- \n
- The new Battlefield 6 was weaponised to steal cryptocurrency.<\/li>\n
- Authorities dismantled a call centre in Kyiv.<\/li>\n
- Hackers leveraged Ethereum to boost attack resilience.<\/li>\n
- Fake adult sites were caught stealing data.<\/li>\n<\/ul>\n<\/div>\n
Pirated Battlefield 6 used to steal cryptocurrency<\/h2>\n
Researchers at Bitdefender Labs<\/a> uncovered large-scale malicious campaigns piggybacking on the October release of the shooter Battlefield 6. The malware is delivered via fake software for installing pirated versions of the game\u2014\u201crepacks\u201d attributed to popular teams.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-79f5f66ec69079be-10740190046178519-1024x576.png\")
Source: Electronic Arts<\/a>.<\/figcaption><\/figure>\n Attackers rely on social engineering and impersonate well-known groups such as InsaneRamZes and RUNE to deliver booby-trapped installers seeded with stealers.<\/p>\n
The malicious files do not do what they claim; they silently compromise systems on launch. Analysts found several strains:<\/p>\n
- \n
- a rudimentary infostealer that pilfers crypto\u2011wallet data and Discord authentication tokens;<\/li>\n
- software posing as an InsaneRamZes installer\u2014uses advanced techniques such as Windows API hashing while blocking execution of its payload in CIS countries;<\/li>\n
- a fake RUNE repack\u2014deploys a remote\u2011access agent via the regsvr32.exe system utility.<\/li>\n<\/ul>\n
Bitdefender urged users to download software only from official platforms such as Steam or the EA App.<\/p>\n
Authorities dismantled a call centre in Kyiv<\/h2>\n
In Kyiv, police exposed a ring that stole money from EU citizens under the guise of investments in cryptocurrency and shares of \u201cpromising\u201d companies, according to Ukraine\u2019s Cyber Police<\/a>.<\/p>\n
More than 30 victims were identified. During raids, officers conducted 21 searches and seized over $1.4m, more than 5.8m hryvnias and \u20ac17,000 in cash.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-756ba30b643a578f-10740191315665818-1024x768.png\")
Source: Ukraine\u2019s Cyber Police.<\/figcaption><\/figure>\n According to operational data, the ringleader and two accomplices set up a 20\u2011seat call centre in Kyiv. \u201cVIP client managers\u201d cultivated the illusion of successful trading on global exchanges. To that end, the scammers used remote access to install special software on victims\u2019 computers.\u00a0<\/p>\n
Once they received cryptocurrency, the group cashed it out through physical exchangers in Kyiv. They face up to 12 years in prison.<\/p>\n
Hackers used Ethereum to make their attacks more resilient<\/h2>\n
Researchers at Kaspersky discovered<\/a> the Tsundere botnet, which infiltrates Windows machines by masquerading as installers for popular games such as Valorant, CS2 and R6x.<\/p>\n
The malware uses Ethereum smart contracts to orchestrate attacks, greatly increasing the botnet\u2019s resilience. If one command server is blocked, the system automatically switches to backups pre\u2011recorded on the blockchain.<\/p>\n
To do this, the attackers send a 0 ETH transaction, writing a new address into a contract state variable. The bot queries public RPC<\/span> Ethereum endpoints, parses transactions and retrieves the current route.<\/p>\n
The research found a link between Tsundere and a stealer circulated on hacking forums\u2014123 Stealer. They share infrastructure and are affiliated with a user under the nickname koneko.<\/p>\n
Fake adult sites caught stealing data<\/h2>\n
A new campaign dubbed JackFix uses counterfeit adult sites and faux Windows update prompts to mass\u2011deploy infostealers, the Acronis Threat Research Unit reports<\/a>.<\/p>\n
The attackers distribute clones of popular platforms such as Pornhub that, on interaction, open a full\u2011screen window demanding installation of \u201ccritical Windows security updates\u201d.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-3bb6b23c53914948-10740175988065329-1024x615.png\")
Source: Acronis Threat Research Unit.<\/figcaption><\/figure>\n According to analysts, the attack runs entirely within the victim\u2019s browser via HTML and JavaScript, attempting to programmatically block the keys that exit full\u2011screen mode.<\/p>\n
To evade security controls, the hackers use command arrays and special .odd files to stealthily launch malicious processes via the PowerShell interface.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-36d87bd709b5d3ac-10740185608215882-1024x617.png\")
Source: Acronis Threat Research Unit.<\/figcaption><\/figure>\n The script then badgers the user with social\u2011engineering prompts until it gains administrator rights. It adds antivirus exclusions and fetches the final payload from attacker servers. The fake URLs are configured so that direct access redirects researchers to legitimate Google or Steam resources.<\/p>\n
