Latvian national sentenced for ransomware attacks run by former Conti leaders

A federal judge sentenced a Latvian national to 102 months in prison for his involvement in a series of ransomware attacks for more than two years prior to his arrest in 2023, the Justice Department said Monday.

Deniss Zolotarjovs, a resident of Moscow at the time, helped an organization led by former leaders of the Conti ransomware group extort payments from more than 54 companies. 

The 35-year-old was mostly tasked with putting pressure on the crew’s victims. In one case, Zolotarjovs urged co-conspirators to leak or sell children’s health records stolen from a pediatric healthcare company and ultimately sent a collection of sensitive data to “hundreds of patients,” according to court records. 

The ransomware crew identified itself in ransom notes under multiple names during Zolotarjovs’ involvement, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, Akira and others. 

Zolotarjovs and his co-conspirators extorted nearly $16 million in confirmed ransom payments from their victims. Officials estimate the group’s crimes resulted in hundreds of millions of dollars in losses, not including the psychological and future financial exposure confronting tens of thousands of people whose personal data was stolen.

“Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline,” A. Tysen Duva, assistant attorney general of the Justice Department’s Criminal Division, said in a statement. 

Officials said Zolotarjovs searched for points of leverage after researching victim companies and analyzing stolen data. Many of the victims impacted during his active participation between June 2021 and August 2023 were based in the United States.

Zolotarjovs was arrested in the country of Georgia in December 2023 and extradited to the United States in August 2024. He pleaded guilty to money laundering and wire fraud in July 2025.

“Cybercriminals might think they are invulnerable by hiding behind anonymizing tools and complex cryptocurrency patterns while they attack American victims from non-extradition countries,” Dominick S. Gerace II, U.S. attorney for the Southern District of Ohio, said in a statement. “But Zolotarjovs’s prosecution shows that federal law enforcement also has a global reach, and we will hold accountable bad actors like Zolotarjovs, who will now spend significant time in prison.”

The Russian ransomware crew was prolific and spread across multiple teams, relying on companies registered in Russia, Europe and the United States to conceal its operations. Authorities said the group included former Russian law enforcement officers whose connections allowed members to access Russian government databases to harass detractors and identify potential new recruits.

Conti was among the most prolific ransomware groups globally for a time, impacting hundreds of critical infrastructure providers and Costa Rica’s government in 2022, and ultimately leading the State Department to offer a $10 million reward for information related to Conti’s leaders. The group was notoriously resilient, bouncing back with new infrastructure and hitting new targets after a massive leak exposed chats between the group’s members in 2022.

Conti disbanded later that year, but members of the Cyrillic-language group rebranded under three subgroups: Zeon, Black Basta and Quantum, which quickly rebranded to Royal, before rebranding again to BlackSuit in 2024.

The post Latvian national sentenced for ransomware attacks run by former Conti leaders appeared first on CyberScoop.

Executive orders likely ahead in next steps for national cyber strategy

National Cyber Director Sean Cairncross expects more executive orders coming from the White House as part of implementing the national cybersecurity strategy, he said Wednesday.

Staffers on Capitol Hill and others in the cyber world have been awaiting the implementation guidance the Trump administration had proclaimed would come to accompany the strategy published last month.

Asked at a Semafor event about whether that would include executive orders, Cairncross answered, “I think that that’s the case.”

The administration released an executive order on fraud the same day it released its cyber strategy on March 6. Some of that order touched on cybercrime.

“This is rolling forward actively, and you should expect that there will be more execution and action in line with our strategic goals,” he said.

Cairncross cited other administration activity that fits into the strategy, such as the first conviction last week under the Take It Down Act, a law First Lady Melania Trump advocated for that seeks to combat non-consensual AI-generated sexually explicit images, violent threats and cyberstalking.

He declined to preview any future implementation plans, and said he expected they would be coming “relatively soon.”

A centerpiece of the administration strategy is confronting adversaries to make sure they suffer consequences for their hacking of United States targets.

Cairncross wouldn’t say explicitly if Trump, in his visit to Beijing next month, would address Chinese hacking.

“When we start to see things like prepositioning on critical infrastructure, that is something that needs to be addressed,” he said. Pressed on whether that meant cyber would be on the agenda during the visit, Cairncross said, “I would expect that the safety and security of the American people will be first and foremost, as it always is for the president.”

Cairncross touted American ingenuity for producing an artificial intelligence model like Anthropic’s Claude Mythos, rather than it developing under U.S. cyber rivals like China or Russia. He acknowledged reports about the administration holding meetings about the cyber risks and benefits of something like Mythos — “the model right now that everyone’s talking about” — adding that the administration is looking to balance the dangers and positive capabilities of AI in cyberspace.

“I would say from the White House perspective, we are working very closely with industry,” Cairncross said. “We’ve been in close collaboration with the model companies across the interagency to make sure that we are evaluating and doing this.”

The post Executive orders likely ahead in next steps for national cyber strategy appeared first on CyberScoop.

Black Basta’s playbook lives on as former affiliates launch fast-scale intrusion campaign

A small group of former Black Basta affiliates has targeted more than 100 employees across dozens of organizations to break into network systems for potential data theft, ransomware deployment and extortion, according to ReliaQuest.

The social engineering campaign, which involves mass email bombing and Microsoft Teams help desk impersonation, surged last month and dates back to at least May 2025, ReliaQuest said in a report Tuesday. 

Attackers have primarily targeted senior leadership to gain highly privileged access. “Roughly three-quarters of targeted users were executives, directors, managers or similarly high-value roles,” researchers who worked on the report told CyberScoop via email. 

Cybercriminals involved in Black Basta, an offshoot of Conti, scattered after the threat group’s internal chat logs leaked online in February 2025, providing threat researchers and authorities key details about the group’s operations. 

