Dark Web News

Dark Web News – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • The Cyber Express Weekly Roundup: AI Security Controls, Major Patch Releases, Public Sector Audits, and Emerging Online Scams
    by Ashish Khaitan on June 12, 2026 at 11:48 am

    This week’s cybersecurity developments highlight a growing emphasis on proactive security measures, governance oversight, and risk management across both public and private sectors. From large-scale vulnerability remediation efforts and AI security enhancements to government-led technology reviews and event-driven cybercrime campaigns, organizations continue to face a complex threat landscape.  A common theme across this week’s stories is the balance between innovation and security. As institutions adopt AI-powered systems, expand digital services, and move critical operations online, security teams are being challenged to strengthen protections without slowing modernization efforts. At the same time, threat actors continue to capitalize on public-interest events and trusted digital platforms to conduct fraud and data-theft campaigns.  The Cyber Express Weekly Roundup  CBSE Re-Evaluation Portal Receives Final Security Clearance  The Central Board of Secondary Education (CBSE) has completed the final cybersecurity review of its examiner-facing re-evaluation platform, clearing the way for the reassessment of Class 12 answer scripts. Following an IIT-led audit and security testing process, examiners can now access the system to process applications submitted by more than 70,000 students. Read more…  OpenAI Expands Lockdown Mode Across ChatGPT Accounts  OpenAI has extended its Lockdown Mode security feature to all personal ChatGPT users, including Free, Go, Plus, Pro, and self-service Business accounts. The feature is designed to reduce the risk of prompt injection-related data exposure by limiting access to high-risk capabilities such as live web browsing, Deep Research, Agent Mode, and external file interactions. Read more…  UK Courts Explore AI-Powered Legal Assistance  The UK government has announced plans to test AI legal assistants within Crown Courts as part of broader judicial modernization efforts. The tools are expected to assist with legal research, case review, scheduling, and administrative processes while remaining under human supervision. Read more…  Microsoft Issues Largest Patch Tuesday Update on Record  Microsoft’s June 2026 Patch Tuesday addressed a record-breaking 200 security vulnerabilities across its product ecosystem, including Windows, Office, Azure, and Exchange. The release included fixes for three publicly disclosed zero-day vulnerabilities and dozens of critical flaws. Read more…  ServiceNow Clarifies Nature of Recent Security Incident  ServiceNow has provided additional details regarding a recently disclosed security vulnerability, stating that observed activity originated from security researchers and customer investigations rather than malicious attackers. The company released a security update to address the issue and emphasized that there is no evidence of customer data misuse. Read more…  World Cup-Themed Scams Target Fans Ahead of FIFA 2026  Cybercriminals are already leveraging interest in the FIFA World Cup 2026 to launch phishing campaigns, fake ticket sales, and fraudulent recruitment schemes. Security researchers and law enforcement agencies have identified numerous lookalike domains impersonating official FIFA services in an effort to steal personal and financial information. Read more…  Weekly Cybersecurity Takeaway  This week’s developments demonstrate that cybersecurity is becoming a foundational requirement for digital transformation rather than a separate consideration. Whether securing AI platforms, protecting educational systems, modernizing public services, or managing enterprise vulnerabilities, organizations are being forced to address security challenges alongside innovation initiatives.  Meanwhile, threat actors continue to exploit trust, familiarity, and public interest to achieve their objectives. From phishing campaigns targeting global sporting events to attacks focused on cloud services and enterprise platforms, the most effective defenses remain strong security governance, timely patching, user awareness, and continuous monitoring of emerging risks. 

  • 163 Organizations Hit by Thai Gambling SEO Poisoning Campaign
    by Ashish Khaitan on June 12, 2026 at 7:28 am

