Also: BianLian Ransomware Hackers Aren’t Really Mailing You

Every week, Information Security Media Group compiles notable cybersecurity incidents and breaches globally. This week, the U.S. imposed sanctions on an Iranian national managing a darknet marketplace, Dark Caracal is reportedly deploying a new remote access tool in Latin America, Apple is contesting a British order that would compromise cloud storage encryption, and the FBI has issued warnings regarding fraudulent letters falsely claiming to be from the BianLian group. Additional stories include the extradition of a Nigerian cybercriminal, the identification of a new botnet, and a vulnerability detected in Webex.
U.S. Sanctions Iranian Operator of Darknet Drug Marketplace
The U.S. Treasury Department has sanctioned Behrouz Parsarad, an Iranian individual accused of operating Nemesis, a darknet platform that facilitated the sale of drugs, cybercriminal activities, and money laundering. This action follows a significant international law enforcement operation last year that shuttered much of Nemesis’ infrastructure. Founded in 2021, the marketplace reportedly had over 150,000 users and facilitated around $30 million in drug sales, including substances like fentanyl. Sellers on the platform also provided stolen data, counterfeit documents, and services related to ransomware and distributed denial-of-service (DDoS) attacks.
According to the Treasury, Parsarad was responsible for all marketplace operations and the management of its cryptocurrency wallets, earning substantial profits from transaction fees while allegedly laundering illicit funds for cybercriminals. After the platform's shutdown, he reportedly attempted to resurrect the marketplace. U.S. and German enforcement agencies have since linked 49 cryptocurrency wallets to his activities, part of an ongoing effort to dismantle darknet platforms that is consistent with recent enforcement actions across Europe.
Dark Caracal Initiates Cyberattacks Using Poco RAT in Latin America
The cyberespionage group known as Dark Caracal, which has ties to Lebanese intelligence, is now associated with deploying the Poco Remote Access Trojan (RAT) in cyberattacks across Latin America, as reported by Russian cybersecurity vendor Positive Technologies. Initially detected by Cofense in mid-2024, the malware has been used to target sectors such as mining, manufacturing, and utilities through phishing campaigns built around finance-themed emails. These emails often carry attachments crafted to evade detection and direct victims to download the malware from cloud storage links.
The targeted regions are primarily Venezuela, Colombia, and Chile, and the techniques observed match those of earlier Dark Caracal operations such as the Bandidos campaign, suggesting continuity in the group's methods. The malware connects to a command-and-control server for remote operations. It lacks a built-in persistence mechanism, which suggests that the operators rely on commands dispatched from that server to maintain access. The observed activity maps to the initial access and execution tactics of the MITRE ATT&CK framework, and the malware's continued evolution underscores the persistent threat posed by this adversary.
Apple Challenges U.K. Directive on iCloud Encryption
In a significant legal move, Apple has filed a complaint with the U.K. Investigatory Powers Tribunal against a government order demanding that it weaken optional end-to-end encryption for cloud backups of Apple devices. The appeal, the first of its kind before the IPT, stems from a technical capability notice reportedly issued by the U.K. Home Office that sought to compel Apple to create a backdoor into its iCloud services for law enforcement purposes. In response to these developments, Apple has suspended the "Advanced Data Protection" feature for U.K. users, an indication of the ongoing tension between user privacy rights and government surveillance demands.
FBI Cautions Executives about BianLian Email Scam
The FBI has recently issued a warning to corporate executives regarding a fraudulent mail scheme claiming to originate from the BianLian group, which indicates a broader trend in extortion attempts. These letters, which appear legitimate and advise immediate attention, demand payments ranging from $250,000 to $500,000, featuring QR codes linked to Bitcoin wallets. Interestingly, the FBI clarified that the perpetrators of these letters are not associated with the actual BianLian ransomware group, which adds a layer of complexity to the threat landscape as malicious actors continue to exploit fear for monetary gain.
Although the letters contain actual compromised credentials to enhance their apparent legitimacy, cybersecurity experts have expressed confidence that these extortion efforts are not connected to real data breaches. The ongoing investigation underscores the need for organizations to remain vigilant against such scams and to maintain robust security practices that mitigate the risks of social engineering.
Nigerian Hacker Extradited to the U.S. for Cyber Fraud
The U.K. has extradited Kehinde Hassan, a Nigerian national, to the U.S. to face multiple charges linked to an elaborate cyber fraud operation that defrauded taxpayers of over $1.3 million through the distribution of phishing emails targeting tax preparation firms. Utilizing the Warzone RAT, Hassan and his co-conspirators obtained sensitive client information to file fraudulent tax claims—an operation that aimed to elude authorities while seeking in excess of $8 million in returns. This extradition marks a significant collaboration between U.S. and U.K. law enforcement agencies in combating transnational cyber crime.
Eleven11bot Botnet Compromises Thousands of IoT Devices
Recent research has unveiled a new botnet named Eleven11bot, which currently infects over 86,000 Internet of Things devices, primarily targeting security cameras and network video recorders. This botnet has facilitated large-scale DDoS attacks on various telecom providers and gaming servers. Initial disclosures suggested around 30,000 affected devices; however, further analysis by the Shadowserver Foundation shows that the actual numbers are substantially higher, with significant clusters of infected devices reported across the United States and other countries. The botnet executes attacks generating massive volumes of packet traffic, which pose severe operational risks to internet service delivery.
The malware behind Eleven11bot exploits weak administration credentials, default passwords, and open ports to proliferate, highlighting ongoing vulnerabilities in IoT device security. Researchers recommend implementing stringent security measures, including updated credentials and device monitoring, to counteract the risk posed by such malicious networks.
Cisco Issues Alert on Webex Security Vulnerability
Cisco has alerted its users to a critical vulnerability in Webex for BroadWorks that could be exploited by unauthenticated attackers to access credentials remotely. Disclosed in a recent security advisory, the flaw can expose sensitive information in Session Initiation Protocol (SIP) headers, potentially allowing impersonation of users. Cisco has issued a configuration change to mitigate the risk and recommends that users restart their Webex applications and enable secure SIP transport to encrypt the data as a precaution against unauthorized access.
Thus far, there have been no reports of active exploitation associated with this vulnerability, but organizations are encouraged to proactively address this issue through diligent security practices and necessary system adjustments.
Reported by Information Security Media Group’s Prajeet Nair in Bengaluru, India, and David Perera in Washington, D.C.