- \n
- North Korean hackers targeted blockchain developers to steal crypto.<\/li>\n
- The FBI dismantled ransomware\u2019s \u2018last refuge\u2019.<\/li>\n
- Hackers breached single sign-on systems to target corporations.<\/li>\n
- CISA\u2019s acting chief sparked a scandal by uploading agency documents to ChatGPT.<\/li>\n<\/ul>\n<\/div>\n
North Korean hackers targeted blockchain developers to steal crypto<\/h2>\n
The North Korean hacking group Konni used AI-generated malware to attack blockchain developers, according to<\/a> Check Point analysts.<\/p>\n
The attackers\u2019 main objective is to gain access to development environments, opening a path to API<\/span> credentials, infrastructure and, ultimately, company crypto wallets.<\/p>\n
Experts say the attack starts on Discord, where the victim receives a link to a ZIP archive. Inside are a PDF lure and a malicious LNK file. Launching the shortcut kicks off a complex chain:<\/p>\n
- \n
- A PowerShell loader starts and opens a DOCX document to distract the user.<\/li>\n
- In the background, a CAB archive is extracted with a backdoor, batch (BAT) files, and a tool to bypass user account control.<\/li>\n
- An hourly task is created in the scheduler disguised as a OneDrive process, which runs an encrypted script directly in memory and wipes traces after execution.<\/li>\n<\/ol>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-8453e273cf50b3d2-5023548041581332-1024x413.png\")
Infection chain. Source: Check Point.<\/figcaption><\/figure>\n Analysts concluded the malicious script was created with a LLM<\/span>. Several factors point to this:<\/p>\n
- \n
- an unusual structure. Clear documentation at the start of the code and a neat, modular layout rarely seen in \u201chand-made\u201d malware;<\/li>\n
- telling comments. The code contains the line # < \u2014 \u2014 your permanent project UUID (your permanent project UUID).<\/li>\n<\/ul>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-458c4e0be1a3fbda-5023548131317219-1024x341.png\")
Source: Check Point.<\/figcaption><\/figure>\n Researchers linked the campaign to Konni based on similarities in loader formats and file names used in previous operations.<\/p>\n
Active since 2014, the group has typically targeted South Korea, Russia and Europe. The new campaign focuses on three Asia-Pacific countries: India, Japan and Australia.<\/p>\n
The FBI dismantled ransomware\u2019s \u2018last refuge\u2019<\/h2>\n
The FBI, in coordination with the US Department of Justice, seized the popular cyber-extortion forum RAMP, BleepingComputer<\/a> reports.<\/p>\n
RAMP styled itself as the \u201clast refuge\u201d for ransomware operators, attracting numerous groups that used the forum to recruit affiliates and to buy and sell access to corporate networks.<\/p>\n
Though there has been no official statement yet, the domain\u2019s DNS servers were switched to those the FBI typically uses in seizures:<\/p>\n
- \n
- ns1.fbi.seized.gov;<\/li>\n
- ns2.fbi.seized.gov.<\/li>\n<\/ul>\n
An administrator known as Stallman confirmed the development, acknowledging that years of his work were wiped out.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-18061c40a9b8c186-5023548128779373-1024x296.png\")
Screenshot of the XSS hacker forum. Source: BleepingComputer.<\/figcaption><\/figure>\n According to the outlet, law enforcement obtained a vast trove of confidential data: users\u2019 IP addresses, private messages and mailboxes. For forum participants who failed to maintain strict anonymity, this poses a direct risk of de-anonymisation and arrest.<\/p>\n
The platform emerged in 2021 after other hacker portals such as Exploit and XSS banned ransomware advertising. The resource is run by<\/a> hacker Mikhail Matveev, known as Orange.<\/p>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-bd5259c074c088ff-5023548166794355-1024x766.png\")
Source: FBI<\/a>.<\/figcaption><\/figure>\n In 2023, the US Department of Justice charged Matveev with involvement in developing the Babuk, LockBit and Hive malware. He was added to the FBI\u2019s most-wanted cybercriminals list, and in November 2024 he was arrested<\/a> in Kaliningrad.<\/p>\n
Hackers breached single sign-on systems to target corporations<\/h2>\n
The ShinyHunters group launched a large wave of vishing<\/span> attacks aimed at single sign-on (SSO) systems from Okta, Microsoft and Google, the hackers told BleepingComputer<\/a>.<\/p>\n
The attackers use advanced social engineering: they call employees posing as support and convince them to enter logins and codes on spoofed sites.<\/p>\n
An Okta<\/a> report confirmed the use of sophisticated phishing kits. These tools include a web control panel that lets the hacker change site content in real time while talking to the victim by phone:<\/p>\n
- \n
- if the attacker needs a code when entering the stolen credentials, a matching field instantly appears on the victim\u2019s screen;<\/li>\n
- if push approval is required, the phishing site displays instructions on how to approve it.<\/li>\n<\/ul>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-40470f8ad17971cf-5023548063624436-1024x354.png\")
