Russian state-sponsored attackers compromised more than 18,000 routers spread across more than 120 countries to gain deeper access to sensitive networks for a large-scale espionage campaign before it was recently neutralized, researchers and authorities said Tuesday.

Forest Blizzard, also known as APT28 and Fancy Bear, exploited known vulnerabilities to steal credentials for thousands of TP-Link routers globally. The threat group, which is attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165, hijacked domain name system settings and stole additional credentials and tokens via redirected traffic, the Justice Department said.

The threat group established an expansive espionage network by intruding systems of more than 200 organizations, impacting at least 5,000 consumer devices, Microsoft Threat Intelligence said in a report. 

Operation Masquerade, a collaborative takedown operation led by the FBI, aided by federal prosecutors, the National Security Division’s National Security Cyber section, Lumen’s Black Lotus Labs and Microsoft Threat Intelligence, involved a series of commands designed to reset DNS settings and prevent the threat group from further exploiting its initial means of access. 

“GRU actors compromised routers in the U.S. and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement. “The FBI conducted a court-authorized operation to harden compromised routers across the United States.”

Forest Blizzard’s widespread campaign involved adversary-in-the-middle attacks against domains mimicking legitimate services, including Microsoft Outlook Web Access. This allowed attackers to intercept passwords, OAuth tokens, credentials for Microsoft accounts, and other services and cloud-hosted content. 

Microsoft insists company-owned assets or services were not compromised as part of the campaign.

The threat group targeted network edge devices, including TP-Link and MicroTik routers, opportunistically before it identified sensitive targets of intelligence interest to the Russian government, including people in the military, government and critical infrastructure sectors. 

Victims, according to researchers, include government agencies and organizations in the IT, telecom and energy sectors. Lumen identified other victims associated with Afghanistan’s government and others linked to foreign affairs and national law enforcement agencies in North Africa, Central America and Southeast Asia. An unnamed European country’s national identity platform was also impacted, the company said.

Lumen did not find evidence of any compromised U.S. government agencies as part of this campaign, but warned that the activity poses a grave national security threat.

While the full scope of Forest Blizzard’s accomplishments remain under investigation, researchers are confident the bleeding of sensitive information has stopped. 

“The campaign has ceased,” Danny Adamitis, distinguished engineer at Black Lotus Labs, told CyberScoop. “We have observed a gradual decline in communications associated with this infrastructure over the past several weeks.”

Lumen said it observed widespread router exploitation and DNS redirection beginning in August, the day after the United Kingdom’s National Cyber Security Centre published a malware analysis report about a tool used to steal Microsoft Office credentials. The U.K.’s NCSC on Tuesday published details about APT28’s DNS hijacking campaign, including indicators of compromise.

The Justice Department and FBI, acting on a court order, remediated compromised routers in the United States after collecting evidence on Forest Blizzard’s activity. The FBI said Russia’s GRU weaponized routers owned by Americans in more than 23 states to steal sensitive government, military and critical infrastructure information.

The post Feds quash widespread Russia-backed espionage network spanning 18,000 devices appeared first on CyberScoop.

North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 

AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.

Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.

Jasper Sleet is using generative AI tools to research job postings on platforms such as Upwork, and identify in-demand skills or experience requirements to align fake personas with targeted roles, Microsoft said in the report.

Researchers warned that threat groups are also “significantly improving the scale and sophistication of their social engineering and initial access operations” with AI-driven media creation for impersonations and real-time voice modulation. 

North Korean threat groups have used AI services to generate lures that mimic internal communications in multiple languages with native fluency. 

“These technologies enable threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise,” researchers wrote in the report. 

Microsoft has observed Jasper Sleet using the AI application Faceswap to insert North Korean IT workers’ faces into stolen identity documents, in some cases reusing the same AI-generated photo across multiple personas.

Jasper Sleet is also leaning on AI-enabled communications after an operative is successfully hired by a victim organization to evade detection and sustain long-term employment. Microsoft has observed North Korean remote IT workers prompting AI tools to craft professional responses, answer technical questions or generate snippets of code to meet performance expectations in unfamiliar environments.

North Korean threat groups are using AI to refine previously observed post-compromise activities, reducing the time and expertise required for decision-making, Microsoft said. These AI-powered tasks accelerate analysis of unfamiliar compromised environments, identify viable paths for lateral movement and enable operatives to blend in with legitimate activity. 

North Korean threat groups are also using AI to escalate privileges, locate and steal sensitive records or credentials, and minimize risk of detection by analyzing security controls.

