execute arbitrary commands via the vulnerable devices’ ‘supervisor’ or ‘zyuser’ service accounts. Zyxel has yet to issue a security advisory or patch for CVE-2024-40891.

Apple fixes actively exploited zero-day flaw affecting iPhones

Apple has released security updates addressing a zero-day vulnerability that has been actively exploited by attackers targeting iPhone users. The vulnerability (CVE-2025-24085) is a use-after-free bug in the CoreMedia framework responsible for processing media data on Apple devices, which allows for potential memory corruption and could result in arbitrary code execution. The flaw impacts versions of iOS prior to iOS 17.2. While Apple acknowledged that the vulnerability may have been leveraged in attacks against devices running earlier versions of iOS, the company withheld additional details regarding real-world exploitation.

New Aquabot botnet abuses Mitel flaw for DDoS attacks

A new Mirai botnet variant, dubbed ‘Aquabot’, has been detected exploiting a security vulnerability (CVE-2024-41710) in Mitel phones, targeting their boot process to inject commands. The flaw, which affects several Mitel phone models including the 6800, 6900, and 6900w Series SIP Phones and the 6970 Conference Unit, allows attackers to execute arbitrary commands. Mitel addressed the issue in July 2024, and a proof-of-concept exploit was publicly released in August. Compromised devices are used in DDoS attacks.

Over 57 threat actors are using Google’s AI for malicious purposes

A recent report from Google's Threat Intelligence Group (GTIG) reveals that over 57 distinct threat actors, linked to China, Iran, North Korea, and Russia, have been using Google’s AI technology Gemini to enhance their cyber and information operations. These groups primarily use AI for tasks like research, code troubleshooting, content creation, and localization.

Iranian APT actors, particularly APT42, are leveraging Gemini for phishing campaigns, reconnaissance, and content generation related to cybersecurity. The group has a history of using social engineering tactics to infiltrate organizations across various sectors.

Chinese groups are using Gemini for reconnaissance, network infiltration techniques, and lateral movement within victim systems. Russian actors have mainly used the tool to rewrite existing malware and add encryption to it, while North Korean actors have used it for job research and writing cover letters as part of efforts to place clandestine IT workers in Western companies.

In other news, North Korea’s Lazarus Group has been using a web-based administrative platform to manage its command-and-control (C2) infrastructure, leveraging Astrill VPN and proxies to mask the traffic and control C2 servers. From September 2024 to January 2025, Lazarus targeted 233 victims globally, using a sophisticated React application and API to manage exfiltrated data and deliver payloads through C2 servers over port 1245.

In another campaign, the North Korean-linked Andariel threat group has been observed using RID hijacking, a technique that lets a low-privileged local user account gain administrator-level access on Windows systems.
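A defender-side check for the artefact RID hijacking leaves behind, written for this digest and not taken from the original report or from Andariel's tooling. It assumes it is run as SYSTEM (for example under PsExec -s), because HKLM\SAM is not readable by ordinary administrators, and that the account RID is stored as a 32-bit little-endian integer at offset 0x30 of each account's SAM "F" value:

```powershell
# Added example: compare the RID encoded in each SAM account key name with the RID
# stored inside that key's "F" value. RID hijacking rewrites the stored RID (typically
# to 500, the built-in Administrator) while the key name keeps the original RID, so a
# mismatch is the signal to investigate.
# Assumptions: running as SYSTEM; RID at offset 0x30 of the F value (little-endian).
$usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

$findings = Get-ChildItem -Path $usersKey |
    # Account subkeys are named with the 8-hex-digit RID; skip the "Names" subkey.
    Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |
    ForEach-Object {
        $keyRid    = [Convert]::ToInt32($_.PSChildName, 16)
        $f         = (Get-ItemProperty -Path $_.PSPath -Name 'F').F
        $storedRid = [BitConverter]::ToInt32($f, 0x30)
        [PSCustomObject]@{
            KeyName   = $_.PSChildName
            KeyRid    = $keyRid
            StoredRid = $storedRid
            Mismatch  = ($keyRid -ne $storedRid)
        }
    }

$findings | Format-Table -AutoSize

$suspicious = $findings | Where-Object Mismatch
if ($suspicious) {
    $list = ($suspicious | ForEach-Object { "$($_.KeyName) -> $($_.StoredRid)" }) -join ', '
    Write-Warning "RID mismatch detected (possible RID hijacking): $list"
} else {
    Write-Output 'No RID mismatches found in the local SAM.'
}
```

A mismatch whose stored RID is 500 is the classic hijack of the built-in Administrator; any other mismatch still deserves a look at who modified the SAM hive and when.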

An advanced persistent threat (APT) group tracked as UAC-0063, which has been linked to the Russian state-sponsored actor APT28, has expanded its cyberespionage operations from Central Asia to Europe. In a recent campaign, the threat actor has been observed targeting embassies and government entities across multiple European countries with the HATVIBE malware. The campaign reuses documents stolen from one compromised victim as lures to infiltrate other high-value targets, including diplomatic missions in Germany, the United Kingdom, the Netherlands, Romania, and Georgia.

EU sanctions three Russian intelligence officers for cyberattacks on Estonia

The European Union has imposed sanctions on three Russian nationals in response to their involvement in a series of cyberattacks against the Republic of Estonia in 2020. The individuals, Nikolay Alexandrovich Korchagin, Vitaly Shevchenko, and Yuriy Fedorovich Denisov, are all identified as officers in Unit 29155 of the General Staff of the Armed Forces of the Russian Federation (GRU). The trio played key roles in a sophisticated cyberattack that targeted several Estonian government ministries, including Economic Affairs and Communications, Social Affairs, and Foreign Affairs. During the attack, the intruders gained access to highly sensitive government data and stole thousands of confidential documents, including business secrets, health records, and other vital information, compromising the security of the affected institutions.

New J-magic campaign backdoors Juniper enterprise routers

Lumen Technologies' Black Lotus Labs has uncovered a malicious campaign, named “J-magic,” aimed at enterprise-grade Juniper routers. The operation, which began in mid-2023, is believed to have exploited vulnerabilities in Juniper's Junos OS, with the earliest known sample uploaded to VirusTotal in September 2023. The attack uses a passive agent that monitors TCP traffic for a specific “magic packet” sent by the attacker. Once this packet is detected, the agent issues a secondary challenge before establishing a reverse shell on the compromised router, granting the attackers full control. With this access, threat actors can steal sensitive data or deploy additional malicious software.

Ongoing phishing campaign targets Poland and Germany with advanced malware

A financially motivated threat actor has been linked to a sophisticated phishing campaign targeting users in Poland and Germany, with the attacks ongoing since at least July 2024. The operation involves various malicious payloads, including well-known malware like Agent Tesla and Snake Keylogger, as well as a previously undocumented backdoor known as TorNet, delivered via a tool called PureCrypter.

Trojanized XWorm RAT builder targets script kiddies

Cybersecurity researchers have spotted a Trojanized version of the XWorm Remote Access Trojan (RAT) builder that specifically targets script kiddies. Distributed primarily via a GitHub repository and file-sharing services, the malware has infected over 18,000 devices globally. Once installed, it steals browser credentials, Discord tokens, Telegram data, and system information from the compromised machine and exfiltrates them.

Ransomware actors targeting ESXi hypervisors with SSH Tunneling for persistence

Ransomware actors are increasingly targeting VMware ESXi bare-metal hypervisors, using SSH tunneling to maintain persistent, undetected access to compromised systems. Threat actors gain initial access by exploiting known vulnerabilities in ESXi appliances or by using compromised administrator credentials. Once inside, they abuse the hypervisor’s built-in SSH service, which is designed to let system administrators manage the device remotely, to establish persistence, move laterally within the network, and deploy ransomware payloads.

Poland accuses Russia of recruiting citizens to influence presidential election

A senior member of the Polish government accused Russia of attempting to recruit Polish citizens via the dark web to influence the upcoming presidential election. Deputy Prime Minister Krzysztof Gawkowski warned that Russian intelligence services were targeting Polish nationals to spread disinformation during the campaign for the May election. Gawkowski revealed that Russia's military intelligence (GRU) and its Federal Security Service (FSB) were offering Polish citizens between 3,000 and 4,000 euros ($3,130-$4,170) in exchange for helping to shape the election's narrative through misleading content.

New side-channel attacks SLAP and FLOP targeting Apple silicon processors

A team of security researchers from the Georgia Institute of Technology and Ruhr University Bochum has revealed two side-channel security issues affecting Apple Silicon processors. The attacks, which could potentially expose sensitive data from popular web browsers such as Safari and Google Chrome, are named SLAP (Data Speculation Attacks via Load Address Prediction) and FLOP (Breaking the Apple M3 CPU via False Load Output Predictions).

The vulnerabilities exploit weaknesses in speculative execution, an optimization technique that modern processors, including Apple’s, use to predict and execute instructions ahead of time, based on expected control flows. However, when these predictions go wrong, the CPU may leave traces of the erroneous execution in its cache, which could then be exploited by an attacker to leak sensitive information, even after the processor rolls back the incorrect operations.

In other news, a new attack, called 'Browser Syncjacking,' has been discovered by security researchers at SquareX. The attack exploits a seemingly harmless Chrome extension to take over a victim’s device. It involves a multi-step process, including hijacking the victim’s Google profile and browser, leading to full device control. The attack requires minimal permissions, and only needs the victim to install a legitimate-looking extension, with little to no interaction needed.

DeepSeek exposed database leaks sensitive data, including chat history

Wiz Research has discovered a publicly accessible ClickHouse database belonging to DeepSeek, a new AI chatbot provider from China. The exposed database allowed full control over database operations and contained highly sensitive data, including over a million lines of log streams holding chat history, secret keys, backend details, and other confidential information.
