👉 What’s going on in the cyber world today?
Snake Keylogger, AutoIt, NailaoLocker Ransomware, European Healthcare, Cyber-Espionage, CryptoBytes, UxCryptor Ransomware, CISA, FBI, Ghost Ransomware, Russian Hackers, Ukrainian Signal Users, Phishing QR Codes, B1ack’s Stash, Dark Web Marketplace, Stolen Cards, Burlington Hydro, Data Breach, Utsunomiya Central Clinic, Consultants in Pain Medicine, Fortis Solutions Group, Trump, John Eisenberg, DOJ, Sanctioned Entities, Crypto Activity, Mollitiam Industries, Spyware, US Army Soldier, AT&T, Verizon, Confidential Data, Endpoint Malware, Social Engineering Tactics.
1. Snake Keylogger Targets Multiple Countries
A new variant of the Snake Keylogger malware has been targeting Windows users across multiple countries, including China, Turkey, Indonesia, Taiwan, and Spain. With over 280 million blocked infection attempts this year, it uses phishing emails with malicious attachments or links to steal sensitive information from popular browsers. The malware uses advanced techniques like AutoIt scripting and process hollowing to evade detection, while exfiltrating stolen data via SMTP and Telegram bots.
2. NailaoLocker Ransomware Targets Healthcare
A new ransomware strain named NailaoLocker targeted European healthcare organizations between June and October 2024, gaining initial access by exploiting a vulnerability in the Check Point Security Gateway (CVE-2024-24919). Though relatively unsophisticated, the ransomware encrypts files using AES-256-CTR and drops a lengthy ransom note instructing victims to contact a ProtonMail address. Researchers suspect that the attacks may be part of a larger espionage operation, possibly linked to Chinese state-sponsored threat groups, though the evidence remains inconclusive.
3. CryptoBytes Escalates Attacks with UxCryptor
The Russian cybercriminal group CryptoBytes has escalated its ransomware campaigns using a modified version of UxCryptor, according to SonicWall’s Capture Labs. The group, active since 2023, targets Windows systems globally, employing evasion tactics to avoid detection and psychological pressure to extort cryptocurrency payments from victims. UxCryptor uses a multi-stage attack: it terminates critical system processes, checks for virtual environments, and encrypts files with AES-256-CBC, marking them with a .ux-cryptobytes extension.
4. CISA and FBI Warn of Ghost Ransomware Threat
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory about the growing threat of Ghost ransomware, which has targeted over 70 organizations worldwide. Since its emergence in 2021, Ghost actors, believed to be based in China, exploit known vulnerabilities in outdated software to compromise critical systems. Despite claims of data exfiltration, the group primarily focuses on encrypting data and demanding cryptocurrency payments in exchange for decryption.
5. Hackers Target Signal Users with Phishing
Russian nation-state hackers are using phishing attacks built on social engineering to target Ukrainian users of the Signal app. The attackers use malicious QR codes to trick victims into linking an additional device to their account, which gives the hackers persistent access to the victims’ messages. Because the attacker’s device is legitimately linked, this method sidesteps Signal’s end-to-end encryption, and compromised accounts may go unnoticed for extended periods.
6. B1ack’s Stash Leaks 4 Million Stolen Cards
B1ack’s Stash, a new Dark Web carding marketplace, recently leaked 4 million stolen credit card details. This release, aimed at attracting more cybercriminals, is one of the largest carding leaks in recent years, raising concerns over financial fraud, identity theft, and business exposure. The platform’s aggressive marketing strategy, which includes regular large-scale data dumps, signals a growing threat to cybersecurity.
7. Burlington Hydro Customers Hit by Breach
Burlington Hydro, based in Ontario, Canada, has informed all of its customers about a potential data breach that may have exposed personal information. The breach, which occurred due to a third-party vendor’s security incident, was reported to Ontario’s Information and Privacy Commissioner (IPC) on January 27. While no financial data was involved, the breach may have affected all current customers, prompting Burlington Hydro to advise individuals to monitor their accounts for unusual activity and change passwords regularly.
8. Utsunomiya Central Clinic Hit by Ransomware
Utsunomiya Central Clinic in Japan was targeted by a ransomware attack on February 10, 2025, which led to the possible exposure of personal and medical information of up to 300,000 individuals. The compromised data includes sensitive details like names, dates of birth, contact information, and health records, but excludes financial information such as bank accounts, credit card details, and social security numbers.
9. Consultants in Pain Medicine Reports Breach
Consultants in Pain Medicine (CPM), based in San Antonio, Texas, reported a data breach on February 18, 2025, after unauthorized access to their computer network. The breach, which occurred between June 26, 2024, and July 7, 2024, exposed sensitive patient information such as Social Security numbers, medical details, financial information, and health insurance data. CPM launched an investigation with cybersecurity experts to assess the extent of the breach and identify the affected individuals.
10. Fortis Solutions Group Data Breach Incident
Fortis Solutions Group, a packaging company based in Virginia, recently reported a data breach to the Attorney General of Maine after discovering unauthorized access to employee email accounts. The breach, which occurred between January 5 and January 25, 2024, potentially exposed sensitive personal information stored in its systems. Fortis launched an investigation upon noticing the breach on February 14, 2024, and has since completed a review of the compromised data.
11. Trump Nominates John Eisenberg for DOJ Role
President Donald Trump has nominated John Eisenberg to lead the Justice Department’s National Security Division. Eisenberg, a key figure in Trump’s first impeachment, would take charge of high-profile terrorism and cyber-espionage cases if confirmed. His nomination comes as the division faces recent personnel changes, and his handling of past legal controversies, including his role in the Ukraine call investigation, is expected to draw significant scrutiny.
12. Sanctioned Entities Fuel $16 Billion in Crypto Transactions
Sanctioned entities and regions were behind nearly $16 billion in cryptocurrency transactions in 2024, with Tornado Cash and crypto use in Iran playing central roles. Tornado Cash, despite being sanctioned in 2022, continues to operate, with monthly inflows reaching $100 million last year. The platform was increasingly used for money laundering, including stolen funds from high-profile hacks. Meanwhile, Iran saw a dramatic rise in cryptocurrency outflows, with citizens moving funds amid the crumbling rial and political instability.
13. Mollitiam Industries Closes After Bankruptcy
Mollitiam Industries, a little-known Spanish spyware maker, has filed for bankruptcy, citing financial issues. The company, which had remained largely secretive, briefly gained attention in 2021 for its spyware products Invisible Man and Night Crawler, used to extract sensitive data from devices. The company had also been linked to a scandal in Colombia; its closure marks the end of its discreet operations.
14. Ex-US Soldier Pleads Guilty to Hacking AT&T
Cameron John Wagenius, a former U.S. Army soldier, has pleaded guilty to hacking into AT&T and Verizon’s systems and stealing a large quantity of sensitive phone records. Court documents filed on Wednesday show that Wagenius faced two counts of unlawful transfer of confidential phone records, which he allegedly shared through an online forum and a communications platform. His lawyer confirmed that he now faces significant legal consequences, including a potential fine of $250,000 and up to 10 years in prison for each charge.
15. Endpoint Malware Surges 300% in Q3 2024
The third quarter of 2024 saw a staggering 300% increase in endpoint malware detections, according to a WatchGuard report. This surge is attributed to threat actors using social engineering techniques and abusing legitimate services such as OneNote and WordPress plugins to deliver malware. Notably, attackers are now targeting vulnerabilities in widely used platforms like WordPress to host malicious downloads, deceiving users with fake update prompts.
Copyright © 2025 CyberMaterial. All Rights Reserved.