Congratulations!

[Valid RSS] This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: http://feeds.feedburner.com/krebsonsecurity/TEjH

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>

<channel>
<title>Krebs on Security</title>
<atom:link href="https://krebsonsecurity.com/feed/" rel="self" type="application/rss+xml" />
<link>https://krebsonsecurity.com</link>
<description>In-depth security news and investigation</description>
<lastBuildDate>Tue, 16 Sep 2025 17:10:02 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.2.2</generator>
<item>
<title>Self-Replicating Worm Hits 180+ Software Packages</title>
<link>https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/</link>
<comments>https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 16 Sep 2025 14:08:02 +0000</pubDate>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[Aikido]]></category>
<category><![CDATA[Ashish Kurmi]]></category>
<category><![CDATA[Charlie Eriksen]]></category>
<category><![CDATA[GitHub]]></category>
<category><![CDATA[International Computer Science Institute]]></category>
<category><![CDATA[Nicholas Weaver]]></category>
<category><![CDATA[NPM]]></category>
<category><![CDATA[Shai-Hulud worm]]></category>
<category><![CDATA[StepSecurity]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72190</guid>

<description><![CDATA[At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.]]></description>
<content:encoded><![CDATA[<p>At least 187 code packages made available through the JavaScript repository <strong>NPM</strong> have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on <strong>GitHub</strong>, experts warn. The malware, which briefly infected multiple code packages from the security vendor <strong>CrowdStrike</strong>, steals and publishes even more credentials every time an infected package is installed.</p>
<div id="attachment_72194" style="width: 714px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72194" decoding="async" class=" wp-image-72194" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud.png" alt="" width="704" height="619" /><p id="caption-attachment-72194" class="wp-caption-text">Image: https://en.wikipedia.org/wiki/Sandworm_(Dune)</p></div>
<p>The novel malware strain is being dubbed <strong>Shai-Hulud</strong> &#8212; after the name for the giant sandworms in Frank Herbert&#8217;s <em>Dune</em> novel series &#8212; because it publishes any stolen credentials in a new public GitHub repository that includes the name &#8220;Shai-Hulud.&#8221;</p>
<p>&#8220;When a developer installs a compromised package, the malware will look for an npm token in the environment,&#8221; said <strong>Charlie Eriksen</strong>, a researcher for the Belgian security firm <a href="https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again" target="_blank" rel="noopener">Aikido</a>. &#8220;If it finds it, it will modify the 20 most popular packages that the npm token has access to, copying itself into the package, and publishing a new version.&#8221;</p>
<p>At the center of this developing maelstrom are code libraries available on <a href="https://www.npmjs.com/" target="_blank" rel="noopener"><strong>NPM</strong></a> (short for “Node Package Manager”), which acts as a central hub for JavaScript development and provides the latest updates to widely-used JavaScript components.</p>
<p>The Shai-Hulud worm emerged just days after unknown attackers <a href="https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/" target="_blank" rel="noopener">launched a broad phishing campaign</a> that spoofed NPM and asked developers to &#8220;update&#8221; their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments.</p>
<div id="attachment_72195" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72195" decoding="async" loading="lazy" class=" wp-image-72195" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud-packages.png" alt="" width="749" height="440" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud-packages.png 961w, https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud-packages-768x451.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud-packages-782x459.png 782w" sizes="(max-width: 749px) 100vw, 749px" /><p id="caption-attachment-72195" class="wp-caption-text">Image: aikido.dev</p></div>
<p>In late August, another compromise of an NPM developer resulted in malware being added to &#8220;<strong>nx</strong>,&#8221; an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.</p>
<p>Last month&#8217;s attack on nx did not self-propagate like a worm, but this Shai-Hulud malware does and bundles reconnaissance tools to assist in its spread. Namely, it uses the open-source tool <a href="https://github.com/trufflesecurity/trufflehog" target="_blank" rel="noopener">TruffleHog</a> to search for exposed credentials and access tokens on the developer&#8217;s machine. It then attempts to create new GitHub actions and publish any stolen secrets.</p>
<p>&#8220;Once the first person got compromised, there was no stopping it,&#8221; Aikido&#8217;s Eriksen told KrebsOnSecurity. He said the first NPM package compromised by this worm appears to have been altered on Sept. 14, around 17:58 UTC.</p>
<p>The security-focused code development platform <strong>socket.dev</strong> <a href="https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages" target="_blank" rel="noopener">reports</a> the Shai-Hulud attack briefly compromised at least 25 NPM code packages managed by CrowdStrike. Socket.dev said the affected packages were quickly removed by the NPM registry.</p>
<p>In a written statement shared with KrebsOnSecurity, CrowdStrike said that after detecting several malicious packages in the public NPM registry, the company swiftly removed them and rotated its keys in public registries.</p>
<p>&#8220;These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected,&#8221; the statement reads, referring to the company&#8217;s widely-used endpoint threat detection service. &#8220;We are working with NPM and conducting a thorough investigation.&#8221;<span id="more-72190"></span></p>
<p>A <a href="https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised" target="_blank" rel="noopener">writeup on the attack</a> from <strong>StepSecurity</strong> found that for cloud-specific operations, the malware enumerates AWS, Azure and Google Cloud Platform secrets. It also found the entire attack design assumes the victim is working in a Linux or macOS environment, and that it deliberately skips Windows systems.</p>
<p>StepSecurity said Shai-Hulud spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim&#8217;s account.</p>
<p>&#8220;This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,&#8221; StepSecurity&#8217;s <strong>Ashish Kurmi</strong> wrote.</p>
<p>Eriksen said Shai-Hulud is still propagating, although its spread seems to have waned in recent hours.</p>
<p>&#8220;I still see package versions popping up once in a while, but no new packages have been compromised in the last ~6 hours,&#8221; Eriksen said. &#8220;But that could change now as the east coast starts working. I would think of this attack as a &#8216;living&#8217; thing almost, like a virus. Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there&#8217;s a super-spreader attack.&#8221;</p>
<p>For now, it appears that the web address the attackers were using to exfiltrate collected data was disabled due to rate limits, Eriksen said.</p>
<p><strong>Nicholas Weaver</strong> is a researcher with the <strong>International Computer Science Institute</strong>, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm &#8220;a supply chain attack that conducts a supply chain attack.&#8221; Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.</p>
<p>&#8220;Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,&#8221; Weaver said. &#8220;Allowing purely automated processes to update the published packages is now a proven recipe for disaster.&#8221;</p>
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/feed/</wfw:commentRss>
<slash:comments>11</slash:comments>
</item>
<item>
<title>Bulletproof Host Stark Industries Evades EU Sanctions</title>
<link>https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/</link>
<comments>https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Thu, 11 Sep 2025 17:40:22 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Russia's War on Ukraine]]></category>
<category><![CDATA[Andrey Nesterenko]]></category>
<category><![CDATA[AS209847]]></category>
<category><![CDATA[domaintools]]></category>
<category><![CDATA[Ivan Neculiti]]></category>
<category><![CDATA[MIRhosting]]></category>
<category><![CDATA[Misfits Media]]></category>
<category><![CDATA[PQ Hosting]]></category>
<category><![CDATA[PQ Hosting Plus S.R.L.]]></category>
<category><![CDATA[Recorded Future]]></category>
<category><![CDATA[Stark Industries Solutions Ltd]]></category>
<category><![CDATA[WorkTitans B.V.]]></category>
<category><![CDATA[WT Hosting]]></category>
<category><![CDATA[Youssef Zinad]]></category>
<category><![CDATA[Yuri Neculiti]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72088</guid>

<description><![CDATA[In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new data shows those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers.]]></description>
<content:encoded><![CDATA[<p>In May 2025, the European Union levied financial sanctions on the owners of <strong>Stark Industries Solutions Ltd.</strong>, a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers.</p>
<div id="attachment_58061" style="width: 751px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-58061" decoding="async" loading="lazy" class="wp-image-58061" src="https://krebsonsecurity.com/wp-content/uploads/2022/01/wbrkb.jpg" alt="" width="741" height="495" /><p id="caption-attachment-58061" class="wp-caption-text">Image: Shutterstock.</p></div>
<p>Materializing just two weeks before Russia invaded Ukraine in 2022, Stark Industries Solutions became a frequent source of massive DDoS attacks, Russian-language proxy and VPN services, malware tied to Russia-backed hacking groups, and fake news. ISPs like Stark are called &#8220;bulletproof&#8221; providers when they cultivate a reputation for ignoring any abuse complaints or police inquiries about activity on their networks.</p>
<p>In May 2025, the European Union <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202500965" target="_blank" rel="noopener">sanctioned</a> one of Stark&#8217;s two main conduits to the larger Internet &#8212; Moldova-based <strong>PQ Hosting</strong> &#8212; as well as the company&#8217;s Moldovan owners <strong>Yuri</strong> and <strong>Ivan Neculiti</strong>. The EU Commission said the Neculiti brothers and PQ Hosting were linked to Russia&#8217;s hybrid warfare efforts.</p>
<p>But <a href="https://www.recordedfuture.com/research/one-step-ahead-stark-industries-solutions-preempts-eu-sanctions" target="_blank" rel="noopener">a new report</a> from <strong>Recorded Future</strong> finds that just prior to the sanctions being announced, Stark rebranded to <strong>the[.]hosting</strong>, under control of the Dutch entity <strong>WorkTitans BV</strong> (AS209847) on June 24, 2025. The Neculiti brothers reportedly got a heads up roughly 12 days before the sanctions were announced, when Moldovan and EU media reported on the forthcoming inclusion of the Neculiti brothers in the sanctions package.</p>
<p>In response, the Neculiti brothers moved much of Stark&#8217;s considerable address space and other resources over to a new company in Moldova called <strong>PQ Hosting Plus S.R.L</strong>., an entity reportedly connected to the Neculiti brothers thanks to <a href="https://correctiv.org/faktencheck/russland-ukraine/2024/05/16/hacks-und-propaganda-zwei-brueder-aus-moldau-tragen-russlands-digitalen-krieg-nach-europa/#:~:text=web%20hosting%20service%2C-,Morenehost,-%2C%20writes%20the%20IT" target="_blank" rel="noopener">the re-use of a phone number</a> from the original PQ Hosting.</p>
<p>&#8220;Although the majority of associated infrastructure remains attributable to Stark Industries, these changes likely reflect an attempt to obfuscate ownership and sustain hosting services under new legal and network entities,&#8221; Recorded Future observed.</p>
<p>Neither the Recorded Future report nor the May 2025 sanctions from the EU mentioned a second critical pillar of Stark&#8217;s network that KrebsOnSecurity identified in <a href="https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/" target="_blank" rel="noopener">a May 2024 profile on the notorious bulletproof hoster</a>: The Netherlands-based hosting provider <strong>MIRhosting</strong>.</p>
<p>MIRhosting is operated by 38-year-old <strong>Andrey Nesterenko</strong>, whose <a href="https://web.archive.org/web/20141221134456/http://www.nesterenko.name/en/index.html" target="_blank" rel="noopener">personal website</a> says he is an accomplished concert pianist who began performing publicly at a young age. <strong>DomainTools</strong> says mirhosting[.]com is registered to Mr. Nesterenko and to <strong>Innovation IT Solutions Corp</strong>, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.</p>
<div id="attachment_67519" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-67519" decoding="async" loading="lazy" class=" wp-image-67519" src="https://krebsonsecurity.com/wp-content/uploads/2024/05/neculiti-netzwerk-768x1340-1.png" alt="" width="748" height="1305" /><p id="caption-attachment-67519" class="wp-caption-text">Image credit: correctiv.org.</p></div>
<p>According to the book <em>Inside Cyber Warfare</em> by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting <strong>StopGeorgia[.]ru</strong>, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.</p>
