Dark Web News

Dark Web News – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • The Cyber Express Weekly Roundup: Supply Chain Breaches, AI Content Enforcement, And Event Disruption Attacks
    by Ashish Khaitan on May 22, 2026 at 11:44 am

    The global cybersecurity landscape continues to evolve rapidly as attackers expand their focus on developer ecosystems, public-facing institutions, and anonymization infrastructure. At the same time, regulators and law enforcement agencies are stepping up enforcement efforts around AI misuse and cybercrime-enabling services. This week’s developments highlight how cyber threats are becoming increasingly distributed across platforms and industries, with supply chain compromises, operational disruptions, and policy enforcement actions shaping the broader risk environment.

    The Cyber Express Weekly Roundup

    Austria Blocks Hundreds of Cyberattacks During Eurovision Week in Vienna

    Austria successfully prevented nearly 500 cyberattack attempts targeting systems connected to Eurovision operations during the contest week in Vienna. Officials stated that the attacks were intended to disrupt event infrastructure and associated services, but no major operational failures were recorded.

    Massive npm Supply Chain Attack Hits AntV Ecosystem

    A large-scale software supply chain compromise has impacted more than 300 npm packages within the AntV ecosystem following the hijacking of a trusted maintainer account. The compromised packages were reportedly modified as part of the “Mini Shai-Hulud” malware campaign, which targeted developer environments and widely used JavaScript libraries.

    Chanhassen Dinner Theatres Cyberattack Disrupts Operations and Ticketing Systems

    A cyberattack targeting Chanhassen Dinner Theatres disrupted key operational systems, including ticketing, payment processing, and customer communications, forcing additional cancellations of scheduled performances of “Guys and Dolls.” The disruption comes amid concurrent operational challenges, including an illness outbreak affecting performers and attendees, further complicating recovery efforts.

    FTC Targets AI “Nudify” Platforms Over TAKE IT DOWN Act Violations

    The U.S. Federal Trade Commission has issued formal warnings to multiple AI-powered “nudify” platforms over alleged violations of the TAKE IT DOWN Act, which requires rapid removal of nonconsensual intimate content upon valid request. According to regulators, several platforms failed to implement compliant removal workflows, including the mandated 48-hour takedown requirement.

    GitHub Confirms Internal Repository Breach via Malicious VS Code Extension

    GitHub has confirmed a security incident in which attackers accessed thousands of internal repositories after compromising an employee’s device through a malicious Visual Studio Code extension. The company stated that there is no evidence of customer repository compromise or enterprise data exposure, and that the incident was contained following detection.

    European Authorities Shut Down VPN Service Used in Ransomware Operations

    European law enforcement agencies have seized the infrastructure of a VPN service known as First VPN during “Operation Saffron,” targeting its alleged use in supporting ransomware and cybercriminal operations. Authorities dismantled 33 servers and detained the suspected administrator in Ukraine.

    Weekly Cybersecurity Takeaway

    This week’s roundup reflects a cybersecurity landscape defined by ecosystem-level compromise rather than isolated incidents. Supply chain attacks continue to target developer tooling and open-source ecosystems, while AI-related enforcement actions signal growing regulatory pressure around synthetic content abuse. At the same time, law enforcement actions against anonymization infrastructure demonstrate a stronger focus on disrupting the operational backbone of cybercriminal networks.

    Taken together, these events highlight a shifting threat environment where compromise of platforms, dependencies, and infrastructure can cascade across multiple industries simultaneously.

  • INJ3CTOR3 Deploys JOMANGY Webshell in Advanced FreePBX Attacks
    by Ashish Khaitan on May 22, 2026 at 7:20 am

    Researchers at Cyble Research & Intelligence Labs (CRIL) have uncovered an advanced cyber campaign targeting FreePBX systems and, with high confidence, linked the activity to the threat actor INJ3CTOR3. The operation introduces a previously undocumented PHP webshell family named JOMANGY and deploys the ZenharR malware toolkit, which has previously been associated with the same actor.

    Unlike conventional malware campaigns centered on ransomware or data theft, this operation is designed to hijack telephony infrastructure and abuse victims’ SIP trunks to generate fraudulent outbound calls billed directly to affected organizations. Researchers said the campaign demonstrates an unusually persistent architecture capable of surviving cleanup attempts and restoring infections within minutes.

    INJ3CTOR3 Builds a Self-Healing Persistence Framework

    At the center of the operation is a multi-stage Bash-based infection chain that installs six separate persistence mechanisms across compromised FreePBX systems. These mechanisms continuously reinforce one another, creating what researchers described as a “self-healing” malware ecosystem.

    The persistence channels include cron-based command-and-control polling every one to three minutes, shell profile injections triggered during reboots and root logins, immutable crontab backups protected with chattr +i, watchdog processes that automatically relaunch malware components, multiple immutable copies of JOMANGY webshells scattered across the server, and a self-reinstalling PHP executor embedded into the environment.

    (Image source: Cyble)

    Researchers noted that partial remediation efforts are ineffective because any surviving component can rapidly rebuild the full compromise. Even if administrators remove several malicious files or cron jobs, remaining persistence layers can silently restore the infection.

    Attackers Create 18 Backdoor Accounts Across FreePBX Systems

    The campaign also establishes extensive unauthorized access using 18 separate backdoor accounts spread across multiple privilege levels. Nine of these accounts possess UID-0 privileges, effectively granting root-level access to the attackers. Another eight accounts imitate legitimate service accounts commonly found in FreePBX systems, while one additional account is inserted directly into the FreePBX MySQL database to provide administrative web-panel access.

    To avoid suspicion, the attackers used names such as “asterisk,” “freepbxuser,” “spamfilter,” and “sangoma,” allowing the malicious accounts to blend into ordinary PBX administrative environments. Researchers believe this approach significantly reduces the chances of casual detection during routine inspections.

    JOMANGY Introduces a New PHP Webshell Family

    CRIL researchers identified JOMANGY as a previously undocumented malware family, making this investigation the first publicly known analysis of the toolset. Every recovered sample used a double-obfuscation technique involving Base64 encoding layered over ROT13 transformations. All identified payloads also contained the watermark string trace_e1ebf9066a951be519a24140711839ea, linking the malware samples to a common development source.

    Beyond persistence and remote command execution, JOMANGY contains active toll fraud functionality capable of initiating outbound calls through compromised PBX infrastructure. Researchers observed commands such as:

    asterisk -rx "channel originate Local/<num>@<context>"

    This capability allows attackers to abuse victims’ telephony infrastructure directly for financial gain.

    Large-Scale Reconnaissance Suggests Mass Exploitation

    Researchers also discovered a command-and-control-hosted inventory file named people2.txt containing 3,080 IP addresses believed to represent automated reconnaissance results. Approximately 39 percent of the listed systems were hosted on Alibaba Cloud infrastructure located in China, Hong Kong, and Singapore, suggesting a geographically broad scanning operation. The findings indicate that INJ3CTOR3 is pursuing mass exploitation rather than highly selective targeting.

    Additional evidence recovered from stolen Elastix databases and references to Issabel and Sangoma environments suggests the campaign targets a wide range of PBX deployments across Latin America, Southeast Asia, and the Middle East.

    Infrastructure Overlaps Tie the Campaign to INJ3CTOR3

    The malware infrastructure demonstrated strong operational continuity with earlier INJ3CTOR3 campaigns. The Stage 1 dropper aggressively removed competing malware families and defensive tooling before deploying its own payloads. Researchers found that more than 50 webshell signatures were deleted from infected systems, while firewall rules blocked 11 rival command-and-control IP addresses.

    Interestingly, the malware also removed artifacts associated with the actor’s own January 2026 campaign. Researchers believe this indicates that the operators migrated infrastructure from Brazilian-hosted systems to Dutch-hosted servers while attempting to erase remnants of older compromises.

    Attribution to INJ3CTOR3 is supported by several overlapping indicators. Researchers identified the marker string bm2cjjnRXac1WW3KT7k6MKTR, previously documented by Fortinet during analysis of the encystPHP campaign in January 2026.

    (Source: Cyble)

    Additional overlaps involving command-and-control infrastructure, file paths, credential implantation patterns, and binary names matched prior reporting from Palo Alto Networks Unit 42, Check Point Research, and SANS Internet Storm Center.

    Stage 1 Establishes Initial Control and Persistence

    The infection chain unfolds in multiple stages. Stage 1 begins with a large Bash dropper that removes competing implants, creates unauthorized accounts, deploys persistence mechanisms, and wipes evidence from system logs.

    The malware modifies .bash_profile, .bashrc, and /etc/rc.local to ensure execution during reboots and root logins. It also installs recurring cron jobs that continuously retrieve additional payloads from the command-and-control infrastructure. Researchers said the malware additionally creates immutable crontab backups and deploys watchdog processes capable of restoring deleted components automatically.

    Stage 2 Deploys JOMANGY Across Legitimate FreePBX Directories

    Stage 2 is delivered through k.php, which introduces the JOMANGY webshell family into compromised FreePBX systems. The payload first re-executes portions of Stage 1 to reinforce persistence before writing obfuscated PHP backdoors into legitimate FreePBX web directories.

    One major target is /var/www/html/admin/views/ajax.php, a legitimate administrative file frequently accessed in FreePBX environments. Additional JOMANGY copies are deployed into locations such as rest_phones/ajax.php, admin/modules/h/, and several PBX management directories. The attackers also implement .htaccess rewrite rules that redirect arbitrary requests toward hidden webshell copies, improving accessibility and survivability.

    Researchers observed that k.php actively reinstalls malicious MySQL backdoor accounts whenever the payload executes, ensuring administrative access is recreated even if defenders remove compromised accounts.

    Possible Exploitation Paths Remain Under Investigation

    Researchers could not conclusively identify the initial exploitation vector because relevant web logs and exploit payloads were unavailable during analysis. However, two vulnerabilities emerged as likely candidates.

    The first is CVE-2025-64328, a post-authentication command injection flaw affecting the FreePBX filestore module. The vulnerability had previously been exploited during earlier INJ3CTOR3 operations. The second is CVE-2025-57819, a pre-authentication SQL injection vulnerability in the FreePBX Endpoint module capable of inserting malicious cron jobs into the scheduler.

    CRIL researchers believe CVE-2025-57819 may be particularly relevant because the campaign’s persistence architecture closely mirrors the scheduling abuse associated with the flaw. Earlier malware variants reportedly disabled the Endpoint module after exploitation, while the latest campaign leaves it active.

    ZenharR Malware Toolkit Expands the Infection

    Stage 3 of the campaign is delivered through wr.php, a Bash-based dropper associated with the ZenharR malware toolkit. Like earlier stages, the payload reruns portions of the infection chain before deploying additional malware components. ZenharR webshells are written into key FreePBX directories, including /var/www/html/digium_phones/ajax.php and /var/www/html/admin/views/some.php.

    However, researchers noted that the propagation logic also replicated the already-installed JOMANGY webshell into 15 additional locations across the web root. As a result, both JOMANGY and the ZenharR malware toolkit operate side by side on infected systems. Another payload named wor.php was also discovered on the command-and-control server, although researchers could not identify an active trigger mechanism during analysis.

    license.php Functions as a Privileged Persistence Mechanism

    The license.php component acts as a highly privileged PHP command executor embedded within the FreePBX HA infrastructure. Unlike browser-accessible JOMANGY and ZenharR webshells, license.php contains no authentication controls and relies on remotely supplied format-string placeholders before activation. Once triggered, the component enables arbitrary command execution with elevated privileges.

    Researchers observed that it could delete competing accounts, reset passwords for service users and even the root account, promote accounts to UID-0 privileges, modify SSH settings to preserve root access, and install dual-track cron persistence for both k.php and wr.php. The malware also repeatedly scrubbed Apache logs and communicated with root.php on the command-and-control infrastructure.

    Obfuscation and Evasion Techniques Reduce Detection Rates

    The campaign’s evasion methods were carefully optimized rather than excessively complex. In Stage 1, Base64 encoding was selectively applied only to highly suspicious commands, including useradd instructions responsible for creating UID-0 accounts.

    (Source: Cyble)

    Cron payloads were hidden inside encoded variables, causing malicious crontab entries to appear relatively benign during casual inspection. JOMANGY’s double-obfuscation design represents a notable evolution over earlier malware associated with INJ3CTOR3. Many automated analysis tools decode only the outer Base64 layer, leaving unreadable ROT13 output rather than functional PHP code.

    (Source: Cyble)

    Combined with dead-code anti-analysis logic, these techniques contributed to extremely low antivirus detection rates. Researchers reported that both k.php and wr.php showed zero detections on VirusTotal during analysis, while the Stage 1 dropper was detected by only four out of 76 antivirus engines.

    VoIP Toll Fraud Continues to Grow Globally

    The broader implications of the campaign are substantial. Industry estimates place global telecom fraud losses at more than $41 billion annually, with VoIP toll fraud representing a major segment of the underground economy. Unlike ransomware campaigns that generate immediate visibility, toll fraud operations provide cybercriminals with a quieter and more sustainable revenue stream by routing calls through premium-rate numbers or third-party fraud networks.

    FreePBX systems remain particularly attractive targets because many organizations expose management interfaces directly to the internet while running outdated or poorly secured deployments. According to data from the Shadowserver Foundation collected in early 2026, more than 900 FreePBX systems were actively compromised by related campaigns, while over 700 remained infected months after public disclosure and remediation guidance.

    Researchers concluded that INJ3CTOR3 continues to evolve its tooling, infrastructure, and persistence techniques. The introduction of JOMANGY alongside the ZenharR malware toolkit demonstrates a highly mature threat operation specifically engineered for resilience, monetization, and long-term control over vulnerable FreePBX systems.
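    To show why tools that stop at the Base64 layer miss JOMANGY-style payloads, here is an added triage script written for this page (it is not Cyble's tooling): it strips the outer Base64 layer, then the inner ROT13 layer, and reports whether the watermark string from the article and PHP execution markers only become visible after both layers are removed. The sample file is a harmless constructed stub; the exact wrapper JOMANGY places around its blob is not given in the article and is assumed here.

```python
import base64
import codecs
import re
from typing import Dict, List, Optional

# Watermark string CRIL reported in every recovered JOMANGY payload (taken from the article).
JOMANGY_WATERMARK = "trace_e1ebf9066a951be519a24140711839ea"

# Tokens whose presence in the fully decoded text means the blob is executable PHP,
# not leftover noise. The asterisk command is the toll-fraud primitive the article quotes.
PHP_MARKERS = ("<?php", "eval(", "system(", "shell_exec(", "passthru(", "asterisk -rx")

# Candidate Base64 runs: long enough to hold a payload, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def outer_layer_only(blob: str) -> Optional[str]:
    """What a single-layer decoder sees: Base64 stripped, ROT13 still in place."""
    try:
        return base64.b64decode(blob, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def decode_double_layer(blob: str) -> Optional[str]:
    """Base64 layered over ROT13: undo Base64 first, then ROT13."""
    inner = outer_layer_only(blob)
    if inner is None:
        return None
    return codecs.decode(inner, "rot13")


def triage(source: str) -> Dict[str, object]:
    """Scan a file's text for Base64 runs, fully decode each one, and report the
    watermark, any PHP markers, and whether a marker was visible only after ROT13."""
    watermark = False
    hidden_by_rot13 = False
    markers: List[str] = []
    for match in B64_RUN.finditer(source):
        inner = outer_layer_only(match.group(0))
        if inner is None:
            continue
        plain = codecs.decode(inner, "rot13")
        watermark = watermark or JOMANGY_WATERMARK in plain
        for marker in PHP_MARKERS:
            if marker in plain:
                if marker not in markers:
                    markers.append(marker)
                # The case that defeats Base64-only tools: marker absent from the
                # intermediate text, present only once ROT13 is undone as well.
                if marker not in inner:
                    hidden_by_rot13 = True
    return {"watermark": watermark, "php_markers": markers, "hidden_by_rot13": hidden_by_rot13}


# Constructed sample (not a real JOMANGY payload): a harmless PHP stub carrying the
# watermark, wrapped the way the article describes (ROT13 inside, Base64 outside).
SAMPLE_INNER = '<?php /* trace_e1ebf9066a951be519a24140711839ea */ echo "constructed sample"; ?>'
SAMPLE_BLOB = base64.b64encode(codecs.encode(SAMPLE_INNER, "rot13").encode("ascii")).decode("ascii")
# Assumed loader shape; the real wrapper is not documented in the article.
SAMPLE_FILE = '<?php eval(str_rot13(base64_decode("' + SAMPLE_BLOB + '"))); ?>'

if __name__ == "__main__":
    print("outer layer only:", outer_layer_only(SAMPLE_BLOB))
    print("both layers     :", decode_double_layer(SAMPLE_BLOB))
    print("triage          :", triage(SAMPLE_FILE))
```

    Run against the web root of a suspect PBX, the "hidden_by_rot13" flag is the signal worth alerting on: a blob that only yields PHP after two decoding passes has no legitimate reason to be there.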

  • Operation TrustTrap Reveals 16,800 Fake Domains Exploiting User Trust
    by Ashish Khaitan on April 27, 2026 at 11:06 am

    In a world where digital threats are becoming increasingly complex, Cyble Research and Intelligence Labs (CRIL) has uncovered one of the most extensive deceptive domain spoofing campaigns to date. Dubbed Operation TrustTrap, this large-scale operation has leveraged over 16,800 malicious domains to exploit cognitive trust mechanisms and harvest sensitive user data from unsuspecting victims. The scope and scale of this operation reveal a shift in how cybercriminals are evolving their tactics to bypass traditional technical security measures.

    What Is Operation TrustTrap?

    Since early 2026, CRIL has been tracking a well-coordinated infrastructure involving a massive network of spoofed domains. These domains were designed to mimic legitimate government portals, particularly those related to transportation services like Department of Motor Vehicles (DMV) portals, toll payment systems, and vehicle registration services in the United States. The aim of this campaign is clear: credential and payment card harvesting through the exploitation of trusted government-facing services.

    However, the technical complexity of the attack isn’t based on advanced hacking techniques. Instead, Operation TrustTrap exploits how humans visually interpret URLs. By embedding government-like subdomains, attackers have created fraudulent domains that resemble legitimate government addresses, deceiving individuals into visiting these sites and providing sensitive information.

    Tencent Cloud and Alibaba Cloud APAC

    The spoofed domains were predominantly hosted on Tencent Cloud and Alibaba Cloud APAC, both of which have significant data centers in the Asia-Pacific region. These platforms have been linked to the infrastructure of the campaign, and their concentrated use adds another layer of complexity to the attribution process. Furthermore, CRIL found that the domains were primarily registered through Gname.com Pte. Ltd., a registrar known for its significant Chinese customer base. Other registrars, such as Dominet (HK) Limited and NameSilo LLC, were also identified in the campaign. These domain names were often associated with .bond, .cc, and .cfd top-level domains (TLDs), which were frequently used to evade detection and blacklisting.

    The Key Technique: Subdomain Trust Injection

    The most common method used in Operation TrustTrap is subdomain trust injection. This technique involves embedding trusted government tokens, such as mass.gov or wa.gov, in subdomains rather than the root domain. In legitimate URLs, the .gov component typically appears at the end of the domain string, but in these malicious domains, .gov is cleverly placed as part of a subdomain. For instance, a URL such as mass.gov-bzyc[.]cc will lead a user to believe they are accessing an official Massachusetts government page, but in reality, they are on a fraudulent site designed to capture personal and financial data.

    (Fake Massachusetts RMV citation landing page. Source: Cyble)

    This manipulation of the domain’s structure is visually convincing, and it bypasses traditional security filters that only check the root domain for trusted indicators like .gov. Another obfuscation technique used is hyphen-based semantic manipulation, where hyphens are inserted into familiar government identifiers to create visually similar URLs. This tactic further complicates the detection of malicious domains.

    Global Targeting and Regional Focus

    While Operation TrustTrap is heavily focused on the United States, targeting state portals such as those in California, Washington, and Florida, the operation is not confined to one region. CRIL identified similar spoofing efforts targeting government portals in India, Vietnam, and the United Kingdom. In India, attackers have specifically targeted portals that follow the .gov.in domain structure. By injecting subdomains like www.in.gov-bond, the attackers were able to replicate the appearance of legitimate government websites, particularly those related to the Indian Department of National Investigation (NIA) and other defense-adjacent sites.

    (APT36 impersonating NIA. Source: Cyble)

    This specific targeting suggests that the threat actor has knowledge of government infrastructure and how it operates.

    APT36 and the Connection to Operation TrustTrap

    In addition to the use of Tencent Cloud and Alibaba Cloud, the tactics, techniques, and procedures (TTPs) observed in the campaign bear a striking resemblance to those used by APT36 (also known as Transparent Tribe). This Pakistan-based Advanced Persistent Threat (APT) group has a long history of targeting Indian government entities, defense personnel, and diplomatic infrastructure. The infrastructure used in Operation TrustTrap shows similarities to APT36’s previous campaigns, particularly in terms of the domain registration patterns and use of Tencent Cloud and Alibaba Cloud APAC infrastructure. Furthermore, the behavior observed, including domain rotation and the use of disposable domains, matches previous APT36 activities.

    Registrar and Hosting Analysis

    The dominance of Gname.com as the registrar of choice for over 70% of the spoofed domains points to a specific trend in the campaign’s operational setup. This Singapore-based registrar, which serves a large number of Chinese entities, is part of the broader infrastructure strategy that focuses on low-cost hosting in the Asia-Pacific region. Notably, Tencent Cloud and Alibaba Cloud APAC offer cloud services with global reach, providing the necessary infrastructure to scale this type of malicious operation. These services have been instrumental in supporting the rapid deployment of phishing sites across a variety of government services, especially those involving time-sensitive financial transactions.
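    As an added example (not from Cyble's report), the following Python check implements the defensive counterpart of what the article describes: it locates the real public suffix of a hostname and flags a "gov" token that sits in a subdomain label or inside a hyphenated label instead. The public-suffix table is a constructed stand-in for the Public Suffix List, and every hostname except mass.gov-bzyc[.]cc is constructed to mirror the patterns the article names.

```python
from typing import Dict, List, Optional, Tuple

# Constructed, deliberately tiny stand-in for the Public Suffix List; real tooling
# should load the full list. Includes the TLDs the article associates with the campaign.
PUBLIC_SUFFIXES = {"gov", "gov.in", "gov.uk", "co.uk", "com", "in", "uk", "cc", "cfd", "bond"}

# Suffixes under which a "gov" label is where it belongs.
GOV_SUFFIXES = {"gov", "gov.in", "gov.uk"}

# The trust token that the article's examples (mass.gov, wa.gov, .gov.in) all carry.
TRUST_TOKENS = {"gov"}


def normalize(host: str) -> str:
    """Lowercase, undo the [.] defanging used in reports, drop a trailing dot."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def split_host(host: str) -> Tuple[List[str], str, str]:
    """Return (subdomain labels, registrable domain, public suffix).
    The longest matching suffix wins, so portal.gov.in -> ([], 'portal.gov.in', 'gov.in')."""
    labels = normalize(host).split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix = ".".join(labels[-n:])
            return labels[:-(n + 1)], ".".join(labels[-(n + 1):]), suffix
    # Unknown suffix: treat the last label as the suffix so callers still get a split.
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def detect_trust_injection(host: str) -> Optional[str]:
    """Flag a hostname whose 'gov' token sits anywhere other than the public suffix.
    Returns a reason string, or None when the name is structurally legitimate."""
    sub, registrable, suffix = split_host(host)
    if suffix in GOV_SUFFIXES:
        return None  # the token is the real suffix, e.g. www.mass.gov or portal.gov.in
    # Subdomain trust injection: "gov" as a whole label left of the registrable domain.
    for label in sub:
        if label in TRUST_TOKENS:
            return f"'{label}' appears as a subdomain label under {registrable}"
    # Hyphen-based semantic manipulation: "gov" glued into a label such as gov-bzyc.
    for label in normalize(host).split("."):
        parts = label.split("-")
        if len(parts) > 1 and any(p in TRUST_TOKENS for p in parts):
            return f"trust token hidden in hyphenated label '{label}' under {registrable}"
    return None


def scan_hosts(hosts: List[str]) -> Dict[str, str]:
    """Map each flagged hostname (normalized) to its reason; clean names are omitted."""
    findings: Dict[str, str] = {}
    for h in hosts:
        reason = detect_trust_injection(h)
        if reason:
            findings[normalize(h)] = reason
    return findings


# Constructed inputs: the first is the article's own example; the next two follow the
# patterns it describes (gov as a subdomain label, campaign TLDs); the last three are
# legitimate shapes that must not fire.
SAMPLE_HOSTS = [
    "mass.gov-bzyc[.]cc",
    "wa.gov.toll-pay.cfd",
    "nia.gov.in.verify-id.bond",
    "www.mass.gov",
    "portal.gov.in",
    "dmv-online.ca.gov",
]

if __name__ == "__main__":
    for host, reason in scan_hosts(SAMPLE_HOSTS).items():
        print(f"{host}: {reason}")
```

    Treat a hit as a triage signal rather than a verdict: a legitimate non-government name that happens to contain a "gov-" label will also fire, and the check covers only the "gov" token, so extend TRUST_TOKENS for other trusted identifiers.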

  • The Cyber Express Weekly Roundup: Data Breaches, Malware Campaigns, and Cyber Fraud Investigations
    by Ashish Khaitan on April 24, 2026 at 11:57 am

    In this week’s edition of The Cyber Express weekly roundup, we explore the latest developments in the world of cybersecurity, focusing on high-profile data breaches, growing malware campaigns, and law enforcement actions against cybercriminals.

    As the digital threat landscape continues to evolve, attackers are targeting sensitive personal and organizational data, from health records to financial credentials. Meanwhile, government regulators are ramping up efforts to protect minors and combat harmful content on social platforms, while cybercriminals continue to exploit vulnerabilities in both public and private sectors.

    This weekly roundup highlights how various industries, from healthcare and social media to finance and government, are grappling with rising threats, making it clear that the intersection of data security, regulation, and cybercrime is more critical than ever.

    The Cyber Express Weekly Roundup

    UK Biobank Data Breach Triggers Urgent Review of Data Security Measures

    A significant data breach at the UK Biobank has raised major concerns over the security of health-related data used in scientific research. In April 2026, de-identified participant information was discovered being sold on a Chinese consumer platform, sparking widespread alarm among the research community.

    Vercel CEO Reveals Expansion of Malware Campaign Affecting Multiple Targets

    Vercel’s CEO, Guillermo Rauch, confirmed that the recent breach involving Context.ai was part of a much larger malware campaign affecting multiple targets. Following a review of network logs, Vercel’s security team uncovered evidence of malware distribution that compromised several customer accounts, including access to valuable Vercel account keys.

    Ofcom Investigates Telegram and Teen Platforms

    In the UK, Ofcom has launched an investigation into Telegram and several popular teen chat platforms, such as Teen Chat and Chat Avenue, after reports surfaced of online grooming and child sexual abuse material (CSAM) on these services. Under the Online Safety Act, platforms are required to take proactive steps to prevent harmful content and protect minors from exploitation.

    Personal Data Exposed in Breach of France’s ANTS Portal

    A recent breach of France’s ANTS (Agence Nationale des Titres Sécurisés) portal has compromised personal data, including names, email addresses, and birthdates, although no documents or sensitive attachments were affected. The breach, which occurred on April 15, 2026, raises significant concerns about identity theft and phishing risks, as the exposed data could be used to target individuals.

    Bluesky Faces Coordinated DDoS Attack

    Bluesky, the rapidly expanding social media platform, suffered a major disruption on April 15, 2026, when it was targeted by a sophisticated distributed denial-of-service (DDoS) attack. The attack caused widespread outages, impacting core platform functions such as user feeds, notifications, and search capabilities.

    Indian Authorities Arrest Key SIM Card Supplier in Cyber Fraud Crackdown

    India’s Central Bureau of Investigation (CBI) has arrested a key conspirator in a major cyber fraud operation as part of Operation Chakra-V. The suspect, arrested in Guwahati, is accused of supplying fraudulent SIM cards used in various cybercrime schemes, including extortion and fake loan scams. The SIM cards were acquired using fake identities and distributed to cybercriminal networks.

    Weekly Takeaway

    This week’s roundup highlights the diverse and evolving nature of cyber threats. From the exposure of sensitive health data and sophisticated malware campaigns to DDoS attacks and SIM card fraud schemes, the cybersecurity landscape remains fraught with challenges. Regulatory bodies and companies alike continue to grapple with emerging risks, particularly in sectors like public health data, social media platforms, and digital content safety. As these incidents unfold, it’s clear that both technical vulnerabilities and human factors, such as social engineering, continue to be central targets for attackers.

    With regulatory frameworks like the Online Safety Act and increased investigative efforts in places like India and France, the pressure on platforms and authorities to act quickly and decisively is higher than ever. As the cyber threat landscape becomes more interconnected, the need for enhanced security protocols, improved monitoring, and greater accountability in digital spaces remains critical.

  • China-Linked Cyber Actors Turn to Massive Covert Botnets to Evade Detection
    by Ashish Khaitan on April 24, 2026 at 8:02 am

    A newly issued cybersecurity advisory highlights an evolution in the tactics, techniques and procedures (TTPs) employed by China-Nexus threat actors. The report, released with support from the UK Cyber League and coordinated by the National Cyber Security Centre (NCSC-UK) alongside international partners, sheds light on how Chinese threat actors are relying on large-scale covert networks of compromised devices to conduct malicious cyber operations.

    A Strategic Shift in China-Nexus TTPs

    In recent years, cybersecurity experts have observed a clear transition in China-Nexus TTPs. Rather than relying on dedicated, individually controlled infrastructure, Chinese threat actors are now leveraging expansive networks of compromised devices, commonly referred to as covert networks or botnets. These networks are primarily composed of Small Office/Home Office (SOHO) routers, Internet of Things (IoT) devices, and other internet-connected hardware.

    According to the advisory, the majority of China-Nexus actors are believed to be using such covert networks, with multiple networks operating simultaneously and often shared among different groups. These networks are continuously updated, making them highly adaptable and difficult to track. Any organization targeted by Chinese threat actors could be affected. For example, the group known as Volt Typhoon has used these covert networks to pre-position cyber capabilities within critical infrastructure, while Flax Typhoon leveraged similar methods for espionage operations.

    How Covert Networks Operate

    Although botnets are not new, China-Nexus actors are now deploying them at an unprecedented scale and with strategic intent. These covert networks allow attackers to mask their identity, route malicious traffic through multiple nodes, and reduce the risk of attribution. Typically, an attacker accesses the network via an entry point, or “on-ramp,” and routes activity through numerous compromised devices—called traversal nodes—before exiting near the target. This multi-hop approach obscures the origin of the attack.

    These networks support every stage of a cyber operation, from reconnaissance and scanning to malware delivery, command-and-control communication, and data exfiltration. They are also used for general browsing, enabling threat actors to research vulnerabilities and refine TTPs without revealing their identity. The presence of legitimate users on some networks further complicates attribution.

    Real-World Examples and Scale

    Evidence suggests that some covert networks used by China-Nexus actors are developed and maintained by Chinese cybersecurity firms. One notable example is the “Raptor Train” network, which infected over 200,000 devices globally in 2024. It was reportedly managed by Integrity Technology Group, a company also linked by the FBI to activities associated with Flax Typhoon. Another example includes the KV Botnet used by Volt Typhoon, which primarily exploited outdated Cisco and NetGear routers. These devices were particularly vulnerable because they had reached “end-of-life” status, meaning they no longer received security updates.

    The scale and adaptability of these networks present a major challenge. As Paul Chichester, NCSC Director of Operations, stated: “Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyberattacks.”

    Challenges for Network Defenders

    Cybersecurity researchers have long been aware of such threats, but the evolving nature of China-Nexus TTPs introduces new difficulties. A key issue identified by Mandiant Intelligence in May 2024 is “indicator of compromise (IOC) extinction.” Traditional defenses, such as static IP blocklists, are becoming less effective because attackers can operate from vast, constantly changing pools of devices. As compromised nodes are patched or removed, new ones are quickly added, making these networks highly dynamic. This fluidity undermines conventional detection and mitigation strategies.

    Defensive Measures and Best Practices

    The advisory outlines several steps organizations can take to defend against China-Nexus covert networks:

    For all organizations:

      • Maintain a clear inventory of network edge devices.
      • Establish baselines for normal network activity, particularly VPN access.
      • Monitor for unusual connections, including those from consumer broadband ranges.
      • Use dynamic threat intelligence feeds.
      • Implement multi-factor authentication for remote access.

    For higher-risk organizations:

      • Use IP allow lists instead of blocklists for VPN access.
      • Apply geographic and behavioral profiling of incoming connections.
      • Adopt zero-trust security models.
      • Enforce SSL machine certificates.
      • Reduce exposure of internet-facing systems.
      • Explore machine learning tools to detect anomalies.

    For the most at-risk entities:

      • Treat China-Nexus covert networks as advanced persistent threats (APTs).
      • Conduct active threat hunting for suspicious IP activity.
      • Map and monitor known covert networks using threat intelligence.

  • The Cyber Express Weekly Roundup: Crypto Breaches, State-Linked Schemes, and Platform Exploits
    by Ashish Khaitan on April 17, 2026 at 12:47 pm

    In this week’s weekly roundup, The Cyber Express reviews major developments across the cybersecurity domain, highlighting incidents involving crypto ecosystem attacks, state-linked fraud operations, regulatory scrutiny, and underground cybercrime activity. The broader threat landscape continues to show attackers targeting infrastructure weaknesses, social engineering pathways, and third-party dependencies rather than isolated technical flaws.

Across multiple cases, state-aligned and financially motivated actors are focusing on routers, DNS layers, and decentralized systems to intercept data and manipulate transactions. At the same time, gaps in regulation and enforcement continue to complicate platform accountability, particularly in online safety and digital content governance.

The Cyber Express Weekly Roundup

$15M Grinex Hack Halts Trading After Wallet Breach

Grinex suspended trading and withdrawals following a coordinated attack that compromised its wallet infrastructure, resulting in the theft of more than $15 million in USDT. The attackers rapidly moved assets across Ethereum and Tron networks, using chain-hopping and layering techniques to obscure transaction trails and avoid detection.

Two U.S. Nationals Sentenced in $5M North Korea IT Worker Scheme

Two U.S. nationals, Kejia Wang and Zhenxing Wang, received prison sentences of 108 and 92 months for their roles in a North Korea-linked remote employment scheme that generated over $5 million. The operation used stolen identities, domestic “laptop farms,” and shell companies to present overseas workers as U.S.-based employees across more than 100 companies.

Australia Social Media Ban Faces Enforcement Questions

Australia’s under-16 social media restriction is facing renewed scrutiny after a study of 1,050 children found that over 60% of previously active users aged 12–15 continue accessing platforms such as TikTok, YouTube, and Instagram. Many accounts remained active without intervention from providers, and in some cases, users created new profiles after restrictions were applied.

TierOne Dark Web Contest Offers $10K for Exploit Writeups

A dark web forum known as TierOne has launched a $10,000 contest encouraging detailed technical write-ups on vulnerability exploitation techniques. Running from April 13 to May 14, 2026, and reportedly sponsored by a ransomware group, the contest focuses on topics such as remote code execution, IDOR, SSTI, firmware attacks, and EDR bypass methods.

Rockstar Cyberattack Confirmed Amid Extortion Threat

Rockstar Games confirmed a cyberattack involving unauthorized access through a third-party service, though it stated that core operations and player systems were unaffected. The threat actor group ShinyHunters claimed responsibility, alleging access to internal company data and demanding payment by April 14, 2026, under threat of public release.

Weekly Takeaway

The Cyber Express weekly roundup reflects a threat landscape that is fragmented yet interconnected. From multimillion-dollar crypto thefts and criminal employment schemes to underground exploit markets and extortion-driven breaches, attackers are consistently blending technical exploitation with deception and supply chain targeting.

Regulatory uncertainty and weak enforcement mechanisms further amplify these risks, allowing both state-linked and financially motivated actors to operate with greater flexibility across digital environments.

  • MiningDropper Turns Android Apps Into Multi-Stage Malware Delivery Systems
    by Ashish Khaitan on April 16, 2026 at 6:38 am

    Researchers have uncovered an Android malware framework dubbed MiningDropper. Security researchers at Cyble Research and Intelligence Labs (CRIL) have identified a sharp increase in campaigns using MiningDropper, a modular platform capable of distributing multiple types of malicious payloads, including cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware.

A notable aspect of this campaign is its abuse of the open-source Lumolight application, which has been repurposed as a trojanized entry point.

A Modular Android Malware Framework at Scale

MiningDropper is not a conventional malware strain. Instead, it operates as a multi-stage delivery framework designed to evade detection and dynamically deploy payloads. Its architecture integrates XOR-based obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques. These layers collectively delay analysis and reduce the likelihood of detection by traditional antivirus solutions.

Over 1,500 MiningDropper samples have been observed in the wild within a single month, with more than 50% showing minimal antivirus detection. Notably, around 668 samples registered only three antivirus detections, indicating widespread distribution with low visibility.

Lumolight as the Initial Infection Vector

A recent variant of MiningDropper uses a trojanized version of Lumolight as its initial payload. Victims unknowingly install this compromised application through phishing links, fraudulent websites, or social media campaigns. Once installed, the malicious application triggers a native library, “librequisitionerastomous.so”, which begins the execution chain. This native layer decrypts XOR-obfuscated strings at runtime and checks whether the app is running in an emulator or rooted environment. If such conditions are detected, the malware halts execution to avoid analysis. Otherwise, it proceeds to decrypt and load the first-stage payload from the app’s assets.

Multi-Stage Payload Delivery Mechanism

[Figure: MiningDropper attack chain (Source: Cyble)]

MiningDropper’s infection chain unfolds across multiple stages:

Initial Stage: The native code decrypts an embedded asset using a hardcoded XOR key, producing a DEX file. This file is dynamically loaded using DexClassLoader and executes a bootstrap component.

First Stage: The bootstrap loader decrypts a second-stage payload using AES encryption. The AES key is derived from the SHA-1 hash of the file name, making it harder for analysts to extract static keys.

Second Stage: This stage presents a fake Google Play update interface, a social engineering tactic designed to maintain user trust. Behind the scenes, it decrypts additional payloads and configuration files. The malware can operate in two modes: a cryptocurrency miner or a user-defined malicious payload. Configuration files such as “norweyanlinkediting” (miner path) and “udela” (user payload path) dictate the behavior. These configurations include parameters like remote control capabilities, payload splits, and subscription timelines.

Third Stage: The malware extracts a ZIP archive containing further DEX files and native libraries. Acting as a split-APK installer, it reconstructs and installs the final payload based on the configuration.

Campaigns Targeting Multiple Regions

CRIL identified two primary campaign clusters leveraging MiningDropper:

Infostealer Campaign (India): This campaign targets Indian users by impersonating trusted entities such as Regional Transport Office (RTO) services, banks, telecom providers, and popular apps. In October 2025, a campaign using RTO-themed lures distributed malicious APK files that ultimately deployed infostealers to harvest sensitive financial and personal data.

BTMOB RAT Campaign (Global): Another campaign distributes MiningDropper across Europe, Latin America, and Asia. In this case, the final payload is BTMOB RAT, a powerful Android trojan first identified in February 2024 as a variant of SpySolr malware. It supports credential theft, real-time remote control, device takeover, and financial fraud operations. Interestingly, while BTMOB RAT was initially distributed without obfuscation and detected by multiple antivirus engines, its integration with MiningDropper has reduced detection rates to as low as one to three engines.

Final Payload Capabilities

The final payload delivered by MiningDropper depends on the configuration:

- Infostealers: Extract sensitive data such as login credentials and financial information.
- RATs (e.g., BTMOB RAT): Enable full device compromise, including screen monitoring, file access, audio recording, and command execution via WebSocket-based communication.
- Banking Trojans: Facilitate financial fraud through credential harvesting and transaction manipulation.
- Cryptocurrency Miners: Utilize device resources for unauthorized mining operations.

The malware also abuses Android Accessibility Services to gain extensive control over infected devices, allowing it to simulate user interactions and grant additional permissions.

A Scalable Malware-as-a-Framework Model

MiningDropper demonstrates a shift toward malware frameworks that prioritize scalability and adaptability. Its ability to switch between payloads using configuration changes, without altering the core architecture, makes it highly reusable across campaigns. This modularity enables threat actors to rapidly expand operations while maintaining low detection rates.

MiningDropper is more than just another Android malware strain. By combining advanced obfuscation, multi-stage execution, and the exploitation of legitimate projects like Lumolight, it represents a threat model capable of sustaining large-scale, global campaigns.

  • Dark Web Article Contest Offers $10,000 for Exploit Writing on TierOne Forum
    by Ashish Khaitan on April 14, 2026 at 5:55 am

    In an unusual development within the underground cyber world, a dark web article contest has been announced on a well-known dark web forum, TierOne. The initiative is backed by a $10,000 prize pool. The contest places a spotlight on technical writing centered around vulnerability exploitation, offering insight into how knowledge is shared and rewarded in these spaces.

Traditionally, dark web forums have been linked to illicit activities such as trading stolen data, coordinating ransomware attacks, and distributing malware. However, this contest introduces a different dynamic, one that mirrors legitimate cybersecurity ecosystems, where researchers document findings and share exploit techniques.

The Dark Web Article Contest Overview and Prize Structure

According to an official announcement shared by an administrator on the forum, the post states: “Hello everyone! We are pleased to announce T1 erone [ARTICLE CONTEST #1 – 2026]. Contest winners receive prizes: 1st place $5,000, 2nd place – $3,000, 3rd place – $2,000, [Prize fund $10,000]. Article submissions open on 13.04.2026 and close on 14.05.2026.”

The announcement indicates that the dark web article contest will run from April 13, 2026, to May 14, 2026, with prize amounts set at $5,000 for first place, $3,000 for second place, and $2,000 for third place, making up a total prize pool of $10,000, reportedly sponsored by the ransomware group cry0.

Topics Focused on Vulnerability Exploitation

The contest invites submissions covering a wide range of advanced topics related to vulnerability exploitation with real-world applicability. These include:

- Remote Code Execution (RCE) through deserialization flaws in React and Node.js frameworks.
- Command injection attacks in APIs and backend systems.
- Insecure Direct Object Reference (IDOR) vulnerabilities in SaaS platforms.
- Server-Side Template Injection (SSTI) in modern templating engines.
- Exploitation of insecure deserialization in PHP and Java.
- Client-side RCE via Markdown or Office file rendering.
- Firmware attacks targeting routers and cameras.
- Privilege escalation techniques in RouterOS and similar systems.
- Exploitation methods for products from Cisco, MikroTik, Oracle, and Ubiquiti.
- Zero-day discovery in browser components like WebGPU and Blink.
- AI-assisted vulnerability discovery and reverse engineering.
- Techniques for bypassing AV and EDR security systems.
- Exploitation of Remote Procedure Call (RPC) mechanisms.

For context, vulnerabilities such as RCE, IDOR, and SSTI allow attackers to execute arbitrary code or access restricted data, while firmware attacks enable persistent control over hardware devices. Similarly, AV/EDR bypass techniques are designed to evade detection by modern security solutions.

Participation Rules and Requirements

The TierOne forum has outlined strict guidelines for participants. Articles must be published within the forum’s designated section and include a specific prefix to qualify:

- Submissions must be posted under the Articles section with the prefix “[Contest]”.
- A link to the article must be shared in the contest thread with a participation note.
- All users are eligible, regardless of registration date or activity level.
- The use of multiple accounts is strictly prohibited.

In addition, the contest enforces content quality standards:

- Articles must be original and based on the author’s own experience.
- Copy-pasted or reposted material is not allowed.
- Submissions should comprehensively cover the chosen topic, including tools, techniques, and methodologies.
- The minimum length requirement is one A4 page.
- Excessive filler content is discouraged.
- Including video demonstrations may improve chances of winning.

A Glimpse into Dark Web Knowledge Sharing

While the existence of such a contest may seem surprising, it points to a broader trend within dark web forums. Beyond illegal marketplaces and data trading, these platforms also function as hubs for technical exchange, where members document and refine vulnerability exploitation techniques. In many ways, the structure resembles legitimate bug bounty programs and penetration testing workflows, where cybersecurity professionals publish detailed reports on discovered flaws. The key difference lies in the intent and environment in which this knowledge is applied.

It is important to note that this article does not endorse participation in such activities. Instead, it aims to shed light on how these underground ecosystems operate. The TierOne forum contest highlights that even within the dark web, there are organized efforts to produce structured, experience-based technical content, albeit in a context that raises ethical and legal concerns.
