Cyber Security Week in Review: March 07, 2025

Website of Russian crypto exchange Garantex seized in an international law enforcement op

A coalition of international law enforcement agencies has seized the website of the cryptocurrency exchange Garantex, almost three years after the US Treasury Department sanctioned the service in April 2022. The domain was seized by the United States Secret Service under a court order, with support from various agencies including the FBI, Europol, and police forces from the Netherlands, Germany, Finland, and Estonia.

Founded in 2019, Garantex had been previously linked to facilitating transactions for illicit actors, including darknet markets like Hydra and ransomware groups such as Conti. In 2022, the US Treasury sanctioned the exchange for processing over $100 million in transactions connected to these criminal activities. In late 2023, sanctions were also imposed on Russian national Ekaterina Zhdanova for her role in laundering ransomware funds via Garantex. After the seizure, Garantex suspended all services, including cryptocurrency withdrawals, and made no mention of the law enforcement action in its official communications.

The Department of Justice has unsealed an indictment against Aleksej Besciokov, a 46-year-old Lithuanian national and Russian resident, and Aleksandr Mira Serda, a 40-year-old Russian national and UAE resident. Both are charged with money laundering conspiracy, while Besciokov faces additional charges of conspiracy to violate sanctions and operate an unlicensed money transmitting business. Between 2019 and 2025, they operated Garantex, a platform involved in laundering hundreds of millions in criminal proceeds, facilitating crimes like hacking, ransomware, terrorism, and drug trafficking. Besciokov was responsible for Garantex's technical operations, while Serda was its co-founder and commercial officer. They are accused of knowingly concealing criminal activities on the platform, including providing false information to Russian law enforcement.

The US charges APT27 and i-Soon hackers with cyberattacks on entities across the globe

US authorities unsealed two indictments against two Chinese nationals, Yin Kecheng (aka “YKC”) and Zhou Shuai (aka “Coldface”) for their involvement in extensive cyberattacks spanning over a decade. The Department of Justice revealed that the two individuals, associated with the hacking group APT27 (also known as Threat Group 3390, Bronze Union, and several other names), conducted sophisticated, profit-driven cyber intrusions targeting both US and global networks since 2013. Their activities included exploiting system vulnerabilities, deploying malware, and exfiltrating sensitive data, which was sold to various customers, including those linked to the Chinese government and military.

Additionally, eight employees from a Chinese company, Anxun Information Technology Co. Ltd. (i-Soon), were charged for their role in cyber intrusions from 2016 to 2023. The company, operating in the hacker-for-hire industry, provided hacking services to Chinese authorities, including the Ministry of State Security (MSS) and the Ministry of Public Security (MPS). i-Soon generated millions of dollars by hacking email accounts, phones, servers, and websites and even trained Chinese government personnel in hacking techniques. The company was also implicated in transnational repression and the sale of stolen data to Chinese agencies.

The Department of Justice seized domains and server accounts linked to the hackers, while the State Department offered rewards up to $10 million for information leading to the suspects' identification or location.

North Korean Moonstone Sleet observed deploying Qilin ransomware payloads in attacks

Microsoft has reported that the North Korean hacking group Moonstone Sleet, previously known as Storm-1789, has started deploying Qilin ransomware in a limited number of recent attacks since late February 2025. This marks a shift for the group, which had previously only used its custom ransomware. Moonstone Sleet, a state-sponsored threat actor, is known for operations motivated by both financial gain and cyberespionage, using a range of tactics, including trojanized software, custom malware loaders, malicious games, npm packages, and fake companies. The fake entities often engage with potential victims on platforms like LinkedIn, Telegram, or via email, to spread their attacks.

A separate report from Microsoft looks into a large-scale malvertising campaign that impacted nearly one million devices worldwide in an opportunistic attack to steal information. The attack originated from illegal streaming sites containing malvertising redirectors, leading users to an intermediary site that redirected them to GitHub and other platforms. The GitHub repositories hosted malware used to deploy additional malicious files. Once the malware gained access to the device, it used a multi-stage approach to deliver payloads, execute scripts, and persist on the system. The malware collected system information and exfiltrated data, with activity tracked under the name Storm-0408.

Three zero-day flaws in VMware ESXi, Workstation, and Fusion exploited in the wild

VMware has issued security updates for its ESXi, Workstation, and Fusion products to address three vulnerabilities being actively exploited in the wild. The first, CVE-2025-22224, is a heap-based buffer overflow in VMCI that allows arbitrary code execution on the hypervisor. The second, CVE-2025-22225, is a privilege escalation flaw that lets a malicious guest bypass sandbox restrictions. The third, CVE-2025-22226, is an out-of-bounds read that could disclose memory contents. These flaws impact various VMware products, and users are urged to update their systems promptly.

Google has released its March 2025 Android Security Bulletin, fixing over 40 vulnerabilities, including two issues exploited by a zero-day exploit chain targeting a Serbian youth activist. Additionally, CISA has added five vulnerabilities to its Known Exploited Vulnerabilities catalog, including flaws in Cisco routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows, and Progress WhatsUp Gold.

In other news, ransomware gangs are exploiting a zero-day vulnerability in Paragon Partition Manager's kernel-level driver, BioNTdrv.sys, as part of "Bring Your Own Vulnerable Driver" (BYOVD) attacks. Microsoft researchers identified five vulnerabilities in the driver, with CVE-2025-0289 being the specific flaw used by attackers. This vulnerability allows threat actors to escalate privileges to SYSTEM level in Windows, enabling them to execute malicious commands with elevated access. Currently, it is unclear which ransomware groups are taking advantage of this zero-day flaw.

A critical PHP-CGI remote code execution (RCE) vulnerability (CVE-2024-4577) has been exploited in ongoing cyberattacks against Japan’s tech, telecom, and e-commerce sectors. Discovered by Cisco Talos, the attacks, ongoing since January 2025, involve an unknown attacker using the flaw in PHP’s Windows implementation to gain access to victim systems. The attacker then employs Cobalt Strike’s "TaoWu" plugins for post-exploitation activities. Talos identified a pre-configured installer script on the command-and-control server, which deploys a suite of malicious tools hosted on an Alibaba cloud container registry. These tools, indicating the attacker’s advanced capabilities, are used for credential theft, persistence, and privilege escalation, suggesting the possibility of further attacks targeting these organizations.

New Eleven11bot DDoS botnet encompasses 80,000 hacked devices

Security researchers have spotted one of the largest DDoS botnets in recent years, named Eleven11bot. Initially compromising 30,000 devices, mostly security cameras and network video recorders, the botnet's scope expanded, with the Shadowserver Foundation reporting 86,400 infected IoT devices globally. The majority of compromised devices are in the US, with others affected in the UK, Canada, and Australia. Eleven11bot has caused significant disruptions across sectors like gaming and communications.

Additionally, Human Security’s Satori research team has discovered a new variant of the Badbox malware, which has infected as many as one million Android devices forming a massive botnet. First spotted in 2023, Badbox originally targeted off-brand Android-powered TV devices involved in a large ad-fraud network. The updated Badbox 2.0 variant now targets various devices running the Android Open Source Project (AOSP), including cheap smartphones, TV boxes, car tablets, and digital projectors, all manufactured in China.

North Korean IT workers are creating fake personas on GitHub to secure remote jobs

A new report from threat monitoring firm Nisos reveals that North Korean IT workers are posing as various Asian nationals on GitHub to secure remote engineering and blockchain development roles in the US and Japan. The fake personas often utilize reused GitHub accounts and portfolio content, with some even claiming to work for small companies.

The Chinese espionage group Silk Typhoon has recently shifted its focus to IT supply chain attacks, according to a Microsoft Threat Intelligence report. Instead of targeting cloud services directly, Silk Typhoon exploits vulnerabilities in IT solutions like remote management tools, cloud applications, and privileged access management (PAM) systems to gain initial access. By stealing API keys and credentials linked to PAM and cloud service providers, the group infiltrates sensitive environments, including government and IT sector networks. Once inside, they conduct reconnaissance, collect data related to Chinese interests, and carry out additional tactics such as resetting admin accounts, implanting web shells, and clearing logs.

Threat intelligence platform GreyNoise said it detected over 90 unique threat IPs exploiting CVEs associated with Silk Typhoon (CVE-2021-26855, CVE-2021-44228 (Log4Shell), and CVE-2024-3400). However, GreyNoise has not attributed the observed exploitation attempts directly to the Silk Typhoon threat actor.

Proofpoint researchers have uncovered a highly targeted, email-based cyberattack campaign aimed at fewer than five organizations in the United Arab Emirates (UAE). These organizations, specifically involved in aviation, satellite communications, and critical transportation infrastructure, were carefully selected as targets due to their strategic importance. The cyberattack, attributed to an adversarial group tracked as UNK_CraftyCamel, employed sophisticated methods to deliver a malicious payload and leveraged a new backdoor malware known as Sosano.

Black Basta and CACTUS ransomware gangs use BackConnect malware for remote access and data theft

Cybersecurity experts say that the threat actors behind the Black Basta and CACTUS ransomware families have started to utilize the same BackConnect (BC) module, which may indicate that affiliates previously associated with the Black Basta group have transitioned to CACTUS. According to a recent Trend Micro report, the BC module, tracked as QBACKCONNECT, allows attackers to remotely control infected systems. Once deployed on a victim's machine, this module allows the threat actors to execute commands, steal sensitive data such as login credentials, financial information, and personal files, and maintain persistent control over the compromised system. The BC module was linked to the notorious QakBot malware loader in late January 2025 by security teams at Walmart and Sophos, with Sophos assigning the cluster the label STAC5777.

Earlier this week, the FBI warned that threat actors, claiming to be from the BianLian ransomware group, are using traditional mail to extort money from corporate executives. The letters, marked "Time Sensitive Read Immediately," threaten to release stolen sensitive data unless a ransom between $250,000 and $500,000 is paid within 10 days. The letters, supposedly from the Russian-linked group, include a QR code linked to a Bitcoin wallet for payment. The attackers refuse to negotiate further once the demand is made.

The Akira ransomware operation has been observed employing new tactics that involve the threat actors compromising an unsecured webcam in order to circumvent an Endpoint Detection and Response (EDR) tool and deploy ransomware. The webcam had several critical vulnerabilities, including remote shell access and unauthorized camera viewing. It ran a lightweight Linux OS that allowed command execution, making it an ideal target for Akira’s Linux ransomware. Additionally, the device lacked EDR tools and, due to limited storage, couldn't support the installation of such protections.

12,000 API keys and passwords found in DeepSeek's training data

A recent investigation by Truffle Security has uncovered nearly 12,000 valid secrets, including API keys and passwords, in the Common Crawl dataset, an open-source collection of petabytes of web data maintained since 2008. Truffle Security's team analyzed the Common Crawl's December 2024 archive, which consists of around 400 terabytes of data, scanning 2.67 billion web pages for sensitive information. The findings revealed 219 distinct types of secrets, with the most common being MailChimp API keys. In total, nearly 1,500 unique MailChimp keys were found hardcoded into HTML and JavaScript on front-end webpages.
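As an added illustration of the kind of scan the Truffle Security report describes (this is example code, not Truffle's tooling or anything from the page): a small Python secret detector run over a constructed front-end page, with a MailChimp key pattern, a placeholder filter, and an occurrences-versus-unique summary. The key shapes, sample values, and function names are assumptions; verifying each hit against the provider, as Truffle did to count only valid secrets, is not shown.

```python
import re
from collections import Counter

# Constructed stand-in for one crawled front-end page; none of these values are real.
SAMPLE_PAGE = """<script>
  // server-side key shipped to the browser (constructed, not a real key)
  var mcKey = "0123456789abcdef0123456789abcdef-us21";
  fetch("https://us21.api.mailchimp.com/3.0/lists", {
    headers: { Authorization: "apikey 0123456789abcdef0123456789abcdef-us21" }
  });
  const s3 = { accessKeyId: "AKIAABCDEFGHIJKLMNOP" };
  const db = { password: "hunter2hunter2!" };
  const demo = { password: "CHANGEME_PLACEHOLDER" };
</script>"""

# Detectors keyed by secret type. The MailChimp pattern follows the documented
# key shape: 32 hex chars, a dash, then the data-centre suffix (e.g. -us21).
PATTERNS = {
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "password_literal": re.compile(
        r"""(?i)\b(?:password|passwd|pwd)\s*[:=]\s*["']([^"']{8,})["']"""),
}
PLACEHOLDER_HINTS = ("example", "placeholder", "changeme", "xxxx", "your_")

def is_placeholder(value: str) -> bool:
    """Drop obvious dummy values so the report is not dominated by noise."""
    low = value.lower()
    return any(h in low for h in PLACEHOLDER_HINTS)

def redact(value: str) -> str:
    """Keep just enough of the value to recognise it without republishing it."""
    return value[:4] + "..." + value[-4:] if len(value) > 10 else "*" * len(value)

def find_secrets(text: str) -> list[dict]:
    """One finding per match: kind, 1-based line number, raw and redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)   # group 1 if the pattern has one
                if not is_placeholder(value):
                    findings.append({"kind": kind, "line": line_no,
                                     "value": value, "redacted": redact(value)})
    return findings

def summarize(findings: list[dict]) -> dict:
    """Occurrences vs. unique values per kind: one key pasted twice is one leak."""
    occurrences = Counter(f["kind"] for f in findings)
    unique = {k: len({f["value"] for f in findings if f["kind"] == k})
              for k in occurrences}
    return {"occurrences": dict(occurrences), "unique": unique}
```

The same key appears twice in the sample but counts as one unique leak, which is the distinction behind the report's "nearly 1,500 unique MailChimp keys" figure.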

Major Western chatbots are spreading Russian propaganda about the war in Ukraine

News and information websites rating provider NewsGuard has found that major Western chatbots (OpenAI’s ChatGPT-4o, You.com’s Smart Assistant, xAI’s Grok, Inflection’s Pi, Mistral’s le Chat, Microsoft’s Copilot, Meta AI, Anthropic’s Claude, Google’s Gemini, and Perplexity’s answer engine) are spreading Russian propaganda, particularly regarding the war in Ukraine. The disinformation originates from the Russian aggregation network Pravda, which spreads false claims such as the existence of secret US bioweapons labs in Ukraine and fabricated narratives involving Ukrainian President Zelensky misusing US military aid. NewsGuard’s audit found that 33% of the chatbots’ responses repeated disinformation from Pravda. The study showed that the chatbots cited 92 different Pravda articles, with 56 out of 450 chatbot responses directly referencing stories spreading false claims.

ClickFix phishing campaign deploys Havoc post-exploitation framework for remote access

Cybersecurity researchers have uncovered a new phishing campaign, called ClickFix, which uses social engineering tactics to deliver malware and grant attackers remote access to compromised devices. Discovered by Fortinet’s Fortiguard Labs, the campaign deploys the Havoc post-exploitation framework, allowing attackers to control infected systems.

Trustwave has published a deep dive into Strela Stealer, an infostealer that exfiltrates email log-in credentials and has been in the wild since late 2022. Strela Stealer is a precisely focused malware, targeting two email clients, Mozilla Thunderbird and Microsoft Outlook, on systems located in chosen European countries.

EncryptHub, a financially motivated threat actor also known as LARVA-208, has been conducting advanced phishing campaigns to deploy information stealers and ransomware. The threat actor is also working on a new product, EncryptRAT. Active since late June 2024, EncryptHub targets users of popular applications by distributing trojanized versions and utilizes third-party Pay-Per-Install (PPI) services. The tactics include SMS phishing (smishing) and voice phishing (vishing) to trick victims into installing remote monitoring and management (RMM) software.

The US sanctions admin of Nemesis darknet marketplace

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Behrouz Parsarad, the Iran-based administrator of the Nemesis darknet marketplace. Taken down in 2024 after an international law enforcement operation, Nemesis facilitated illegal activities such as drug trafficking, money laundering, and cybercrime. With over 30,000 users and 1,000 vendors, the platform enabled nearly $30 million in illicit drug sales globally, including to the US, between 2021 and 2024. Parsarad controlled the marketplace and profited from transaction fees, while also laundering virtual currencies for criminals.
