{"id":24408,"date":"2025-05-31T07:00:00","date_gmt":"2025-05-31T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/ai-installers-demand-monero-trickbots-leader-unmasked-and-other-cybersecurity-news\/"},"modified":"2025-05-31T07:00:00","modified_gmt":"2025-05-31T04:00:00","slug":"ai-installers-demand-monero-trickbots-leader-unmasked-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/ai-installers-demand-monero-trickbots-leader-unmasked-and-other-cybersecurity-news\/","title":{"rendered":"AI installers demand Monero, Trickbot\u2019s leader unmasked, and other cybersecurity news"},"content":{"rendered":"<p>We have compiled the week\u2019s key cybersecurity stories.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Dark Partners hackers were tied to a network of fake crypto wallets and trading apps.<\/li>\n<li>Trickbot\u2019s leader was unmasked in Germany.<\/li>\n<li>A fake AI tool demanded $50,000 in Monero.<\/li>\n<li>A new service claimed it can locate where YouTube commenters live.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Dark Partners linked to a network of fake crypto wallets and trading apps<\/strong><\/h2>\n<p>Researcher g0njxa detailed Dark Partners, a group engaged in large-scale theft of digital assets.<\/p>\n<p>The hackers run numerous sites that distribute stealers disguised as AI services, VPNs and crypto software. 
Among the latter are fake builds of TradingView, MetaTrader 5, Ledger, Exodus, Koinly, AAVE and Unusual Whales.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Read about an ongoing malware campaign delivering &#8220;PayDay Loader&#8221; to Windows users and Poseidon Stealer to MacOS individuals on fake AI and software websites<\/p>\n<p>A bit of malware analysis and threat hunting, thanks to <a href=\"https:\/\/twitter.com\/anyrun_app?ref_src=twsrc%5Etfw\">@anyrun_app<\/a> <a href=\"https:\/\/twitter.com\/urlscanio?ref_src=twsrc%5Etfw\">@urlscanio<\/a><\/p>\n<p><a href=\"https:\/\/t.co\/5DqX3NMQQl\">https:\/\/t.co\/5DqX3NMQQl<\/a><\/p>\n<p>\u2014 Who said what? (@g0njxa) <a href=\"https:\/\/twitter.com\/g0njxa\/status\/1927003236294066635?ref_src=twsrc%5Etfw\">May 26, 2025<\/a><\/p><\/blockquote>\n<p>The malware scans victims\u2019 devices for previously installed wallets \u2014 Electrum, Coinomi, Exodus, Atomic Wallet, Wasabi, Ledger Live, MetaMask and others. The hackers also collect host information, credentials, private keys and cookies for resale.<\/p>\n<p>g0njxa suggested Dark Partners use purchased code-signing certificates for Windows malware builds.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Trickbot\u2019s leader unmasked in Germany<\/strong><\/h2>\n<p>Germany\u2019s Federal Criminal Police Office (BKA) <a href=\"https:\/\/www.bka.de\/DE\/IhreSicherheit\/Fahndungen\/Personen\/BekanntePersonen\/Endgame_2\/KVN\/Sachverhalt.html\">identified<\/a> the leader of the Trickbot and Conti hacking groups, known as \u201cStern\u201d, as 36-year-old Russian national Vitaliy Kovalev. 
He was put on a wanted list on charges of forming a criminal organisation and is believed to be hiding in Russia.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXf2vKXoHfS6L4jVFInkTST5ci33k93fjw3T-0NADjWlV3dL3IZsIN7vePo6boGKpKC7UWEKYvCxQDp0pJzfHJUDaRyLsbDhsrbIF-LiM3sKGdpafiOKRx-_WRYM-aZyZOUalUc4-Q?key=hgMvAkoUheSs-RCUJDc3WQ\" alt=\"AI installers demand Monero, Trickbot\u2019s leader unmasked, and other cybersecurity news\"\/><figcaption class=\"wp-element-caption\">Vitaliy Kovalev. Source: <a href=\"https:\/\/www.secretservice.gov\/investigations\/mostwanted\/kovalev\">U.S. Secret Service<\/a>.<\/figcaption><\/figure>\n<p>In February 2023, Kovalev was one of seven individuals sanctioned by the United States for links to TrickBot and Conti. He was described at the time as a senior figure in the groups.<\/p>\n<p>According to the BKA, Trickbot had more than 100 members. In total it is responsible for infecting several hundred thousand systems worldwide, causing damage worth hundreds of millions of dollars.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Fake AI installers demand $50,000 in Monero<\/strong><\/h2>\n<p>Cisco Talos researchers <a href=\"https:\/\/blog.talosintelligence.com\/fake-ai-tool-installers\/\">found<\/a> that malware is being distributed under the guise of legitimate AI-tool installers: the CyberLock and Lucky_Gh0$t ransomware, as well as the Numero wiper.<\/p>\n<p>CyberLock\u2019s operators claim they have full access to confidential business documents, personal files and databases. 