    A large-scale Thai gambling SEO poisoning operation has compromised 163 organizations across more than 30 countries by exploiting abandoned cloud DNS delegations, according to research from Cyble Research & Intelligence Labs (CRIL).   The ongoing SEO poisoning campaign has affected government agencies, healthcare organizations, financial institutions, universities, and critical infrastructure operators, allowing attackers to host Thai-language gambling content on trusted enterprise domains.  How the SEO Poisoning Campaign Works  Researchers found that the campaign primarily abuses abandoned Azure DNS zone delegations. When organizations retire cloud projects, DNS records that delegate subdomains to Azure are often left behind. Threat actors identify these orphaned delegations, recreate the abandoned DNS zones under new Azure subscriptions, and gain authority over the affected subdomains.  Using this method, the attackers deploy a Next.js-based Thai-language gambling kit protected by valid Let’s Encrypt wildcard certificates. As a result, users, browsers, and search engines see what appears to be legitimate content hosted under trusted corporate domains.  At the time of publication, 161 of the 163 affected organizations remained actively compromised.  Discovery Leads to Global Exposure  The investigation began when CRIL identified unusual DNS activity on a Verizon subdomain environment. Researchers discovered more than 1,000 individually named subdomains serving Thai-language gambling content. Each page contains affiliate links designed to drive user registrations and generate commissions.  Further analysis revealed the same infrastructure and content fingerprints across 162 additional organizations. More than 90 compromised enterprise subdomains shared the same Next.js build ID (QQOrXCFjoI6C9oF-4YVhl), favicon path (/img/ib99-hq.ico), and affiliate redirect destinations.  Four DNS Abuse Methods Identified  The Thai gambling SEO poisoning operation relied on four compromise mechanisms:  Azure DNS zone takeover: More than 150 organizations were affected through abandoned Azure DNS delegations.  DigitalOcean DNS zone takeover: Two organizations were compromised using a similar technique.  Direct wildcard DNS misconfigurations: Two organizations had wildcard records pointing to attacker-controlled infrastructure.  Mass A-record creation: Verizon’s environment contained over 1,000 individual DNS records directing traffic to gambling content.  Certificate Transparency records showed some abandoned zones had remained dormant for years. One pharmaceutical company’s subdomain had not seen a legitimate certificate since October 2019 before attackers obtained a new certificate on April 11, 2026. Another electronics firm’s platform showed a gap between February 2023 and April 10, 2026.  Monetization and Backend Infrastructure  The SEO poisoning campaign generated revenue through affiliate tracking codes such as “ibiza99vip1,” “bigwinv1,” “seven77vip1,” and “link99.” Researchers observed server-side filtering that verified visitors originated from Thailand before redirecting them to gambling platforms.  The campaign ultimately linked to four gambling destinations: ibiza99.autos, big888.store, seven77.click, and link99.nova555.rest. The gambling pages promoted deposits as low as 1 Thai Baht (approximately $0.03 USD) and included structured SEO content, FAQ schema, and mobile optimization features.  Behind the delivery infrastructure, researchers uncovered a dedicated backend fleet of 103 servers located in Hong Kong under AS398478 (PEG TECH INC). Evidence linking the servers included identical TLS fingerprints, shared certificates, matching HTTP hashes, uniform MySQL configurations, and common administration tools.  Detection and Mitigation CRIL noted that traditional security tools are unlikely to detect this Thai gambling SEO poisoning activity because the attackers use valid certificates, reputable domains, and clean infrastructure. The researchers recommend continuous monitoring of Certificate Transparency logs, auditing all DNS delegations, and immediately removing abandoned NS records pointing to cloud providers.  According to the report, the campaign demonstrates how a single DNS hygiene failure can be systematically exploited at scale. Rather than breaching networks or applications, the attackers capitalized on forgotten cloud configurations, turning trusted domains into vehicles for a sophisticated SEO poisoning campaign targeting Thai search traffic. 

  • Miasma Malware Targets Red Hat npm Packages in New Supply Chain Attack
    by Ashish Khaitan on June 2, 2026 at 8:14 am

