An anonymous reader shares a report: Over the years, Intel has established itself as a paragon of the open source community, but that could soon change under the x86 giant's new leadership. Speaking to press and analysts at Intel's Tech Tour in Arizona last week, Kevork Kechichian, who now leads Intel's datacenter biz, believes it's time to rethink what Chipzilla contributes to the open source community. "We have probably the largest footprint on open source out there from an infrastructure standpoint," he said during his opening keynote. "We need to find a balance where we use that as an advantage to Intel and not let everyone else take it and run with it." In other words, the company needs to ensure that its competitors don't benefit more from Intel's open source contributions than it does. Speaking with El Reg during a press event in Arizona last week, Kechichian emphasized that the company has no intention of abandoning the open source community. "Our intention is never to leave open source," he said. "There are lots of people benefiting from the huge investment that Intel put in there." "We're just going to figure out how we can get more out of that [Intel's open source contributions] versus everyone else using our investments," he added.

Read more of this story at Slashdot.

Intel today announced its Panther Lake laptop processors, consolidating the confusing split between Lunar Lake and Arrow Lake chips that define its current generation. The new processors use a unified architecture across all models instead of mixing different technologies at different price points. Panther Lake comes in three configurations. An 8-core model targets mainstream ultrabooks. A 16-core version adds PCI Express lanes for gaming laptops and workstations with discrete GPUs. A third 16-core variant with 12 Xe3 graphics cores aims at high-end thin-and-light laptops without dedicated graphics cards. All three chips use the same Cougar Cove P-cores, Darkmont E-cores, and Xe3 GPU architecture. They share an NPU capable of 50 trillion operations per second and identical media encoding capabilities. The main differences are core counts and I/O options rather than fundamental architectural variations. The approach contrasts with Intel's current Core Ultra 200 series. Lunar Lake chips integrated RAM on-package and used the latest Battlemage GPU architecture but were mostly used in high-end thin laptops. Arrow Lake processors offered more flexibility but paired newer CPU cores with older graphics and an NPU that did not meet Microsoft Copilot+ requirements. Intel claims Panther Lake delivers up to 10% better single-threaded performance than Lunar Lake and up to 50% faster multi-threaded performance than both previous generations. The GPU is roughly 50% quicker. Power consumption drops 10% compared to Lunar Lake and 40% versus Arrow Lake. The chips use Intel's 18A manufacturing process for the compute tile. TSMC fabricates the platform controller tile. Intel said systems with Panther Lake processors should ship by the end of 2025.

Read more of this story at Slashdot.

"Your AMD chips may have Intel Inside soon," writes longtime Slashdot reader DesScorp. "Discussions are underway between the two companies to move an undisclosed amount of AMD's chip business to Intel foundries. (AMD currently does their production through TSMC.) The talks come hot on the heels of a flurry of other Intel investments." Tom's Hardware reports: In the past several weeks, Intel has seen a flurry of activity and investments. The United States announced a 9.9% ownership stake in Intel, while Softbank bought $2 billion worth of shares. Alongside Nvidia, Intel announced new x86 chips using Nvidia graphics technology, with the graphics giant also purchasing $5 billion in Intel shares. There have also been reports that Intel and Apple have been exploring ways to work together. The article notes that there is a trade/political dimension to an AMD-Intel deal as well: It makes sense for Intel's former rivals -- especially American companies -- to consider coming to the table. The White House is pushing for 50% of chips bound for America to be built domestically, and tariffs on chips aren't off the table. Additionally, doing business with Intel could make the US government, Intel's largest shareholder, happy, which can be good for business. AMD faced export restrictions on its GPUs earlier this year as the US attempted to throttle China's AI business.

Read more of this story at Slashdot.

The attack uses a passive interposer to control the SGX enclave and extract the DCAP attestation key, breaking the mechanism.

The post WireTap Attack Breaks Intel SGX Security appeared first on SecurityWeek.

Intel and AMD say the research is not in scope of their threat model because the attack requires physical access to a device.

The post Battering RAM Attack Breaks Intel and AMD Security Tech With $50 Device appeared first on SecurityWeek.