Hackers\u2019 rapid-response toolkit. Source: Okta.<\/figcaption><\/figure>\n Compromising a single SSO account can give criminals access to an entire corporate ecosystem, including Google Workspace, Slack and Microsoft 365. To prepare their attacks, ShinyHunters use data from earlier breaches\u2014names, roles and phone numbers\u2014making their calls highly convincing.<\/p>\n
The group also relaunched its leak site, posting data on breaches at SoundCloud, Betterment and Crunchbase. The companies\u2019 representatives confirmed the incidents.<\/p>\n
CISA chief sparks furor by uploading agency documents to ChatGPT<\/h2>\n
Acting director of the US Cybersecurity and Infrastructure Security Agency (CISA) Madhu Gottumukkala became the subject of an internal probe after uploading sensitive agency contract documents to ChatGPT, Politico<\/a> reports.<\/p>\n
Most CISA staff are blocked from accessing the chatbot, but Gottumukkala sought special permission to use OpenAI\u2019s product instead of approved secure tools.<\/p>\n
According to media reports, the federal network security system issued several data-leak warnings. While the uploaded information was not classified, it was marked \u201cfor official use only.\u201d The data can now be used by the model to answer users, putting the confidentiality of government contracts at risk.<\/p>\n
Gottumukkala could face discipline ranging from a formal reprimand to loss of clearance for classified information.<\/p>\n
Cyberattack on Poland\u2019s power sector: new details<\/h2>\n
In late December, Poland\u2019s energy infrastructure was hit by a coordinated attack targeting distributed energy facilities across the country. The strikes affected thermal power plants as well as wind and solar control systems, Reuters<\/a> reports.<\/p>\n
Although the attackers breached operating systems and damaged \u201ckey equipment beyond repair,\u201d they failed to interrupt electricity supply. The total capacity of affected assets was 1.2 GW, equivalent to 5% of Poland\u2019s power supply.<\/p>\n
Officially, 12 facilities were hit. However, cybersecurity firm Dragos<\/a> said the real number was as high as 30.<\/p>\n
Researchers \u201cwith moderate confidence\u201d attributed the attack to the Russian hacking group Electrum. Though its activity overlaps with the well-known Sandworm (APT44), the team classified it as a separate cluster.<\/p>\n
Electrum had previously been linked to attacks on Ukrainian networks using the Caddywiper and Industroyer2 malware. In Poland, the hackers deployed a new wiper<\/span>\u2014DynoWiper.<\/p>\n
According to Dragos, the attackers demonstrated deep knowledge of industrial equipment. They deliberately targeted:<\/p>\n
- \n
- vulnerable dispatching and communications systems;<\/li>\n
- remote terminals and border network devices;<\/li>\n
- Windows-based monitoring and control systems.<\/li>\n<\/ul>\n
![\"image\"](\"https:\/\/forklog.com\/wp-content\/uploads\/img-1ac55211565faeb2-5023548172289449-1024x533.png\")
Diagram of a renewable energy system\u2019s infrastructure. Source: Dragos.<\/figcaption><\/figure>\n The hackers successfully disabled communications equipment at several sites, depriving operators of remote control, though generation continued in autonomous mode.<\/p>\n
Experts believe the shutdowns did not trigger a blackout. However, a sudden 1.2 GW drop could have caused a critical frequency deviation. Similar fluctuations have led to cascading failures in other countries, including the large-scale collapse of the Iberian power system<\/a> in 2025.<\/p>\n
Also on ForkLog:<\/p>\n
- \n
- The US Department of Justice seized<\/a> $400 million from the Helix bitcoin mixer.<\/li>\n
- Hackers stole<\/a> $2.9 billion in crypto in 2025.<\/li>\n
- Critical vulnerabilities were found<\/a> in the Clawdbot AI agent.<\/li>\n
- Boasting on Telegram helped<\/a> uncover the theft of $40 million from the US government.<\/li>\n
- ZachXBT accused<\/a> Circle of inaction after the $16.8 million SwapNet hack.<\/li>\n<\/ul>\n
What to read this weekend?<\/h2>\n
Vasily Smirnov unpacks the UN\u2019s Hanoi Convention on cybercrime. In his new piece, he explores how signatory countries might apply it.<\/p>\n","protected":false},"excerpt":{"rendered":"
We gathered the most important cybersecurity news of the week.<\/p>\n","protected":false},"author":1,"featured_media":93768,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"This week\u2019s key cybersecurity stories.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-93767","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"218","promo_type":"1","layout_type":"1","short_excerpt":"This week\u2019s key cybersecurity stories.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/93767","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=93767"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/93767\/revisions"}],"predecessor-version":[{"id":93769,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/93767\/revisions\/93769"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/93768"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=93767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=93767"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=93767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Hackers stole<\/a> $2.9 billion in crypto in 2025.<\/li>\n
- The US Department of Justice seized<\/a> $400 million from the Helix bitcoin mixer.<\/li>\n