Generative AI composes most threat activity involving AI, but Microsoft said a transition to agentic AI is underway. 

“For threat actors, this shift could represent a meaningful change in tradecraft by enabling semi‑autonomous workflows that continuously refine phishing campaigns, test and adapt infrastructure, maintain persistence, or monitor open‑source intelligence for new opportunities,” researchers wrote in the report. 

“Microsoft has not yet observed large-scale use of agentic AI by threat actors, largely due to ongoing reliability and operational constraints,” researchers added. Yet, Microsoft warned, experiments illustrate the potential agentic AI systems pose for more advanced and damaging activity.

The post Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI appeared first on CyberScoop.

Tycoon 2FA, a major phishing kit and platform that allowed low-skilled cybercriminals to bypass multifactor authentication and conduct large-scale adversary-in-the-middle attacks, was dismantled Wednesday by a global coalition of security companies and law enforcement agencies.

Microsoft, which led the effort alongside Europol and authorities from six countries and 11 security firms or organizations, said it seized 330 domains that powered Tycoon 2FA’s core infrastructure, including control panels and fraudulent login pages.

The platform, which emerged in August 2023, was responsible for tens of millions of phishing messages that reached more than 500,000 organizations globally each month, according to Microsoft Threat Intelligence. Thousands of cybercriminals used Tycoon 2FA to break into email and online services, including Microsoft 365, Outlook, SharePoint, OneDrive and Google services.

“By mid‑2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post about the takedown. 

“Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers,” Masada added. 

The phishing kit, which was developed and advertised by a group Microsoft tracks as Storm-1747, was sold to cybercriminals on Telegram and Signal for $350 a month. The platform provided core components for phishing on a single dashboard that allowed cybercriminals to configure, track and refine their campaigns.

The platform also provided cybercriminals with pre-built templates, attachment files for common phishing lures, domain and hosting configuration and redirect logic, Microsoft said. The monthly volume of phishing messages attributed to Tycoon 2FA peaked at more than 30 million messages in November 2025.

Organizations in education and health care were hit hardest by phishing attacks enabled by Tycoon 2FA. More than 100 members of Health-ISAC, a co-plaintiff in the court case filed in the U.S. District Court for the Southern District of New York, were successfully phished, Masada said. 

Two hospitals, six schools and three universities in New York confronted attempts or successful compromises via Tycoon 2FA, resulting in incidents that disrupted operations, diverted resources and delayed patient care, he added. 

Microsoft and Health-ISAC filed a civil complaint against alleged creator Saad Fridi and four unnamed associates, demanding a $10 million injunction, for developing, running and selling Tycoon 2FA. The court order allowed Microsoft to dismantle and take ownership of Tycoon 2FA’s technical infrastructure.

Authorities from Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom assisted with the operation alongside Cloudflare, Coinbase, Crowell & Moring, eSentire, Intel 471, Proofpoint, Resecurity, Shadowserver, SpyCloud and Trend Micro. 

Selena Larson, staff threat researcher at Proofpoint who provided a formal declaration in support of the court order, said Tycoon 2FA was responsible for the highest volume of adversary-in-the-middle phishing attacks observed by Proofpoint. 

“Tycoon was the biggest MFA phishing threat in our data, and we anticipate seeing a significant decrease after this operation,” she told CyberScoop.

“Many customers will find their hacking tool is no longer working, and even if Tycoon 2FA is able to create new domains and infrastructure, the brand will be significantly harmed, with customers either purchasing less effective phishing kit, or potentially rethinking their life choices and getting out of the game,” Larson added.

Tycoon 2FA’s easy-to-use and robust capabilities contributed to its popularity, researchers said. The platform’s codebase was updated regularly and operators generated a high volume of subdomains for brief periods before abandoning them and moving on to new domains.

Researchers said the rapid turnover and shifts to temporary infrastructure complicated efforts to detect and block new campaigns.

The Tycoon 2FA takedown follows a recent wave of cybercrime crackdowns, including actions against Racoon0365 and the Lumma Stealer infostealer operation, which infected about 10 million systems.

The post Global coalition dismantles Tycoon 2FA phishing kit appeared first on CyberScoop.

Fallout from React2Shell — a stubborn vulnerability that impacts wide swaths of the internet’s scaffolding — continues to spread as public exploits and stealth backdoors proliferate and worrying details emerge about the targets attackers are pursuing. 