German police publicly identified Oleg Evgenievich Nefedov, a Russian national, as Black Basta’s alleged leader in January. Nefedov, a 35-year-old who was subsequently added to the most-wanted lists of Europol and Interpol, allegedly formed and ran Black Basta since 2022, authorities said. 

He is accused of extorting more than 100 companies in Germany and about 600 other countries globally.

ReliaQuest said the recently observed campaign shares many similarities with previous Black Basta activity and follows the same playbook — tooling, targeting and execution style — associated with the once-prolific ransomware group. 

“That includes the repeated use of remote access tools, a strong concentration in sectors Black Basta historically favored, and a level of speed and coordination that suggests experienced operators are building on a playbook they already know works,” researchers said. 

“We’re careful not to treat any one artifact as definitive proof, but taken together, the similarities are strong enough that we assess it is highly likely former affiliates or closely aligned operators are involved,” ReliaQuest researchers added. 

Black Basta’s data leak site was shut down shortly after its internal chats were leaked last year, but uncaptured cybercriminals typically scatter and join new groups in the wake of a takedown or disbandment. Threat hunters warned that former members were still actively targeting additional victims earlier this year. 

ReliaQuest released its report, including indicators of compromise, after it observed a particularly sharp spike in activity in March, noting that the group’s targeting was more focused on senior employees.

“The operators are moving very quickly, with parts of the workflow becoming more automated or highly streamlined, which makes the campaign easier to scale and harder for defenders to interrupt before remote access is established,” researchers said.

The top-five sectors targeted in recent Black Basta-style attacks include manufacturing, professional services, finance and insurance, construction and technology, according to ReliaQuest.

Attackers typically bombard targeted employees with hundreds of emails within minutes and then contact the targeted users, posing as IT support via direct messages on Microsoft Teams or a phone call. ReliaQuest said it has observed some attackers achieve remote access minutes after the first sign of an email bomb.

Researchers did not say how many organizations have been successfully breached as a result of this campaign thus far.

While extortion appears to be the most likely objective, ReliaQuest cautioned against assuming every attack results in ransomware encryption.

“Based on what we’ve observed, the intrusion chain is built to gain access quickly, understand the environment, and create options for follow-on monetization,” researchers said. “That could lead to data theft, extortion without encryption, or ransomware deployment, depending on the victim and the opportunity.”

The post Black Basta’s playbook lives on as former affiliates launch fast-scale intrusion campaign appeared first on CyberScoop.

Secretary Mullin must help finish the job: Urge the Senate to confirm Plankey

On March 23, the Senate confirmed Senator Markwayne Mullin as the next homeland security secretary, marking an important step in strengthening leadership during a critical moment for our nation’s security.

But only half of the job is done.

The Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s main civilian cyber defense agency, still lacks a Senate-confirmed director. As global cyber threats escalate, this prolonged leadership gap poses a growing national security risk.

As Executive Director of the National Technology Security Coalition (NTSC), I represent Chief Information Security Officers who are responsible for protecting the systems that sustain America’s economy and critical infrastructure. In every sector (energy, healthcare, financial services, manufacturing, and transportation), there is a common concern: the threat landscape is growing more aggressive, and our defenses must stay ahead.

Our enemies are not waiting.

Since the start of the conflict with Iran, cybersecurity experts have reported increased malicious cyber activity targeting U.S. and allied systems. Iran-linked actors have shown their ability to disrupt operations and exploit vulnerabilities. Meanwhile, China continues its long-term effort to infiltrate American networks and position itself for possible disruption of critical infrastructure. Russia and its affiliated groups remain persistent, probing Western systems for weaknesses and exerting constant pressure.

This is the reality of modern conflict. Cyber operations have emerged as a primary domain of competition. In some cases, they can rival the effects of traditional military action, disrupting economies, communications, and public safety through code alone. 

Leadership is important in this environment.

CISA plays a key role in coordinating federal cyber defense, sharing threat intelligence with the private sector, and supporting state and local governments. It serves as the link between government and industry in protecting the nation’s digital infrastructure. Without a Senate-confirmed director, the agency’s ability to set priorities, coordinate efforts, and respond quickly is limited.

That challenge is growing more urgent. The President’s fiscal year 2027 budget plan proposes significant cuts to CISA’s funding. At a time when the agency faces increasing operational pressure, fewer resources make strong, steady leadership even more crucial.

This is the moment when Secretary Mullin’s leadership is critical.

As a former member of the Senate, Secretary Mullin understands the institution, its dynamics, and how to build consensus. He is uniquely positioned to connect with past colleagues and help advance Sean Plankey’s nomination as Director of CISA.

Plankey is highly qualified and widely respected in the cybersecurity community. His experience in the U.S. Coast Guard, at the Department of Energy securing the nation’s energy infrastructure, and in the private sector provides him with a clear understanding of both the threat landscape and the importance of public-private collaboration. At a time when coordination between government and industry is vital, these qualities are essential.

The Senate has already signaled that it takes cyberthreats seriously. It recently confirmed Lt. Gen. Joshua Rudd to lead U.S. Cyber Command and serve as director of the National Security Agency, ensuring strong leadership of America’s military cyber defense team.

Now it needs to do the same on the civilian side.

Confirming Plankey matters because the country’s main civilian cyber defense agency needs established leadership to combat adversaries who are already inside our networks, probing our systems, and preparing for the next phase of conflict.

The leadership gap at CISA has gone on long enough.

Secretary Mullin must engage. The Senate needs to act. And Sean Plankey should be confirmed without further delay.

America’s cyber defenses depend on it.

Chris Sullivan is the executive director of the National Technology Security Coalition, a nonprofit, non-partisan organization that serves as an advocacy voice for chief information security officers across the nation.