<p>Mr. Nesterenko did not respond to requests for comment. In May 2024, Mr. Nesterenko <a href="https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/" target="_blank" rel="noopener">said</a> he couldn&#8217;t verify whether StopGeorgia was ever a customer because they didn&#8217;t keep records going back that far. But he maintained that Stark Industries Solutions was merely one client of many, and claimed MIRhosting had not received any actionable complaints about abuse on Stark.</p>
<p>However, it appears that MIRhosting is once again the new home of Stark Industries, and that MIRhosting employees are managing both the[.]hosting and WorkTitans &#8212; the primary beneficiaries of Stark&#8217;s assets.</p>
<p>A copy of the incorporation documents for WorkTitans BV obtained from the Dutch Chamber of Commerce shows WorkTitans also does business under the names <strong>Misfits Media</strong> and <strong>WT Hosting</strong> (considering Stark&#8217;s historical connection to Russian disinformation websites, &#8220;Misfits Media&#8221; is a bit on the nose).<span id="more-72088"></span></p>
<div id="attachment_72163" style="width: 663px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72163" decoding="async" loading="lazy" class=" wp-image-72163" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/kvk-worktitans.png" alt="" width="653" height="896" /><p id="caption-attachment-72163" class="wp-caption-text">An incorporation document for WorkTitans B.V. from the Netherlands Chamber of Commerce.</p></div>
<p>The incorporation document says the company was formed in 2019 by a <strong>y.zinad@worktitans.nl</strong>. That email address corresponds to <a href="https://www.linkedin.com/in/youssef-zinad-mba-a1690a10/" target="_blank" rel="noopener">a LinkedIn account</a> for a <strong>Youssef Zinad</strong>, who says their personal websites are worktitans[.]nl and custom-solution[.]nl. The profile also links to a website (etripleasims dot nl) that LinkedIn currently blocks as malicious. All of these websites are or were hosted at MIRhosting.</p>
<p>Although Mr. Zinad&#8217;s LinkedIn profile does not mention any employment at MIRhosting, virtually all of his LinkedIn posts over the past year have been reposts of advertisements for MIRhosting&#8217;s services.</p>
<div id="attachment_72178" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72178" decoding="async" loading="lazy" class=" wp-image-72178" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/zinad-mirhosting.png" alt="" width="750" height="646" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/zinad-mirhosting.png 998w, https://krebsonsecurity.com/wp-content/uploads/2025/09/zinad-mirhosting-768x661.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/zinad-mirhosting-782x673.png 782w" sizes="(max-width: 750px) 100vw, 750px" /><p id="caption-attachment-72178" class="wp-caption-text">Mr. Zinad&#8217;s LinkedIn profile is full of posts for MIRhosting&#8217;s services.</p></div>
<p>A Google search for Youssef Zinad reveals multiple startup-tracking websites that list him as the founder of the[.]hosting, which <strong>censys.io</strong> finds is hosted by <strong>PQ Hosting Plus S.R.L</strong>.</p>
<p>The Dutch Chamber of Commerce document says WorkTitans&#8217; sole shareholder is a company in Almere, Netherlands called <strong>Fezzy B.V.</strong> Who runs Fezzy? The phone number listed in a Google search for Fezzy B.V. &#8212; <strong>31651079755</strong> &#8212; also was used to register a <strong>Facebook</strong> profile for a Youssef Zinad from the same town, according to the breach tracking service <strong>Constella Intelligence</strong>.</p>
<p>In a series of email exchanges leading up to KrebsOnSecurity&#8217;s <a href="https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/" target="_blank" rel="noopener">May 2024 deep dive on Stark</a>, Mr. Nesterenko included Mr. Zinad in the message thread (youssef@mirhosting.com), referring to him as part of the company&#8217;s legal team. The Dutch website stagemarkt[.]nl lists Youssef Zinad as an official contact for MIRhosting&#8217;s offices in Almere. Mr. Zinad did not respond to requests for comment.</p>
<p><img decoding="async" loading="lazy" class="aligncenter size-full wp-image-72162" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef.png" alt="" width="1173" height="810" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef.png 1173w, https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef-768x530.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef-782x540.png 782w, https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef-100x70.png 100w" sizes="(max-width: 1173px) 100vw, 1173px" /></p>
<p>Given the above, it is difficult to argue with the Recorded Future report on Stark&#8217;s rebranding, which concluded that &#8220;the EU’s sanctioning of Stark Industries was largely ineffective, as affiliated infrastructure remained operational and services were rapidly re-established under new branding, with no significant or lasting disruption.&#8221;</p>
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/feed/</wfw:commentRss>
<slash:comments>19</slash:comments>
</item>
<item>
<title>Microsoft Patch Tuesday, September 2025 Edition</title>
<link>https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/</link>
<comments>https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 09 Sep 2025 21:21:14 +0000</pubDate>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[apple]]></category>
<category><![CDATA[CVE-2025-38352]]></category>
<category><![CDATA[CVE-2025-48543]]></category>
<category><![CDATA[CVE-2025-54916]]></category>
<category><![CDATA[CVE-2025-54918]]></category>
<category><![CDATA[CVE-2025-55177]]></category>
<category><![CDATA[CVE-2025-55234]]></category>
<category><![CDATA[google]]></category>
<category><![CDATA[Immersive]]></category>
<category><![CDATA[Kev Breen]]></category>
<category><![CDATA[microsoft]]></category>
<category><![CDATA[NT LAN Manager]]></category>
<category><![CDATA[sans internet storm center]]></category>
<category><![CDATA[Satnam Narang]]></category>
<category><![CDATA[Tenable]]></category>
<category><![CDATA[WhatsApp]]></category>
<category><![CDATA[windows]]></category>
<category><![CDATA[Windows NTLM]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72086</guid>

<description><![CDATA[Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known "zero-day" or actively exploited vulnerabilities in this month's bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft's most-dire "critical" label. Meanwhile, both Apple and Google recently released updates to fix zero-day bugs in their devices.]]></description>
<content:encoded><![CDATA[<p><strong>Microsoft Corp.</strong> today issued security updates to fix more than 80 vulnerabilities in its <strong>Windows</strong> operating systems and software. There are no known &#8220;zero-day&#8221; or actively exploited vulnerabilities in this month&#8217;s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft&#8217;s most-dire &#8220;critical&#8221; label. Meanwhile, both <strong>Apple</strong> and <strong>Google</strong> recently released updates to fix zero-day bugs in their devices.</p>
<p><img decoding="async" loading="lazy" class="aligncenter  wp-image-60331" src="https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png" alt="" width="750" height="496" srcset="https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png 923w, https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate-768x508.png 768w, https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate-782x518.png 782w" sizes="(max-width: 750px) 100vw, 750px" /></p>
<p>Microsoft assigns security flaws a &#8220;critical&#8221; rating when malware or miscreants can exploit them to gain remote access to a Windows system with little or no help from users. Among the more concerning critical bugs quashed this month is <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-54918" target="_blank" rel="noopener">CVE-2025-54918</a>. The problem here resides with <strong>Windows NTLM</strong>, or NT LAN Manager, a suite of code for managing authentication in a Windows network environment.</p>
<p>Redmond rates this flaw as &#8220;Exploitation More Likely,&#8221; and although it is listed as a privilege escalation vulnerability, <strong>Kev Breen</strong> at <strong>Immersive</strong> says this one is actually exploitable over the network or the Internet.</p>
<p>&#8220;From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,&#8221; Breen said. &#8220;The patch notes for this vulnerability state that &#8216;Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,&#8217; suggesting an attacker may already need to have access to the NTLM hash or the user&#8217;s credentials.&#8221;</p>
<p>Breen said another patch &#8212; <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-55234" target="_blank" rel="noopener">CVE-2025-55234</a>, an 8.8 CVSS-scored flaw affecting the <strong>Windows SMB</strong> client for sharing files across a network &#8212; also is listed as a privilege escalation bug but is likewise remotely exploitable. This vulnerability was publicly disclosed prior to this month.</p>
<p>&#8220;Microsoft says that an attacker with network access would be able to perform a replay attack against a target host, which could result in the attacker gaining additional privileges, which could lead to code execution,&#8221; Breen noted.<span id="more-72086"></span></p>
<p><a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-54916" target="_blank" rel="noopener">CVE-2025-54916</a> is an &#8220;important&#8221; vulnerability in <strong>Windows NTFS</strong> &#8212; the default filesystem for all modern versions of Windows &#8212; that can lead to remote code execution. Microsoft likewise thinks we are more than likely to see exploitation of this bug soon: The last time Microsoft patched an NTFS bug was in March 2025 and it was already being exploited in the wild as a zero-day.</p>
<p>&#8220;While the title of the CVE says &#8216;Remote Code Execution,&#8217; this exploit is not remotely exploitable over the network, but instead needs an attacker to either have the ability to run code on the host or to convince a user to run a file that would trigger the exploit,&#8221; Breen said. &#8220;This is commonly seen in social engineering attacks, where they send the user a file to open as an attachment or a link to a file to download and run.&#8221;</p>
<p>Critical and remote code execution bugs tend to steal all the limelight, but <strong>Tenable</strong> Senior Staff Research Engineer <strong>Satnam Narang</strong> notes that nearly half of all vulnerabilities fixed by Microsoft this month are privilege escalation flaws that require an attacker to have gained access to a target system first before attempting to elevate privileges.</p>
<p>&#8220;For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,&#8221; Narang observed.</p>
<p>On Sept. 3, Google <a href="https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-android-flaws-in-september-update/" target="_blank" rel="noopener">fixed two flaws</a> that were detected as exploited in zero-day attacks, including CVE-2025-38352, an elevation of privilege in the Android kernel, and CVE-2025-48543, also an elevation of privilege problem in the Android Runtime component.</p>
<p>Also, Apple recently patched its seventh zero-day (CVE-2025-43300) of this year. It was part of <a href="https://techcrunch.com/2025/08/29/whatsapp-fixes-zero-click-bug-used-to-hack-apple-users-with-spyware/" target="_blank" rel="noopener">an exploit chain</a> used along with a vulnerability in the <strong>WhatsApp</strong> (CVE-2025-55177) instant messenger to hack Apple devices. Amnesty International <a href="https://x.com/DonnchaC/status/1961444710620303653" target="_blank" rel="noopener">reports</a> that the two zero-days have been used in &#8220;an advanced spyware campaign&#8221; over the past 90 days. The issue is fixed in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.</p>
<p>The <strong>SANS Internet Storm Center</strong> has a <a href="https://isc.sans.edu/forums/diary/Microsoft%20Patch%20Tuesday%20September%202025/32270/" target="_blank" rel="noopener">clickable breakdown</a> of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on <a href="https://www.askwoody.com/2025/september-2025-updates-are-out/" target="_blank" rel="noopener">askwoody.com</a>, which often has the skinny on wonky updates.</p>
<p>AskWoody also reminds us that we&#8217;re now just two months out from Microsoft discontinuing free security updates for Windows 10 computers. For those interested in safely extending the lifespan and usefulness of these older machines, check out <a href="https://krebsonsecurity.com/2025/08/microsoft-patch-tuesday-august-2025-edition/" target="_blank" rel="noopener">last month&#8217;s Patch Tuesday coverage</a> for a few pointers.</p>
<p>As ever, please don&#8217;t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.</p>
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/feed/</wfw:commentRss>
<slash:comments>5</slash:comments>
</item>
<item>
<title>18 Popular Code Packages Hacked, Rigged to Steal Crypto</title>
<link>https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/</link>
<comments>https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Mon, 08 Sep 2025 22:53:41 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Data Breaches]]></category>
  181. <category><![CDATA[Latest Warnings]]></category>
  182. <category><![CDATA[The Coming Storm]]></category>
  183. <category><![CDATA[Aikido]]></category>
  184. <category><![CDATA[Charlie Eriksen]]></category>
  185. <category><![CDATA[javascript]]></category>
  186. <category><![CDATA[Josh Junon]]></category>
  187. <category><![CDATA[Kevin Beaumont]]></category>
  188. <category><![CDATA[Nicholas Weaver]]></category>
  189. <category><![CDATA[NPM]]></category>
  190. <category><![CDATA[Philippe Caturegli]]></category>
  191. <category><![CDATA[Seralys]]></category>
  192. <guid isPermaLink="false">https://krebsonsecurity.com/?p=72122</guid>
  193.  