    A newly discovered software supply chain campaign, dubbed Miasma, has emerged as the latest evolution of the Shai-Hulud supply chain attack, compromising several redhat-cloud-services npm packages to steal credentials, harvest secrets from developer systems, and spread through development environments using worm-like behavior. Security researchers at Socket described the operation as a smaller but highly capable successor to earlier Shai-Hulud campaigns, noting that it employs many of the same techniques that made previous attacks effective against software development ecosystems. “This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation,” Socket said. Attribution Remains Unclear as TeamPCP Tools Continue to Circulate The identity of the threat actor behind the latest Shai-Hulud supply chain attack remains uncertain. One major reason is the role of TeamPCP, a well-known cybercrime group that previously open-sourced tools associated with the original Shai-Hulud worm. By publicly releasing those resources, TeamPCP lowered the barrier for other attackers to launch similar operations, making attribution significantly more difficult. Researchers have not yet linked the Miasma campaign to any specific actor with confidence. Affected redhat-cloud-services Packages The attack targeted multiple packages published under the redhat-cloud-services namespace. The known compromised packages include: @redhat-cloud-services/vulnerabilities-client @redhat-cloud-services/tsc-transform-imports @redhat-cloud-services/topological-inventory-client @redhat-cloud-services/sources-client @redhat-cloud-services/rule-components @redhat-cloud-services/remediations-client @redhat-cloud-services/rbac-client The malicious code embedded within these packages was designed to execute during installation, allowing attackers to collect sensitive information from infected developer environments. Encrypted Data Theft and GitHub-Based Propagation Similar to earlier waves of the Shai-Hulud supply chain attack, the malware incorporates encrypted exfiltration capabilities. Stolen information is transmitted to the endpoint “api.anthropic[.]com:443/v1/api,” while GitHub serves as a secondary communication and propagation channel. According to Socket, the malware can commit encrypted data packages directly through GitHub’s API. “It commits the encrypted result envelope through the GitHub API,” Socket said. “The commit message can include: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner:.” Researchers from OX Security identified the first commit containing the phrase “Miasma: The Spreading Blight” on May 29, 2026. This suggests either that the malware variant had already been active by that date or that attackers began testing the campaign around that time. GitHub Abuse Enables Verified Malicious Commits The Miasma malware actively searches for repositories where stolen GitHub tokens possess write permissions. It then inspects action.yml and action.yaml files using GraphQL queries before injecting malicious workflows through GitHub’s createCommitOnBranch mutation. This technique allows the resulting commits to appear as legitimate, verified, and signed changes, increasing the likelihood that malicious modifications will evade scrutiny. The malware is also capable of performing several additional actions, including: Attempting privilege escalation by launching containers that bind-mount the host’s /etc/sudoers.d directory and grant passwordless sudo access to CI runners. Detecting endpoint protection products such as CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before executing malicious activities. Establishing persistence by modifying Anthropic Claude Code through a SessionStart hook. Creating Visual Studio Code tasks.json files configured with “runOn”: “folderOpen” to ensure automatic execution whenever a project is opened. Red Hat GitHub Account Believed to Be Initial Entry Point Investigators believe the campaign originated from the compromise of a Red Hat employee’s GitHub account. Evidence indicates that the account served as the patient zero event used to inject malicious code into the affected redhat-cloud-services packages. The compromised account reportedly pushed malicious orphan commits into two RedHatInsights repositories, allowing the attacker to bypass normal code review procedures and introduce the malicious payload. Recommended Response and Remediation Steps Security experts advise organizations that installed affected redhat-cloud-services package versions to immediately isolate impacted systems and remove compromised releases. Additional recommendations include: Rotating all potentially exposed credentials. Reviewing GitHub and npm activity for suspicious behavior. Auditing environments for persistence mechanisms. Investigating modifications to configuration files such as: ~/.claude/settings.json .vscode/tasks.json .github/workflows/codeql.yml .github/setup.js Enforcing stronger access controls across development environments. Socket warned that removing the malicious package alone is not sufficient. “Because the malware includes background execution and potential developer-tool persistence mechanisms, uninstalling the npm package or deleting node_modules should not be considered sufficient cleanup,” Socket explained. The company also urged organizations operating CI/CD pipelines to suspend affected workflows, invalidate any build artifacts created during the exposure period, and review whether software releases, container images, npm packages, or deployment artifacts were generated after installation of the malicious package.

  • The Cyber Express Weekly Roundup: Supply Chain Breaches, AI Content Enforcement, And Event Disruption Attacks
    by Ashish Khaitan on May 22, 2026 at 11:44 am

    The global cybersecurity landscape continues to evolve rapidly as attackers expand their focus on developer ecosystems, public-facing institutions, and anonymization infrastructure. At the same time, regulators and law enforcement agencies are stepping up enforcement efforts around AI misuse and cybercrime-enabling services. This week’s weekly roundup developments highlight how cyber threats are becoming increasingly distributed across platforms and industries, with supply chain compromises, operational disruptions, and policy enforcement actions shaping the broader risk environment. The Cyber Express Weekly Roundup  Austria Blocks Hundreds of Cyberattacks During Eurovision Week in Vienna  Austria successfully prevented nearly 500 cyberattack attempts targeting systems connected to Eurovision operations during the contest week in Vienna. Officials stated that the attacks were intended to disrupt event infrastructure and associated services, but no major operational failures were recorded. Read more…  Massive npm Supply Chain Attack Hits AntV Ecosystem  A large-scale software supply chain compromise has impacted more than 300 npm packages within the AntV ecosystem following the hijacking of a trusted maintainer account. The compromised packages were reportedly modified as part of the “Mini Shai-Hulud” malware campaign, which targeted developer environments and widely used JavaScript libraries. Read more…  Chanhassen Dinner Theatres Cyberattack Disrupts Operations and Ticketing Systems  A cyberattack targeting Chanhassen Dinner Theatres disrupted key operational systems, including ticketing, payment processing, and customer communications, forcing additional cancellations of scheduled performances of “Guys and Dolls.” The disruption comes amid concurrent operational challenges, including an illness outbreak affecting performers and attendees, further complicating recovery efforts. Read more…  FTC Targets AI “Nudify” Platforms Over TAKE IT DOWN Act Violations  The U.S. Federal Trade Commission has issued formal warnings to multiple AI-powered “nudify” platforms over alleged violations of the TAKE IT DOWN Act, which requires rapid removal of nonconsensual intimate content upon valid request. According to regulators, several platforms failed to implement compliant removal workflows, including the mandated 48-hour takedown requirement. Read more…  GitHub Confirms Internal Repository Breach via Malicious VS Code Extension  GitHub has confirmed a security incident in which attackers accessed thousands of internal repositories after compromising an employee’s device through a malicious Visual Studio Code extension. The company stated that there is no evidence of customer repository compromise or enterprise data exposure, and that the incident was contained following detection. Read more…  European Authorities Shut Down VPN Service Used in Ransomware Operations  European law enforcement agencies have seized the infrastructure of a VPN service known as First VPN during “Operation Saffron,” targeting its alleged use in supporting ransomware and cybercriminal operations. Authorities dismantled 33 servers and detained the suspected administrator in Ukraine. Read more…  Weekly Cybersecurity Takeaway  This week’s weekly roundup reflects a cybersecurity landscape defined by ecosystem-level compromise rather than isolated incidents. Supply chain attacks continue to target developer tooling and open-source ecosystems, while AI-related enforcement actions signal growing regulatory pressure around synthetic content abuse.  At the same time, law enforcement actions against anonymization infrastructure demonstrate a stronger focus on disrupting the operational backbone of cybercriminal networks. Taken together, these events highlight a shifting threat environment where compromise of platforms, dependencies, and infrastructure can cascade across multiple industries simultaneously. 