The post Secretary Mullin must help finish the job: Urge the Senate to confirm Plankey appeared first on CyberScoop.

Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’

The recent FBI-led operation to knock Russian government hackers off routers sought to topple an especially insidious and threateningly contagious cyberespionage campaign, top bureau cyber official Brett Leatherman told CyberScoop.

Researchers, along with U.S. and foreign government agencies, revealed details of the campaign this week by which APT28 — also known as Forest Blizzard or Fancy Bear, and attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) — compromised more than 18,000 TP-Link routers and infiltrated more than 200 organizations worldwide.

The compromise of routers used in small and home offices prompted the takedown operation, Operation Masquerade, which involved sending commands to the routers to reset Domain Name System (DNS) settings to prevent the hackers from exploiting that access.

“What’s unique to me in this one is that when you change the internet settings in a router like they did, it propagates to all the devices in your house,” Leatherman, assistant director of the FBI’s cyber division, said. “All those devices now, once they’re connected to that Wi-Fi, are getting the malicious IP addresses that they are then routing their traffic through, and it gives the Russian GRU tremendous access to the content offered through a router itself.”

“The difficulty in an attack like this is that it’s virtually invisible to the end users,” he said. “Actors were not deploying malware like we often see. And so when you think about endpoint detection on your computer or something like that, it’s not seeing that activity because they don’t have to. They’re using the tools on the router itself to capture your internet traffic and extend it throughout the house, and so traditional tools that detect that activity [are] just not there.”

The disruption operation is in line with the cyber strategy the Trump administration published last month, with its emphasis on going on offense against malicious hackers and protecting critical infrastructure, Leatherman said.

The FBI understands its role in implementing that strategy, he said, and worked with the Office of the National Cyber Director and other agencies in developing it. The White House has kept the public and Capitol Hill in the dark about strategy implementation, however.

“We’ve got a long track record of leveraging unique authorities and capabilities to counter these actors, to impose costs, and through the 56 field offices to really defend critical infrastructure,” Leatherman said. “That’s part of our DNA, really. And so we want to make sure that we continue to align that in the most scalable and agile way we can, to align with the priorities of the strategy itself.”

Leatherman traced how Operation Masquerade — the success of which he credited to the FBI’s Boston offices and partnerships with the private sector and foreign governments — fits into a series of disruptions aimed at Russian government hackers dating back to 2018.

That’s when the bureau took on the VPNFilter botnet by seizing a domain used to communicate with infected routers. In 2022, the FBI took on the Cyclops Blink botnet, and in 2024, Operation Dying Ember went after another botnet.

“Over the course of those four operations, while the adversary continued to evolve in their tradecraft, so did we,” Leatherman said. “We moved from just sinkholing domains to actually taking steps that block them at the door of these routers, pulled any capability off of those routers so they were no longer able to collect the sensitive information, and then prohibited them from getting back in.”

The post Inside the FBI’s router takedown that cut off APT28’s ‘tremendous access’ appeared first on CyberScoop.

Feds quash widespread Russia-backed espionage network spanning 18,000 devices

Russian state-sponsored attackers compromised more than 18,000 routers spread across more than 120 countries to gain deeper access to sensitive networks for a large-scale espionage campaign before it was recently neutralized, researchers and authorities said Tuesday.

Forest Blizzard, also known as APT28 and Fancy Bear, exploited known vulnerabilities to steal credentials for thousands of TP-Link routers globally. The threat group, which is attributed to Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165, hijacked domain name system settings and stole additional credentials and tokens via redirected traffic, the Justice Department said.

The threat group established an expansive espionage network by intruding into the systems of more than 200 organizations, impacting at least 5,000 consumer devices, Microsoft Threat Intelligence said in a report.

Operation Masquerade, a collaborative takedown operation led by the FBI, aided by federal prosecutors, the National Security Division’s National Security Cyber section, Lumen’s Black Lotus Labs and Microsoft Threat Intelligence, involved a series of commands designed to reset DNS settings and prevent the threat group from further exploiting its initial means of access. 

“GRU actors compromised routers in the U.S. and around the world, hijacking them to conduct espionage. Given the scale of this threat, sounding the alarm wasn’t enough,” Brett Leatherman, assistant director of the FBI’s cyber division, said in a statement. “The FBI conducted a court-authorized operation to harden compromised routers across the United States.”

Forest Blizzard’s widespread campaign involved adversary-in-the-middle attacks against domains mimicking legitimate services, including Microsoft Outlook Web Access. This allowed attackers to intercept passwords, OAuth tokens, credentials for Microsoft accounts, and other services and cloud-hosted content. 

Microsoft insists company-owned assets or services were not compromised as part of the campaign.

The threat group targeted network edge devices, including TP-Link and MikroTik routers, opportunistically before it identified sensitive targets of intelligence interest to the Russian government, including people in the military, government and critical infrastructure sectors.

Victims, according to researchers, include government agencies and organizations in the IT, telecom and energy sectors. Lumen identified other victims associated with Afghanistan’s government and others linked to foreign affairs and national law enforcement agencies in North Africa, Central America and Southeast Asia. An unnamed European country’s national identity platform was also impacted, the company said.

Lumen did not find evidence of any compromised U.S. government agencies as part of this campaign, but warned that the activity poses a grave national security threat.

While the full scope of Forest Blizzard’s accomplishments remains under investigation, researchers are confident the bleeding of sensitive information has stopped.

“The campaign has ceased,” Danny Adamitis, distinguished engineer at Black Lotus Labs, told CyberScoop. “We have observed a gradual decline in communications associated with this infrastructure over the past several weeks.”