They demand $50,000 in Monero for a decryption key, pledging to direct the sum to humanitarian aid in various countries.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXd263YHM6Nw7z80J0fd3iISM6FPqFLk-b2OlZdf7WC5iS1rk9JjG2fY9W7hcSmfkDzbjBNTaQ35SK5BIaY8JAxMHnXWp4YGEOHDOCW8j7LphrnKeJn4Tm2RaskOwZmHsXcnOf2g?key=hgMvAkoUheSs-RCUJDc3WQ\" alt=\"AI installers demand Monero, Trickbot\u2019s leader unmasked, and other cybersecurity news\"\/><figcaption class=\"wp-element-caption\">CyberLock ransom note. Source: Cisco Talos.<\/figcaption><\/figure>\n<p>They threaten to publish data if payment is not made within three days. However, analysts found no evidence of data\u2011exfiltration functionality in the ransomware\u2019s code.<\/p>\n<p>Lucky_Gh0$t follows a similar playbook. Numero, meanwhile, manipulates the <span data-descr=\"graphical user interface\" class=\"old_tooltip\">GUI<\/span> \u2014 overwriting window and button content with numeric sequences, rendering the operating system unusable.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Netherlands links AVCheck admins to cryptor services<\/strong><\/h2>\n<p>Dutch police, with support from U.S. counterparts, <a href=\"https:\/\/www.politie.nl\/nieuws\/2025\/mei\/30\/11-sleuteldienst-voor-ontwikkelaars-van-malware-onderuitgehaald.html\">took down<\/a> the AVCheck service, used by cybercriminals to assess how stealthy their malware is against commercial antivirus tools.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXdgC5gNj3U8L-qzW3fYoDwBo_7JOQgSuVC5hVHlfXCM1dP_pJ2FJJ0k0peEVGwoRKzfZvCY-W-sxVDAjXLoXlsreSFUrnezWCtBoHZr2Yu75d0uiAeNL34j0v5WvyVq67XpFAUS?key=hgMvAkoUheSs-RCUJDc3WQ\" alt=\"AI installers demand Monero, Trickbot\u2019s leader unmasked, and other cybersecurity news\"\/><figcaption class=\"wp-element-caption\">Domain seizure notice. 
Source: Bleeping Computer.<\/figcaption><\/figure>\n<p>Investigators also linked the site\u2019s administrators to the cryptor services Cryptor.biz and Crypt.guru. The former\u2019s domain was seized; the latter is offline.<\/p>\n<p>Such services help malware operators encrypt or obfuscate payloads, making them part of the same ecosystem.<\/p>\n<p>Undercover agents posing as customers helped shutter the services.<\/p>\n<h2 class=\"wp-block-heading\"><strong>New tool claims it can locate YouTube commenters\u2019 homes<\/strong><\/h2>\n<p>A service called YouTube-Tools has appeared online. It can find all of a user\u2019s comments on the platform and, using AI, compile a profile with a presumed home location, languages, interests and political views, according to <a href=\"https:\/\/www.404media.co\/developer-builds-tool-that-scrapes-youtube-comments-uses-ai-to-predict-where-users-live\/\">404 Media<\/a>.<\/p>\n<p>The tool was initially created to study League of Legends usernames, but its capabilities expanded after switching to a modified <span data-descr=\"large language model\" class=\"old_tooltip\">LLM<\/span> from Mistral.<\/p>\n<p>According to the developer, YouTube-Tools is intended for law enforcement. In practice, anyone can access it after registration for about $20 a month.<\/p>\n<p>Experts warned the tool could pose a serious privacy risk.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Britain announces cyber force overhaul<\/strong><\/h2>\n<p>UK Defence Secretary John Healey outlined government plans to create a cyber command to defend the country from hacker attacks and to help the military organise such operations themselves, the <a href=\"https:\/\/www.bbc.com\/russian\/articles\/c5yqd4kypzdo\">BBC<\/a> reported.<\/p>\n<p>The new structure will modernise targeting and coordination systems for army units using AI technologies. 
