company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

ShinyHunters

CRM

loading..
loading..
loading..

1.4M Allianz Life Customers Exposed in Massive ShinyHunters CRM Hack

ShinyHunters breaches Allianz Life's third-party CRM via social engineering, exposing majority of 1.4M customers' data in sophisticated attack.

28-Jul-2025
8 min read

No content available.

Related Articles

loading..

Bybit

North Korean TraderTraitor group executed largest crypto theft in history throug...

The threat landscape witnessed an unprecedented breach in February 2025 when North Korea's TraderTraitor hacking collective orchestrated the largest cryptocurrency theft in history, stealing $1.5 billion from Bybit exchange through a sophisticated supply chain compromise targeting Safe{Wallet}'s multisignature platform. ## **Attack Methodology and Timeline** The operation began on February 4, 2025, when TraderTraitor operatives compromised a Safe{Wallet} developer's macOS workstation through a targeted social engineering campaign[3][4]. The attackers, masquerading as recruiters on LinkedIn, lured the developer into downloading a malicious Docker container named "MC-Based-Stock-Invest-Simulator-main," which established communication with the command-and-control domain getstockprice[.]com. Following the initial compromise, the threat actors gained access to Safe{Wallet}'s Amazon Web Services infrastructure on February 5 by hijacking the developer's AWS session tokens, effectively bypassing multi-factor authentication controls. The attackers operated within the compromised environment for nearly two weeks, conducting reconnaissance and preparing for the final assault. The critical phase occurred on February 19, when the attackers injected malicious JavaScript code into Safe{Wallet}'s web interface resources hosted on AWS S3 buckets. This code was specifically engineered to target Bybit's cold wallet transactions while remaining dormant for other users, demonstrating the precision and sophistication of the attack. ## **Technical Execution** On February 21, 2025, when Bybit employees initiated what appeared to be a routine $7 million transfer from their cold wallet to a warm wallet, the malicious JavaScript code intercepted and modified the transaction parameters. The user interface displayed the legitimate transaction details to the three required signers, but the underlying smart contract logic was altered to transfer 401,000 ETH (approximately $1.5 billion) to attacker-controlled wallets. The sophistication of the attack extended to its immediate aftermath, with the malicious code being automatically removed from Safe{Wallet}'s infrastructure just two minutes after the successful theft, demonstrating advanced operational security practices. This rapid cleanup complicated forensic investigations and highlighted the threat actors' experience in covering their tracks. ## **Attribution & Strategic Context** The Federal Bureau of Investigation formally attributed the attack to TraderTraitor, a financially motivated subgroup operating under North Korea's Lazarus Group umbrella. TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces, represents one of several elite hacking units controlled by North Korea's Reconnaissance General Bureau (RGB). This attack continues a pattern of escalating North Korean cryptocurrency theft, with the regime stealing an estimated $1.34 billion across 47 incidents in 2024 alone. Intelligence assessments indicate that up to 50% of North Korea's foreign currency income derives from malicious cyber activities, with these funds directly supporting the country's nuclear weapons and ballistic missile programs. ## **Broader Campaign Activities** The Bybit heist represents the culmination of TraderTraitor's evolving tactics, building upon previous successful operations including the $308 million DMM Bitcoin theft in May 2024. In that attack, operatives used similar social engineering techniques, targeting a Ginco cryptocurrency wallet developer through a fake LinkedIn recruitment scheme that delivered Python-based malware designated as RN Loader and RN Stealer. TraderTraitor's methodology consistently leverages supply chain vulnerabilities, as demonstrated in the 2023 JumpCloud compromise where the group infiltrated the cloud identity management provider to access downstream cryptocurrency customers. This approach exploits the trust relationships inherent in modern software development and deployment pipelines. ## **Defensive Implications and Industry Response** The attack exposed critical vulnerabilities in multisignature wallet implementations, particularly the risk of user interface manipulation in web-based signing processes. Security researchers emphasized that while the underlying smart contract remained secure, the compromise of the presentation layer enabled the deception of authorized signers. Bybit maintained solvency through emergency bridge loans and implemented a "Lazarus Bounty Program" offering rewards for the recovery of stolen assets. However, blockchain intelligence firms confirmed that over $300 million of the stolen cryptocurrency had already been successfully laundered through mixing services and decentralized exchanges. The incident prompted renewed scrutiny of supply chain security practices across the cryptocurrency industry, with particular focus on the verification of software dependencies and the implementation of code signing verification mechanisms. Organizations utilizing multisignature solutions have initiated comprehensive reviews of their transaction signing processes and user interface integrity controls. This unprecedented breach underscores the sophisticated capabilities of state-sponsored threat actors in exploiting complex software supply chains, demonstrating how traditional security boundaries become ineffective against advanced persistent threats with strategic patience and significant resources.

loading..   01-Aug-2025
loading..   4 min read
loading..