Lumen said it observed widespread router exploitation and DNS redirection beginning in August, the day after the United Kingdom’s National Cyber Security Centre published a malware analysis report about a tool used to steal Microsoft Office credentials. The U.K.’s NCSC on Tuesday published details about APT28’s DNS hijacking campaign, including indicators of compromise.

The Justice Department and FBI, acting on a court order, remediated compromised routers in the United States after collecting evidence on Forest Blizzard’s activity. The FBI said Russia’s GRU weaponized routers owned by Americans in more than 23 states to steal sensitive government, military and critical infrastructure information.

The post Feds quash widespread Russia-backed espionage network spanning 18,000 devices appeared first on CyberScoop.

European-Chinese geopolitical issues drive renewed cyberespionage campaign

A Chinese cyberespionage group has shifted its gaze back to Europe after years of focusing on other parts of the world, Proofpoint research published Wednesday found.

The surge began in mid-2025, with a bevy of issues bubbling up between China and Europe, the company said. Proofpoint labels the government-linked group TA416, but other companies track it as Twill Typhoon, Mustang Panda or other names.

“This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU,” Proofpoint’s Mark Kelly and Georgi Mladenov wrote. “TA416’s return to European government targeting occurred during heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports, and commenced immediately following the 25th EU–China summit.”

Separately, the same group took up targeting the Middle East in March after the start of the conflict in Iran, something it had never been spotted doing before, Proofpoint found.

“This aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war,” the firm said. “This likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict.”

TA416 was active in Europe in 2022 and 2023, coinciding with the onset of the Ukraine-Russia war, but stepped away from the continent afterward, according to the researchers. Its focus turned to Southeast Asia, Taiwan and Mongolia for a couple of years.

The group’s focus on Europe through early 2026 used a variety of web bug and malware delivery methods, including setting up reconnaissance by dangling lures about Europe sending troops to Greenland. It also included phishing emails about humanitarian concerns, interview requests and collaboration proposals, Proofpoint said.

“During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group’s customized PlugX backdoor via DLL sideloading triads,” the researchers wrote.

Proofpoint’s is not the only report of late about Chinese cyberespionage groups targeting Europe, with another focused on LinkedIn solicitations to NATO and European institutions.

The post European-Chinese geopolitical issues drive renewed cyberespionage campaign appeared first on CyberScoop.

FBI, CISA issue PSA on Russian intelligence campaign to target messaging apps

Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday.

The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).

The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.

The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting users to click a link or provide verification codes or account personal identification numbers.

“After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts,” the PSA explains. “(Note: reporting shows that the threat actors specifically target Signal accounts but can apply similar methods against other CMAs).”

However, “CMA users who strengthen their personal cybersecurity and defend against social engineering attempts can reduce the risk of account compromise and limit the effectiveness of the threat actors’ current tactics, techniques, and procedures,” the agencies said.

The Russian campaign is just the latest to seek to bypass the protections commercial messaging apps offer. CISA in November warned about spyware targeting of messaging apps. 

There sometimes has been a Russian intelligence nexus to the recent targeting. Google Threat Intelligence Group shined a spotlight last year on Russian attempts to target Signal users in Ukraine.

“We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” the company said.

The post FBI, CISA issue PSA on Russian intelligence campaign to target messaging apps appeared first on CyberScoop.

Second iOS exploit kit now in use by suspected Russian hackers

Researchers have discovered a second instance of suspected Russian hackers using iOS exploits, pointing to what they say are several foreboding trends.

iVerify, Lookout and Google collaborated on the research published Wednesday, a follow-up to earlier revelations about a similar exploit kit, Coruna. While the second kit — dubbed DarkSword — also targeted users in Ukraine, the scale is significant: iVerify estimated up to 270 million iPhone users could be susceptible, while Lookout told CyberScoop roughly 15% of all iOS devices currently in use are running iOS 18 or earlier versions and could be vulnerable to the exploit kit.

The research reveals a range of new details, as well as interesting patterns:

  • Whereas Russian and Chinese hackers used Coruna with financial gain in mind, there are signs DarkSword could serve both financial and surveillance purposes, and/or could be used to inflict harm.
  • Lookout observed that someone used a large language model to customize both Coruna and DarkSword.
  • The discovery of DarkSword reinforces earlier concerns about a secondary exploit market, Lookout and iVerify said.
  • DarkSword is the second “mass” iOS campaign discovered this month, with the first known one to be Coruna.
  • Both kits suggest cyberattacks are migrating toward mobile phones as they make up a bigger portion of internet traffic, Rocky Cole, iVerify’s co-founder and chief operating officer, told CyberScoop.
  • Google also found that DarkSword was used against targets in Saudi Arabia, Turkey, and Malaysia.

DarkSword can exfiltrate saved passwords, crypto wallets, text messages and more, researchers found. Attackers are leveraging the exploit kit by first compromising Apple’s WebKit and then using WebGPU as a pivot point for sandbox escapes, according to Justin Albrecht, Lookout’s global director for mobile threat intelligence.

What’s less clear is who, exactly, is behind the exploit kit, other than the links to Russia. Cole said DarkSword is hosted on the same command and control infrastructure as Coruna, but is an entirely separate kit made by entirely separate people. Google has attributed the campaigns to a group it tracks as UNC6353, which it describes as a Russian-backed espionage group, as well as UNC6748 and Turkish commercial surveillance vendor PARS Defense. 

The attackers’ motives are also a bit opaque, mixing what appears to be both espionage and financial objectives. Albrecht noted there is precedent for this: Russian threat groups have targeted cryptocurrency in Ukraine before, notably with Infamous Chisel, an Android exploit kit deployed by Sandworm.