The budget is \u00a31 billion ($1.3 billion).<\/p>\n<p>The cyber command will also play a leading role in electronic warfare, intercepting enemy communications and jamming drones.<\/p>\n<p>Over the past two years, UK authorities have faced roughly 90,000 cyberattacks by foreign intelligence services, mainly from Russia and China.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>An Euler user lost $500,000 due to a <a href=\"https:\/\/forklog.com\/en\/news\/euler-user-loses-500000-due-to-temporary-deusd-spike-on-avalanche\">temporary deUSD spike<\/a> on Avalanche.<\/li>\n<li>Analysts revealed the <a href=\"https:\/\/forklog.com\/en\/news\/analysts-uncover-cause-of-cetus-hack\">cause of the Cetus hack<\/a>, and the team unveiled a <a href=\"https:\/\/forklog.com\/en\/news\/cetus-team-unveils-recovery-plan\">recovery plan<\/a> approved by <a href=\"https:\/\/forklog.com\/en\/news\/sui-validators-approve-plan-to-restore-162-million-to-cetus-users\">validators<\/a>.<\/li>\n<li>A trust attack: how fake Ledger Live software steals crypto \u2014 and <a href=\"https:\/\/forklog.com\/en\/news\/trust-under-siege-the-threat-of-fake-ledger-live-software-and-how-to-protect-your-cryptocurrency\">what to do about it<\/a>.<\/li>\n<li>Three countries made <a href=\"https:\/\/forklog.com\/en\/news\/arrests-made-in-three-countries-over-bitcoin-extortion-allegations\">arrests<\/a> of suspects in Bitcoin extortion.<\/li>\n<li>A hacker <a href=\"https:\/\/forklog.com\/en\/news\/hacker-extracts-12-million-from-cork-protocol\">drained $12 million<\/a> from Cork Protocol.<\/li>\n<li>Michael Saylor came out <a href=\"https:\/\/forklog.com\/en\/news\/michael-saylor-criticizes-proof-of-reserves\">against Proof-of-Reserves<\/a>.<\/li>\n<li>Hackers <a href=\"https:\/\/forklog.com\/en\/news\/hackers-leak-solana-co-founders-data-on-migos-instagram\">posted data<\/a> of a Solana co-founder to the Migos group\u2019s Instagram account.<\/li>\n<li>A crypto investor lost $2.6 million 
to a <a href=\"https:\/\/forklog.com\/en\/news\/crypto-investor-loses-2-6-million-in-zero-transfer-scam\">\u2018zero-transfer\u2019<\/a> scam.<\/li>\n<li>The market capitalisation of <a href=\"https:\/\/forklog.com\/en\/news\/market-capitalisation-of-privacy-coins-surpasses-10-billion-as-xmr-and-zec-continue-to-rise\">privacy coins<\/a> topped $10 billion. XMR and ZEC continued to rise.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to read this weekend?<\/strong><\/h2>\n<p>We examine the loopholes that Ethereum\u2019s account abstraction has opened up for cybercriminals.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have compiled the week\u2019s key cybersecurity stories. Dark Partners hackers were tied to a network of fake crypto wallets and trading apps. Trickbot\u2019s leader was unmasked in Germany. A fake AI tool demanded $50,000 in Monero. A new service claimed it can locate where YouTube commenters live. Dark Partners linked to a network of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":24407,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-24408","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"200","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/24408","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-j
son\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=24408"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/24408\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/24407"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=24408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=24408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=24408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}