  194. <description><![CDATA[At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly more nefarious payload could quickly lead to a disruptive malware outbreak that is far more difficult to detect and restrain.]]></description>
  195. <content:encoded><![CDATA[<p>At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly more nefarious payload could lead to a disruptive malware outbreak that is far more difficult to detect and restrain.</p>
  196. <div id="attachment_72130" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72130" decoding="async" loading="lazy" class=" wp-image-72130" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/npmjshelp.png" alt="" width="750" height="567" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/npmjshelp.png 908w, https://krebsonsecurity.com/wp-content/uploads/2025/09/npmjshelp-768x580.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/npmjshelp-782x591.png 782w" sizes="(max-width: 750px) 100vw, 750px" /><p id="caption-attachment-72130" class="wp-caption-text">This phishing email lured a developer into logging in at a fake NPM website and supplying a one-time token for two-factor authentication. The phishers then used that developer&#8217;s NPM account to add malicious code to at least 18 popular JavaScript code packages.</p></div>
  197. <p><strong>Aikido</strong> is a security firm in Belgium that monitors new code updates to major open-source code repositories, scanning each update for suspicious and malicious code. In a blog post published today, Aikido said its systems found malicious code had been added to at least 18 widely-used code libraries available on <a href="https://www.npmjs.com/" target="_blank" rel="noopener"><strong>NPM</strong></a> (short for &#8220;Node Package Manager&#8221;), which acts as a central hub for JavaScript development and the latest updates to widely-used JavaScript components.</p>
  198. <p>JavaScript is a powerful web-based scripting language used by countless websites to build a more interactive experience with users, such as entering data into a form. But there&#8217;s no need for each website developer to build a program from scratch for entering data into a form when they can just reuse already existing packages of code at NPM that are specifically designed for that purpose.</p>
  199. <p>Unfortunately, if cybercriminals manage to phish NPM credentials from developers, they can introduce malicious code that allows attackers to fundamentally control what people see in their web browser when they visit a website that uses one of the affected code libraries.</p>
  200. <p>According to Aikido, the attackers injected a piece of code that silently intercepts cryptocurrency activity in the browser, &#8220;manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.&#8221;</p>
  201. <p>&#8220;This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs,&#8221; Aikido researcher <strong>Charlie Eriksen</strong> <a href="https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" target="_blank" rel="noopener">wrote</a>. &#8220;What makes it dangerous is that it operates at multiple layers: Altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing. Even if the interface looks correct, the underlying transaction can be redirected in the background.&#8221;</p>
  202. <p>Aikido said it used the social network Bluesky to notify the affected developer, <strong>Josh Junon</strong>, who quickly replied that he was aware of having just been phished. The phishing email that Junon fell for was part of a larger campaign that spoofed NPM and told recipients they were required to update their two-factor authentication (2FA) credentials. The phishing site mimicked NPM&#8217;s login page, and intercepted Junon&#8217;s credentials and 2FA token. Once logged in, the phishers then changed the email address on file for Junon&#8217;s NPM account, temporarily locking him out.</p>
  203. <div id="attachment_72126" style="width: 776px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72126" decoding="async" loading="lazy" class="size-full wp-image-72126" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/junon-bsky.png" alt="" width="766" height="418" /><p id="caption-attachment-72126" class="wp-caption-text">Aikido notified the maintainer on Bluesky, who replied at 15:15 UTC that he was aware of being compromised, and starting to clean up the compromised packages.</p></div>
  204. <p>Junon also issued a mea culpa <a href="https://news.ycombinator.com/item?id=45169794" target="_blank" rel="noopener">on HackerNews</a>, telling the community&#8217;s coder-heavy readership, &#8220;Hi, yep I got pwned.&#8221;</p>
  205. <p>&#8220;It looks and feels a bit like a targeted attack,&#8221; Junon wrote. &#8220;Sorry everyone, very embarrassing.&#8221;<span id="more-72122"></span></p>
  206. <p><strong>Philippe Caturegli</strong>, &#8220;chief hacking officer&#8221; at the security consultancy <a href="https://seralys.com" target="_blank" rel="noopener">Seralys</a>, observed that the attackers appear to have registered their spoofed website &#8212; npmjs[.]help &#8212; just two days before sending the phishing email. The spoofed website used services from dnsexit[.]com, a &#8220;dynamic DNS&#8221; company that also offers &#8220;100% free&#8221; domain names that can instantly be pointed at any IP address controlled by the user.</p>
  207. <div id="attachment_72128" style="width: 700px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72128" decoding="async" loading="lazy" class="size-full wp-image-72128" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/junon-hn.png" alt="" width="690" height="881" /><p id="caption-attachment-72128" class="wp-caption-text">Junon&#8217;s mea culpa on HackerNews today listed the affected packages.</p></div>
  208. <p>Caturegli said it&#8217;s remarkable that the attackers in this case were not more ambitious or malicious with their code modifications.</p>
  209. <p>&#8220;The crazy part is they compromised billions of websites and apps just to target a couple of cryptocurrency things,&#8221; he said. &#8220;This was a supply chain attack, and it could easily have been something much worse than crypto harvesting.&#8221;</p>
  210. <p>Aikido&#8217;s Eriksen agreed, saying countless websites dodged a bullet because this incident was handled in a matter of hours. As an example of how these supply-chain attacks can escalate quickly, Eriksen pointed to <a href="https://www.aikido.dev/blog/popular-nx-packages-compromised-on-npm" target="_blank" rel="noopener">another compromise of an NPM developer in late August</a> that added malware to &#8220;<strong>nx</strong>,&#8221; an open-source code development toolkit with as many as six million weekly downloads.</p>
  211. <p>In the nx compromise, the attackers introduced code that scoured the user&#8217;s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious code created a new public repository in the victim&#8217;s GitHub account, and published the stolen data there for all the world to see and download.</p>
  212. <p>Eriksen said coding platforms like GitHub and NPM should be doing more to ensure that any new code commits for broadly-used packages require a higher level of attestation that confirms the code in question was in fact submitted by the person who owns the account, and not just by that person&#8217;s account.</p>
  213. <p>&#8220;More popular packages should require attestation that it came through trusted provenance and not just randomly from some location on the Internet,&#8221; Eriksen said. &#8220;Where does the package get uploaded from, by GitHub in response to a new pull request into the main branch, or somewhere else? In this case, they didn&#8217;t compromise the target&#8217;s GitHub account. They didn&#8217;t touch that. They just uploaded a modified version that didn&#8217;t come where it&#8217;s expected to come from.&#8221;</p>
  214. <p>Eriksen said code repository compromises can be devastating for developers, many of whom end up abandoning their projects entirely after such an incident.</p>
  215. <p>&#8220;It&#8217;s unfortunate because one thing we&#8217;ve seen is people have their projects get compromised and they say, &#8216;You know what, I don&#8217;t have the energy for this and I&#8217;m just going to deprecate the whole package,'&#8221; Eriksen said.</p>
  216. <p><strong>Kevin Beaumont</strong>, a frequently quoted security expert who writes about security incidents at the blog doublepulsar.com, has been following this story closely today in frequent updates to <a href="https://infosec.exchange/@GossiTheDog@cyberplace.social" target="_blank" rel="noopener">his account on Mastodon</a>. Beaumont said the incident is a reminder that much of the planet still depends on code that is ultimately maintained by an exceedingly small number of people who are mostly overburdened and under-resourced.</p>
  217. <p>&#8220;For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness,&#8221; Beaumont wrote on Mastodon. &#8220;For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams &#8216;make online shop&#8217; into a computer and 389 libraries are added and an app is farted out. The output = if you want to own the world&#8217;s companies, just phish one guy in Skegness.&#8221;</p>
  218. <div id="attachment_72131" style="width: 708px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72131" decoding="async" loading="lazy" class="size-full wp-image-72131" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/gossi-skegness.png" alt="" width="698" height="461" /><p id="caption-attachment-72131" class="wp-caption-text">Image: https://infosec.exchange/@GossiTheDog@cyberplace.social.</p></div>
  219. <p>Aikido recently launched a product that aims to help development teams ensure that every code library used is checked for malware before it can be used or installed. <strong>Nicholas Weaver</strong>, a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif., said Aikido&#8217;s new offering exists because many organizations are still one successful phishing attack away from a supply-chain nightmare.</p>
  220. <p>Weaver said these types of supply-chain compromises will continue as long as people responsible for maintaining widely-used code continue to rely on phishable forms of 2FA.</p>
  221. <p>&#8220;NPM should only support phish-proof authentication,&#8221; Weaver said, referring to <a href="https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/" target="_blank" rel="noopener">physical security keys</a> that are phish-proof &#8212; meaning that even if phishers manage to steal your username and password, they still can&#8217;t log in to your account without also possessing that physical key.</p>
  222. <p>&#8220;All critical infrastructure needs to use phish-proof 2FA, and given the dependencies in modern software, archives such as NPM are absolutely critical infrastructure,&#8221; Weaver said. &#8220;That NPM does not require that all contributor accounts use security keys or similar 2FA methods should be considered negligence.&#8221;</p>
  223. ]]></content:encoded>
  224. <wfw:commentRss>https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/feed/</wfw:commentRss>
  225. <slash:comments>10</slash:comments>
  226. </item>
  227. <item>
  228. <title>GOP Cries Censorship Over Spam Filters That Work</title>
  229. <link>https://krebsonsecurity.com/2025/09/gop-cries-censorship-over-spam-filters-that-work/</link>
  230. <comments>https://krebsonsecurity.com/2025/09/gop-cries-censorship-over-spam-filters-that-work/#comments</comments>
  231. <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
  232. <pubDate>Sat, 06 Sep 2025 03:23:35 +0000</pubDate>
  233. <category><![CDATA[A Little Sunshine]]></category>
  234. <category><![CDATA[404 Media]]></category>
  235. <category><![CDATA[ActBlue]]></category>
  236. <category><![CDATA[Alphabet]]></category>
  237. <category><![CDATA[Andrew Ferguson]]></category>
  238. <category><![CDATA[Atro Tossavainen]]></category>
  239. <category><![CDATA[Federal Trade Commission]]></category>
  240. <category><![CDATA[Koli-Lõks OÜ]]></category>
  241. <category><![CDATA[Mike Masnick]]></category>
  242. <category><![CDATA[National Republican Congressional Committee]]></category>
  243. <category><![CDATA[National Republican Senatorial Committee]]></category>
  244. <category><![CDATA[Pekka Jalonen]]></category>
  245. <category><![CDATA[Raymond Dijkxhoorn]]></category>
  246. <category><![CDATA[Republican National Committee]]></category>
  247. <category><![CDATA[Sundar Pichai]]></category>
  248. <category><![CDATA[SURBL]]></category>
  249. <category><![CDATA[Techdirt]]></category>
  250. <category><![CDATA[The New York Post]]></category>
  251. <category><![CDATA[WinRed]]></category>
  252. <guid isPermaLink="false">https://krebsonsecurity.com/?p=72091</guid>
  253.  