“They’re probably well-funded, probably well-connected, but it’s confirmed that they’re stealing crypto. There is definitely a financial motivation,” Albrecht told CyberScoop. “Now, I think the big question is, depending on who the group is, is the financial motivation in this just to do damage to Ukrainians, or is it to steal crypto?”

Russia has been under heavy sanctions for a long time and is starting to have budget problems due to the ongoing war in Ukraine, he noted. “Why not start to fund their operations with stolen funds? It wouldn’t be outside the norm, although it would be a potential shift in their TTPs for Russian APTs in general,” Albrecht said. 

The kit could be handy for someone trying to do a “pattern of life” analysis, Cole said, and thus useful for surveillance and intelligence purposes.

He said a commercial spyware vendor might have made the kit with no target audience in mind, thus the “Swiss Army knife”-like quality of it. The major concern for Cole is that there’s apparently a growing market for these kinds of tools, and people may be lulled into a false sense of security about iPhones not being vulnerable.

Despite the sophistication of the exploits themselves, the threat actors behind DarkSword may not be particularly experienced, Albrecht said. None of the JavaScript or HTML code was obfuscated in any way, and the server-side component was labeled “Dark sword file receiver” — poor operational security for a seasoned Russian threat actor.

“Your experienced Russian threat actors, your APT29’s of the world, I would expect them to have better OPSEC,” Albrecht said.

One of the more unusual findings in the research is the clear presence of large language model-generated code. The server-side component of DarkSword, for instance, includes telltale signs of AI-generated code, complete with detailed notes and comments characteristic of LLM output. It’s a development that effectively lowers the barrier to entry for deploying advanced mobile exploits, even among state-sponsored actors, Albrecht said.

All three research teams have been in contact with Apple about the findings, according to Albrecht, with Google likely in closest contact since they began investigating the threat in late 2025. In its blog, Google said it reported the vulnerabilities used in DarkSword to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3, although most were patched prior.

CLARIFICATION 3/18/26: Clarified the suspected origins of the DarkSword exploit kit and any links to tools developed for the U.S. government.

The post Second iOS exploit kit now in use by suspected Russian hackers appeared first on CyberScoop.

Trump administration isn’t pushing companies to conduct cyber offense, national cyber director says

National Cyber Director Sean Cairncross said Tuesday that the Trump administration isn’t aspiring to enlist the private sector to conduct offensive cyber operations, but instead to help the government by keeping them abreast of the threats they’re facing.

The recently released national cyber strategy talks about incentivizing companies to disrupt the networks of adversaries.

“I’m not talking about the private sector, industry or companies engaging in a cyber offensive campaign,” Cairncross said at an event hosted by Auburn University’s McCrary Institute. “What I’m talking about are the technical capabilities, the ability of our private sector to illuminate the battlefield from what they’re seeing, to inform and share information so that the USG [U.S. government] can respond to get ahead of things.”

The idea of enabling U.S. companies to undertake disruptive or offensive campaigns against malicious hackers, or to at least aid in U.S. government offensive operations, has regained currency in some GOP circles in recent years. Some companies have shown an interest in doing so, especially if laws are changed to make it more viable.

That trend coincides with growing calls from Trump administration officials — and now the release of the cybersecurity strategy — to go on the offense against hackers, although Cairncross emphasized again that the strategy pillar to “shape adversary behavior” isn’t just about conducting cyber offensive campaigns, but to use other government mechanisms to put pressure on hackers, be they legal or diplomatic.

With private sector help, the government can go about shaping the “risk calculus” of adversaries “in a more agile fashion,” he said.

“There’s an enormous amount of capability on the private sector side, and now we have a spear from the United States government… we are looking for real partnership,” Cairncross said.

One way the U.S. government has sought to bring the fight to cyber adversaries is the FBI’s “joint sequenced operations,” used to degrade their capabilities. Speaking at the same event, the head of the bureau’s cyber division said the private sector was key to those operations as well.

“Every one of the joint sequenced operations that the FBI conducts to remove that capacity and capability that I talked about — from the Russians, from the Chinese, from the Iranians and others — happens because a victim came forward and engaged the FBI,” said Brett Leatherman.

“One takeaway for everybody here is ‘What is your game plan in the event of a breach to engage your local FBI field office?’” he asked. “I would proffer there’s very little liability in doing so, and we’re happy to have conversations with your outside or inside counsel, but there’s a tremendous amount to be gained by doing that.”

The post Trump administration isn’t pushing companies to conduct cyber offense, national cyber director says appeared first on CyberScoop.

Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict

A cyberattack that an Iranian hacking group said it carried out against medical device manufacturer Stryker might mark Tehran’s first significant cyber action since the start of the joint U.S.-Israel conflict.

But even that may have been a happy accident for Iranian hackers in what has been a low buzz of activity during that timeframe, with the attackers striking paydirt by happenstance rather than on purpose.

Cybersecurity firms, threat intelligence trackers and critical infrastructure owners have been fighting to separate the noise about proclaimed attacks out of Iran, and the warnings and threats related to the conflict, from what is actually happening and poses any significant danger.

“Everybody is scrambling right now,” said Alex Orleans, a long-time Iran threat analyst and head of threat intelligence at Sublime Security. Others said the nascent nature of the conflict is making assessments difficult.

“What we see is quite difficult to quantify or characterize about whether there’s been an increase or decrease,” said Saher Naumaan, senior threat researcher at Proofpoint. “I think since we’re only a couple weeks into the conflict, and the regular cadence of Iranian actors isn’t very consistent, necessarily, we don’t have enough data points or enough time to really judge.”

Signs of activity

In the early days of the conflict, there were indications that physical attacks on Iran might have hampered Iranian retaliatory efforts or other cyber activity, as those who would carry out cyberattacks were probably “hiding in bunkers,” Orleans said, and as Iran suffered internet outages.