Intel has approached Apple about a possible investment and closer collaboration, following recent multibillion-dollar deals with Nvidia, the U.S. government, and SoftBank to stabilize the struggling chipmaker. Reuters reports: The iPhone maker and Intel have also discussed how to work more closely together, the report said, adding that the talks are at an early stage and may not lead to an agreement. Shares of Intel closed 6% higher after the news. [...] Striking lucrative partnerships and persuading outside clients to use Intel's factories remain key to its future. Intel has also reached out to other companies about possible investments and partnerships, according to the Bloomberg News report. The reported investment from Apple would come as another vote of confidence for Intel - Apple had been a longtime customer of Intel before it transitioned to using its own custom-designed silicon chips in 2020. For Apple, which relies heavily on Intel's rival TSMC to manufacture its chips, the new partnership would allow it to diversify its chipmaking supplier base - a move that would be valuable if geopolitical risks in Taiwan worsen due to China's role in the region. It would also help Apple improve its relationship with U.S. President Donald Trump, by showing that it is investing in the United States - while much of Apple's supply chain remains international, the company has committed about $600 billion to domestic initiatives over the next four years.

Read more of this story at Slashdot.

If you're wondering what effect Intel's blockbuster deal with Nvidia will have on its existing product roadmaps, Intel has one message for you: it won't. PCWorld: "We're not discussing specific roadmaps at this time, but the collaboration is complementary to Intel's roadmap and Intel will continue to have GPU product offerings," an Intel spokesman told my colleague, Brad Chacos, earlier today. I heard similar messaging from other Intel representatives. Nvidia's $5 billion investment in Intel, as well as Nvidia's plans to supply RTX graphics chiplets to Intel for use in Intel's CPUs, have two major potential effects: first, it could rewrite Intel's mobile roadmap for laptop chips, because of the additional capabilities provided by those RTX chiplets. Second, the move threatens Intel's ongoing development of its Arc graphics cores, including standalone discrete GPUs as well as integrated chips. We're still not convinced that Arc's future will be left unscathed, in part because Intel's claim that it will "continue" to have GPU product offerings sounds a bit wishy-washy. But Intel sounds much more definitive on the former point, in that the mobile roadmap that you're familiar with will remain in place.

Read more of this story at Slashdot.

Nvidia has agreed to invest $5 billion in its struggling rival Intel [non-paywalled source] as part of a deal to develop new chips for PCs and data centres, the latest reordering of the tech industry spurred by AI. From a report: The deal comes a month after the US government agreed to take a 10 per cent stake in Intel, as Donald Trump's administration looks to secure the future of American chip manufacturing. However, the pair's announcement makes no reference to Nvidia using Intel's foundry to produce its chips. Intel, which has struggled to gain a foothold in the booming AI server market, lost its crown as the world's most valuable chipmaker to Nvidia in 2020. On Thursday Jensen Huang, Nvidia's chief executive, hailed a "historic collaboration" and "a fusion of two world-class platforms," combining its graphics processing units, which dominate the market for AI infrastructure, with Intel's general-purpose chips. Further reading: Intel Weighed $20 Billion Nvidia Takeover in 2005.

Read more of this story at Slashdot.