  254. <description><![CDATA[The chairman of the Federal Trade Commission (FTC) last week sent a letter to Google's CEO demanding to know why Gmail was blocking messages from Republican senders while allegedly failing to block similar missives supporting Democrats. The letter followed media reports accusing Gmail of disproportionately flagging messages from the GOP fundraising platform WinRed and sending them to the spam folder. But according to experts who track daily spam volumes worldwide, WinRed's messages are getting blocked more because its email-blasting methods have become far spammier than those of ActBlue, the fundraising platform for Democrats.]]></description>
  255. <content:encoded><![CDATA[<p>The chairman of the <strong>Federal Trade Commission</strong> (FTC) last week sent a letter to Google&#8217;s CEO demanding to know why Gmail was blocking messages from Republican senders while allegedly failing to block similar missives supporting Democrats. The letter followed media reports accusing Gmail of disproportionately flagging messages from the GOP fundraising platform <strong>WinRed</strong> and sending them to the spam folder. But according to experts who track daily spam volumes worldwide, WinRed&#8217;s messages are getting blocked more because its email-blasting methods have become far spammier than those of <strong>ActBlue</strong>, the fundraising platform for Democrats.</p>
  256. <div id="attachment_72095" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72095" decoding="async" loading="lazy" class=" wp-image-72095" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/nyp-google-spam.png" alt="" width="749" height="255" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/nyp-google-spam.png 865w, https://krebsonsecurity.com/wp-content/uploads/2025/09/nyp-google-spam-768x262.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/nyp-google-spam-782x267.png 782w" sizes="(max-width: 749px) 100vw, 749px" /><p id="caption-attachment-72095" class="wp-caption-text">Image: nypost.com</p></div>
  257. <p>On Aug. 13, <strong>The New York Post</strong> ran an &#8220;exclusive&#8221; <a href="https://nypost.com/2025/08/13/business/google-caught-flagging-gop-fundraiser-emails-as-suspicious-sending-them-directly-to-spam-memo/" target="_blank" rel="noopener">story</a> titled, &#8220;Google caught flagging GOP fundraiser emails as &#8216;suspicious&#8217; &#8212; sending them directly to spam.&#8221; The story cited a memo from Targeted Victory – whose clients include the National Republican Senatorial Committee (NRSC), Rep. Steve Scalise and Sen. Marsha Blackburn – which said it observed that the &#8220;serious and troubling&#8221; trend was still going on as recently as June and July of this year.</p>
  258. <p>“If Gmail is allowed to quietly suppress WinRed links while giving ActBlue a free pass, it will continue to tilt the playing field in ways that voters never see, but campaigns will feel every single day,” the memo reportedly said.</p>
  259. <p>In an August 28 letter to Google CEO <strong>Sundar Pichai</strong>, FTC Chairman <strong>Andrew Ferguson</strong> cited the New York Post story and warned that Gmail&#8217;s parent <strong>Alphabet</strong> may be engaging in unfair or deceptive practices.</p>
  260. <p>&#8220;Alphabet’s alleged partisan treatment of comparable messages or messengers in Gmail to achieve political objectives may violate both of these prohibitions under the FTC Act,&#8221; Ferguson wrote. &#8220;And the partisan treatment may cause harm to consumers.&#8221;</p>
  261. <p>However, the situation looks very different when you ask spam experts what&#8217;s going on with WinRed&#8217;s recent messaging campaigns. <strong>Atro Tossavainen</strong> and <strong>Pekka Jalonen</strong> are co-founders at <a href="https://www.koliloks.eu/" target="_blank" rel="noopener">Koli-Lõks OÜ</a>, an email intelligence company in Estonia. Koli-Lõks taps into real-time intelligence about daily spam volumes by monitoring large numbers of &#8220;spamtraps&#8221; &#8212; email addresses that are intentionally set up to catch unsolicited emails.</p>
  262. <p>Spamtraps are generally not used for communication or account creation, but instead are created to identify senders exhibiting spammy behavior, such as scraping the Internet for email addresses or buying unmanaged distribution lists. As an email sender, blasting these spamtraps over and over with unsolicited email is the fastest way to ruin your domain&#8217;s reputation online. Such activity also virtually ensures that more of your messages are going to start getting listed on spam blocklists that are broadly shared within the global anti-abuse community.</p>
  263. <p>Tossavainen told KrebsOnSecurity that WinRed&#8217;s emails hit its spamtraps in the .com, .net, and .org space far more frequently than do fundraising emails sent by ActBlue. Koli-Lõks published a graph of the stark disparity in spamtrap activity for WinRed versus ActBlue, showing a nearly fourfold increase in spamtrap hits from WinRed emails in the final week of July 2025.</p>
  264. <div id="attachment_72094" style="width: 759px" class="wp-caption aligncenter"><a href="https://krebsonsecurity.com/wp-content/uploads/2025/09/koli-loks-red-v-blue.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-72094" decoding="async" loading="lazy" class="wp-image-72094" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/koli-loks-red-v-blue.png" alt="" width="749" height="399" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/koli-loks-red-v-blue.png 974w, https://krebsonsecurity.com/wp-content/uploads/2025/09/koli-loks-red-v-blue-768x409.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/koli-loks-red-v-blue-782x417.png 782w" sizes="(max-width: 749px) 100vw, 749px" /></a><p id="caption-attachment-72094" class="wp-caption-text">Image: Koliloks.eu</p></div>
  265. <p>&#8220;Many of our spamtraps are in repurposed legacy-TLD domains (.com, .org, .net) and therefore could be understood to have been involved with a U.S. entity in their pre-zombie life,&#8221; Tossavainen explained in a LinkedIn post accompanying the graph.<span id="more-72091"></span></p>
  266. <p><strong>Raymond Dijkxhoorn</strong> is the CEO and a founding member of <a href="https://www.surbl.org/" target="_blank" rel="noopener">SURBL</a>, a widely-used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing and malware distribution. Dijkxhoorn said their spamtrap data mirrors that of Koli-Lõks, and shows that WinRed has consistently been far more aggressive in sending email than ActBlue.</p>
  267. <p>Dijkxhoorn said the fact that WinRed&#8217;s emails so often end up dinging the organization&#8217;s sender reputation is not a content issue but rather a technical one.</p>
  268. <p>&#8220;On our end we don’t really care if the content is political or trying to sell viagra or penis enlargements,&#8221; Dijkxhoorn said. &#8220;It’s the mechanics, they should not end up in spamtraps. And that’s the reason the domain reputation is tempered. Not ‘because domain reputation firms have a political agenda.&#8217; We really don&#8217;t care about the political situation anywhere. The same as we don&#8217;t mind people buying penis enlargements. But when either of those land in spamtraps it will impact sending experience.&#8221;</p>
  269. <p>The FTC letter to Google&#8217;s CEO also referenced a <a href="https://www.techdirt.com/2022/04/11/despite-what-fox-news-tells-you-a-new-study-did-not-prove-that-gmail-is-biased-against-conservatives/" target="_blank" rel="noopener">debunked</a> <a href="https://arxiv.org/pdf/2203.16743.pdf" target="_blank" rel="noopener">2022 study</a> (PDF) by political consultants who found Google caught more Republican emails in spam filters. <strong>Techdirt</strong> editor <strong>Mike Masnick</strong> notes that while the 2022 study also found that other email providers caught more Democratic emails as spam, &#8220;Republicans laser-focused on Gmail because it fit their victimization narrative better.&#8221;</p>
  270. <p>Masnick said GOP lawmakers then filed both lawsuits and complaints with the <strong>Federal Election Commission</strong> (both of which failed easily), claiming this was somehow an “in-kind contribution” to Democrats.</p>
  271. <p>&#8220;This is political posturing designed to keep the White House happy by appearing to &#8216;do something&#8217; about conservative claims of &#8216;censorship,'&#8221; Masnick <a href="https://www.techdirt.com/2025/09/04/ftc-chair-fergusons-ridiculous-crusade-threatening-google-over-spam-filters-that-actually-work/" target="_blank" rel="noopener">wrote</a> of the FTC letter. &#8220;The FTC has never policed &#8216;political bias&#8217; in private companies’ editorial decisions, and for good reason—the First Amendment prohibits exactly this kind of government interference.&#8221;</p>
  272. <p>WinRed did not respond to a request for comment.</p>
  273. <p>The WinRed website says it is an online fundraising platform supported by a united front of the Trump campaign, the <strong>Republican National Committee</strong> (RNC), the NRSC, and the <strong>National Republican Congressional Committee</strong> (NRCC).</p>
  274. <p>WinRed has recently come under fire for aggressive fundraising via text message as well. In June, <strong>404 Media</strong> reported on <a href="https://www.404media.co/winred-texts-class-action-lawsuit-rnc-donations/" target="_blank" rel="noopener">a lawsuit</a> filed by a family in Utah against the RNC for allegedly bombarding their mobile phones with text messages seeking donations after they&#8217;d tried to unsubscribe from the missives dozens of times.</p>
  275. <p>One of the family members said they received 27 such messages from 25 numbers, even after sending 20 stop requests. The plaintiffs in that case allege the texts from WinRed and the RNC &#8220;knowingly disregard stop requests and purposefully use different phone numbers to make it impossible to block new messages.&#8221;</p>
  276. <p>Dijkxhoorn said WinRed did inquire recently about why some of its assets had been marked as a risk by SURBL, but he said they appeared to have zero interest in investigating the likely causes he offered in reply.</p>
  277. <p>&#8220;They only replied with, &#8216;You are interfering with U.S. elections,'&#8221; Dijkxhoorn said, noting that many of SURBL&#8217;s spamtrap domains are only publicly listed in the registration records for random domain names.</p>
  278. <p>&#8220;They’re at best harvested by themselves but more likely [they] just went and bought lists,&#8221; he said. &#8220;It&#8217;s not like ‘Oh Google is filtering this and not the other,’ the reason isn&#8217;t the provider. The reason is the fundraising spammers and the lists they send to.&#8221;</p>
  279. ]]></content:encoded>
  280. <wfw:commentRss>https://krebsonsecurity.com/2025/09/gop-cries-censorship-over-spam-filters-that-work/feed/</wfw:commentRss>
  281. <slash:comments>68</slash:comments>
  282. </item>
  283. <item>
  284. <title>The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft</title>
  285. <link>https://krebsonsecurity.com/2025/09/the-ongoing-fallout-from-a-breach-at-ai-chatbot-maker-salesloft/</link>
  286. <comments>https://krebsonsecurity.com/2025/09/the-ongoing-fallout-from-a-breach-at-ai-chatbot-maker-salesloft/#comments</comments>
  287. <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
  288. <pubDate>Mon, 01 Sep 2025 21:55:04 +0000</pubDate>
  289. <category><![CDATA[A Little Sunshine]]></category>
  290. <category><![CDATA[Data Breaches]]></category>
  291. <category><![CDATA[Latest Warnings]]></category>
  292. <category><![CDATA[The Coming Storm]]></category>
  293. <category><![CDATA[Alan Liska]]></category>
  294. <category><![CDATA[Austin Larsen]]></category>
  295. <category><![CDATA[Charles Carmakal]]></category>
  296. <category><![CDATA[Counter Hack]]></category>
  297. <category><![CDATA[google]]></category>
  298. <category><![CDATA[Google Threat Intelligence Group]]></category>
  299. <category><![CDATA[Joshua Wright]]></category>
  300. <category><![CDATA[Mandiant]]></category>
  301. <category><![CDATA[Salesforce]]></category>
  302. <category><![CDATA[Salesloft Drift]]></category>
  303. <category><![CDATA[Scattered Spider]]></category>
  304. <category><![CDATA[ShinyHunters]]></category>
  305. <category><![CDATA[UNC6040]]></category>
  306. <category><![CDATA[UNC6395]]></category>
  307. <guid isPermaLink="false">https://krebsonsecurity.com/?p=72062</guid>
  308.  