In recent days, however, the Stryker attack and other indicators suggest that Iranian cyber activity could be heating up.

“For several days following the outbreak of the conflict, there was a noted decrease in cyber threat activity emanating from Iran,” a group of industry information sharing and analysis centers warned Wednesday. “However, there are signs of life in Iranian offensive cyber operations.”

The Stryker attack stands out for both the size and location of the target, a Michigan-based medical device manufacturer with more than $25 billion in revenue in 2025.

But both Orleans and Sergey Shykevich, threat intelligence group manager at Check Point Research, said the attack has the hallmarks of an opportunistic one rather than a deliberate, focused one. The group claiming credit for the attack, Handala — a Ministry of Intelligence-linked outfit — is known more for seizing on weaknesses it happens upon rather than doggedly pursuing particular targets.

Notably, Stryker is also the name of a class of military vehicle used by U.S. forces. That military connection, even if the vehicle was confused with the medical device manufacturer, could possibly explain why the company was a target.

Still, “it was a much higher-profile attack than we expected from Handala,” Shykevich said. “Unfortunately, it’s possible to define it as a relatively big success for them.”

There have been reports of other cyber activity that might be connected to the conflict. Albania said the email system of its parliament had been targeted, with Iranian hackers taking credit. There was the targeting of cameras from Iran-linked infrastructure in countries that Iran then launched missiles into. Poland said it was looking into whether Iran was behind an attempted cyberattack on a nuclear research facility.

Some of the claims don’t match reality. “There are many hacktivist groups that are very active in Telegram, but actually they don’t have any significant successes,” Shykevich said.

There are other cyber-related developments in the conflict, too, like espionage, the proliferation of artificial intelligence-fueled misinformation and the possibility of Russia or China helping out in cyberspace on Iran’s behalf, even if some experts doubt the likelihood of the latter.

How effective any of it has been is still unclear. Stryker, for instance, said the attack mainly affected its internal networks, although there were signs it might be affecting communications at hospitals, too.

But the damage might be beside the point. Orleans said the attacks could be psychological in nature, aimed at producing fear abroad and affirming hackers’ standing with domestic leaders in Iran during the conflict.

Even low-level defacement or distributed denial-of-service attacks can play a role.

“Coming into work and finding an Iranian flag on your workstation would be a little bit disconcerting, because they’re letting you know that, ‘I can reach out and touch you,’” said Sarah Cleveland, senior director of federal strategy at ExtraHop and a former cyber officer in the U.S. Air Force.

Possible follow-up impacts

While primarily known as a medical supply company, Stryker has received sizable contracts with the military for hospital equipment and surgical supplies, for example. It is unclear whether the hackers intended to use Stryker’s military connection to exploit government systems.

The Pentagon has long warned of increased, complex cyberattacks against the defense industrial base, a vast network of companies — with disparate levels of cybersecurity — that the military relies on for everything from advanced weaponry to basic stretchers. The DIB is often seen by adversaries as a backdoor into military systems.

While he did not directly address the Stryker hack, the Army’s principal cyber adviser, Brandon Pugh, outlined some of the challenges to the DIB and the service’s part in trying to protect it during a webinar Thursday in response to a question on the topic.

He said adversaries “right or wrong” see companies “as an extension of the military” and that they believe an attack on private industry would have a secondary impact on the armed forces.

“Some are very large, sophisticated multinational companies,” he said, noting that security needs across the DIB aren’t universal. “Others are very small companies that are lucky to have a director of IT, let alone a sophisticated cyber team, and I think that’s where it’s really important to lean into.”

Pugh said that agencies across the federal government have been working with the DIB to boost its resilience to attacks, and that the Army’s cyber effort emphasizes entrenching cybersecurity from the beginning of the acquisition process.

“Cyber can’t be an afterthought — not saying it is,” Pugh added. “I’d say the Army does a great job here, but making sure it’s never forgotten and is always considered along that way.”

Matt Tait, the CEO and president of MANTECH, said in response to a question about the Stryker attack and DIB protections that defending against such incidents includes leveraging government agreements and access, such as with the NSA, and quickly sharing information following an attack.

“To me, it’s about real time information sharing,” he said. “You need real time information sharing when you’re getting attacked to be able to actually share that information with the rest of industry, as well as with government, because they can actually share that information across” federal cybersecurity entities.

“If you want to do mission focused technology work, this is the world you have to live in, and that you should be sharing this information on a real time basis,” he added. “24 hours later, 48 hours later, I call that ambulance chasing. That’s too far after the fact from a cyber perspective.”

The post Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict appeared first on CyberScoop.

Phobos ransomware leader pleads guilty, faces up to 20 years in prison

Russian national Evgenii Ptitsyn pleaded guilty to running the Phobos ransomware outfit that extorted more than $39 million from more than 1,000 victims globally, the Justice Department said Wednesday.

Ptitsyn assumed a leadership role in the Phobos ransomware group in January 2022, yet his criminal activities began by April 2019, according to court records. He continued leading the cybercrime syndicate until May 2024 when he was arrested in South Korea. Ptitsyn was extradited to the United States in November 2025.

Federal prosecutors dropped multiple charges against Ptitsyn as part of a plea agreement he signed last month. He faces up to 20 years in prison for wire fraud conspiracy.

Ptitsyn agreed to forfeit $1.77 million in assets and is required to pay at least $39.3 million in restitution, representing the full amount of his victims’ losses.

The 43-year-old pleaded guilty to engaging in a global ransomware scheme with co-conspirators beginning in November 2020. Ptitsyn and alleged associates distributed Phobos ransomware to other co-conspirators who broke into victim networks, often with stolen credentials, to steal and encrypt data, which they used to extort victims for payment.