JSCeal

Infostealer

JSCeal malware spreads via Facebook ads impersonating Binance, Bybit & 48+ crypt...

A sophisticated malware campaign dubbed **JSCeal** has weaponized Facebook's advertising platform to orchestrate one of the most extensive cryptocurrency theft operations ever documented, potentially reaching over **10 million users globally** through malicious advertisements impersonating legitimate crypto trading applications. The campaign, which has operated with alarming stealth since March 2024, demonstrates how threat actors are exploiting social media trust mechanisms to deliver advanced malware that can compromise victims' cryptocurrency assets completely. Security researchers' investigations [reveal](https://research.checkpoint.com/2025/jsceal-targets-crypto-apps/) that JSCeal represents a paradigm shift in cybercriminal tactics, combining social engineering through trusted platforms with cutting-edge technical evasion methods. The campaign's use of **compiled JavaScript (JSC) files** and multi-layered deployment mechanisms has enabled it to maintain near-perfect stealth, with hundreds of malware samples remaining undetected on VirusTotal despite widespread distribution. ## Facebook Advertising Weaponization ### Scale of Social Media Exploitation The JSCeal campaign has transformed [Facebook](https://www.secureblink.com/cyber-security-news/facebook-ads-spreading-dangerous-sys-01-malware)'s advertising ecosystem into a massive malware distribution network, leveraging both **compromised accounts and newly created profiles** to maximize reach and credibility. Check Point's analysis of the European Union's Digital Services Act transparency requirements reveals the staggering scope of this social media exploitation: **Campaign Metrics (January-June 2025):** - **35,000+ malicious advertisements** identified across Facebook platforms - **3.5 million estimated reach in EU alone** (conservative estimate) - **10+ million potential global exposure** when accounting for non-EU markets - **48 legitimate crypto brands impersonated** including Binance, Bybit, and OKX ### Sophisticated Ad Targeting and Redirection The threat actors behind JSCeal have demonstrated remarkable sophistication in their advertising strategy, employing multiple layers of filtering and redirection to maximize victim conversion while evading detection: **Targeting Methodology:** - **Geographic filtering**: Ads redirect only specific IP ranges to malicious content - **Referrer validation**: Only Facebook-referred traffic reaches fake download pages - **Decoy mechanisms**: Non-targeted users see legitimate-appearing placeholder sites - **Brand diversification**: 48+ cryptocurrency and financial brands impersonated The campaign's domain strategy follows specific naming conventions that create an estimated **560 unique potential domain combinations**, with approximately 15% currently registered and active. This systematic approach enables rapid deployment of new infrastructure while maintaining consistent branding that builds user trust. ## JSCeal's Multi-Stage Attack Chain ### Stage 1: MSI Installer Deployment The initial infection vector involves **malicious MSI installers** distributed through fake cryptocurrency application websites. These installers demonstrate unprecedented sophistication in their design and execution: **Installer Characteristics:** - **WIX Toolset creation**: Professional appearance enhancing user trust - **Valid digital signatures**: Most installers signed by legitimate Russian companies - **Interdependent architecture**: Requires parallel execution with fake website for functionality - **Local HTTP listener**: Establishes localhost communication on port 30303 The installers embed multiple custom DLL components that work in concert to establish persistence and facilitate the next stage of the attack chain. Most notably, the malware requires both the fake website and the installer to function simultaneously, creating a unique anti-analysis mechanism that frustrates traditional malware research methodologies. ### Stage 2: Profiling and Fingerprinting Once installed, JSCeal initiates an extensive victim profiling phase that collects comprehensive system intelligence: **Data Collection Categories:** - **System specifications**: BIOS details, hardware configuration, OS version - **Security posture**: UAC settings, antivirus software, proxy configuration - **Network environment**: IP geolocation, network topology, domain membership - **User behavior**: Installed software, browser data, email configuration - **Financial indicators**: Cryptocurrency wallets, trading platform installations This profiling data is compiled into detailed JSON reports and transmitted to command-and-control servers for analysis. The threat actors use this intelligence to determine whether victims warrant deployment of the final, most sophisticated payload. ### Stage 3: JSC Payload Deployment The campaign's most innovative aspect involves the deployment of **compiled JavaScript (JSC) files** through Node.js runtime environments. This technique represents a significant evolution in malware delivery and obfuscation: **JSC Payload Features:** - **V8 engine compilation**: JavaScript compiled to low-level bytecode - **Heavy obfuscation**: Multiple layers of