  • INJ3CTOR3 Deploys JOMANGY Webshell in Advanced FreePBX Attacks
    by Ashish Khaitan on May 22, 2026 at 7:20 am

    Researchers at Cyble Research & Intelligence Labs (CRIL) have uncovered an advanced cyber campaign targeting FreePBX systems and, with high confidence, linked the activity to the threat actor INJ3CTOR3. The operation introduces a previously undocumented PHP webshell family named JOMANGY and deploys the ZenharR malware toolkit, which has previously been associated with the same actor.  Unlike conventional malware campaigns centered on ransomware or data theft, this operation is designed to hijack telephony infrastructure and abuse victims’ SIP trunks to generate fraudulent outbound calls billed directly to affected organizations. Researchers said the campaign demonstrates an unusually persistent architecture capable of surviving cleanup attempts and restoring infections within minutes.  INJ3CTOR3 Builds a Self-Healing Persistence Framework  At the center of the operation is a multi-stage Bash-based infection chain that installs six separate persistence mechanisms across compromised FreePBX systems. These mechanisms continuously reinforce one another, creating what researchers described as a “self-healing” malware ecosystem.  The persistence channels include cron-based command-and-control polling every one to three minutes, shell profile injections triggered during reboots and root logins, immutable crontab backups protected with chattr +i, watchdog processes that automatically relaunch malware components, multiple immutable copies of JOMANGY webshells scattered across the server, and a self-reinstalling PHP executor embedded into the environment.  Image source: Cyble Researchers noted that partial remediation efforts are ineffective because any surviving component can rapidly rebuild the full compromise. Even if administrators remove several malicious files or cron jobs, remaining persistence layers can silently restore the infection. Attackers Create 18 Backdoor Accounts Across FreePBX Systems  The campaign also establishes extensive unauthorized access using 18 separate backdoor accounts spread across multiple privilege levels. Nine of these accounts possess UID-0 privileges, effectively granting root-level access to the attackers. Another eight accounts imitate legitimate service accounts commonly found in FreePBX systems, while one additional account is inserted directly into the FreePBX MySQL database to provide administrative web-panel access. To avoid suspicion, the attackers used names such as “asterisk,” “freepbxuser,” “spamfilter,” and “sangoma,” allowing the malicious accounts to blend into ordinary PBX administrative environments.  Researchers believe this approach significantly reduces the chances of casual detection during routine inspections. JOMANGY Introduces a New PHP Webshell Family  CRIL researchers identified JOMANGY as a previously undocumented malware family, making this investigation the first publicly known analysis of the toolset. Every recovered sample used a double-obfuscation technique involving Base64 encoding layered over ROT13 transformations. All identified payloads also contained the watermark string trace_e1ebf9066a951be519a24140711839ea, linking the malware samples to a common development source. Beyond persistence and remote command execution, JOMANGY contains active toll fraud functionality capable of initiating outbound calls through compromised PBX infrastructure. Researchers observed commands such as: asterisk -rx “channel originate Local/<num>@<context>”  This capability allows attackers to abuse victims’ telephony infrastructure directly for financial gain.  Large-Scale Reconnaissance Suggests Mass Exploitation  Researchers also discovered a command-and-control-hosted inventory file named people2.txt containing 3,080 IP addresses believed to represent automated reconnaissance results. Approximately 39 percent of the listed systems were hosted on Alibaba Cloud infrastructure located in China, Hong Kong, and Singapore, suggesting a geographically broad scanning operation. The findings indicate that INJ3CTOR3 is pursuing mass exploitation rather than highly selective targeting.  Additional evidence recovered from stolen Elastix databases and references to Issabel and Sangoma environments suggests the campaign targets a wide range of PBX deployments across Latin America, Southeast Asia, and the Middle East.  Infrastructure Overlaps Tie the Campaign to INJ3CTOR3  The malware infrastructure demonstrated strong operational continuity with earlier INJ3CTOR3 campaigns. The Stage 1 dropper aggressively removed competing malware families and defensive tooling before deploying its own payloads. Researchers found that more than 50 webshell signatures were deleted from infected systems, while firewall rules blocked 11 rival command-and-control IP addresses. Interestingly, the malware also removed artifacts associated with the actor’s own January 2026 campaign. Researchers believe this indicates that the operators migrated infrastructure from Brazilian-hosted systems to Dutch-hosted servers while attempting to erase remnants of older compromises. Attribution to INJ3CTOR3 is supported by several overlapping indicators. Researchers identified the marker string bm2cjjnRXac1WW3KT7k6MKTR, previously documented by Fortinet during analysis of the encystPHP campaign in January 2026. Source: Cyble Additional overlaps involving command-and-control infrastructure, file paths, credential implantation patterns, and binary names matched prior reporting from Palo Alto Networks Unit 42, Check Point Research, and SANS Internet Storm Center.  Stage 1 Establishes Initial Control and Persistence  The infection chain unfolds in multiple stages. Stage 1 begins with a large Bash dropper that removes competing implants, creates unauthorized accounts, deploys persistence mechanisms, and wipes evidence from system logs.  The malware modifies .bash_profile, .bashrc, and /etc/rc.local to ensure execution during reboots and root logins. It also installs recurring cron jobs that continuously retrieve additional payloads from the command-and-control infrastructure.  