Phobos ransomware administrators operated a site to coordinate the sale and distribution of Phobos ransomware to co-conspirators. Affiliates who successfully attacked victims with the ransomware paid $300 to administrators for a unique decryption key.

Ptitsyn controlled multiple cryptocurrency wallets that received thousands of decryption key fees from affiliates who used Phobos to extort victims. He received 25% of the decryption key payment and sometimes received a portion of ransomware payments. 

“Ptitsyn and others were responsible for dozens of ransomware attacks against U.S. victims, including health care companies, hospitals, educational institutions, and providers of essential services,” federal prosecutors said in a stipulation of facts in his plea agreement. 

Phobos ransomware victims paid a collective amount of $30 million in ransoms, based on the value at the time of payment, according to court records. Victims also suffered losses of at least $9.3 million from Phobos ransomware attacks, including a U.S. educational institution that reported losses exceeding $4 million. 

“Ptitsyn and other members of the Phobos ransomware conspiracy launched ransomware attacks against more than 1,000 victims around the world, including at least 890 victims located in the United States,” prosecutors said.

Officials provided details about 15 unnamed U.S. victims that paid a combined $536,000 in ransoms at the time of payment. Victims included a Maryland-based company that provided accounting and consulting services to federal agencies, an Illinois-based contractor for the Departments of Defense and Energy, and a children’s hospital in North Carolina.

You can read the facts entered into court records as part of Ptitsyn’s plea agreement below.

The post Phobos ransomware leader pleads guilty, faces up to 20 years in prison appeared first on CyberScoop.

Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack

An exploit kit that may have originated from a leaked U.S. government framework is behind what researchers are calling the first mass-scale attack on iOS, the operating system for Apple’s iPhones.

Traces of the exploits, found in the work of Chinese cybercriminals, also have been spotted in Russian attacks on Ukraine and used by a customer of a spyware vendor.

Those conclusions come from two pieces of research that Google Threat Intelligence Group and iVerify released separately Tuesday. Rocky Cole, co-founder of iVerify, said it represented a potential “EternalBlue moment,” with echoes of that exploit software escaping the National Security Agency to fuel the global WannaCry ransomware and NotPetya attacks in 2017.

Google said that the so-called Coruna exploit kit that’s the subject of Tuesday’s research “provides another example of how sophisticated capabilities proliferate,” as it wrote in a blog post about the zero-day — or previously undisclosed and unpatched — exploits.

“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”

Said iVerify: “While iVerify has some evidence that this tool is a leaked U.S. government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”

Just last week, a U.S. court sentenced a former L3Harris executive to prison for selling zero-day exploits to a Russian broker.

Both Google and iVerify connected the exploit kit to Operation Triangulation, which Russian cybersecurity firm Kaspersky said in 2023 had targeted the company and the Russian government attributed to the U.S. government. The NSA declined to comment on that allegation.

An Apple spokesperson didn’t respond to a request for comment Tuesday afternoon. Apple issued multiple patches in response to Operation Triangulation, and worked with Google on the newest research.

Spencer Parker, chief product officer at iVerify, said the attack affected at least 42,000 devices — a “massive number” for iOS, even if it sounds small compared to other platforms. That number has the potential to expand as researchers dive further into the technical details, Cole said.

Other signs point to U.S. development of the exploit kit, Cole said.

“The code base for the framework and the exploits was superb,” he said. “It was elegantly written. It’s fluid and holds together very well. There were comments in the code that, as someone who’s been around the U.S. defense industrial base for years, really are reminiscent of the sort of insider jokes and insider remarks that you might see from a U.S. based coder. Certainly they were native English language speakers.”

Google said it tracked the use of the exploit kit over the course of last year in operations from an unnamed customer of a surveillance vendor to attacks on Ukrainian users from a suspected Russian espionage group, before retrieving the complete exploit kit from a financially motivated group operating out of China.

Apple-focused security researcher Patrick Wardle observed on the social media site X about the Coruna research: “Turns out even lowly cybercriminals were (ab)using 0days to hack Apple devices.”

The post Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack appeared first on CyberScoop.

Chinese group’s ChatGPT use reveals worldwide harassment campaign against critics

A Chinese law enforcement official attempted to use ChatGPT to review the agency’s reports on cyber operations, inadvertently revealing details of a worldwide online campaign to harass and silence China’s critics at home and abroad.

In a new threat report released Wednesday, OpenAI said the activity concerned a single account that regularly used ChatGPT to review and edit reports on “cyber special operations.” That same account also attempted to use ChatGPT to plan a propaganda campaign against Japanese Prime Minister Sanae Takaichi. When the model refused, the actor came back weeks later with prompts indicating the operation had proceeded anyway.

The reports uploaded to ChatGPT “suggested that the threat actors had conducted many other, earlier operations, in a comprehensive effort to suppress dissent and silence critics both online and offline, at home and abroad,” the report said.

While there’s only evidence of a single account used by the agency, OpenAI said the operations targeting Chinese critics described in the report appear “large-scale, resource-intensive and sustained,” consisting of hundreds of human staff, thousands of fake accounts across different social media platforms and the use of local Chinese AI models.

These operations included mass posting and content generation, flooding social media companies with bogus complaints about accounts owned by dissidents, forging documents and in some cases even impersonating U.S. officials for intimidation.

A separate campaign involving a cluster of accounts that “likely originated” in mainland China prompted ChatGPT for information on “U.S. persons, forums and federal building locations.”

The accounts also generated email drafts purportedly from a company called Nimbus Hub Consulting based in Hong Kong, but OpenAI’s report notes that the accounts used VPNs and prompted the model using Simplified Chinese language characters, which is more commonly associated with mainland China.