Intel's long-time Xeon chief architect Ronak Singhal is leaving the company after nearly 30 years, marking yet another high-profile departure amid Intel's leadership churn and intensifying competition from AMD and Arm-based cloud CPUs. The Register reports: The Carnegie Mellon alum holds degrees in electrical and computer engineering, along with at least 30 patents involving CPUs. Singhal joined Intel in 1997 after spending the previous summer as an intern at Cyrix. After a year in Intel's Rotation Engineers Program, he spent the remainder of his tenure helping to develop some of the chipmaker's most consequential and, at times, controversial processors. Most notably, Singhal oversaw the core development of Intel's 22nm Haswell and 14nm Broadwell processor architectures. His innovations aren't limited to the datacenter either, with his architectural contributions playing a significant role in the success of Intel's Core and Atom processor families as well. [...] Singhal is only the latest Xeon lead to jump ship since the start of the year. In January, Sailesh Kottapalli, another senior fellow, left for Qualcomm barely a month after former CEO Pat Gelsinger's unceremonious "retirement." Even before Gelsinger's eviction, Intel's datacenter group has been something of a revolving door. Last summer Singhal's long-time colleague Lisa Spelman departed the company, eventually landing a spot as CEO of HPC interconnect vendor Cornelis Networks. Her replacement, Ryan Tabrah, lasted seven months in the role, about half as long as Intel datacenter boss Justin Hotard, who defected for the forests of Finland to lead Nokia as its new President and CEO back in April. In fact, the churn now extends all the way to the top. On Monday, Intel announced its CEO of Products, Michelle Johnston Holthaus, would be leaving the business. The move is part of a broader executive shakeup that will see former Arm engineer Kevork Kechichian take over as head of Intel's datacenter engineering group. Jim Johnson, meanwhile, will take over as head of the chipmaker's client computing group while Srinivasan (Srini) Iyengar will head up a new central engineering division.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Tom's Hardware: Intel has removed its chief executive officer of products, Michelle Johnston Holthaus, as part of a major shake-up of the executive branch of the embattled chip firm, according to Reuters. This is part of new CEO Lip-Bu Tan's plan to reshape the company under his leadership, flattening the leadership structure so he makes more of the important decisions about day-to-day operation. [...] Holthaus is the latest high-profile figure at Intel to get the axe, ending a 30-year career at Intel, but a mere 10 months in her CEO of products role, and a temporary position as co-CEO after the previous CEO, Pat Gelsinger, suddenly left in 2024. "Throughout her incredible career, Michelle has transformed major businesses, built high-performing teams and worked to delight our customers," Tan said in a statement. "She has made a lasting impact on our company and inspired so many of us with her leadership. We are grateful for all Michelle has given Intel and wish her the best." Intel has said Holthaus will remain with the company in an advisory role, but her position will not be filled by anyone else. What Intel is doing, though, is bringing in executives from elsewhere, including one who worked at Tan's previous endeavour, Cadence. Srinivasan Iyengar joined the company in June and will take on the role of head of a new central engineering division. This group will focus on developing a new custom silicon business for external customers. Although Intel's fabrication business has been one of its worst-performing in recent years, and there are still talks of it selling large portions of it, it's found a new lease of life following U.S. government investment and Bu Tan's leadership. With Iyengar's new role, though, it's possible we'll see Intel designing chips for customers, rather than merely producing them. That could see it compete against the likes of Broadcom and Marvell. With Tan pushing for a faster, leaner business overall, Iyengar will report directly to him in his new role. Intel also announced that it had acquired the services of former executive vice president of solutions engineering at Arm, Kevork Kechichian. He'll begin heading Intel's datacenter group, and brings years of experience at ARM, NXP Semiconductor, and Qualcomm.

Read more of this story at Slashdot.

ISSUE 22.36 • 2025-09-08 PUBLIC DEFENDER By Brian Livingston The Intel Corporation, long the world’s largest manufacturer of processors for personal computers, fried investors’ money with a catastrophic loss of $20 billion in the 12 months ending June 2025. Intel’s manufacturing (foundry) division alone lost $8 billion in the same period. Meanwhile, CPUs by Advanced […]

Intel shelled out $16.5 billion on R&D in 2024, outspending Nvidia by 28% and AMD by 156%, with much of the cash going into chip design, fabrication tech, and the upcoming Nova Lake architecture. "When you compare the R&D expenditures to the amount of revenue, though, the story takes on a very different look," notes PC Gamer. "Intel spent 31% of its net revenue, and 26% for AMD, but Nvidia and Samsung got by on just 10% and 4%, respectively." From the report: An analysis of research and development expenditure by TechInsights was reported by Korea JoongAng Daily, but you can get the numbers yourself by pulling up each company's 2024 financial results. For example, AMD declared that it spent $6.456 billion last year (pdf, page 1) on R&D, whereas Nvidia forked out $12.914 billion. It's worth noting that Nvidia's financial statements are numbered one year ahead of the actual period (FY 2026 is 2025 and so on). Anyway, those figures pale in comparison to how much cash Intel burned through in 2024 to research and develop chip, fabrication technologies, software, and all kinds of tech stuffâ"a staggering $16.546 billion (pdf, page 25). That's 28% more than Nvidia and a frankly unbelievable 156% more than AMD. The nearest non-US semiconductor firm is Samsung Electronics, which spent a reported $9.5 billion on R&D. That would place third, comfortably ahead of AMD, and it strongly suggests that if you have your own foundries for making chips, you need to spend a lot of cash on finding ways to make better processors.

Read more of this story at Slashdot.

