Tag: Palo Alto Networks

CryptoClippy: New Malware Targets Portuguese Cryptocurrency Users

April 5, 2023
Cyber Threat / Malware

A newly identified malware, dubbed CryptoClippy, is specifically targeting Portuguese cryptocurrency users through a malvertising campaign. This sophisticated malware employs SEO poisoning techniques to lure users searching for “WhatsApp web” to malicious domains that host the threat, according to a recent report from Palo Alto Networks’ Unit 42.

CryptoClippy, written in C, is a type of cryware known as clipper malware, which monitors clipboard activity for cryptocurrency addresses. When it detects a match, the malware substitutes the copied address with one controlled by the attacker. “The clipper malware utilizes regular expressions (regexes) to ascertain the cryptocurrency type of the address,” noted researchers from Unit 42. “It then replaces the clipboard entry with a visually similar wallet address belonging to the adversary.”
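
The report's two-step mechanism, regex classification of the clipboard text followed by substitution with a lookalike attacker address, is what a wallet application or endpoint agent can check for. The block below is an added example, not code from Unit 42 or from the page: the address regexes (legacy and bech32 Bitcoin, Ethereum) and the clipboard event sequence are constructed for illustration, and CryptoClippy's own patterns are not published here. It flags the clipper signature directly: a copied address that reads back as a different valid address of the same coin type.

```python
import re
from dataclasses import dataclass

# Address-format regexes, constructed for this example (the page does not
# publish CryptoClippy's own patterns). Base58 excludes 0, O, I, l; bech32
# excludes 1, b, i, o.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{25,87})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the coin type a clipper would assign to this clipboard text, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def lookalike_score(a: str, b: str) -> int:
    """Matching leading plus trailing characters. Clippers choose attacker
    addresses that share these because users eyeball only the ends."""
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix + suffix


@dataclass
class Alert:
    t_ms: int
    coin: str
    expected: str
    observed: str
    lookalike: int


def detect_clipboard_swaps(events):
    """Flag a clipper-style swap: the user copied a crypto address and a later
    read of the clipboard returns a different valid address of the same type.

    events: iterable of (kind, t_ms, text) with kind in {"copy", "read"}.
    "copy" is what the user placed on the clipboard (e.g. a wallet app's own
    copy action); "read" is what a later poll of the clipboard returned.
    """
    alerts = []
    last_copy = None  # (t_ms, text, coin) of the most recent address copy
    for kind, t_ms, text in events:
        if kind == "copy":
            coin = classify_address(text)
            last_copy = (t_ms, text, coin) if coin else None
        elif kind == "read" and last_copy is not None:
            _, expected, coin = last_copy
            if text != expected and classify_address(text) == coin:
                alerts.append(Alert(t_ms, coin, expected, text, lookalike_score(expected, text)))
                last_copy = None  # report each swap once
    return alerts


# Constructed clipboard timeline: a BTC copy that gets swapped, plain text,
# and an ETH copy that is left alone.
SAMPLE_EVENTS = [
    ("copy", 1000, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ("read", 1100, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ("read", 1400, "bc1qw508d67fhsnk2ml9c8g4zqs9vmu4pd0cv8f3t4"),  # same ends, new middle
    ("copy", 5000, "meeting notes"),
    ("read", 5100, "meeting notes"),
    ("copy", 9000, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),
    ("read", 9200, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),
]


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"t={alert.t_ms}ms {alert.coin} swapped: {alert.expected} -> {alert.observed} "
              f"({alert.lookalike} matching edge chars)")
```

The same-type check matters: a user who copies a Bitcoin address and then copies an Ethereum one has not been attacked, but a Bitcoin address silently turning into a different Bitcoin address with the same first ten and last six characters is exactly the pattern the report describes. The lookalike score is only for triage; the swap itself is the alert.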

China-Linked Hackers Target SAP and SQL Server Vulnerabilities in Attacks Across Asia and Brazil

May 30, 2025
Vulnerability / Threat Intelligence

A China-linked threat group has been identified as the source of recent attacks exploiting a critical security flaw in SAP NetWeaver, part of a larger campaign against organizations in Brazil, India, and Southeast Asia that began in 2023. According to Trend Micro security researcher Joseph C. Chen, the attackers primarily exploit SQL injection vulnerabilities in web applications to infiltrate SQL servers of targeted entities. “The actor also leverages various known vulnerabilities to compromise public-facing servers,” Chen noted in a recent analysis. Key targets have included Indonesia, Malaysia, the Philippines, Thailand, and Vietnam. Trend Micro is tracking this activity under the name Earth Lamia, which shows some overlap with threat clusters reported by Elastic Security Labs as REF0657, Sophos as STAC6451, and Palo Alto Networks’ Unit 42.
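
The page names SQL injection in web applications as the group's primary route onto back-end SQL servers but gives no detail on the affected applications, so the following is an added, generic illustration rather than anything from Trend Micro's analysis. It runs the vulnerable string-built query beside its parameterised replacement against a constructed in-memory SQLite database, using two payloads of the kind a scanner would send: one that collapses the WHERE clause to a tautology and one that uses UNION to read the schema catalogue, the first step toward pivoting on the database server.

```python
import sqlite3

# Constructed demo database standing in for a public-facing web app's backend;
# the page does not describe the actual applications or schemas that were hit.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the request parameter is spliced into the SQL text,
    so quote characters in it change the query's structure."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a bound parameter is always treated as a value, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads sent in the username field.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"                                  # returns every row
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master --"  # reads the schema catalogue


def demo() -> dict:
    """Run both payloads against both implementations and return what each leaks."""
    conn = build_demo_db()
    return {
        "vulnerable_tautology_rows": len(lookup_user_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "vulnerable_schema_rows": lookup_user_vulnerable(conn, SCHEMA_PAYLOAD),
        "safe_tautology_rows": len(lookup_user_safe(conn, TAUTOLOGY_PAYLOAD)),
        "safe_schema_rows": len(lookup_user_safe(conn, SCHEMA_PAYLOAD)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterised version returns nothing for either payload because the driver sends the text as a value; there is no username literally equal to the payload string. On a production server the UNION step would target the catalogue of that engine rather than sqlite_master, but the defensive fix is the same one shown here.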

North Korean Hackers Unleash New KLogEXE and FPSpy Malware in Targeted Assaults

Sep 26, 2024
Cyber Attack / Malware

Threat actors linked to North Korea have been observed deploying two new malware strains, KLogEXE and FPSpy. The activity is attributed to the group tracked as Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima. “These new samples expand Sparkling Pisces’ already extensive toolkit and highlight the group’s ongoing evolution and enhanced capabilities,” stated Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger. Active since at least 2012, the group has earned the moniker “king of spear-phishing” for its skill at deceiving victims into downloading malware via emails that appear to originate from trusted sources. Unit 42’s investigation into Sparkling Pisces’ infrastructure revealed two new portable executables, KLogEXE and FPSpy. “These malware strains are known to be…

Spike in Erlang/OTP SSH Exploits Following April Patch

Surge in Attacks Targeting Operational Technology Networks

August 13, 2025
Critical Infrastructure Security / Governance & Risk Management / Operational Technology (OT)
Prajeet Nair (@prajeetspeaks)

Researchers report a notable surge in exploitation attempts against a critical vulnerability in the Erlang/OTP runtime system, prevalent in operational technology settings. The…

⚡ Weekly Update: Airline Threats, Citrix Vulnerabilities, Outlook Malware, Banking Trojans, and More

📅 Jun 30, 2025
Cybersecurity / Hacking News

Curious about what happens when attackers play by the rules—only better? This week, we explore stories that challenge our understanding of security control. It’s not always a broken firewall or an unpatched system; sometimes, it’s the seemingly innocuous choices, default settings, and shortcuts we take that introduce risk. The true shock is that threats can stem from the very design of our systems. Join us as we delve into the underlying factors influencing today’s security landscape.

⚡ Threat of the Week

FBI Alerts on Scattered Spider’s Airlines Attacks — The FBI has issued warnings about a new wave of sophisticated attacks by the cybercrime group Scattered Spider, specifically targeting the airline industry through advanced social engineering tactics. Cybersecurity experts from Palo Alto Networks Unit 4…

North Korean Group Partners with Play Ransomware in Major Cyber Attack

Oct 30, 2024
Ransomware / Threat Intelligence

Threat actors associated with North Korea have been linked to a recent cyber incident involving the notorious Play ransomware, highlighting their financial motives. This activity, which took place between May and September 2024, is connected to a group known as Jumpy Pisces, also referred to as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (previously Plutonium), Operation Troy, Silent Chollima, and Stonefly. According to a new report from Palo Alto Networks’ Unit 42, “We have moderate confidence that Jumpy Pisces, or a segment of this group, is now collaborating with the Play ransomware collective.” This incident is particularly significant as it represents the first documented partnership between the Jumpy Pisces North Korean state-sponsored group and an underground ransomware operation. Active since at least 2009, Andariel is associated with North Korea’s Reconnaissance General Bureau (RGB) and has a history of deploying various cyber tactics.

GLOBAL GROUP RaaS Launches Operations with AI-Powered Negotiation Tools

July 15, 2025
Cybercrime / Ransomware

Cybersecurity researchers have uncovered a new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP, which has been targeting various sectors across Australia, Brazil, Europe, and the United States since its debut in early June 2025. According to EclecticIQ researcher Arda Büyükkaya, GLOBAL GROUP was “advertised on the Ramp4u forum by the threat actor known as ‘$$$’.” The same individual is associated with the BlackLock RaaS and previously oversaw the Mamona ransomware operation. GLOBAL GROUP is believed to be a rebranding of BlackLock, following the defacement of BlackLock’s data leak site by the DragonForce ransomware cartel in March; BlackLock was itself a rebranding of an earlier RaaS scheme called Eldorado. The financially motivated group relies heavily on initial access brokers (IABs) for entry, gaining footholds through vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks before deploying ransomware.

Alert: Over 2,000 Palo Alto Networks Devices Compromised in Ongoing Cyber Attack Campaign

November 21, 2024

As of November 21, 2024, an estimated 2,000 devices from Palo Alto Networks have been compromised due to a campaign exploiting newly disclosed security vulnerabilities. According to data from the Shadowserver Foundation, the majority of incidents have been reported in the U.S. (554) and India (461), with additional cases in Thailand (80), Mexico (48), Indonesia (43), Turkey (41), the U.K. (39), Peru (36), and South Africa (35).

Earlier this week, Censys reported identifying 13,324 publicly exposed next-generation firewall management interfaces, 34% of them in the U.S. Not every exposed host is necessarily vulnerable, but exposure of the management interface to the internet is the precondition for the attack. The two flaws being chained are CVE-2024-0012 (CVSS score: 9.3), an authentication bypass in the PAN-OS management web interface that grants administrator privileges, and CVE-2024-9474 (CVSS score: 6.9), a privilege escalation that lets an authenticated administrator perform actions with root privileges; together they give an unauthenticated attacker root on a reachable device. Restricting management-interface access to trusted internal addresses removes the exposure even before patching.

Leak Uncovers Daily Lives of North Korean IT Scammers

Targeted Data Exploitation of IT Workers Revealed in Recent Findings

Recent investigations have unveiled a concerning scheme targeting IT professionals, highlighting a structured operation that gathers and exploits sensitive information. Documented evidence includes detailed listings of potential job opportunities within the IT sector, alongside personal data that suggests a deliberate…