OpenAI said that, when asked about U.S. entities, ChatGPT also provided “publicly-available” information sources on U.S. federal government office locations, the distribution of federal employees by state, professional forums and job websites in the US economics and finance industries.

The Chinese actors generated English-language emails to U.S. state officials and to business and financial policy analysts, inviting them to join paid consultations and offer strategic advice to the actors’ clients.

These emails would frequently seek to move the conversation to another video conferencing platform, such as WhatsApp, Zoom or Teams. One of the accounts uploaded their hardware specifications and asked for step-by-step, non-technical instructions for installing real-time face-swapping software called FaceFusion.

“The model responded with information that was drawn from FaceFusion’s publicly-available website and documentation,” OpenAI said.

No evidence of automated cyber attacks

The report focused mainly on how cybercriminals and state actors used ChatGPT to support scams and influence operations. OpenAI detailed four covert information operations and three romance-scam operations. In addition to Chinese influence operations, it also reported on propaganda content generated for Rybar, a Russia-aligned online influence group.

OpenAI’s report details how some operators used ChatGPT to automate isolated tasks, like a Cambodian romance scam that blended human and AI operators when communicating with victims. The report did not cite any instances of threat actors using ChatGPT for direct offensive hacking operations. 

AI tools can give both malicious and legitimate actors access to tremendous speed and scale online. Over the past year, Chinese hackers have reportedly used at least one other U.S.-made AI model to conduct heavily automated cyberattacks against businesses and governments.

During a media Q&A, an OpenAI official said they were not aware of any cases in which threat actors used ChatGPT to carry out automated attacks, but added that the company has multiple ongoing investigations that have not concluded.

Much of the observed activity in OpenAI’s report follows a common pattern, detailing threat actors who are still very much in the throes of experimenting with AI technology and learning where it provides the most value in their chain of operations.

Some used it to generate propaganda content around a specific target, or monitor social media platforms, or provide better language translation for phishing lures. But similar to reporting from Google earlier this month, in most cases threat actors are using AI in limited and targeted ways as an amplifier to existing operations.

In some cases, it’s clear that ChatGPT is one of multiple AI tools being used by the threat actor. In the case of the Chinese law enforcement agency, the status reports uploaded to the model on information operations reference the use of locally deployed Chinese AI models like DeepSeek, and it’s likely the group used a different model to prepare for its propaganda campaign against Takaichi.

“Threat activity is seldom limited to one platform; as our report…shows, it is not always limited to one AI model,” the report said. “Rather, threat actors may use different AI models at various points in their operational workflow.”

The post Chinese group’s ChatGPT use reveals worldwide harassment campaign against critics appeared first on CyberScoop.

Google finds state-sponsored hackers use AI at ‘all stages’ of attack cycle

A new report from Google found evidence that state-sponsored hacking groups have leveraged AI tool Gemini at nearly every stage of the cyber attack cycle.

The research underscores how AI tools have matured in their cyber offensive capabilities, even as it doesn’t reveal novel or paradigm-shifting uses of the technology.

John Hultquist, chief analyst at Google’s Threat Intelligence Group, told CyberScoop that many countries still appear to be experimenting with AI tools, determining where they best fit into the attack chain and provide more benefit than friction.

“Nobody’s got everything completely worked out,” Hultquist said. “They’re all trying to figure this out and that goes for attacks on AI, too.”

But the report also reveals that frontier AI models can build speed, scale and sophistication into a myriad of hacking tasks, and state-sponsored hacking groups are taking advantage.

Gemini was a useful, dynamic and convenient tool for many tasks, helping threat actors in a variety of different ways. In nearly all cases, Google’s reporting suggests that state-sponsored actors relied on Gemini as one tool among many, using it for specific purposes such as automating routine processes, conducting research or reconnaissance and experimenting with malware.

One North Korean group used it to synthesize open-source intelligence about job roles and salary information at cybersecurity and defense companies. Another North Korean group consulted it “multiple days a week” for technical support, using it to troubleshoot problems and generate new malware code when they got stuck during an operation. One Iranian APT used Gemini to “significantly augment reconnaissance” techniques against targeted victims. China, Russia, Iran and North Korea all also used Gemini to create fake articles, personas, and other assets for information operations.

“What’s so interesting about this capability is it’s going to have an effect across the entire intrusion cycle,” Hultquist said.

There are no instances of state groups using Gemini to automate large portions of a cyber attack, like the Chinese government-backed campaign identified by Anthropic last year. It suggests threat actors may still be struggling to implement fully or mostly automated hacks using AI.

Hultquist said that some state groups, particularly those focused on espionage, may not find the speed and scale advantages of agentic AI useful if it results in louder, more detectable operations. In fact, while state actors continue to experiment with AI models, he believes on average these developments will help smaller cybercriminal outfits more than state-sponsored hackers.

But that could change in the future. Frontier AI companies like Anthropic and cybersecurity startups like XBOW have already developed models with powerful defensive cybersecurity capabilities in vulnerability scanning, reconnaissance and automation. Foreign governments with similar technology could use those same features for offensive hacking, as Chinese actors did with Claude before being discovered.

In December, the UK AI Security Institute’s inaugural report on frontier AI trends found that AI capabilities are improving rapidly across all tested domains, and particularly in cybersecurity.

And the gap between frontier and free, open-source models is shrinking. According to the institute, open-source AI models can now catch up and provide similar capabilities within 4-8 months of a frontier model release.

“The duration of cyber tasks that AI systems can complete without human direction is also rising steeply, from less than 10 minutes in early 2023 to over an hour by mid-2025,” the institute said in its Frontier AI Trends Report in December.

The post Google finds state-sponsored hackers use AI at ‘all stages’ of attack cycle appeared first on CyberScoop.