Intel amended its deal with the U.S. Department of Commerce "to remove earlier project milestones," reports Reuters, "and received about $5.7 billion in cash sooner than planned." "The move will give Intel more flexibility over the funds." The amended agreement, which revises a November 2024 funding deal, retains some guardrails that prevent the chipmaker from using the funds for dividends and buybacks, doing certain control-changing deals and from expanding in certain countries. The move makes the Wall Street Journal wonder what, beyond equity, the U.S. now gets in return, calling government's position "a stake without a strategy." The U.S. has historically shied away from putting money into private business. It can't really outguess the market on where the most promising returns lie. Yet there are exceptions. Sometimes a company or industry risks failing without public support, and that failure would hurt the whole country, not just its shareholders and employees. Intel meets both conditions. It isn't failing, but it is losing money, its core business is in decline, and it lacks the capital and customers needed to make the most advanced semiconductors. If Intel were to fail, it would take a sizable chunk of the semiconductor industrial base with it. At a time of existential competition with China, that is a national emergency... [U.S. Commerce Secretary Howard Lutnick] said as a shareholder, the U.S. would help Intel "to create the most advanced chips in the world." And yet the deal doesn't provide Intel with new resources to accomplish that. Rather, to get the remaining $9 billion, Intel had to give the U.S. equity. This is more like a tax than an investment: Shareholders gave up a 10th of their ownership in return for money the company was supposed to get anyway... Some of the administration's forays into private business do reflect strategic thinking, such as the Pentagon's 15% stake in MP Materials in exchange for investment and contracts that help make the company a viable alternative to China as a supplier of rare-earth magnets for products such as automobiles, wind turbines, jet fighters and missile systems. But more often, companies recoil from government ownership... Though the U.S. stake dilutes Intel's existing shareholders, its stock has held up. There could be several reasons. It eliminates uncertainty over whether the remaining $9 billion in federal funds will be forthcoming... [B]ecause Washington has a vested interest in Intel's share price, investors believe it may prod companies such as Nvidia and Apple to buy more of its chips. But that only goes so far, the article seems to conclude, offering this quote from an analyst Bernstein investment research. "If Intel can prove they can make these leading-edge products in high volume that meets specifications at a good cost structure, they'll have customers lined up around the block. If they can't prove they can do it, what customer will put meaningful volume to them regardless of what pressure the U.S. government brings to bear?" CBS News also notes the U.S. government stake "is being criticized by conservatives and some economic policy experts alike, who worry such extensive government intervention undermines free enterprise." Thanks to Slashdot reader joshuark for sharing the news.

Read more of this story at Slashdot.

Intel said Monday that converting $8.87 billion in federal chip subsidies into a 10% equity stake creates unprecedented complications and potential "adverse reactions" for a company deriving 76% of revenue internationally. The arrangement transforms Biden-era CHIPS Act grants into share purchases at $20.74 -- a discount to Friday's $24.80 close -- with the Department of Commerce receiving up to 433 million shares by Tuesday's expected closing. Foreign governments may impose additional regulations on Intel due to US government ownership, the company warned in securities filings, while the precedent could discourage other nations from offering grants if they expect similar equity conversions. China alone represents 29% of Intel's revenue. The deal also restricts Intel's strategic flexibility, requiring government votes align with board recommendations except on matters affecting federal interests.

Read more of this story at Slashdot.

The U.S. government's 10% stake in Intel "is a mistake," writes the Washington Post's editorial board, calling Intel "an aging also-ran in critical markets" that "has spent recent years stumbling on execution and missing one strategic opportunity after another." But TechCrunch points out that the U.S. government "does not appear to be committing new funds. Instead, it's simply making good on what Intel described as 'grants previously awarded, but not yet paid, to Intel.'" Specifically, the $8.9 billion is supposed to come from $5.7 billion awarded-but-not-paid to Intel under the Biden administration's CHIPS Act, as well as $3.2 billion also awarded by the Biden administration through the Secure Enclave program. In a post on his social network Truth Social, Trump wrote, "The United States paid nothing for these shares..." Trump has been critical of the CHIPS Act, calling it a "horrible, horrible thing" and calling on House Speaker Mike Johnson to "get rid" of it... According to The New York Times, some bankers and lawyers believe the CHIPS Act may not allow the government to convert its grants to equity, opening this deal to potential legal challenges. Reuters writes that the money "will not be enough for its contract-chipmaking business to flourish, analysts said. Intel still needs external customers for its cutting-edge 14A manufacturing process to go to production, says Summit Insights analyst Kinngai Chan, "to make its foundry arm economically viable." "We don't think any government investment will change the fate of its foundry arm if they cannot secure enough customers..." Reuters has reported that Intel's current 18A process — less advanced than 14A — is facing problems with yield, the measure of how many chips printed are good enough to make available to customers. Large chip factories including TSMC swallow the cost of poor yields during the first iterations of the process when working with customers like Apple. For Intel, which reported net losses for six straight quarters, that's hard to do and still turn a profit. "If the yield is bad then new customers won't use Intel Foundry, so it really won't fix the technical aspect of the company," said Ryuta Makino, analyst at Gabelli Funds, which holds Intel stock. Makino, who believes that Intel can ultimately produce chips at optimal yields, views the deal as a net negative for Intel compared with just receiving the funding under the CHIPS Act as originally promised under the Biden Administration. "This isn't free money," he said. The federal government will not take a seat on Intel's board and has agreed to vote with the company's board on matters that need shareholder approval, Intel said. But this voting agreement comes with "limited exceptions" and the government is getting Intel's shares at a 17.5% discount to their closing price on Friday. The stake will make the U.S. government Intel's biggest shareholder, though neither Trump nor Intel disclosed when the transaction would happen... Some analysts say Intel could benefit from the government's support, including in building out factories. Intel has said it is investing more than $100 billion to expand its U.S. factories and expects to begin high-volume chip production later this year at its Arizona plant. "To have access to capital and a new partial owner that wants to see you succeed are both important," said Peter Tuz, president of Chase Investment Counsel.