  309. <description><![CDATA[The recent mass-theft of authentication tokens from Salesloft, whose AI chatbot is used by a broad swath of corporate America to convert customer interaction into Salesforce leads, has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now Google warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.]]></description>
  310. <content:encoded><![CDATA[<p>The recent mass-theft of authentication tokens from <strong>Salesloft</strong>, whose AI chatbot is used by a broad swath of corporate America to convert customer interaction into <strong>Salesforce</strong> leads, has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now <strong>Google</strong> warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.</p>
  311. <div id="attachment_72076" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72076" decoding="async" loading="lazy" class=" wp-image-72076" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/salesloft-customers.png" alt="" width="748" height="389" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/salesloft-customers.png 1653w, https://krebsonsecurity.com/wp-content/uploads/2025/09/salesloft-customers-768x399.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/salesloft-customers-1536x798.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2025/09/salesloft-customers-782x406.png 782w, https://krebsonsecurity.com/wp-content/uploads/2025/09/salesloft-customers-267x140.png 267w" sizes="(max-width: 748px) 100vw, 748px" /><p id="caption-attachment-72076" class="wp-caption-text">Salesloft says its products are trusted by 5,000+ customers. Some of the bigger names are visible on the company&#8217;s homepage.</p></div>
  312. <p>Salesloft <a href="https://trust.salesloft.com/?uid=Drift%2FSalesforce+Security+Notification" target="_blank" rel="noopener">disclosed on August 20</a> that, &#8220;Today, we detected a security issue in the <strong>Drift</strong> application,&#8221; referring to the technology that powers an AI chatbot used by so many corporate websites. The alert urged customers to re-authenticate the connection between the Drift and Salesforce apps to invalidate their existing authentication tokens, but it said nothing then to indicate those tokens had already been stolen.</p>
  313. <p>On August 26, the <strong>Google Threat Intelligence Group</strong> (GTIG) <a href="https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift" target="_blank" rel="noopener">warned</a> that unidentified hackers tracked as <strong>UNC6395</strong> used the access tokens stolen from Salesloft to siphon large amounts of data from numerous corporate Salesforce instances. Google said the data theft began as early as Aug. 8, 2025 and lasted through at least Aug. 18, 2025, and that the incident did not involve any vulnerability in the Salesforce platform.</p>
  314. <p>Google said the attackers have been sifting through the massive data haul for credential materials such as AWS keys, VPN credentials, and credentials to the cloud storage provider Snowflake.</p>
  315. <p>&#8220;If successful, the right credentials could allow them to further compromise victim and client environments, as well as pivot to the victim&#8217;s clients or partner environments,&#8221; the GTIG report stated.</p>
  316. <p>The GTIG updated its advisory on August 28 to acknowledge the attackers used the stolen tokens to access email from &#8220;a very small number of Google Workspace accounts&#8221; that were specially configured to integrate with Salesloft. More importantly, it warned organizations to immediately invalidate all tokens stored in or connected to their Salesloft integrations &#8212; regardless of the third-party service in question.</p>
  317. <p>&#8220;Given GTIG&#8217;s observations of data exfiltration associated with the campaign, organizations using Salesloft Drift to integrate with third-party platforms (including but not limited to Salesforce) should consider their data compromised and are urged to take immediate remediation steps,&#8221; Google advised.</p>
  318. <p>On August 28, Salesforce blocked Drift from integrating with its platform, and with its productivity platforms Slack and Pardot.</p>
  319. <p>The Salesloft incident comes on the heels of a broad social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization&#8217;s Salesforce portal. That campaign led to data breaches and extortion attacks affecting a number of companies including Adidas, Allianz Life and Qantas.</p>
   320. <p>On August 5, Google <a href="https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion" target="_blank" rel="noopener">disclosed</a> that one of its corporate Salesforce instances was compromised by the attackers, which the GTIG has dubbed <strong>UNC6040</strong> (&#8220;UNC&#8221; stands for &#8220;uncategorized threat group&#8221;). Google said the extortionists consistently claimed to be the threat group <strong>ShinyHunters</strong>, and that the group appeared to be preparing to escalate its extortion attacks by launching a data leak site.</p>
  321. <p>ShinyHunters is an amorphous threat group known for using social engineering to break into cloud platforms and third-party IT providers, and for posting dozens of stolen databases to cybercrime communities like the now-defunct Breachforums.</p>
  322. <p>The ShinyHunters brand dates back to 2020, and the group has been credited with or taken responsibility for <a href="https://en.wikipedia.org/wiki/ShinyHunters" target="_blank" rel="noopener">dozens of data leaks</a> that exposed hundreds of millions of breached records. The group&#8217;s member roster is thought to be somewhat fluid, drawing mainly from active denizens of the <strong>Com</strong>, a mostly English-language cybercrime community scattered across an ocean of Telegram and Discord servers.</p>
   323. <p>Recorded Future&#8217;s <strong>Alan Liska</strong> <a href="https://www.bleepingcomputer.com/news/security/shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh/" target="_blank" rel="noopener">told</a> <strong>Bleeping Computer</strong> that the overlap in the &#8220;tools, techniques and procedures&#8221; used by ShinyHunters and the <a href="https://krebsonsecurity.com/tag/scattered-spider/" target="_blank" rel="noopener">Scattered Spider extortion group</a> likely indicates some crossover between the two groups.</p>
  324. <p>To muddy the waters even further, on August 28 a Telegram channel that now has nearly 40,000 subscribers was launched under the intentionally confusing banner &#8220;<strong>Scattered LAPSUS$ Hunters 4.0</strong>,&#8221; wherein participants have repeatedly claimed responsibility for the Salesloft hack without actually sharing any details to prove their claims.</p>
  325. <p>The Telegram group has been trying to attract media attention by threatening security researchers at Google and other firms. It also is using the channel&#8217;s sudden popularity to promote a new cybercrime forum called &#8220;Breachstars,&#8221; which they claim will soon host data stolen from victim companies who refuse to negotiate a ransom payment.<span id="more-72062"></span></p>
  326. <div id="attachment_72075" style="width: 555px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72075" decoding="async" loading="lazy" class="size-full wp-image-72075" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/scatteredlapsusshunters.png" alt="" width="545" height="843" /><p id="caption-attachment-72075" class="wp-caption-text">The &#8220;Scattered Lapsus$ Hunters 4.0&#8221; channel on Telegram now has roughly 40,000 subscribers.</p></div>
  327. <p>But <strong>Austin Larsen</strong>, a principal threat analyst at Google&#8217;s threat intelligence group, said there is no compelling evidence to attribute the Salesloft activity to ShinyHunters or to other known groups at this time.</p>
  328. <p>&#8220;Their understanding of the incident seems to come from public reporting alone,&#8221; Larsen told KrebsOnSecurity, referring to the most active participants in the Scattered LAPSUS$ Hunters 4.0 Telegram channel.</p>
   329. <p><strong>Joshua Wright</strong>, a senior technical director at <strong>Counter Hack</strong>, is credited with coining the term &#8220;authorization sprawl&#8221; to describe one key reason that social engineering attacks from groups like Scattered Spider and ShinyHunters so often succeed: They abuse legitimate user access tokens to move seamlessly between on-premises and cloud systems.</p>
  330. <p>Wright said this type of attack chain often goes undetected because the attacker sticks to the resources and access already allocated to the user.</p>
  331. <p>&#8220;Instead of the conventional chain of initial access, privilege escalation and endpoint bypass, these threat actors are using centralized identity platforms that offer single sign-on (SSO) and integrated authentication and authorization schemes,&#8221; Wright <a href="https://www.techtarget.com/searchsecurity/post/Authorization-sprawl-Attacking-modern-access-models" target="_blank" rel="noopener">wrote in a June 2025 column</a>. &#8220;Rather than creating custom malware, attackers use the resources already available to them as authorized users.&#8221;</p>
  332. <p>It remains unclear exactly how the attackers gained access to all Salesloft Drift authentication tokens. Salesloft announced on August 27 that it hired <strong>Mandiant</strong>, Google Cloud&#8217;s incident response division, to investigate the root cause(s).</p>
   333. <p>&#8220;We are working with Salesloft Drift to investigate the root cause of what occurred and then it&#8217;ll be up to them to publish that,&#8221; Mandiant Consulting CTO <strong>Charles Carmakal</strong> <a href="https://cyberscoop.com/salesloft-drift-compromise-scope-expands/" target="_blank" rel="noopener">told Cyberscoop</a>. &#8220;There will be a lot more tomorrow, and the next day, and the next day.&#8221;</p>
  334. ]]></content:encoded>
  335. <wfw:commentRss>https://krebsonsecurity.com/2025/09/the-ongoing-fallout-from-a-breach-at-ai-chatbot-maker-salesloft/feed/</wfw:commentRss>
  336. <slash:comments>33</slash:comments>
  337. </item>
  338. <item>
  339. <title>Affiliates Flock to &#8216;Soulless&#8217; Scam Gambling Machine</title>
  340. <link>https://krebsonsecurity.com/2025/08/affiliates-flock-to-soulless-scam-gambling-machine/</link>
  341. <comments>https://krebsonsecurity.com/2025/08/affiliates-flock-to-soulless-scam-gambling-machine/#comments</comments>
  342. <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
  343. <pubDate>Thu, 28 Aug 2025 17:21:32 +0000</pubDate>
  344. <category><![CDATA[A Little Sunshine]]></category>
  345. <category><![CDATA[Latest Warnings]]></category>
  346. <category><![CDATA[The Coming Storm]]></category>
  347. <category><![CDATA[Web Fraud 2.0]]></category>
  348. <category><![CDATA[Gambler Panel]]></category>
  349. <category><![CDATA[Instagram]]></category>
  350. <category><![CDATA[scam gambling]]></category>
  351. <category><![CDATA[scambling]]></category>
  352. <category><![CDATA[Silent Push]]></category>
  353. <category><![CDATA[Thereallo]]></category>
  354. <category><![CDATA[Tiktok]]></category>
  355. <guid isPermaLink="false">https://krebsonsecurity.com/?p=72027</guid>
  356.  
  357. <description><![CDATA[Last month, KrebsOnSecurity tracked the sudden emergence of hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. We've since learned that these scam gambling sites have proliferated thanks to a new Russian affiliate program called "Gambler Panel" that bills itself as a "soulless project that is made for profit."]]></description>
  358. <content:encoded><![CDATA[<p>Last month, KrebsOnSecurity tracked the sudden emergence of hundreds of polished online gaming and wagering websites that lure people with free credits and eventually <a href="https://krebsonsecurity.com/2025/07/scammers-unleash-flood-of-slick-online-gaming-sites/" target="_blank" rel="noopener">abscond with any cryptocurrency funds</a> deposited by players. We&#8217;ve since learned that these scam gambling sites have proliferated thanks to a new Russian affiliate program called &#8220;<strong>Gambler Panel</strong>&#8221; that bills itself as a &#8220;soulless project that is made for profit.&#8221;</p>
  359. <div id="attachment_72047" style="width: 1423px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72047" decoding="async" loading="lazy" class="size-full wp-image-72047" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-offer.png" alt="" width="1413" height="717" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-offer.png 1413w, https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-offer-768x390.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-offer-782x397.png 782w" sizes="(max-width: 1413px) 100vw, 1413px" /><p id="caption-attachment-72047" class="wp-caption-text">A machine-translated version of Gambler Panel&#8217;s affiliate website.</p></div>
  360. <p>The scam begins with deceptive ads posted on social media that claim the wagering sites are working in partnership with popular athletes or social media personalities. The ads invariably state that by using a supplied &#8220;promo code,&#8221; interested players can claim a $2,500 credit on the advertised gaming website.</p>
   361. <p>The gaming sites ask visitors to create a free account to claim their $2,500 credit, which they can use to play any number of extremely polished video games that ask users to bet on each action. However, when users try to cash out any &#8220;winnings&#8221; the gaming site will reject the request and prompt the user to make a &#8220;verification deposit&#8221; of cryptocurrency &#8212; typically around $100 &#8212; before any money can be distributed.</p>
  362. <p>Those who deposit cryptocurrency funds are soon pressed into more wagering and making additional deposits. And &#8212; shocker alert &#8212; all players eventually lose everything they&#8217;ve invested in the platform.</p>
  363. <p>The number of scam gambling or &#8220;scambling&#8221; sites has skyrocketed in the past month, and now we know why: The sites all pull their gaming content and detailed strategies for fleecing players straight from the playbook created by Gambler Panel, a Russian-language affiliate program that promises affiliates up to 70 percent of the profits.</p>
  364. <div style="text-align: center;"><iframe loading="lazy" title="YouTube video player" src="https://www.youtube.com/embed/lNjqXIq1s5g?si=-30qS1Bw73VdIXow" width="750" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></div>
  365. <p>Gambler Panel&#8217;s website gambler-panel[.]com links to a helpful wiki that explains the scam from cradle to grave, offering affiliates advice on how best to entice visitors, keep them gambling, and extract maximum profits from each victim.</p>