code obfuscation and control flow manipulation - **Brotli compression**: Additional payload compression reducing detection signatures - **Dynamic module loading**: Runtime loading of specialized .node modules The final payload establishes a **man-in-the-browser trojan** capable of intercepting and manipulating web traffic in real-time, with particular focus on cryptocurrency exchanges and trading platforms. ## Cryptocurrency-Focused Attack Capabilities ### Real-Time Traffic Interception JSCeal's primary functionality centers on sophisticated cryptocurrency theft through browser manipulation and credential harvesting: **Attack Techniques:** - **Local proxy establishment**: Intercepts all web traffic through embedded certificates - **Script injection**: Malicious JavaScript injected into banking and crypto websites - **Credential harvesting**: Real-time capture of usernames, passwords, and 2FA codes - **Transaction manipulation**: Modification of cryptocurrency transfer details - **Wallet targeting**: Specific focus on popular crypto wallet applications ### Multi-Platform Cryptocurrency Targeting The malware specifically targets users of major cryptocurrency platforms and services: **Primary Targets:** - **Exchanges**: Binance, Bybit, OKX, KuCoin, Gate.io, HTX, Kraken - **Wallets**: MetaMask, Phantom, Solflare, Ledger, TrustWallet - **Trading Platforms**: TradingView, MetaTrader, 3commas, eToro - **DeFi Platforms**: DAO Maker, Akka Finance, DEX Screener - **Regional Platforms**: Asian exchanges including Upbit, Bitget, LBank This comprehensive targeting approach ensures maximum potential for cryptocurrency theft across diverse user portfolios and geographic regions. ## Evasion and Anti-Analysis Techniques ### Novel Detection Evasion Methods JSCeal's technical innovation extends to its anti-analysis capabilities, which have enabled the campaign to operate with remarkable stealth: **Evasion Mechanisms:** - **JSC compilation**: Source code hidden through V8 bytecode compilation - **Legitimate certificate abuse**: Valid code signing certificates from Russian companies - **Cloudflare infrastructure**: C2 communications through legitimate cloud services - **Node.js masquerading**: Malicious code disguised as legitimate Node.js applications - **Progressive deployment**: Conditional payload delivery based on victim value assessment ### Zero-Detection Achievement Perhaps most concerning is JSCeal's near-perfect evasion of traditional security measures. Check Point researchers observed that **hundreds of malware samples remained undetected on VirusTotal** despite repeated submissions, highlighting significant gaps in current detection methodologies for JSC-based threats. ## Global Impact and Victim Demographics ### Geographic Distribution Analysis The campaign's global reach extends far beyond initial European observations, with evidence suggesting systematic targeting of cryptocurrency users worldwide: **Regional Targeting Patterns:** - **Primary focus**: European Union and North American markets - **Secondary targeting**: Asian cryptocurrency markets (China, Thailand, Philippines) - **Emerging markets**: Latin American crypto exchanges and platforms - **Strategic omissions**: Selective geographic filtering to avoid certain jurisdictions ### Financial Impact Assessment While precise financial losses remain difficult to quantify, the campaign's scale and sophistication suggest substantial cryptocurrency theft potential: **Impact Indicators:** - **10+ million potential exposures** through Facebook advertising reach - **48+ legitimate brands impersonated** creating broad targeting surface - **March 2024-present operation** providing extended theft opportunities - **Real-time transaction manipulation** enabling immediate fund extraction ## Industry Response and Mitigation Strategies ### Detection and Prevention Challenges The JSCeal campaign highlights critical gaps in current cybersecurity detection capabilities, particularly regarding JSC-based malware and social media-distributed threats: **Detection Limitations:** - **JSC analysis tools**: Limited availability of compiled JavaScript analysis capabilities - **Social media monitoring**: Insufficient automated detection of malicious advertising campaigns - **Multi-stage attacks**: Traditional security tools struggle with interdependent attack components - **Legitimate infrastructure abuse**: Difficulty distinguishing malicious from legitimate cloud service usage JSCeal is a game-changer in cybercrime—weaponizing Facebook's ad platform to launch stealthy, large-scale attacks on crypto users, exposing over 10 million potential victims. Using compiled JavaScript and multi-stage malware, it evades detection with near-perfect stealth, setting a new bar for technical sophistication in cyberattacks. What makes JSCeal truly dangerous is the blend of social engineering and advanced malware, turning trusted platforms into global threat delivery systems. With 48 major crypto brands impersonated, the campaign highlights the urgent need for industry-wide collaboration, smarter defenses, and user education. JSCeal isn’t just a campaign—it’s a warning shot. As threat actors evolve, so must our tools, strategies, and policies to protect digital assets in an increasingly weaponized digital world.