One successful injection can download and execute eight different malware families at once, including the latest stealers and a Remote Access Trojan (RAT).<\/p>\n
If a site enters full\u2011screen mode and locks the interface, the Acronis Threat Research Unit recommends using Esc or F11 to exit. If the problem persists, force\u2011close the browser via Alt+F4 or Task Manager (Ctrl+Shift+Esc).<\/p>\n
Hacker ChatGPT clones are gaining popularity<\/h2>\n
Unofficial LLM<\/span> models WormGPT 4 and KawaiiGPT are broadening attackers\u2019 capabilities, say researchers at Unit 42<\/a>.\u00a0<\/p>\n
They say the AI generates working malicious code, including ransomware scripts and tooling to automate lateral movement inside corporate networks.\u00a0<\/p>\n
WormGPT 4 is a revival of the WormGPT project, shuttered in 2023, and resurfaced in September 2025. It is marketed as a ChatGPT analogue trained specifically for illegal operations. The software sells for $50 a month or $220 for lifetime access.<\/p>\n
In testing, WormGPT 4 successfully generated a Windows PDF encryptor. The script also included an option to exfiltrate information via the Tor network for real\u2011world attacks.<\/p>\n
Experts say the model excels at writing \u201cpersuasive and intimidating\u201d ransom notes, invoking \u201cmilitary\u2011grade encryption\u201d and doubling the ransom after 72 hours.\u00a0<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-ab55d1887d15e361-10740176744512532-1024x584.png\")
Source: Unit 42.<\/figcaption><\/figure>\n According to Unit 42, WormGPT 4 provides \u201ccredible tools for linguistic manipulation\u201d to compromise business correspondence and mount phishing attacks, making complex operations accessible even to beginners.<\/p>\n
Another tool\u2014KawaiiGPT 2.5\u2014was spotted in July and is distributed free. Installing the model on Linux took researchers about five minutes. The LLM generates realistic phishing emails and ready\u2011to\u2011run scripts.<\/p>\n
Although KawaiiGPT did not create a full\u2011fledged \u201cransomware\u201d tool unlike WormGPT 4, the ability to generate scripts for remote command execution makes it a dangerous instrument for data theft.\u00a0<\/p>\n
According to the researchers, both models have hundreds of subscribers in Telegram channels where users exchange experience and workarounds.<\/p>\n
Amazon: cyberattacks are cueing kinetic strikes<\/h2>\n
State\u2011aligned hacking groups have shifted from classic espionage to the tactic of \u201ccyber\u2011enabled kinetic targeting\u201d to directly support military strikes, report<\/a> cybersecurity specialists at Amazon Threat Intelligence (ATI).<\/p>\n
According to ATI, Imperial Kitten allegedly infiltrated navigation systems and cameras on unnamed vessels to collect precise coordinates of maritime targets. The data enabled Houthi forces to conduct a targeted missile strike on a tracked ship on February 1, 2024, the researchers claim.\u00a0<\/p>\n
They called for the adoption of advanced threat modelling to protect physical assets from such attacks. In ATI\u2019s view, operators of critical infrastructure should treat their systems as potential targeting instruments.<\/p>\n
Also on ForkLog:<\/p>\n
- \n
- A malicious Chrome extension targeted<\/a> Solana traders.<\/li>\n
- Hackers stole<\/a> $37m from South Korean exchange Upbit.<\/li>\n
- The Monad network was flooded<\/a> with fake transactions.<\/li>\n
- Expert: quantum computers will break<\/a> Bitcoin policy.<\/li>\n<\/ul>\n
What to read this weekend?<\/h2>\n
How and why does Beijing help authoritarian regimes control the internet? In a new feature, ForkLog sought answers in leaked documents from Chinese technology companies Geedge Networks and KnownSec.<\/p>\n","protected":false},"excerpt":{"rendered":"
We have compiled the week\u2019s most important cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":91562,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"This week\u2019s cybersecurity highlights: game stealers, botnets, scams and AI-driven attacks.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-91561","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"234","promo_type":"1","layout_type":"1","short_excerpt":"This week\u2019s cybersecurity highlights: game stealers, botnets, scams and AI-driven attacks.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/91561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=91561"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/91561\/revisions"}],"predecessor-version":[{"id":91563,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/91561\/revisions\/91563"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/91562"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=91561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=91561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=91561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Hackers stole<\/a> $37m from South Korean exchange Upbit.<\/li>\n
- A malicious Chrome extension targeted<\/a> Solana traders.<\/li>\n