  366. <p>&#8220;We have a completely self-written from scratch FAKE CASINO engine that has no competitors,&#8221; Gambler Panel&#8217;s wiki enthuses. &#8220;Carefully thought-out casino design in every pixel, a lot of audits, surveys of real people and test traffic floods were conducted, which allowed us to create something that has no doubts about the legitimacy and trustworthiness even for an inveterate gambling addict with many years of experience.&#8221;</p>
  367. <p>Gambler Panel explains that the one and only goal of affiliates is to drive traffic to these scambling sites by any and all means possible.</p>
  368. <div id="attachment_72043" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72043" decoding="async" loading="lazy" class=" wp-image-72043" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-yourtask.png" alt="" width="749" height="485" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-yourtask.png 1220w, https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-yourtask-768x497.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-yourtask-782x506.png 782w" sizes="(max-width: 749px) 100vw, 749px" /><p id="caption-attachment-72043" class="wp-caption-text">A machine-translated portion of Gambler Panel&#8217;s singular instruction for affiliates: Drive traffic to these scambling sites by any means available.</p></div>
  369. <p>&#8220;Unlike white gambling affiliates, we accept absolutely any type of traffic, regardless of origin, the only limitation is the CIS countries,&#8221; the wiki continued, referring to a common prohibition against scamming people in Russia and former Soviet republics in the Commonwealth of Independent States.</p>
  370. <p>The program&#8217;s website claims it has more than 20,000 affiliates, who earn a minimum of $10 for each verification deposit. Interested new affiliates must first get approval from the group&#8217;s Telegram channel, which currently has around 2,500 active users.</p>
  371. <p>The Gambler Panel channel is replete with images of affiliate panels showing the daily revenue of top affiliates, scantily-clad young women promoting the Gambler logo, and fast cars that top affiliates claimed they bought with their earnings.<span id="more-72027"></span></p>
  372. <div id="attachment_72041" style="width: 760px" class="wp-caption aligncenter"><a href="https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-mainmotives.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-72041" decoding="async" loading="lazy" class="wp-image-72041" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-mainmotives.png" alt="" width="750" height="468" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-mainmotives.png 1266w, https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-mainmotives-768x479.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-mainmotives-782x488.png 782w" sizes="(max-width: 750px) 100vw, 750px" /></a><p id="caption-attachment-72041" class="wp-caption-text">A machine-translated version of the wiki for the affiliate program Gambler Panel.</p></div>
  373. <p>The apparent popularity of this scambling niche is a consequence of the program&#8217;s ease of use and detailed instructions for successfully reproducing virtually every facet of the scam. Indeed, much of the tutorial focuses on advice and ready-made templates to help even novice affiliates drive traffic via social media websites, particularly on <strong>Instagram</strong> and <strong>TikTok</strong>.</p>
  374. <p>Gambler Panel also walks affiliates through a range of possible responses to questions from users who are trying to withdraw funds from the platform. This section, titled &#8220;Rules for working in Live chat,&#8221; urges scammers to respond quickly to user requests (1-7 minutes), and includes numerous strategies for keeping the conversation professional and the user on the platform as long as possible.</p>
  375. <div id="attachment_72042" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72042" decoding="async" loading="lazy" class=" wp-image-72042" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-livechatrules.png" alt="" width="749" height="467" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-livechatrules.png 1266w, https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-livechatrules-768x479.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/scambler-livechatrules-782x488.png 782w" sizes="(max-width: 749px) 100vw, 749px" /><p id="caption-attachment-72042" class="wp-caption-text">A machine-translated version of the Gambler Panel&#8217;s instructions on managing chat support conversations with users.</p></div>
  376. <p>The connection between Gambler Panel and the explosion in the number of scambling websites was made by a 17-year-old developer who operates multiple Discord servers that have been flooded lately with misleading ads for these sites.</p>
  377. <p>The researcher, who asked to be identified only by the nickname &#8220;<strong>Thereallo</strong>,&#8221; said Gambler Panel has built a scalable business product for other criminals.</p>
  378. <p>&#8220;The wiki is kinda like a &#8216;how to scam 101&#8217; for criminals written with the clarity you would expect from a legitimate company,&#8221; Thereallo said. &#8220;It&#8217;s clean, has step by step guides, and treats their scam platform like a real product. You could swap out the content, and it could be any documentation for startups.&#8221;</p>
  379. <p>&#8220;They&#8217;ve minimized their own risk &#8212; spreading the links on Discord / Facebook / YT Shorts, etc. &#8212; and outsourced it to a hungry affiliate network, just like a franchise,&#8221; Thereallo wrote in response to questions.</p>
  380. <p>&#8220;A centralized platform that can serve over 1,200 domains with a shared user base, IP tracking, and a custom API is not at all a trivial thing to build,&#8221; Thereallo said. &#8220;It&#8217;s a scalable system designed to be a resilient foundation for thousands of disposable scam sites.&#8221;</p>
  381. <p>The security firm <strong>Silent Push</strong> has compiled a list of the latest domains associated with the Gambler Panel, <a href="https://krebsonsecurity.com/wp-content/uploads/2025/08/Gates-of-Olympus-Likely-Casino-Websites-Silent-Push.csv" target="_blank" rel="noopener">available here</a> (.csv).</p>
  382. ]]></content:encoded>
  383. <wfw:commentRss>https://krebsonsecurity.com/2025/08/affiliates-flock-to-soulless-scam-gambling-machine/feed/</wfw:commentRss>
  384. <slash:comments>18</slash:comments>
  385. </item>
  386. <item>
  387. <title>DSLRoot, Proxies, and the Threat of &#8216;Legal Botnets&#8217;</title>
  388. <link>https://krebsonsecurity.com/2025/08/dslroot-proxies-and-the-threat-of-legal-botnets/</link>
  389. <comments>https://krebsonsecurity.com/2025/08/dslroot-proxies-and-the-threat-of-legal-botnets/#comments</comments>
  390. <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
  391. <pubDate>Tue, 26 Aug 2025 14:05:12 +0000</pubDate>
  392. <category><![CDATA[A Little Sunshine]]></category>
  393. <category><![CDATA[Breadcrumbs]]></category>
  394. <category><![CDATA[Internet of Things (IoT)]]></category>
  395. <category><![CDATA[Latest Warnings]]></category>
  396. <category><![CDATA[Aliaksandr Holas]]></category>
  397. <category><![CDATA[Andrei Holas]]></category>
  398. <category><![CDATA[BlackHatWorld]]></category>
  399. <category><![CDATA[Constella Intelligence]]></category>
  400. <category><![CDATA[DomainTools.com]]></category>
  401. <category><![CDATA[DSLRoot]]></category>
  402. <category><![CDATA[GlobalSolutions]]></category>
  403. <category><![CDATA[Incorptoday]]></category>
  404. <category><![CDATA[incorptoday@gmail.com]]></category>
  405. <category><![CDATA[Infrawatch]]></category>
  406. <category><![CDATA[Intel 471]]></category>
  407. <category><![CDATA[Lloyd Davies]]></category>
  408. <category><![CDATA[prepaidsolutions@yahoo.com]]></category>
  409. <category><![CDATA[Reddit]]></category>
  410. <category><![CDATA[ryzhik777@gmail.com]]></category>
  411. <category><![CDATA[Sacapoopie]]></category>
  412. <category><![CDATA[USProxyKing]]></category>
  413. <category><![CDATA[WebHostingTalk]]></category>
  414. <guid isPermaLink="false">https://krebsonsecurity.com/?p=71984</guid>
  415.  
   416. <description><![CDATA[The cybersecurity community on Reddit responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement they'd made with a company called DSLRoot, which was paying $250 a month to plug a pair of laptops into the Redditor's high-speed Internet connection in the United States. This post examines the history and provenance of DSLRoot, one of the oldest "residential proxy" networks with origins in Russia and Eastern Europe.]]></description>
   417. <content:encoded><![CDATA[<p>The cybersecurity community on <strong>Reddit</strong> responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement they&#8217;d made with a company called <strong>DSLRoot</strong>, which was paying $250 a month to plug a pair of laptops into the Redditor&#8217;s high-speed Internet connection in the United States. This post examines the history and provenance of DSLRoot, one of the oldest &#8220;residential proxy&#8221; networks with origins in Russia and Eastern Europe.</p>
  418. <p><img decoding="async" loading="lazy" class="aligncenter wp-image-71989" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/sacapoopiepost.png" alt="" width="748" height="379" /></p>
  419. <p>The query about DSLRoot came from a Reddit user &#8220;<strong>Sacapoopie</strong>,&#8221; who did not respond to questions. This user has since deleted the original question from their post, although some of their replies to other Reddit cybersecurity enthusiasts <a href="https://www.reddit.com/r/cybersecurity/comments/1mksa8q/hosting_residential_ip_network_nodes/" target="_blank" rel="noopener">remain in the thread</a>. The original post was indexed <a href="https://archive.is/qsozu" target="_blank" rel="noopener">here by archive.is</a>, and it began with a question:</p>
  420. <p>&#8220;I have been getting paid 250$ a month by a residential IP network provider named DSL root to host devices in my home,&#8221; Sacapoopie wrote. &#8220;They are on a separate network than what we use for personal use. They have dedicated DSL connections (one per host) to the ISP that provides the DSL coverage. My family used Starlink. Is this stupid for me to do? They just sit there and I get paid for it. The company pays the internet bill too.&#8221;</p>
  421. <p>Many Redditors said they assumed Sacapoopie&#8217;s post was a joke, and that nobody with a cybersecurity background and top-secret (TS/SCI) clearance would agree to let some shady residential proxy company introduce hardware into their network. Other readers pointed to a slew of posts from Sacapoopie in the Cybersecurity subreddit over the past two years about their work on cybersecurity for the Air National Guard.</p>
  422. <p>When pressed for more details by fellow Redditors, Sacapoopie described the equipment supplied by DSLRoot as &#8220;just two laptops hardwired into a modem, which then goes to a dsl port in the wall.&#8221;</p>
  423. <p><img decoding="async" loading="lazy" class="aligncenter wp-image-71990" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/saca-twolaptops.png" alt="" width="747" height="218" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/saca-twolaptops.png 922w, https://krebsonsecurity.com/wp-content/uploads/2025/08/saca-twolaptops-768x224.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/saca-twolaptops-782x228.png 782w" sizes="(max-width: 747px) 100vw, 747px" /></p>
  424. <p>&#8220;When I open the computer, it looks like [they] have some sort of custom application that runs and spawns several cmd prompts,&#8221; the Redditor explained. &#8220;All I can infer from what I see in them is they are making connections.&#8221;</p>
  425. <p>When asked how they became acquainted with DSLRoot, Sacapoopie told another user they discovered the company and reached out after viewing an advertisement on a social media platform.</p>
  426. <p>&#8220;This was probably 5-6 years ago,&#8221; Sacapoopie wrote. &#8220;Since then I just communicate with a technician from that company and I help trouble shoot connectivity issues when they arise.&#8221;</p>
  427. <p>Reached for comment, DSLRoot said its brand has been unfairly maligned thanks to that Reddit discussion. The unsigned email said DSLRoot is fully transparent about its goals and operations, adding that it operates under full consent from its &#8220;regional agents,&#8221; the company&#8217;s term for U.S. residents like Sacapoopie.</p>
  428. <p>&#8220;As although we support honest journalism, we&#8217;re against of all kinds of &#8216;low rank/misleading Yellow Journalism&#8217; done for the sake of cheap hype,&#8221; DSLRoot wrote in reply. &#8220;It&#8217;s obvious to us that whoever is doing this, is either lacking a proper understanding of the subject or doing it intentionally to gain exposure by misleading those who lack proper understanding,&#8221; DSLRoot wrote in answer to questions about the company&#8217;s intentions.</p>
  429. <p>&#8220;We monitor our clients and prohibit any illegal activity associated with our residential proxies,&#8221; DSLRoot continued. &#8220;We honestly didn&#8217;t know that the guy who made the Reddit post was a military guy. Be it an African-American granny trying to pay her rent or a white kid trying to get through college, as long as they can provide an Internet line or host phones for us &#8212; we&#8217;re good.&#8221;<span id="more-71984"></span></p>
  430. <h2>WHAT IS DSLROOT?</h2>
   431. <p>DSLRoot is sold as a residential proxy service on the forum <strong>BlackHatWorld</strong> under the names DSLRoot and <strong>GlobalSolutions</strong>. The company is based in the Bahamas and was formed in 2012. The service is advertised to people who are not in the United States but who want to seem like they are. DSLRoot pays people in the United States to run the company&#8217;s hardware and software &#8212; including 5G mobile devices &#8212; and in return it rents those IP addresses as dedicated proxies to customers anywhere in the world &#8212; priced at $190 per month for unrestricted access to all locations.</p>
  432. <div id="attachment_71996" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71996" decoding="async" loading="lazy" class=" wp-image-71996" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/dslroot.png" alt="" width="748" height="425" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/dslroot.png 1194w, https://krebsonsecurity.com/wp-content/uploads/2025/08/dslroot-768x436.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/dslroot-782x444.png 782w" sizes="(max-width: 748px) 100vw, 748px" /><p id="caption-attachment-71996" class="wp-caption-text">The DSLRoot website.</p></div>
  433. <p>The GlobalSolutions account on BlackHatWorld lists a Telegram account and a WhatsApp number in Mexico. DSLRoot&#8217;s profile on the marketing agency digitalpoint.com from 2010 shows their previous username on the forum was &#8220;<strong>Incorptoday</strong>.&#8221; GlobalSolutions user accounts at bitcointalk[.]org and roclub[.]com include the email <strong>clickdesk@instantvirtualcreditcards[.]com</strong>.</p>