Read more of this story at Slashdot.

President Donald Trump said on Friday the U.S. would take a 10% stake in Intel under a deal with the struggling chipmaker and is planning more such moves, the latest extraordinary intervention by the White House in corporate America. Reuters: The development follows a meeting between CEO Lip-Bu Tan and Trump earlier this month that was sparked by Trump's demand for the Intel chief's resignation over his ties to Chinese firms.

Read more of this story at Slashdot.

ISSUE 22.33 • 2025-08-18 BEN’S WORKSHOP By Ben Myers The expiration of Windows 10 support is nigh. In 2021, Microsoft announced Windows 11. with considerable emphasis on its improved security compared to that of Windows 10. With announcements and promotional material, Redmond targeted government enterprises and large corporations as candidates to buy huge volumes of […]

APPLE By Will Fastie Apple’s entire keynote for this year’s Worldwide Developers Conference focused on extensive changes to all its operating systems. There were no hardware or device announcements, but changes to macOS have profound ramifications for Intel-based Apple devices from previous generations. Some Apple users will be unhappy. Read the full story in our […]

Co-authored by Yaniv Allender and Alexandra Blia

Introduction

In the ever-evolving landscape of cyber threat actors, the lines between ideologically driven hacktivism and financially motivated cybercriminals have become increasingly blurred. Originally fueled by political, social, or ethical causes, hacktivist groups have historically engaged in digital protest through website defacements, data leaks, and distributed denial of service (DDoS) attacks.

However, in recent years, a noticeable trend has emerged. Some hacktivist groups are evolving into ransomware operations and even becoming ransomware affiliates. This transformation is driven by a mix of ideological fatigue, opportunity for financial gain, access to sophisticated tools, and the growing profitability of extortion-based attacks. The result is a new hybrid threat actor—one that merges the disruptive zeal of hacktivism with the ruthless efficiency of cybercrime.

Understanding this shift is crucial for defenders, as it represents a convergence of motives that complicates attribution, response, and mitigation strategies. To this end, we have examined three prominent examples of relevant threat actors, namely FunkSec, KillSec, and GhostSec, identifying the drivers behind their transition to financially motivated campaigns and exploring the shift in their modus operandi.

Threat actor analysis

FunkSec

The FunkSec ransomware group emerged within the cybercrime ecosystem as a rising star in December 2024. The ransomware-as-a-service (RaaS) group has claimed at least 172 victims to date. The group proudly promotes itself as an AI-driven ransomware group, with their encryptor, FunkLocker, and some of the malware’s source code allegedly generated using generative AI tools.

The group targets organizations from various sectors and regions, such as government, education, automotive, energy, IT, and manufacturing, located in countries like the United States, Israel, France, Italy, Germany, India, and Australia.

FunkSec started as a politically motivated hacking (hacktivist) group, specifically interested in targeting the United States (Figure 1). The group was known to be aligned with the “Free Palestine” movement (Figure 2), and associated itself with other hacktivist groups, such as Ghost Algeria and Cyb3r Fl00d. Among its affiliates are Scorpion (AKA DesertStorm, a suspected Algeria-based hacker), El_farado, XTN, Blako, and Bjorka (an alleged Indonesian hacktivist). In its early days, the group offered tools commonly associated with hacktivist activities, including services for DDoS and defacement attacks.

At some point, the group transitioned its focus from politically motivated attacks to a RaaS model, offering customizable tools to its affiliates. Its victimology also changed from government entities to organizations across various sectors, such as education, technology, telecommunications, and agriculture (Figure 3).