loading..   30-Jul-2025
loading..   7 min read
loading..

Leakzone

Leakzone’s exposed access logs reveal 22 million web requests, exposing user IPs...

On July 18, cybersecurity firm UpGuard discovered an unauthenticated Elasticsearch database containing approximately 22 million web request records, primarily tied to the notorious cracking and leaking forum leakzone.net. The breach provides an unprecedented window into the real traffic patterns and user behaviours on a site associated with trading hacked credentials, illegal data dumps, and cybercrime toolkits. ## What Was Exposed? - **22 million web request records** (June 25, 2025 onward) - Each entry logged: - Target domain (95% were to leakzone.net) - User IP address (considered personal data under GDPR) - Metadata: ISP, geolocation, request size, proxy/VPN usage ### Attribution and Verification - Leakzone.net traffic dominated the logs (95% of entries) - Secondary site: accountbot.io (2.7%)—a known illicit account marketplace - Researchers registered a test account; their IP immediately appeared in the logs, confirming authenticity ## Anonymity Falls Apart: The Anatomy of Visitor Traffic ### Unique IPs: Not Just Human Users - **185,000 unique IP addresses**—far more than the forum’s 109,000 registered users - Explanation: Many visitors used proxies, VPNs, or dynamic cloud IPs to obscure their true identities ### Proxy and VPN Usage - **5% of requests and 2.1% of IPs** were flagged as using public proxies - Top “heavy use” IPs belonged to known VPN providers (e.g., Cogent Communications) - Heavily used VPN IPs suggest mass aggregation and less frequent rotation, making them more block-list susceptible ### Global Reach and the China Exception - Traffic originated globally but **notably excludes China**, likely due to users there tunneling via international proxies - Major cloud providers (Amazon, Microsoft, Google) hosted considerable traffic, with other addresses mapping to Lithuania, UAE, and similar VPN exit nodes ### Lighter Footprints: One-Time and Infrequent IPs - **39% of all IPs show up only once**—many are likely users not taking anonymization seriously, or bots/scrapers/hunters from cybersecurity firms ## Why This Leak Is So Significant - **IP addresses = de facto identity** for many online interactions—now exposed for tens of thousands of users - Even those using VPNs or public proxies are not immune; aggregation patterns can sometimes be traced and blocked - The dataset reveals the **limits of operational security**: sophisticated users cluster around VPNs, but lapses and varied behaviors create exposure points ## Implications for Threat Intelligence, Law Enforcement, and Privacy - The leak serves as a goldmine for tracking cybercrime/infosec threats, as it reveals behavioral patterns, possible botnets, and major network infrastructure used for illicit activity - For law enforcement, clustering and frequency analysis can unmask persistent actors, especially those using poorly rotated proxies - **Visiting leakzone.net is not a crime**, but this breach is a stark warning that digital anonymity is fragile and that even browsing habits can become public—sometimes with legal or reputational consequences

loading..   26-Jul-2025
loading..   3 min read