  434. <p>Passive DNS records from <strong>DomainTools.com</strong> show instantvirtualcreditcards[.]com shared a host back then &#8212; 208.85.1.164 &#8212; with just a handful of domains, including dslroot[.]com, regacard[.]com, 4groot[.]com, residential-ip[.]com, 4gemperor[.]com, ip-teleport[.]com, <strong>proxysource[.]net</strong> and proxyrental[.]net.</p>
  435. <p>Cyber intelligence firm <strong>Intel 471</strong> finds GlobalSolutions registered on BlackHatWorld in 2016 using the email address <strong>prepaidsolutions@yahoo.com</strong>. This user shared that their birthday is March 7, 1984.</p>
  436. <p>Several negative reviews about DSLRoot on the forums noted that the service was operated by a BlackHatWorld user calling himself &#8220;<strong>USProxyKing</strong>.&#8221; Indeed, Intel 471 shows this user told fellow forum members in 2013 to contact him at the Skype username &#8220;dslroot.&#8221;</p>
  437. <div id="attachment_71993" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71993" decoding="async" loading="lazy" class=" wp-image-71993" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/bhw-usproxyking.png" alt="" width="750" height="336" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/bhw-usproxyking.png 1312w, https://krebsonsecurity.com/wp-content/uploads/2025/08/bhw-usproxyking-768x344.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/bhw-usproxyking-782x350.png 782w" sizes="(max-width: 750px) 100vw, 750px" /><p id="caption-attachment-71993" class="wp-caption-text">USProxyKing on BlackHatWorld, soliciting installations of his adware via torrents and file-sharing sites.</p></div>
  438. <p>USProxyKing had a reputation for spamming the forums with ads for his residential proxy service, and he ran a &#8220;<a href="https://krebsonsecurity.com/2011/06/pay-per-install-a-major-source-of-badness/" target="_blank" rel="noopener">pay-per-install</a>&#8221; program where he paid affiliates a small commission each time one of their websites resulted in the installation of his unspecified &#8220;adware&#8221; programs &#8212; presumably a program that turned host PCs into proxies. On the other end of the business, USProxyKing sold that pay-per-install access to others wishing to distribute questionable software &#8212; at $1 per installation.</p>
  439. <p>Private messages indexed by Intel 471 show USProxyKing also raised money from nearly 20 different BlackHatWorld members who were promised shareholder positions in a new business that would offer robocalling services capable of placing 2,000 calls per minute.</p>
  440. <p><strong>Constella Intelligence</strong>, a platform that tracks data exposed in breaches, finds that same IP address GlobalSolutions used to register at BlackHatWorld was also used to create accounts at a handful of sites, including a GlobalSolutions user account at <strong>WebHostingTalk </strong>that supplied the email address <strong>incorptoday@gmail.com</strong>. Also registered to incorptoday@gmail.com are the domains dslbay[.]com, dslhub[.]net, localsim[.]com, rdslpro[.]com, virtualcards[.]biz/cc, and virtualvisa[.]cc.</p>
  441. <p>Recall that DSLRoot&#8217;s profile on digitalpoint.com was previously named Incorptoday. DomainTools says incorptoday@gmail.com is associated with almost two dozen domains going back to 2008, including <strong>incorptoday[.]com</strong>, a website that offers to incorporate businesses in several states, including Delaware, Florida and Nevada, for prices ranging from $450 to $550.</p>
  442. <p>As we can see in <a href="https://web.archive.org/web/20130210060312/http://www.incorptoday.com/services/business_bank_account_nonus_residents" target="_blank" rel="noopener">this archived copy of the site from 2013</a>, IncorpToday also offered a premiere service for $750 that would allow the customer&#8217;s new company to have a retail checking account, with no questions asked.</p>
  443. <p>Global Solutions is able to provide access to the U.S. banking system by offering customers prepaid cards that can be loaded with a variety of virtual payment instruments that were popular in Russian-speaking countries at the time, including WebMoney. The cards are limited to $500 balances, but non-Westerners can use them to anonymously pay for goods and services at a variety of Western companies. <a href="https://web.archive.org/web/20111013132649/http://www.cardnow.ru/" target="_blank" rel="noopener">Cardnow[.]ru</a>, another domain registered to incorptoday@gmail.com, demonstrates this in action.</p>
  444. <div id="attachment_71992" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71992" decoding="async" loading="lazy" class=" wp-image-71992" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/incorptoday-bankaccount.png" alt="" width="750" height="648" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/incorptoday-bankaccount.png 993w, https://krebsonsecurity.com/wp-content/uploads/2025/08/incorptoday-bankaccount-768x664.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/incorptoday-bankaccount-782x676.png 782w" sizes="(max-width: 750px) 100vw, 750px" /><p id="caption-attachment-71992" class="wp-caption-text">A copy of Incorptoday&#8217;s website from 2013 offers non-US residents a service to incorporate a business in Florida, Delaware or Nevada, along with a no-questions-asked checking account, for $750.</p></div>
  445. <h2>WHO IS ANDREI HOLAS?</h2>
  446. <p>The oldest domain (2008) registered to incorptoday@gmail.com is <strong>andrei[.]me</strong>; another is called <strong>andreigolos[.]com</strong>. DomainTools says these and other domains registered to that email address include the registrant name <strong>Andrei Holas</strong>, from Huntsville, Ala.</p>
  447. <p>Public records indicate Andrei Holas has lived with his brother &#8212; <strong>Aliaksandr Holas</strong> &#8212; at two different addresses in Alabama. Those records state that Andrei Holas&#8217; birthday is in March 1984, and that his brother is slightly younger. The younger brother did not respond to a request for comment.</p>
  448. <p>Andrei Holas maintained an account on the Russian social network <strong>Vkontakte</strong> under the email address <strong>ryzhik777@gmail.com</strong>, an address that shows up in numerous records hacked and leaked from Russian government entities over the past few years.</p>
  449. <p>Those records indicate Andrei Holas and his brother are from Belarus and have maintained an address in Moscow for some time (that address is roughly three blocks away from the main headquarters of the Russian FSB, the successor intelligence agency to the KGB). Hacked Russian banking records show Andrei Holas&#8217; birthday is March 7, 1984 &#8212; the same birth date listed by GlobalSolutions on BlackHatWorld.</p>
  450. <p>A <a href="https://www-ulitka-com.translate.goog/forum/%D0%B6%D0%B8%D0%B7%D0%BD%D1%8C-%D0%B8-%D1%80%D0%B0%D0%B1%D0%BE%D1%82%D0%B0-%D0%B2-%D0%B0%D0%BC%D0%B5%D1%80%D0%B8%D0%BA%D0%B5/%D0%B6%D0%B8%D0%B7%D0%BD%D1%8C-%D0%B2-%D0%B0%D0%BC%D0%B5%D1%80%D0%B8%D0%BA%D0%B5/%D0%B2%D0%BE%D1%81%D1%81%D0%BE%D0%B5%D0%B4%D0%B8%D0%BD%D0%B5%D0%BD%D0%B8%D0%B5-%D1%81%D0%B5%D0%BC%D1%8C%D0%B8/27020-%D0%BF%D0%BE%D0%BC%D0%BE%D0%B3%D0%B8%D1%82%D0%B5-%D1%80%D0%B0%D0%B7%D0%BE%D0%B1%D1%80%D0%B0%D1%82%D1%8C%D1%81%D1%8F?_x_tr_sl=auto&amp;_x_tr_tl=en&amp;_x_tr_hl=en-US&amp;_x_tr_pto=wapp" target="_blank" rel="noopener">2010 post by ryzhik777@gmail.com</a> at the Russian-language forum Ulitka explains that the poster was having trouble getting his B1/B2 visa to visit his brother in the United States, even though he&#8217;d previously been approved for two separate guest visas and a student visa. It remains unclear if one, both, or neither of the Holas brothers still lives in the United States. Andrei explained in 2010 that his brother was an American citizen.</p>
  451. <h2>LEGAL BOTNETS</h2>
  452. <p>We can all wag our fingers at military personnel who should undoubtedly know better than to install Internet hardware from strangers, but in truth there is an endless supply of U.S. residents who will resell their Internet connection if it means they can make a few bucks out of it. And these days, there are plenty of residential proxy providers who will make it worth your while.</p>
  453. <p>Traditionally, residential proxy networks have been constructed using malicious software that quietly turns infected systems into traffic relays, which are then sold in shadowy online forums. Most often, this malware gets bundled with popular cracked software and video files that are uploaded to file-sharing networks. In fact, USProxyKing bragged that he routinely achieved thousands of installs per week via this method alone.</p>
  454. <p>A number of residential proxy networks entice users to monetize their unused bandwidth (inviting you to violate the terms of service of your ISP in the process). Others, like DSLRoot, act as a communal VPN: by using the service you gain access to the connections of other proxies (users) by default, but you also agree to share your own connection with others.</p>
  455. <p>Indeed, Intel 471&#8217;s archives show the GlobalSolutions and DSLRoot accounts routinely received private messages from forum users who were college students or young people trying to make ends meet. Those messages show that many of DSLRoot&#8217;s &#8220;regional agents&#8221; often sought commissions to refer friends interested in reselling their home Internet connections (DSLRoot would offer to cover the monthly cost of the agent&#8217;s home Internet connection).</p>
  456. <p>But in an era when North Korean hackers are relentlessly posing as Western IT workers by paying people to host laptop farms in the United States, letting strangers run laptops, mobile devices or any other hardware on your network seems like an awfully risky move regardless of your station in life. As several Redditors pointed out in Sacapoopie&#8217;s thread, an Arizona woman <a href="https://www.justice.gov/opa/pr/arizona-woman-sentenced-17m-information-technology-worker-fraud-scheme-generated-revenue" target="_blank" rel="noopener">was sentenced in July 2025 to 102 months in prison</a> for hosting a laptop farm that helped North Korean hackers secure jobs at more than 300 U.S. companies, including Fortune 500 firms.</p>
  457. <p><strong>Lloyd Davies</strong> is the founder of <strong>Infrawatch</strong>, a London-based security startup that tracks residential proxy networks. Davies said he reverse engineered <a href="https://www.virustotal.com/gui/file/042a8fa307e585952ada30070a2aa5606a9a8fbdf7c9f15d50753fcf33736bc9" target="_blank" rel="noopener">the software that powers DSLRoot&#8217;s proxy service</a>, and found it phones home to the aforementioned domain proxysource[.]net, which sells a service that promises to &#8220;get your ads live in multiple cities without getting banned, flagged or ghosted&#8221; (presumably a reference to CraigsList ads).</p>
  458. <p>Davies said he found the DSLRoot installer had capabilities to remotely control residential networking equipment across multiple vendor brands.</p>
  459. <div id="attachment_72002" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72002" decoding="async" loading="lazy" class=" wp-image-72002" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/DSLROOT-map.png" alt="" width="749" height="489" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/DSLROOT-map.png 1194w, https://krebsonsecurity.com/wp-content/uploads/2025/08/DSLROOT-map-768x501.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/DSLROOT-map-782x510.png 782w" sizes="(max-width: 749px) 100vw, 749px" /><p id="caption-attachment-72002" class="wp-caption-text">Image: Infrawatch.app.</p></div>
  460. <p>&#8220;The software employs vendor-specific exploits and hardcoded administrative credentials, suggesting DSLRoot pre-configures equipment before deployment,&#8221; Davies wrote in <a href="https://infrawatch.app/blog/dslroot-us-proxy-investigation" target="_blank" rel="noopener">an analysis published today</a>. He said the software performs WiFi network enumeration to identify nearby wireless networks, thereby &#8220;potentially expanding targeting capabilities beyond the primary internet connection.&#8221;</p>
  461. <p>It&#8217;s unclear exactly when the USProxyKing was usurped from his throne, but DSLRoot and its proxy offerings are not what they used to be. Davies said the entire DSLRoot network now has fewer than 300 nodes nationwide, mostly systems on DSL providers like CenturyLink and Frontier.</p>
  462. <p>On Aug. 17, GlobalSolutions posted to BlackHatWorld saying, &#8220;We&#8217;re restructuring our business model by downgrading to &#8216;DSL only&#8217; lines (no mobile or cable).&#8221; Asked via email about the changes, DSLRoot blamed the decline in his customers on the proliferation of residential proxy services.</p>
  463. <p>&#8220;These days it has become almost impossible to compete in this niche as everyone is selling residential proxies and many companies want you to install a piece of software on your phone or desktop so they can resell your residential IPs on a much larger scale,&#8221; DSLRoot explained. &#8220;So-called &#8216;legal botnets&#8217; as we see them.&#8221;</p>
  464. ]]></content:encoded>
  465. <wfw:commentRss>https://krebsonsecurity.com/2025/08/dslroot-proxies-and-the-threat-of-legal-botnets/feed/</wfw:commentRss>
  466. <slash:comments>24</slash:comments>
  467. </item>
  468. <item>
  469. <title>SIM-Swapper, Scattered Spider Hacker Gets 10 Years</title>
  470. <link>https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-gets-10-years/</link>
  471. <comments>https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-gets-10-years/#comments</comments>
  472. <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
  473. <pubDate>Thu, 21 Aug 2025 01:47:22 +0000</pubDate>
  474. <category><![CDATA[Ne'er-Do-Well News]]></category>
  475. <category><![CDATA[SIM Swapping]]></category>
  476. <category><![CDATA[DoorDash]]></category>
  477. <category><![CDATA[Judge Harvey E. Schlesinger]]></category>
  478. <category><![CDATA[King Bob]]></category>
  479. <category><![CDATA[lastpass]]></category>
  480. <category><![CDATA[Mailchimp]]></category>
  481. <category><![CDATA[News4Jax.com]]></category>
  482. <category><![CDATA[Noah Michael Urban]]></category>
  483. <category><![CDATA[Oktapus]]></category>
  484. <category><![CDATA[Plex]]></category>
  485. <category><![CDATA[Scatter Swine]]></category>
  486. <category><![CDATA[Scattered Spider]]></category>
  487. <category><![CDATA[Sosa]]></category>
  488. <category><![CDATA[Star Fraud]]></category>
  489. <category><![CDATA[T-Mobile]]></category>
  490. <category><![CDATA[The Com]]></category>
  491. <category><![CDATA[Twilio]]></category>
  492. <category><![CDATA[UNC3944]]></category>
  493. <guid isPermaLink="false">https://krebsonsecurity.com/?p=71967</guid>
  494.  