Researchers said the malware additionally creates immutable crontab backups and deploys watchdog processes capable of restoring deleted components automatically.  Stage 2 Deploys JOMANGY Across Legitimate FreePBX Directories  Stage 2 is delivered through k.php, which introduces the JOMANGY webshell family into compromised FreePBX systems.  The payload first re-executes portions of Stage 1 to reinforce persistence before writing obfuscated PHP backdoors into legitimate FreePBX web directories. One major target is /var/www/html/admin/views/ajax.php, a legitimate administrative file frequently accessed in FreePBX environments. Additional JOMANGY copies are deployed into locations such as rest_phones/ajax.php, admin/modules/h/, and several PBX management directories. The attackers also implement .htaccess rewrite rules that redirect arbitrary requests toward hidden webshell copies, improving accessibility and survivability. Researchers observed that k.php actively reinstalls malicious MySQL backdoor accounts whenever the payload executes, ensuring administrative access is recreated even if defenders remove compromised accounts. Possible Exploitation Paths Remain Under Investigation  Researchers could not conclusively identify the initial exploitation vector because relevant web logs and exploit payloads were unavailable during analysis. However, two vulnerabilities emerged as likely candidates.  The first is CVE-2025-64328, a post-authentication command injection flaw affecting the FreePBX filestore module. The vulnerability had previously been exploited during earlier INJ3CTOR3 operations.  The second is CVE-2025-57819, a pre-authentication SQL injection vulnerability in the FreePBX Endpoint module capable of inserting malicious cron jobs into the scheduler.  CRIL researchers believe CVE-2025-57819 may be particularly relevant because the campaign’s persistence architecture closely mirrors the scheduling abuse associated with the flaw. Earlier malware variants reportedly disabled the Endpoint module after exploitation, while the latest campaign leaves it active.  ZenharR Malware Toolkit Expands the Infection  Stage 3 of the campaign is delivered through wr.php, a Bash-based dropper associated with the ZenharR malware toolkit. Like earlier stages, the payload reruns portions of the infection chain before deploying additional malware components. ZenharR webshells are written into key FreePBX directories, including /var/www/html/digium_phones/ajax.php and /var/www/html/admin/views/some.php.  However, researchers noted that the propagation logic also replicated the already-installed JOMANGY webshell into 15 additional locations across the web root. As a result, both JOMANGY and the ZenharR malware toolkit operate side by side on infected systems. Another payload named wor.php was also discovered on the command-and-control server, although researchers could not identify an active trigger mechanism during analysis. license.php Functions as a Privileged Persistence Mechanism  The license.php component acts as a highly privileged PHP command executor embedded within the FreePBX HA infrastructure.  Unlike browser-accessible JOMANGY and ZenharR webshells, license.php contains no authentication controls and relies on remotely supplied format-string placeholders before activation.  Once triggered, the component enables arbitrary command execution with elevated privileges. Researchers observed that it could delete competing accounts, reset passwords for service users and even the root account, promote accounts to UID-0 privileges, modify SSH settings to preserve root access, and install dual-track cron persistence for both k.php and wr.php.  The malware also repeatedly scrubbed Apache logs and communicated with root.php on the command-and-control infrastructure. Obfuscation and Evasion Techniques Reduce Detection Rates  The campaign’s evasion methods were carefully optimized rather than excessively complex. In Stage 1, Base64 encoding was selectively applied only to highly suspicious commands, including useradd instructions responsible for creating UID-0 accounts.  Source: Cyble Cron payloads were hidden inside encoded variables, causing malicious crontab entries to appear relatively benign during casual inspection. JOMANGY’s double-obfuscation design represents a notable evolution over earlier malware associated with INJ3CTOR3. Many automated analysis tools decode only the outer Base64 layer, leaving unreadable ROT13 output rather than functional PHP code. Source: Cyble Combined with dead-code anti-analysis logic, these techniques contributed to extremely low antivirus detection rates. Researchers reported that both k.php and wr.php showed zero detections on VirusTotal during analysis, while the Stage 1 dropper was detected by only four out of 76 antivirus engines.  VoIP Toll Fraud Continues to Grow Globally  The broader implications of the campaign are substantial. Industry estimates place global telecom fraud losses at more than $41 billion annually, with VoIP toll fraud representing a major segment of the underground economy.  Unlike ransomware campaigns that generate immediate visibility, toll fraud operations provide cybercriminals with a quieter and more sustainable revenue stream by routing calls through premium-rate numbers or third-party fraud networks. FreePBX systems remain particularly attractive targets because many organizations expose management interfaces directly to the internet while running outdated or poorly secured deployments. According to data from the Shadowserver Foundation collected in early 2026, more than 900 FreePBX systems were actively compromised by related campaigns, while over 700 remained infected months after public disclosure and remediation guidance. Researchers concluded that INJ3CTOR3 continues to evolve its tooling, infrastructure, and persistence techniques. The introduction of JOMANGY alongside the ZenharR malware toolkit demonstrates a highly mature threat operation specifically engineered for resilience, monetization, and long-term control over vulnerable FreePBX systems.