FunkSec’s reliance on relatively simple malware development using AI-based tools also explains the fast transition of the group from targeted hacktivism campaigns to broader, financially-motivated activities, with a large number of victims in a short period of time (Figure 4).

The group’s transition has also been referenced on a Russian-speaking dark web forum, where the author mentioned a cybersecurity vendor’s article on FunkSec (Figure 5).

KillSec

The KillSec hacktivist group (AKA Kill Security) has been active since at least 2021. The Russia-aligned group targets organizations from various sectors, such as government, finance, transportation, electronics, manufacturing, travel and recreation, retail, and consumer services, located in countries like India, Bangladesh, Romania, Poland, and Brazil. The group considers itself a “prominent hacktivist group operating in the cyber realm, with a focus on both disruption and digital activism."

KillSec initially emerged as a hacktivist group aligned with the Anonymous collective, with its operations primarily including DDoS attacks and website defacements, before pivoting to ransomware operations in October 2023. KillSec’s ransomware variants, namely KillSecurity 2.0 and KillSecurity 3.0, are designed to encrypt files and demand ransom payments for decryption.

In June 2024, KillSec introduced a RaaS operation, advertising a locker for Windows environments written in C++ and a dashboard, enabling affiliates to observe detailed statistics, conduct chat communications, and customize ransomware configurations using a builder tool. In November 2024, the group launched an additional locker for ESXi environments, expanding the breadth of its operations (Figure 6).

The group’s shift is aligned with the overall proliferation of RaaS programs, enabling less technically skilled individuals to conduct ransomware attacks with relative ease in exchange for a fee. The group has been advertising its RaaS offering in an attempt to attract cybercriminals and further broaden its affiliate network (Figure 7).

Although in certain incidents, KillSec leveraged solely stolen data to extort the victims, the group appears to adopt mainly double extortion tactics, exfiltrating data in addition to encrypting it and demanding a ransom payment to prevent it from being leaked. The group operates an active dedicated leak site (DLS) to which it uploads the data of victims who refuse to pay the ransom. The group also uses its DLS to advertise its services, which include penetration testing, data gathering, and its RaaS program (Figure 8).

It should be noted that KillSec’s DLS also features a “For Sale” section, offering data allegedly exfiltrated from the targeted companies for sale, with the prices ranging between $5,000 and $350,000 (Figure 9). The group likely introduced this section in an attempt to further monetize the exfiltrated data. This offering of stolen data and additional services further suggests the financially motivated nature of the group’s activity.

GhostSec

The GhostSec hacktivist group (AKA Ghost Security, GhostSecMafia, and GSM) has been active since at least 2015. The Anonymous-affiliated group gained prominence with the #OpIsis and #OpParis​​ campaigns, in which various hacktivist groups took down thousands of ISIS websites and social media accounts using defacement and DDoS attacks. Since then, GhostSec has participated in campaigns, such as #OpLebanon, #OpNigeria, #OpMyanmar, #OpEcuador, and #OpColombia. The group has also continuously launched cyberattacks on Israel in response to alleged war crimes, primarily defacing their websites to spread “Free Palestine” messages.

GhostSec’s shift towards financially motivated operations overlaps with the group’s collaboration with cybercriminals. In July 2023, GhostSec announced that they formed a partnership with the Stormous ransomware group to target organizations in Cuba (Figure 10). Following this announcement, Stormous and GhostSec jointly claimed extortion attacks against three Cuban government ministries, and GhostSec also expressed the potential for future joint operations against other countries. In August 2023, GhostSec, together with ThreatSec, Stormous, Blackforums, and SiegedSec, collectively formed a unified collective, naming themselves “The Five Families” (Figure 11). This collective attempted to extort the presidential website of Cuba and the Brazilian organization Alfa Comercial.

GhostSec solidified its presence in the cybercriminal ecosystem with the launch of its RaaS program “GhostLocker” in October 2023, which was shortly followed by the release of its infostealer tool, GhostStealer (Figure 12). In January 2024, the updated “REWRITE” (aka GhostLocker 2.0) version of GhostLocker was released, with a fully featured management panel allowing affiliates to track campaigns and payouts. The threat actor promoted its malware-as-a-service (MaaS) tools heavily on its Telegram channels, demonstrating its intention to attract affiliates and, in turn, maximize its profits.

On May 15, 2024, GhostSec announced its retirement from cybercriminal activities and its return to hacktivism. The group stated that it reached this decision after having obtained enough funding to support its hacktivist operations. GhostSec further mentioned that Stormous would remain in charge of the management and operation of GhostLocker (Figure 13).