Threat researchers and incident responders are reacting to swift-moving developments on React2Shell with mounting concern. Cybercriminals, ransomware gangs and nation-state threat groups are all swarming to exploit the maximum-severity vulnerability.

Palo Alto Networks’ Unit 42 puts the latest victim count at more than 60 organizations, which have been impacted by attacks involving exploitation of CVE-2025-55182, which Meta and the React team publicly disclosed Dec. 3.

Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via exploitation resulting in remote-code execution. Post-exploitation activity in those attacks includes reverse shell implants, lateral movement, data theft and steps that allowed attackers to maintain access to targeted networks, Microsoft said in a research blog Tuesday. 

The full scope of attacker interest in the vulnerability is magnified by an unparalleled number of publicly available exploits — underscoring the relative ease and myriad ways unauthenticated attackers can trigger the defect to elevate privileges and pivot into other parts of targeted networks. 

VulnCheck confirmed nearly 200 valid public exploits for React2Shell as of Thursday. “React2Shell CVE-2025-55182 now has the highest verified public exploit count of any CVE,” Caitlin Condon, vice president of research at VulnCheck, told CyberScoop.

Ongoing clean-up efforts for React2Shell also led to the discovery of three new defects affecting React Server Components last week, including CVE-2025-55183 and CVE-2025-67779, which fixes an apparent bypass for CVE-2025-55184, she said. 

“The worst-case scenario on many defenders’ minds presently is that a true patch bypass for CVE-2025-55182 might arise. So far, this hasn’t come to pass,” Condon added. 

Researchers continue to urge organizations to apply the patch for CVE-2025-55182, but note that the additional CVEs are not addressed in some early versions of the patch. And, of course, patching won’t evict attackers that already gained access to systems. 

Attacks of different origins and motivations continue to spread globally. 

Google Threat Intelligence said it has observed financially motivated attackers and at least five Chinese espionage threat groups exploiting the defect across multiple regions and industries. GTIG said it also identified attacks attributed to Iran, but it did not provide more information. 

Amazon previously said its threat intelligence teams observed active exploitation attempts by Earth Lamia and Jackpot Panda within hours of the vulnerability’s public disclosure.

Cybersecurity firm S-RM said it responded to a ransomware attack Dec. 5 that involved React2Shell exploitation as an initial access vector. Attackers executed Weaxor ransomware within a minute of gaining access to the victim’s network, the company said in a blog post Tuesday.

Evidence of spiking malicious activity, including exploitation attempts, is showing up across the threat intelligence landscape. 

Cloudflare said multiple Asia-based threat groups have been meticulous in targeting networks in Taiwan, the autonomous region of Xinjiang Uygur, Vietnam, Japan and New Zealand, yet other selective targets were observed, including U.S. government websites, academic research institutions and critical infrastructure operators. 

“These infrastructure operators specifically included a national authority responsible for the import and export of uranium, rare metals and nuclear fuel,” Cloudflare’s threat intelligence team wrote in a blog post.

Several U.S.-based state and federal government agencies have been targeted, but there’s no confirmed exploitation, Blake Darché, head of threat intelligence at Cloudflare, told CyberScoop. The Cybersecurity and Infrastructure Security Agency declined to comment on attempted attacks against government agencies. 

“Victimology has now evolved to be universal, with critical infrastructure targets just a small slice of all organizations and industries under attack,” Darché added.

While successful compromises are outside of GreyNoise’s visibility, malicious activity spotted by its sensors are continuing to pop off, according to Andrew Morris, the company’s founder and chief architect.

“Exploitation is still very high with the number of cumulative networks exploiting this vulnerability reaching all-time highs almost every single day since disclosure,” he wrote in a LinkedIn post Tuesday. 

React2Shell has prompted widespread alarm in the two weeks since the vulnerability was first disclosed in the widely used application framework, and researchers expect the defect to have long-lasting impacts.

Austin Larsen, principal analyst at GTIG, said the critical vulnerability will likely be one of the more consequential defects it observed under active exploitation this year.

A debate that initially ensued in some industry circles over the seriousness and viable impact of the defect has effectively ended. 

“Exploitation timelines are shrinking from weeks to hours,” Dan Perez, technology lead at GTIG, told CyberScoop. “Every new vulnerability presents a race against time. Every minute that a system remains unpatched is a minute that a threat actor can use to their advantage, which gives organizations a razor-thin margin for error.”

The post React2Shell fallout spreads to sensitive targets as public exploits hit all-time high appeared first on CyberScoop.