  • Operation TrustTrap Reveals 16,800 Fake Domains Exploiting User Trust
    by Ashish Khaitan on April 27, 2026 at 11:06 am

    In a world where digital threats are becoming more confusing, Cyble Research and Intelligence Labs (CRIL) has uncovered one of the most extensive deceptive domain spoofing campaigns to date. Dubbed Operation TrustTrap, this large-scale operation has leveraged over 16,800 malicious domains to exploit cognitive trust mechanisms and harvest sensitive user data from unsuspecting victims. The scope and scale of this operation reveal a shift in how cybercriminals are evolving their tactics to bypass traditional technical security measures. What is Operation TrustTrap Since early 2026, CRIL has been tracking a well-coordinated infrastructure involving a massive network of spoofed domains. These domains were designed to mimic legitimate government portals, particularly those related to transportation services like Department of Motor Vehicles (DMV) portals, toll payment systems, and vehicle registration services in the United States. The aim of this campaign is clear: credential and payment card harvesting through the exploitation of trusted government-facing services. However, the technical complexity of the attack isn’t based on advanced hacking techniques. Instead, Operation TrustTrap exploits how humans visually interpret URLs. By embedding government-like subdomains, attackers have created fraudulent domains that resemble legitimate government addresses, deceiving individuals into visiting these sites and providing sensitive information. Tencent Cloud and Alibaba Cloud APAC The spoofed domains were predominantly hosted on Tencent Cloud and Alibaba Cloud APAC, both of which have significant data centers in the Asia-Pacific region. These platforms have been linked to the infrastructure of the campaign, and their concentrated use adds another layer of complexity to the attribution process. Furthermore, CRIL found that the domains were primarily registered through Gname.com Pte. Ltd., a registrar known for its significant Chinese customer base. Other registrars, such as Dominet (HK) Limited and NameSilo LLC, were also identified in the campaign. These domain names were often associated with .bond, .cc, and .cfd top-level domains (TLDs), which were frequently used to evade detection and blacklisting. The Key Technique: Subdomain Trust Injection The most common method used in Operation TrustTrap is subdomain trust injection. This technique involves embedding trusted government tokens, such as mass.gov or wa.gov, in subdomains rather than the root domain. In legitimate URLs, the .gov component typically appears at the end of the domain string, but in these malicious domains, .gov is cleverly placed as part of a subdomain. For instance, a URL such as mass.gov-bzyc[.]cc will lead a user to believe they are accessing an official Massachusetts government page, but in reality, they are on a fraudulent site designed to capture personal and financial data. Fake Massachusetts RMV citation landing page (Source: Cyble) This manipulation of the domain’s structure is visually convincing, but it bypasses traditional security filters that only check the root domain for trusted indicators like .gov. Another obfuscation technique used is hyphen-based semantic manipulation, where hyphens are inserted into familiar government identifiers to create visually similar URLs. This tactic further complicates the detection of malicious domains. Global Targeting and Regional Focus While Operation TrustTrap is heavily focused on the United States, targeting state portals such as those in California, Washington, and Florida, the operation is not confined to one region. CRIL identified similar spoofing efforts targeting government portals in India, Vietnam, and the United Kingdom. In India, attackers have specifically targeted portals that follow the .gov.in domain structure. By injecting subdomains like www.in.gov-bond, the attackers were able to replicate the appearance of legitimate government websites, particularly those related to the Indian Department of National Investigation (NIA) and other defense-adjacent sites. APT36 impersonating NIA (Source: Cyble) This specific targeting suggests that the threat actor has knowledge of government infrastructure and how it operates. APT36 and the Connection to Operation TrustTrap In addition to the use of Tencent Cloud and Alibaba Cloud, the tactics, techniques, and procedures (TTPs) observed in the campaign bear a striking resemblance to those used by APT36 (also known as Transparent Tribe). This Pakistan-based Advanced Persistent Threat (APT) group has a long history of targeting Indian government entities, defense personnel, and diplomatic infrastructure. The infrastructure used in Operation TrustTrap shows similarities to APT36’s previous campaigns, particularly in terms of the domain registration patterns and use of Tencent Cloud and Alibaba Cloud APAC infrastructure. Furthermore, the behavior observed, including domain rotation and the use of disposable domains, matches previous APT36 activities. Registrar and Hosting Analysis The dominance of Gname.com as the registrar of choice for over 70% of the spoofed domains points to a specific trend in the campaign’s operational setup. This Singapore-based registrar, which serves a large number of Chinese entities, is part of the broader infrastructure strategy that focuses on low-cost hosting in the Asia-Pacific region. Notably, Tencent Cloud and Alibaba Cloud APAC offer cloud services with global reach, providing the necessary infrastructure to scale this type of malicious operation. These services have been instrumental in supporting the rapid deployment of phishing sites across a variety of government services, especially those involving time-sensitive financial transactions.