It should be noted that Stormous seemingly had already incorporated GhostLocker into its operations, even before GhostSec’s retirement. As of May 2025, the group is still active and operates the Stormous RaaS program, which appears to be a continuation of GhostLocker. This development signifies the mutual assistance and influence among united threat groups, as collectives like the Five Families allow them to maximize the impact and breadth of their operations by sharing resources, audience, and knowledge.

Two sides of the same coin?

This analysis shows that the threat actors in scope, FunkSec, KillSec, and GhostSec, have followed a similar trajectory, pivoting from politically motivated, disruptive campaigns to financial extortion. This transition is likely facilitated by the public availability of leaked ransomware builders, such as LockBit 3.0, which threat actors can leverage to develop their payloads.

The groups specifically appear to have adopted double extortion tactics, exfiltrating data from their victims and then encrypting it, in an attempt to pressure them to comply with their ransom demands. However, despite their seeming ability to conduct ransomware operations, these groups appear to lack the level of sophistication and specialization that characterize top-tier cybercriminal groups, such as Cl0p and LockBit, which are mentioned in the Rapid7 Q1 2025 ransomware report.

Interestingly enough, all three groups embraced RaaS as their business model while pivoting towards cybercrime. This evolution is aligned with the overall current status of the ransomware ecosystem, as RaaS programs have become increasingly more common. Such programs, demonstrating the financial nature of their activities, enable threat actors to maximize their profits by allowing affiliates to use their ransomware kit for a fee and a percentage of the collected ransom.

This transition of FunkSec, KillSec, and GhostSec has also affected and amplified the victimology of their operations. While these groups once operated as hacktivists that primarily targeted government entities, their scope of activities broadened significantly as they shifted to ransomware attacks. Along this process, their attacks shifted from targeted to opportunistic, against organizations of different sizes, operating in diverse sectors and geographies, that could be relatively easily compromised.

While all of these groups follow the pattern, shifting from hacktivism to cybercrime, and specifically financially motivated RaaS operations, the reason behind this transition remains unclear. As an exception, GhostSec appears to have embraced cybercrime in an attempt to gather funding for its hacktivist operations, according to its exit message. It should be noted that other threat actors, such as CyberVolk, have also launched RaaS programs to fund their operations, but these efforts remain scarce.

Finally, other hacktivist groups, such as Ikaruz Red Team and their affiliates, also operate ransomware, but they do so to cause disruption and make political statements. Thus, the scope of their operations differs from financial gain and is not comparable to that of the groups included in this analysis.

Conclusion

The evolution of FunkSec, KillSec, and GhostSec from hacktivist collectives to RaaS operations highlights a recent trend of a shift in motivations, driving cybercriminal behavior. Initially, these groups were propelled by political and ideological aims, targeting governments and organizations in alignment with their perceived causes. However, over time, their focus has clearly shifted towards financial gain, as evidenced by their adoption of RaaS models that prioritize profit over ideology. As cybercriminals adapt to “market demands,” it becomes clear that financial motivation has come to dominate their activities, leaving behind the ideological roots of their earlier campaigns.

Indicators of compromise (IoCs)

FunkSec

• Darkweb DLS:
• funksec53xh7j5t6ysgwnaidj5vkh3aqajanplix533kwxdz3qrwugid[.]onion
• funksec7vgdojepkipvhfpul3bvsxzyxn66ogp7q4pptvujxtpyjttad[.]onion
• funksecsekgasgjqlzzkmcnutrrrafavpszijoilbd6z3dkbzvqu43id[.]onion
• Clearweb DLS: http://funksec[.]top
• Funkforum: http://funk4ph7igelwpgadmus4n4moyhh22cib723hllneen7g2qkklml4sqd[.]onion
• Session ID: 0538d726ae3cc264c1bd8e66c6c6fa366a3dfc589567944170001e6fdbea9efb3d

GhostSec

• Facebook: facebook.com/OfficialGhostSecGroup
• Instagram: instagram.com/ghostsecuritygroup
• LinkedIn: linkedin.com/in/ghostsecuritygroup
• Twitter: twitter.com/GhostSecGroup
• Vimeo: vimeo.com/ghostsecgroup
• Website: ghostsecuritygroup[.]com
• YouTube: https://www.youtube.com/channel/UCltlez3dwuV9_xZIi9LWNjA
• Telegram: https://t.me/GhostSecS
• SHA-256:

8b758ccdfbfa5ff3a0b67b2063c2397531cf0f7b3d278298da76528f443779e9

c9f71fc4f385a4469438ef053e208065431b123e676c17b65d84b6c69ef6748a

a1b468e9550f9960c5e60f7c52ca3c058de19d42eafa760b9d5282eb24b7c55f

3ecf05857d65f7bc58b547d023bde7cc521a82712b947c04ddf9d7d1645c0ce0

Stormous

• Telegram: https://t.me/StmXRaaSV4
• DLS: http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd[.]onion

KillSec

• DLS: http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id[.]onion
• Telegram channel: https://t.me/killsecc
• TOX ID: 9453686EAB63923D1C35C92DDE5E61A6534DD067B5448C1C8D996A460B92CA5055C1AB0FCD22
• Session ID:05cb94c52170c8119f7ebc2d8afc94b9746bc7c361d91c49e7d18e96e266582a07
• SHA256: 8cee3ec87a5728be17f838f526d7ef3a842ce8956fe101ed247a5eb1494c579d
• IP addresses: 82[.]147[.]84[.]98, 77[.]91[.]77[.]187, 93[.]123[.]39[.]65

Rapid7 customers

InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7's expansive library of detection rules. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to the FunkSec, KillSec, and GhostSec ransomware activity. We will also continue to iterate detections as new variants emerge, giving customers continuous detection without manual tuning:

Suspicious Process - Malicious Hash On Asset

While this specific detection directly covers malicious binaries linked to ransomware operations, customers also benefit from a comprehensive suite of detections that alert on post-exploitation behavior often observed prior to ransomware deployment. These include detections for lateral movement, privilege escalation, and suspicious persistence mechanisms, providing layered defense even when the specific ransomware payload is novel or obfuscated.

Authorities in Pakistan have arrested 21 individuals accused of operating “Heartsender,” a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecurity in 2021 after they inadvertently infected their computers with malware.

A report from the Pakistani media outlet Dawn states that authorities there arrested 21 people alleged to have operated Heartsender, a spam delivery service whose homepage openly advertised phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and ID.me. Pakistan’s National Cyber Crime Investigation Agency (NCCIA) reportedly conducted raids in Lahore’s Bahria Town and Multan on May 15 and 16.

The NCCIA told reporters the group’s tools were connected to more than $50m in losses in the United States alone, with European authorities investigating 63 additional cases.

“This wasn’t just a scam operation – it was essentially a cybercrime university that empowered fraudsters globally,” NCCIA Director Abdul Ghaffar said at a press briefing.

In January 2025, the FBI and the Dutch Police seized the technical infrastructure for the cybercrime service, which was marketed under the brands Heartsender, Fudpage and Fudtools (and many other “fud” variations). The “fud” bit stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.

The FBI says transnational organized crime groups that purchased these services primarily used them to run business email compromise (BEC) schemes, wherein the cybercrime actors tricked victim companies into making payments to a third party.

Dawn reported that those arrested included Rameez Shahzad, the alleged ringleader of the Heartsender cybercrime business, which most recently operated under the Pakistani front company WeCodeSolutions. Mr. Shahzad was named and pictured in a 2021 KrebsOnSecurity story about a series of remarkable operational security mistakes that exposed their identities and Facebook pages showing employees posing for group photos and socializing at work-related outings.

Prior to folding their operations behind WeCodeSolutions, Shahzad and others arrested this month operated as a web hosting group calling itself The Manipulaters. KrebsOnSecurity first wrote about The Manipulaters in May 2015, mainly because their ads at the time were blanketing a number of popular cybercrime forums, and because they were fairly open and brazen about what they were doing — even who they were in real life.

Sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Soon after, Scylla started receiving large amounts of email correspondence intended for the group’s owners.

In 2024, DomainTools.com found the web-hosted version of Heartsender leaked an extraordinary amount of user information to unauthenticated users, including customer credentials and email records from Heartsender employees. DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”

Shahzad allegedly used the alias “Saim Raza,” an identity which has contacted KrebsOnSecurity multiple times over the past decade with demands to remove stories published about the group. The Saim Raza identity most recently contacted this author in November 2024, asserting they had quit the cybercrime industry and turned over a new leaf after a brush with the Pakistani police.

The arrested suspects include Rameez Shahzad, Muhammad Aslam (Rameez’s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moiz, Hussnain Haider, Bilal Ahmad, Dilbar Hussain, Muhammad Adeel Akram, Awais Rasool, Usama Farooq, Usama Mehmood and Hamad Nawaz.