New Embargo group may be a rebranded version of ALPHV ransomware gang

Russian threat group GreedyBear is stealing crypto, Israel beat Iran in the brief war's cyber conflicts, M&S resumes click and collect orders, GPT-5 was a disaster and easy to hack, Hacker breached dealership portal and could hack customers' cars, Korea's Yes24 ransomwared again, much more

New Embargo group may be a rebranded version of ALPHV ransomware gang
TRM Labs graph visualizer showing connection between Embargo and ALPHV.

Researchers at TRM Labs report that a relatively new ransomware group known as Embargo, which may be a rebranded version of the ALPHV group, has become a key player in the cybercrime underground, moving over $34 million in crypto-linked ransom payments since April 2024.

Operating under a ransomware-as-a-service (RaaS) model, Embargo has hit critical infrastructure across the United States, with targets including hospitals and pharmaceutical networks.

Victims include American Associated Pharmacies, Georgia-based Memorial Hospital and Manor, and Weiser Memorial Hospital in Idaho. Ransom demands have reportedly reached up to $1.3 million.

TRM’s investigation suggests Embargo may be a rebranded version of the infamous BlackCat (ALPHV) operation, which disappeared following a suspected exit scam earlier this year. The two groups share technical overlap: both use the Rust programming language, operate similar data leak sites, and exhibit on-chain ties through shared wallet infrastructure.

Around $18.8 million of Embargo’s crypto proceeds remain dormant in unaffiliated wallets, a tactic experts believe may be designed to delay detection or exploit better laundering conditions in the future. (Amin Haqshanas / Cointelegraph)

Related: TRM Labs, Cryptonews, Security Affairs, The Record, Cryptopolitan

Researchers at Koi Security report that a malicious campaign by a Russian threat group they call GreedyBear has netted more than $1 million in stolen crypto using a trifecta of attack types through hundreds of browser extensions, websites, and malware.

Koi Security researcher Tuval Admoni said on Thursday that the malicious group, which the company dubbed “GreedyBear,” has “redefined industrial-scale crypto theft.”

“Most groups pick a lane — maybe they do browser extensions, or they focus on ransomware, or they run scam phishing sites — GreedyBear said, ‘Why not all three?’ And it worked. Spectacularly,” Admoni said.

The types of attacks undertaken by GreedyBear have been used before, but the report highlighted that cybercriminals are now deploying a range of complex scams to target crypto users, which Admoni said shows scammers have stopped “thinking small.”

The group has published over 150 malicious browser extensions to the Firefox browser marketplace, each designed to impersonate popular crypto wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet.

The malicious actors use an “Extension Hollowing” technique, first creating a legitimate extension to bypass the marketplaces’ checks, and later making it malicious.

Admoni explained that the malicious extensions directly capture wallet credentials from user input fields within fake wallet interfaces. (Martin Young / Cointelegraph)

Related: Koi Security, CryptoNews, It's Foss News, Hack Read, CCN, WebProNews, Decrypt

Report from one of the victims of GreedyBear. Source: Koi Security.

From the details that have seeped out after the Israel-Iran war in June, Israel’s cyber warriors appear to have landed the most telling blows, according to researchers from the Israeli cyber threat intelligence company ClearSky.

However, the cyber assaults from Iran have continued. For example, Iranian-aligned groups have attempted to use a vulnerability recently identified in a global breach of Microsoft server software to attack Israeli companies.

In addition, recent attacks ranged from a heist at an Iranian cryptocurrency exchange to a surge in spear-phishing messages targeting prominent Israelis, which cybersecurity company Check Point said have purported to be from diplomats and even the country’s prime minister’s office.

Moreover, some of the Iranian attacks are still lingering. “It heated up after the start of the war, and it’s still going on,” one Israeli official said of the texts. “I’m still getting them.” (James Shotter and Bita Ghaffari / Financial Times)

Related: Foreign Affairs, The American Conservative, The Times of Israel

British retailer Marks & Spencer resumed taking click and collect orders for clothing after a nearly four-month hiatus following a cyber hack and data theft that impacted its earnings during the period, sending its shares higher.

The 141-year-old M&S stopped taking orders through its website and app for clothing and home deliveries and collection from stores on April 25, three days after disclosing it was managing a "cyber incident."

It gradually resumed taking online orders for delivery from June 10, but click and collect services, which allow customers to order items online and pick up in stores, had remained suspended.

M&S said that "Click & Collect is back." In an Instagram post, John Lyttle, M&S's managing director for fashion, home and beauty, said the retailer's full online delivery offers were restored across fashion, homeware and beauty products, including the returns of online orders to any M&S store. (James Davey / Reuters)

Related: BBC, ITPro, The Independent, BelfastTelegraph.co.uk, The Sun, The Times, Tech Digest, Insurance Journal, RTE, Techradar

After a disastrous 72 hours that saw its most loyal users in open revolt, OpenAI is making a major U-turn with CEO Sam Altman announcing that the company is bringing back its beloved older AI models, including GPT-4o, and dramatically increasing usage limits for paying subscribers, a clear peace offering to a furious customer base.

The move comes just days after the botched rollout of GPT-5, the company’s latest and most powerful model. The launch, which should have been a triumph, instead sparked a firestorm.

Among OpenAI’s missteps was removing the menu that let users choose between older, trusted models like GPT-4o, which was launched in March 2023, a change that felt like a betrayal to paying subscribers who had built their workflows around those older models.

On the cybersecurity front, two different teams of researchers probed GPT-5’s weaknesses using, among other things, multi-step “narrative” attacks, and it fell to the attackers within 24 hours, faster than its predecessor, 4o, and the competing Grok-4, which held out for two days.

One group, the NeuralTrust team, used a combination of its own EchoChamber attack and basic storytelling to jailbreak the system, forcing GPT-5 to publish a step-by-step guide to creating a Molotov cocktail. This is another confirmation of the problems with AI defense mechanisms when it comes to context manipulation.

Another group, the SPLX red team, confirmed that obfuscation attacks against AI models still work and are quite effective. In this case, they used the StringJoin method, where they inserted hyphens between each character, and the query was presented as a “decryption task." (Luc Olinda / Gizmodo and Kevin Townsend / Security Week)

Related: BleepingComputer, Business Today, The Hans India, Business Standard, Benzinga, Digit, Livemint, The Indian Express, BMI, Analytics India Magazine, Digital Trends, Business Insider, Moneycontrol, Inc, The Algorithmic Bridge, Windows Central, TechRadar, Engadget, Neowin, PCMag, Financial Express, The Decoder, OneUsefulThing

Ahead of his talk at DEF CON, Eaton Zveare, a security researcher at software delivery company Harness, said flaws in a carmaker’s online dealership portal exposed the private information and vehicle data of its customers, and could have allowed hackers to break into any of its customers’ vehicles remotely.

He said the flaws he discovered allowed the creation of an admin account that granted “unfettered access” to the unnamed carmaker’s centralized web portal.

With this access, a malicious hacker could have viewed the personal and financial data of the carmaker’s customers, tracked vehicles, and enrolled customers in features that allow owners, or the hackers, to control some of their cars' functions from anywhere.

Zveare said he doesn’t plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands. 

The flaws were problematic because the code that enforced the login checks loaded in the user’s browser when the portal’s login page opened, allowing the user, in this case Zveare, to modify that code and bypass the checks. Zveare said the carmaker found no evidence of past exploitation, suggesting he was the first to find the flaws and report them to the carmaker.

When logged in, the account granted access to more than 1,000 of the carmaker’s dealers across the United States. (Zack Whittaker / TechCrunch)

Related: Benzinga, DEF CON, WebProNews

Eaton Zveare's successful creation of a car dealership's admin account. Source: Eaton Zveare.

Yes24, Korea’s largest online bookseller and a major ticketing platform, experienced another cyberattack early Monday, causing its website and app to go offline just two months after a major ransomware attack.

Service was restored by the afternoon.

A Yes24 official confirmed that the early-morning ransomware attack disabled user access.

"We sincerely apologize for the inconvenience caused by the external ransomware attack that occurred around 4:40 a.m.," the official said.

"We have been working to restore the service, and as of 11:30 a.m., all services are fully accessible and functioning normally." (Hwang Dong-hee / The Korea Herald)

Related: Chosun Biz, Maeil Business Newspaper, Korea JoongAng Daily

The Defense Advanced Research Projects Agency’s AI Cyber Challenge, designed to spur the development of cyber-reasoning systems that use large language models to autonomously find and patch vulnerabilities in open-source software, concluded with $8.5 million awarded to three teams of security specialists at DEF CON.

Team Atlanta took the first-place prize of $4 million, Trail of Bits won second place and $3 million in prize money, and Theori ranked third, taking home $1.5 million. The competition’s organizers allocated an additional $1.4 million in prize money for participants who can demonstrate that their technology has been deployed into critical infrastructure.

Representatives from the three winning teams said they plan to reinvest the majority of the prize money back into research and further development of their cyber-reasoning systems or explore ways to commercialize the technology. (Matt Kapko / CyberScoop)

Related: DARPA, Infosecurity Magazine, NextGov/FCW, The Record

US Department of Health and Human Services Deputy Secretary Jim O’Neill and DARPA Director Stephen Winchell congratulate AIxCC team Atlanta. Source: DARPA | Matt Dombro

In an analysis published in the latest issue of Phrack magazine, handed out at the DEF CON conference in Las Vegas, two hackers identified only as Saber and cyb0rg said they compromised and stole data from a nation-state operator who appears to work for China and possibly North Korea, and whom they link to the group known as Kimsuky.

The hackers claimed to have stolen data both from a virtual workstation and a virtual private server (VPS) used by the APT operator. The authors dubbed the APT actor "KIM," arguing that the evidence points to the operator being part of the North Korean-sponsored group Kimsuky.

The article, part of the magazine's 40th anniversary edition, is accompanied by two data dumps online. Links to additional download sites will be published on Phrack's site next week, the editors said.

The first data dump consists of logs from the virtual private server used in attacks targeting the South Korean government and the Defense Counterintelligence Command, while the second includes attack tools, internal documentation, and credentials from the workstation.

The hackers behind the analysis claimed they had compromised a virtual Linux workstation hosted on Windows, including nearly 20,000 entries in the actor's Chrome and Brave browser histories, a manual of how to operate a backdoor, passwords and email addresses, and credentials for different tools.

They also claimed to have files from the threat operator's virtual private server, including attack data and logs from various phishing campaigns such as the ones on South Korea's Defense Counterintelligence Command and the Supreme Prosecutor Office. (Robert Lemos / Dark Reading)

Related: Chosun Biz, Cyber Security News

Page from the hackers' analysis of compromised data. Source: Phrack #72 as reported by Dark Reading.

At DEF CON, Kenny Miltenberger and Nick Fredericksen, lieutenant commanders for two Coast Guard cyber protection teams, said the service has conducted 11 cybersecurity missions in recent years at US ports, discovering unauthorized communications equipment in Chinese-made cranes, a major finding last Congress that set off alarm bells on the Hill.

Over the course of those missions, the Coast Guard discovered cellular modems embedded in cranes and supporting infrastructure made by Shanghai Zhenhua Heavy Industries that US port operators weren’t even aware of, Miltenberger told POLITICO in an interview ahead of his speech.

“These weren't necessarily planted maliciously, but they were completely unknown to the crane owner, which makes them a big risk,” Miltenberger said. (John Sakellariadis / Politico Pro)

A group of computer scientists from the University of Birmingham in the UK found that 80 online game cheat websites are likely making between $12.8 million and $73.2 million annually, or around $1.1 million to $6.1 million per month.

Across the North American and European cheat-selling websites they analyzed, the researchers estimate that around 30,000 to 174,000 people may be buying cheats per month. The estimates, which were first published last year, are likely an undercount of the size of the whole cheat ecosystem, the researchers say, as they don’t include cheats purchased from forums, websites in Asia, or the number of people using free cheats. (Matt Burgess / Wired)

The University of Western Australia (UWA) confirmed it was investigating a cybersecurity incident that involved unauthorized access to password information.

After detecting the breach, UWA locked staff and students out of the system and urged people to change their passwords.

UWA chief information officer Fiona Bishop said a critical incident management team was activated to begin "countermeasures".

"Our IT and many teams worked tirelessly overnight on Saturday and through the weekend to lock and reset all student, staff, and visitor passwords," she told ABC Radio Perth. (Mya Kordic / ABC.net.au)

Related: News.com, 9News, The West Australian, iTnews - Security, The420 CyberNews

Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET discovered that a recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.

RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) is a Russian hacking group linked to ransomware and data-theft extortion attacks, along with campaigns focused on stealing credentials.

The flaw, fixed in WinRAR 7.13, is a directory traversal vulnerability that allows a specially crafted archive to extract files into a file path chosen by the attacker.

Using this vulnerability, attackers can craft archives that extract executables into autorun locations such as the Windows Startup folder, so that the executable runs the next time the user logs in, giving the attacker remote code execution. (Lawrence Abrams / Bleeping Computer)
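The defect class behind CVE-2025-8088 is an extractor that trusts the path stored inside an archive. As an added example (not ESET's, WinRAR's or Bleeping Computer's code), the scanner below inspects entry names before anything is written and flags the three shapes a traversal attack takes: parent-directory components, absolute or drive-letter paths, and paths aimed at the Windows Startup folder the article describes. It works on a ZIP built in memory (a constructed sample) because Python's standard library has no RAR reader; entry names in a RAR archive would be checked by the same `classify_entry` function, whose name and rules are this example's own.

```python
"""Flag archive entries that would land outside the extraction directory.

Added example, not code from WinRAR, ESET or the article. The ZIP sample is
constructed here; the name checks apply equally to RAR entry names.
"""
import io
import re
import zipfile

# Path fragment of the per-user Windows Startup folder named in the article
# (matched case-insensitively after separator normalisation).
STARTUP_FRAGMENT = "start menu/programs/startup"


def normalize(name: str) -> str:
    """Fold backslashes to '/' so one rule set covers both separator styles."""
    return name.replace("\\", "/")


def classify_entry(name: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok' or 'unsafe'.

    Any '..' component is rejected outright rather than resolved: a benign
    archive has no reason to contain one, and resolving it is where
    extractors historically go wrong.
    """
    path = normalize(name)
    if re.match(r"^[A-Za-z]:", path) or path.startswith("/"):
        return ("unsafe", "absolute path")
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if ".." in parts:
        return ("unsafe", "parent-directory traversal")
    if STARTUP_FRAGMENT in path.lower():
        return ("unsafe", "targets Windows Startup folder")
    return ("ok", "")


def scan_zip(data: bytes) -> list[tuple[str, str, str]]:
    """List (entry, verdict, reason) for every member of an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(n, *classify_entry(n)) for n in zf.namelist()]


def unsafe_entries(data: bytes) -> list[str]:
    """Names of the entries that must not be extracted as stored."""
    return [n for n, verdict, _ in scan_zip(data) if verdict == "unsafe"]


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus three traversal-style entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "benign content")
        zf.writestr(
            "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
            "placeholder",
        )
        zf.writestr("../../../etc/cron.d/job", "placeholder")
        zf.writestr("C:\\Users\\Public\\dropper.exe", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, verdict, reason in scan_zip(build_sample_archive()):
        print(f"{verdict:6s} {entry}  {reason}")
```

The check is deliberately stricter than a resolver would be: `a/../b` is harmless once resolved, but rejecting every `..` costs nothing for legitimate archives and removes the resolution logic that this bug class lives in. Run it as a pre-extraction gate on untrusted archives, or as a mail-gateway rule that quarantines attachments with any `unsafe` entry.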

Related: Help Net Security, Hack Read, Security Affairs, Tom's Hardware, r/hacking, Security Week

Google has confirmed that a recently disclosed data breach of one of its Salesforce CRM instances by the ShinyHunters group involved the information of potential Google Ads customers.

"We're writing to let you know about an event that affected a limited set of data in one of Google's corporate Salesforce instances used to communicate with prospective Ads customers," reads a data breach notification sent to affected customers.

"Our records indicate basic business contact information and related notes were impacted by this event."

Google says the exposed information includes business names, phone numbers, and "related notes" for a Google sales agent to contact them again.

The company says that payment information was not exposed and that there is no impact on Ads data in Google Ads Account, Merchant Center, Google Analytics, and other Ads products. (Lawrence Abrams / Bleeping Computer)

Related: Forbes

Excerpt from the message Google sent regarding ShinyHunters breach of Google Ad customers. Source: Cynthia Brumfield

Security researchers at Malwarebytes report that dozens of porn sites are turning to a familiar means of generating likes on Facebook, malware that causes visitors' browsers to surreptitiously endorse the sites, but this time using a newer vehicle for spreading that malware: .svg image files.

The company said it recently discovered that porn sites have been seeding booby-trapped .svg files to select visitors. When one of these visitors clicks on the image, it causes the browser to surreptitiously register a like for Facebook posts promoting the site.

Unpacking the attack took work because much of the JavaScript in the .svg images was heavily obscured using a custom version of “JSFuck,” a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text.

Once decoded, the script causes the browser to download a chain of additional obfuscated JavaScript. The final payload, a known malicious script called Trojan.JS.Likejack, induces the browser to like a specified Facebook post as long as a user has their account open. (Dan Goodin / Ars Technica)
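An SVG that a site serves as an image has no legitimate need for a `<script>` element or an `on*` event handler, and JSFuck spells an entire program from a tiny alphabet, so both facts make cheap triage signals. As an added example (not Malwarebytes' code, and not a file from the campaign), the scanner below parses an SVG, collects script bodies and event-handler attributes, and scores each one by the share of characters drawn from the classic JSFuck alphabet. The threshold, the alphabet, and the three sample SVGs are this example's own assumptions; the article says the campaign used a custom JSFuck variant, so the alphabet is a tuning knob rather than a fixed signature.

```python
"""Triage SVG files for embedded script and JSFuck-style obfuscation.

Added example, not Malwarebytes' code. Samples are constructed; the alphabet
and threshold are assumptions to tune against real detections.
"""
import xml.etree.ElementTree as ET

# Classic JSFuck alphabet. The campaign used a custom variant, so widen this
# set if real samples spell their program with additional characters.
JSFUCK_ALPHABET = frozenset("[]()!+")
# Fraction of alphabet characters above which a script counts as JSFuck-like
# (a threshold chosen for this example, not a published figure).
JSFUCK_THRESHOLD = 0.9


def jsfuck_ratio(script: str) -> float:
    """Share of non-whitespace characters drawn from the JSFuck alphabet."""
    body = "".join(script.split())
    if not body:
        return 0.0
    return sum(ch in JSFUCK_ALPHABET for ch in body) / len(body)


def scripts_in_svg(svg_text: str) -> list[str]:
    """Collect every <script> body and every on* event-handler attribute."""
    root = ET.fromstring(svg_text)
    found = []
    for el in root.iter():
        # Strip the namespace prefix so namespaced and bare tags match alike.
        if el.tag.split("}")[-1] == "script" and el.text and el.text.strip():
            found.append(el.text)
        for attr, value in el.attrib.items():
            if attr.split("}")[-1].lower().startswith("on"):
                found.append(value)
    return found


def assess_svg(svg_text: str) -> dict:
    """Return script count, highest JSFuck ratio seen, and a triage verdict."""
    try:
        scripts = scripts_in_svg(svg_text)
    except ET.ParseError:
        # Malformed XML still deserves a look: browsers are more forgiving
        # than this parser, so route it to manual review rather than ignoring it.
        return {"script_count": 0, "max_jsfuck_ratio": 0.0, "verdict": "unparseable"}
    ratios = [jsfuck_ratio(s) for s in scripts]
    if any(r >= JSFUCK_THRESHOLD for r in ratios):
        verdict = "jsfuck-like"
    elif scripts:
        verdict = "scripted"
    else:
        verdict = "clean"
    return {
        "script_count": len(scripts),
        "max_jsfuck_ratio": max(ratios, default=0.0),
        "verdict": verdict,
    }


# Constructed samples (not files from the campaign).
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="document.title = \'hi\'">'
    '<rect width="4" height="4"/></svg>'
)
JSFUCK_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><script>'
    "+[]+(![]+[])[+[]]+(!![]+[])[+!+[]]"
    "</script></svg>"
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG), ("jsfuck", JSFUCK_SVG)):
        print(label, assess_svg(sample))
```

The `scripted` verdict is the more robust of the two signals: a custom JSFuck variant can defeat the character-ratio heuristic, but it cannot remove the `<script>` element or handler attribute that carries it, and a content pipeline that strips or rejects scripted SVGs (or serves user-supplied SVGs only as `<img>` sources, where scripts do not execute) neutralises the payload regardless of how it is encoded.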

Related: Malwarebytes, Tech Spot

Porn site posts that contain malware to endorse the site. Source: Malwarebytes.

Mark Thompson and his wife Tara say they have been “forced” into making the heartbreaking decision to remove their embryos from storage after their medical information was leaked by one of Australia’s leading IVF clinics.

Dozens of patients have filed a class action lawsuit against Genea after a major data breach earlier this year, which resulted in sensitive and personal information being published on the dark web.

Genea refuses to say how many patients were hit by the February leak, with patients still being notified this week that their data was published.

The couple has told Genea they want to remove their embryos from storage due to further privacy fears, robbing them of their hopes of expanding their family. (Sarah Keoghan / News.com)

Related: The Sydney Morning Herald

St. Paul, Minnesota, Mayor Melvin Carter said the city will start restoring systems soon after 3,500 employees get their devices checked and passwords reset over the next three days in what the city is calling "Operation Secure Saint Paul."

City leaders say they eradicated the threat and are on the road to recovery after a cyberattack late last month prompted officials to shut down systems to minimize damage. 

Carter said the individuals who launched the attack demanded a ransom, which the city did not pay. That detail had not previously been disclosed since the mayor's office first alerted the public of the attack at the end of last month. (Caroline Cummings / WCCO News)

Related: Pioneer Press, Star Tribune, KSTP, Kare11, BizJournals

Best Thing of the Day: Take That, You Spying Car Company

Someone at Techno-Fandom, a loose collective of folks who enjoy doing technical production (lighting, sound, video, etc.) at science fiction conventions, managed to disconnect their car from Hyundai's data network and avoid having the vehicle tracked or actively interfered with outside of their control.

Worst Thing of the Day: Extinction for Entry-Level Coders

Among college graduates ages 22 to 27, computer science and computer engineering majors are facing some of the highest unemployment rates, 6.1 percent and 7.5 percent, respectively, more than double the unemployment rate among recent biology and art history graduates, which is just 3 percent.

Closing Thought