  • The Cyber Express Weekly Roundup: Data Breaches, Malware Campaigns, and Cyber Fraud Investigations
    by Ashish Khaitan on April 24, 2026 at 11:57 am

    In this week’s edition of The Cyber Express weekly roundup, we explore the latest developments in the world of cybersecurity, focusing on high-profile data breaches, growing malware campaigns, and law enforcement actions against cybercriminals.   As the digital threat landscape continues to evolve, attackers are targeting sensitive personal and organizational data, from health records to financial credentials. Meanwhile, government regulators are ramping efforts to protect minors and combat harmful content on social platforms, while cybercriminals continue to exploit vulnerabilities in both public and private sectors.  This weekly roundup highlights how various industries, from healthcare and social media to finance and government, are grappling with rising threats, making it clear that the intersection of data security, regulation, and cybercrime is more critical than ever.   The Cyber Express Weekly Roundup  UK Biobank Data Breach Triggers Urgent Review of Data Security Measures  A significant data breach at the UK Biobank has raised major concerns over the security of health-related data used in scientific research. In April 2026, de-identified participant information was discovered being sold on a Chinese consumer platform, sparking widespread alarm among the research community. Read more…  Vercel CEO Reveals Expansion of Malware Campaign Affecting Multiple Targets  Vercel’s CEO, Guillermo Rauch, confirmed that the recent breach involving Context.ai was part of a much larger malware campaign affecting multiple targets. Following a review of network logs, Vercel’s security team uncovered evidence of malware distribution that compromised several customer accounts, including access to valuable Vercel account keys. Read more…  Ofcom Investigates Telegram and Teen Platforms  In the UK, Ofcom has launched an investigation into Telegram and several popular teen chat platforms, such as Teen Chat and Chat Avenue, after reports surfaced of online grooming and child sexual abuse material (CSAM) on these services. Under the Online Safety Act, platforms are required to take proactive steps to prevent harmful content and protect minors from exploitation. Read more…  Personal Data Exposed in Breach of France’s ANTS Portal  A recent breach of France’s ANTS (Agence Nationale des Titres Sécurisés) portal has compromised personal data, including names, email addresses, and birthdates, although no documents or sensitive attachments were affected. The breach, which occurred on April 15, 2026, raises significant concerns about identity theft and phishing risks, as the exposed data could be used to target individuals. Read more…  Bluesky Faces Coordinated DDoS Attack  Bluesky, the rapidly expanding social media platform, suffered a major disruption on April 15, 2026, when it was targeted by a sophisticated distributed denial-of-service (DDoS) attack. The attack caused widespread outages, impacting core platform functions such as user feeds, notifications, and search capabilities. Read more…  Indian Authorities Arrest Key SIM Card Supplier in Cyber Fraud Crackdown  India’s Central Bureau of Investigation (CBI) has arrested a key conspirator in a major cyber fraud operation as part of Operation Chakra-V. The suspect, arrested in Guwahati, is accused of supplying fraudulent SIM cards used in various cybercrime schemes, including extortion and fake loan scams. The SIM cards were acquired using fake identities and distributed to cybercriminal networks. Read more…  Weekly Takeaway  This week’s roundup highlights the diverse and evolving nature of cyber threats. From the exposure of sensitive health data and sophisticated malware campaigns to DDoS attacks and SIM card fraud schemes, the cybersecurity landscape remains fraught with challenges. Regulatory bodies and companies alike continue to grapple with emerging risks, particularly in sectors like public health data, social media platforms, and digital content safety. As these incidents unfold, it’s clear that both technical vulnerabilities and human factors, such as social engineering, continue to be central targets for attackers.  With regulatory frameworks like the Online Safety Act and increased investigative efforts in places like India and France, the pressure on platforms and authorities to act quickly and decisively is higher than ever. As the cyber threat landscape becomes more interconnected, the need for enhanced security protocols, improved monitoring, and greater accountability in digital spaces remains critical. 

