Pirated Battlefield 6 used to steal crypto, Kyiv call-centre takedown and other cybersecurity news

This week’s cybersecurity highlights: game stealers, botnets, scams and AI-driven attacks.

We have compiled the week’s most important cybersecurity news.

Pirated Battlefield 6 used to steal cryptocurrency

Researchers at Bitdefender Labs uncovered large-scale malicious campaigns piggybacking on the October release of the shooter Battlefield 6. The malware is delivered via fake software for installing pirated versions of the game—“repacks” attributed to popular teams.

Attackers rely on social engineering and impersonate well-known groups such as InsaneRamZes and RUNE to deliver booby-trapped installers seeded with stealers.

The malicious files do not do what they claim; they silently compromise systems on launch. Analysts found several strains:

• a rudimentary infostealer that pilfers crypto‑wallet data and Discord authentication tokens;
• software posing as an InsaneRamZes installer—uses advanced techniques such as Windows API hashing while blocking execution of its payload in CIS countries;
• a fake RUNE repack—deploys a remote‑access agent via the regsvr32.exe system utility.

Bitdefender urged users to download software only from official platforms such as Steam or the EA App.

Authorities dismantled a call centre in Kyiv

In Kyiv, police exposed a ring that stole money from EU citizens under the guise of investments in cryptocurrency and shares of “promising” companies, according to Ukraine’s Cyber Police.

More than 30 victims were identified. During raids, officers conducted 21 searches and seized over $1.4m, more than 5.8m hryvnias and €17,000 in cash.

According to operational data, the ringleader and two accomplices set up a 20‑seat call centre in Kyiv. “VIP client managers” cultivated the illusion of successful trading on global exchanges. To that end, the scammers used remote access to install special software on victims’ computers. 

Once they received cryptocurrency, the group cashed it out through physical exchangers in Kyiv. They face up to 12 years in prison.

Hackers used Ethereum to make their attacks more resilient

Researchers at Kaspersky discovered the Tsundere botnet, which infiltrates Windows machines by masquerading as installers for popular games such as Valorant, CS2 and R6x.

The malware uses Ethereum smart contracts to orchestrate attacks, greatly increasing the botnet’s resilience. If one command server is blocked, the system automatically switches to backups pre‑recorded on the blockchain.

To do this, the attackers send a 0 ETH transaction, writing a new address into a contract state variable. The bot queries public RPC Ethereum endpoints, parses transactions and retrieves the current route.

The research found a link between Tsundere and a stealer circulated on hacking forums—123 Stealer. They share infrastructure and are affiliated with a user under the nickname koneko.

Fake adult sites caught stealing data

A new campaign dubbed JackFix uses counterfeit adult sites and faux Windows update prompts to mass‑deploy infostealers, the Acronis Threat Research Unit reports.

The attackers distribute clones of popular platforms such as Pornhub that, on interaction, open a full‑screen window demanding installation of “critical Windows security updates”.

According to analysts, the attack runs entirely within the victim’s browser via HTML and JavaScript, attempting to programmatically block the keys that exit full‑screen mode.

To evade security controls, the hackers use command arrays and special .odd files to stealthily launch malicious processes via the PowerShell interface.

The script then badgers the user with social‑engineering prompts until it gains administrator rights. It adds antivirus exclusions and fetches the final payload from attacker servers. The fake URLs are configured so that direct access redirects researchers to legitimate Google or Steam resources.

One successful injection can download and execute eight different malware families at once, including the latest stealers and a Remote Access Trojan (RAT).

If a site enters full‑screen mode and locks the interface, the Acronis Threat Research Unit recommends using Esc or F11 to exit. If the problem persists, force‑close the browser via Alt+F4 or Task Manager (Ctrl+Shift+Esc).

Hacker ChatGPT clones are gaining popularity

Unofficial LLM models WormGPT 4 and KawaiiGPT are broadening attackers’ capabilities, say researchers at Unit 42. 

They say the AI generates working malicious code, including ransomware scripts and tooling to automate lateral movement inside corporate networks. 

WormGPT 4 is a revival of the WormGPT project, shuttered in 2023, and resurfaced in September 2025. It is marketed as a ChatGPT analogue trained specifically for illegal operations. The software sells for $50 a month or $220 for lifetime access.

In testing, WormGPT 4 successfully generated a Windows PDF encryptor. The script also included an option to exfiltrate information via the Tor network for real‑world attacks.

Experts say the model excels at writing “persuasive and intimidating” ransom notes, invoking “military‑grade encryption” and doubling the ransom after 72 hours. 

According to Unit 42, WormGPT 4 provides “credible tools for linguistic manipulation” to compromise business correspondence and mount phishing attacks, making complex operations accessible even to beginners.

Another tool—KawaiiGPT 2.5—was spotted in July and is distributed free. Installing the model on Linux took researchers about five minutes. The LLM generates realistic phishing emails and ready‑to‑run scripts.

Although KawaiiGPT did not create a full‑fledged “ransomware” tool unlike WormGPT 4, the ability to generate scripts for remote command execution makes it a dangerous instrument for data theft. 

According to the researchers, both models have hundreds of subscribers in Telegram channels where users exchange experience and workarounds.

Amazon: cyberattacks are cueing kinetic strikes

State‑aligned hacking groups have shifted from classic espionage to the tactic of “cyber‑enabled kinetic targeting” to directly support military strikes, report cybersecurity specialists at Amazon Threat Intelligence (ATI).

According to ATI, Imperial Kitten allegedly infiltrated navigation systems and cameras on unnamed vessels to collect precise coordinates of maritime targets. The data enabled Houthi forces to conduct a targeted missile strike on a tracked ship on February 1, 2024, the researchers claim. 

They called for the adoption of advanced threat modelling to protect physical assets from such attacks. In ATI’s view, operators of critical infrastructure should treat their systems as potential targeting instruments.

Also on ForkLog:

• A malicious Chrome extension targeted Solana traders.
• Hackers stole $37m from South Korean exchange Upbit.
• The Monad network was flooded with fake transactions.
• Expert: quantum computers will break Bitcoin policy.

What to read this weekend?

How and why does Beijing help authoritarian regimes control the internet? In a new feature, ForkLog sought answers in leaked documents from Chinese technology companies Geedge Networks and KnownSec.