  • China-Linked Cyber Actors Turn to Massive Covert Botnets to Evade Detection
    by Ashish Khaitan on April 24, 2026 at 8:02 am

    A newly issued cybersecurity advisory highlights an evolution in the tactics, techniques and procedures (TTPs) employed by China-Nexus threat actors. The report, released with support from the UK Cyber League and coordinated by the National Cyber Security Centre (NCSC-UK) alongside international partners, sheds light on how Chinese threat actors are relying on large-scale covert networks of compromised devices to conduct malicious cyber operations. A Strategic Shift in China-Nexus TTPs  In recent years, cybersecurity experts have observed a clear transition in China-Nexus TTPs. Rather than relying on dedicated, individually controlled infrastructure, Chinese threat actors are now leveraging expansive networks of compromised devices, commonly referred to as covert networks or botnets. These networks are primarily composed of Small Office/Home Office (SOHO) routers, Internet of Things (IoT) devices, and other internet-connected hardware. According to the advisory, the majority of China-Nexus actors are believed to be using such covert networks, with multiple networks operating simultaneously and often shared among different groups. These networks are continuously updated, making them highly adaptable and difficult to track. Any organization targeted by Chinese threat actors could be affected. For example, the group known as Volt Typhoon has used these covert networks to pre-position cyber capabilities within critical infrastructure, while Flax Typhoon leveraged similar methods for espionage operations. How Covert Networks Operate  Although botnets are not new, China-Nexus actors are now deploying them at an unprecedented scale and with strategic intent. These covert networks allow attackers to mask their identity, route malicious traffic through multiple nodes, and reduce the risk of attribution. Typically, an attacker accesses the network via an entry point, or “on-ramp,” and routes activity through numerous compromised devices—called traversal nodes—before exiting near the target. This multi-hop approach obscures the origin of the attack. These networks support every stage of a cyber operation, from reconnaissance and scanning to malware delivery, command-and-control communication, and data exfiltration. They are also used for general browsing, enabling threat actors to research vulnerabilities and refine TTPs without revealing their identity. The presence of legitimate users on some networks further complicates attribution.  Real-World Examples and Scale  Evidence suggests that some covert networks used by China-Nexus actors are developed and maintained by Chinese cybersecurity firms. One notable example is the “Raptor Train” network, which infected over 200,000 devices globally in 2024. It was reportedly managed by Integrity Technology Group, a company also linked by the FBI to activities associated with Flax Typhoon. Another example includes the KV Botnet used by Volt Typhoon, which primarily exploited outdated Cisco and NetGear routers. These devices were particularly vulnerable because they had reached “end-of-life” status, meaning they no longer received security updates. The scale and adaptability of these networks present a major challenge. As Paul Chichester, NCSC Director of Operations, stated: “Botnet operations represent a significant hreat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyberattacks.” Challenges for Network Defenders  Cybersecurity researchers have long been aware of such threats, but the evolving nature of China-Nexus TTPs introduces new difficulties. A key issue identified by Mandiant Intelligence in May 2024 is “indicator of compromise (IOC) extinction.” Traditional defenses, such as static IP blocklists, are becoming less effective because attackers can operate from vast, constantly changing pools of devices.  As compromised nodes are patched or removed, new ones are quickly added, making these networks highly dynamic. This fluidity undermines conventional detection and mitigation strategies.  Defensive Measures and Best Practices  The advisory outlines several steps organizations can take to defend against China-Nexus covert networks:  For all organizations:  Maintain a clear inventory of network edge devices.  Establish baselines for normal network activity, particularly VPN access.  Monitor for unusual connections, including those from consumer broadband ranges.  Use dynamic threat intelligence feeds.  Implement multi-factor authentication for remote access.  For higher-risk organizations:  Use IP allow lists instead of blocklists for VPN access.  Apply geographic and behavioral profiling of incoming connections.  Adopt zero-trust security models.  Enforce SSL machine certificates.  Reduce exposure of internet-facing systems.  Explore machine learning tools to detect anomalies.  For the most at-risk entities:  Treat China-Nexus covert networks as advanced persistent threats (APTs).  Conduct active threat hunting for suspicious IP activity.  Map and monitor known covert networks using threat intelligence. 

Share Websitecyber
We are an ethical website cyber security team and we perform security assessments to protect our clients.