  495. <description><![CDATA[A 21-year-old Florida man at the center of a prolific cybercrime group known as "Scattered Spider" was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims.
  496.  
  497. Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban conspired with others to steal at least $800,000 from five victims via SIM-swapping attacks that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.]]></description>
  498. <content:encoded><![CDATA[<p>A 20-year-old Florida man at the center of a prolific cybercrime group known as &#8220;<strong>Scattered Spider</strong>&#8221; was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims.</p>
  499. <p><strong>Noah Michael Urban</strong> of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban <a href="https://krebsonsecurity.com/2024/01/fla-man-charged-in-sim-swapping-spree-is-key-suspect-in-hacker-groups-oktapus-scattered-spider/" target="_blank" rel="noopener">conspired with others to steal at least $800,000</a> from five victims via <a href="https://krebsonsecurity.com/category/sim-swapping/" target="_blank" rel="noopener">SIM-swapping attacks</a> that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.</p>
  500. <div id="attachment_66236" style="width: 456px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-66236" decoding="async" loading="lazy" class=" wp-image-66236" src="https://krebsonsecurity.com/wp-content/uploads/2024/01/noahmichaelurban.png" alt="" width="446" height="559" /><p id="caption-attachment-66236" class="wp-caption-text">A booking photo of Noah Michael Urban released by the Volusia County Sheriff.</p></div>
  501. <p>Although prosecutors had asked for Urban to serve eight years, Jacksonville news outlet <strong>News4Jax.com</strong> <a href="https://www.news4jax.com/news/local/2025/08/20/palm-coast-man-linked-to-scattered-spider-cybercrime-gang-sentenced-to-10-years-for-cryptocurrency-theft/" target="_blank" rel="noopener">reports</a> the federal judge in the case today opted to sentence Urban to 120 months in federal prison, ordering him to pay $13 million in restitution and undergo three years of supervised release after his sentence is completed.</p>
  502. <p>In November 2024 Urban was <a href="https://krebsonsecurity.com/2024/11/feds-charge-five-men-in-scattered-spider-roundup/" target="_blank" rel="noopener">charged by federal prosecutors in Los Angeles</a> as one of five members of Scattered Spider (a.k.a. &#8220;Oktapus,&#8221; &#8220;Scatter Swine&#8221; and &#8220;UNC3944&#8221;), which specialized in SMS and voice phishing attacks that tricked employees at victim companies into entering their credentials and one-time passcodes at phishing websites. Urban pleaded guilty to one count of conspiracy to commit wire fraud in the California case, and the $13 million in restitution is intended to cover victims from both cases.</p>
  503. <p>The targeted SMS scams <a href="https://krebsonsecurity.com/2022/08/how-1-time-passcodes-became-a-corporate-liability/" target="_blank" rel="noopener">spanned several months during the summer of 2022</a>, asking employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other missives advised employees about changes to their upcoming work schedule.</p>
  504. <p>That phishing spree netted Urban and others access to more than 130 companies, including <strong>Twilio</strong>, <strong>LastPass</strong>, <strong>DoorDash</strong>, <strong>MailChimp</strong>, and <strong>Plex</strong>. The government says the group used that access to steal proprietary company data and customer information, and that members also phished people to steal millions of dollars worth of cryptocurrency.</p>
  505. <p>For many years, Urban&#8217;s online hacker aliases &#8220;<strong>King Bob</strong>&#8221; and &#8220;<strong>Sosa</strong>&#8221; were fixtures of <a href="https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-the-com/" target="_blank" rel="noopener">the Com</a>, a mostly Telegram and Discord-based community of English-speaking cybercriminals wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering. King Bob constantly bragged on the Com about stealing unreleased rap music recordings from popular artists, presumably through SIM-swapping attacks. Many of those purloined tracks or &#8220;grails&#8221; he later sold or gave away on forums.</p>
  506. <div id="attachment_71970" style="width: 611px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71970" decoding="async" loading="lazy" class="size-full wp-image-71970" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/kingbobtweets.png" alt="" width="601" height="485" /><p id="caption-attachment-71970" class="wp-caption-text">Noah &#8220;King Bob&#8221; Urban, posting to Twitter/X around the time of his sentencing today.</p></div>
  507. <p>Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as &#8220;<strong>Star Fraud</strong>.&#8221; Cyberscoop’s AJ Vicens reported in 2023 that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks that same year.</p>
  508. <p>The Star Fraud SIM-swapping group gained the ability to temporarily move targeted mobile numbers to devices they controlled by constantly phishing employees of the major mobile providers. In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively <a href="https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/" target="_blank" rel="noopener">claimed internal access to T-Mobile on 100 separate occasions over a 7-month period in 2022</a>.<span id="more-71967"></span></p>
  509. <p>Reached via one of his King Bob accounts on Twitter/X, Urban called the sentence unjust, and said the judge in his case discounted his age as a factor.</p>
  510. <p>&#8220;The judge purposefully ignored my age as a factor because of the fact another Scattered Spider member hacked him personally during the course of my case,&#8221; Urban said in reply to questions, noting that he was sending the messages from a Florida county jail. &#8220;He should have been removed as a judge much earlier on. But staying in county jail is torture.&#8221;</p>
  511. <p>A <a href="https://krebsonsecurity.com/wp-content/uploads/2025/08/urban-status-hack.pdf" target="_blank" rel="noopener">court transcript</a> (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. It involved an intrusion into a magistrate judge&#8217;s email account, where a copy of Urban&#8217;s sealed indictment was stolen. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban&#8217;s activity in the Florida case.</p>
  512. <p>&#8220;What it ultimately turned into was a big faux pas,&#8221; <strong>Judge Harvey E. Schlesinger</strong> said. &#8220;The Court&#8217;s password&#8230;business is handled by an outside contractor. And somebody called the outside contractor representing Judge Toomey saying, &#8216;I need a password change.&#8217; And they gave out the password change. That&#8217;s how whoever was making the phone call got into the court.&#8221;</p>
  513. ]]></content:encoded>
  514. <wfw:commentRss>https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-gets-10-years/feed/</wfw:commentRss>
  515. <slash:comments>35</slash:comments>
  516. </item>
  517. <item>
  518. <title>Oregon Man Charged in &#8216;Rapper Bot&#8217; DDoS Service</title>
  519. <link>https://krebsonsecurity.com/2025/08/oregon-man-charged-in-rapper-bot-ddos-service/</link>
  520. <comments>https://krebsonsecurity.com/2025/08/oregon-man-charged-in-rapper-bot-ddos-service/#comments</comments>
  521. <dc:creator><![CDATA[BrianKrebs]]></dc:creator>
  522. <pubDate>Tue, 19 Aug 2025 20:51:06 +0000</pubDate>
  523. <category><![CDATA[A Little Sunshine]]></category>
  524. <category><![CDATA[DDoS-for-Hire]]></category>
  525. <category><![CDATA[Ne'er-Do-Well News]]></category>
  526. <category><![CDATA[Defense Criminal Investigative Service]]></category>
  527. <category><![CDATA[Elliott Peterson]]></category>
  528. <category><![CDATA[Ethan J. Foltz]]></category>
  529. <category><![CDATA[Forky]]></category>
  530. <category><![CDATA[gmail]]></category>
  531. <category><![CDATA[google]]></category>
  532. <category><![CDATA[Paypal]]></category>
  533. <category><![CDATA[Project Shield]]></category>
  534. <category><![CDATA[Rapper Bot]]></category>
  535. <category><![CDATA[Slaykings]]></category>
  536. <guid isPermaLink="false">https://krebsonsecurity.com/?p=71944</guid>
  537.  
  538. <description><![CDATA[A 22-year-old Oregon man has been arrested on suspicion of operating "Rapper Bot," a massive botnet used to power a service for launching distributed denial-of-service (DDoS) attacks against targets -- including a March 2025 DDoS that knocked Twitter/X offline. The Justice Department asserts the suspect and an unidentified co-conspirator rented out the botnet to online extortionists, and tried to stay off the radar of law enforcement by ensuring that their botnet was never pointed at KrebsOnSecurity.]]></description>
  539. <content:encoded><![CDATA[<p>A 22-year-old Oregon man has been arrested on suspicion of operating &#8220;<strong>Rapper Bot</strong>,&#8221; a massive botnet used to power a service for launching distributed denial-of-service (DDoS) attacks against targets &#8212; including a March 2025 DDoS that knocked Twitter/X offline. The Justice Department asserts the suspect and an unidentified co-conspirator rented out the botnet to online extortionists, and tried to stay off the radar of law enforcement by ensuring that their botnet was never pointed at KrebsOnSecurity.</p>
  540. <div id="attachment_71952" style="width: 757px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71952" decoding="async" loading="lazy" class=" wp-image-71952" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbotpanel.png" alt="" width="747" height="553" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbotpanel.png 1190w, https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbotpanel-768x568.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbotpanel-782x578.png 782w" sizes="(max-width: 747px) 100vw, 747px" /><p id="caption-attachment-71952" class="wp-caption-text">The control panel for the Rapper Bot botnet greets users with the message &#8220;Welcome to the Ball Pit, Now with refrigerator support,&#8221; an apparent reference to a handful of IoT-enabled refrigerators that were enslaved in their DDoS botnet.</p></div>
  541. <p>On August 6, 2025, federal agents arrested <strong>Ethan J. Foltz</strong> of Springfield, Ore. on suspicion of operating Rapper Bot, a globally dispersed collection of tens of thousands of hacked Internet of Things (IoT) devices.</p>
  542. <p>The complaint against Foltz explains the attacks usually clocked in at more than two terabits of junk data per second (a terabit is one trillion bits of data), which is more than enough traffic to cause serious problems for all but the most well-defended targets. The government says Rapper Bot consistently launched attacks that were &#8220;hundreds of times larger than the expected capacity of a typical server located in a data center,&#8221; and that some of its biggest attacks exceeded six terabits per second.</p>
  543. <p>Indeed, Rapper Bot was <a href="https://cyberpress.org/rapperbot-exploits-dvrs-to-take-control-of-surveillance-cameras/" target="_blank" rel="noopener">reportedly responsible</a> for the March 10, 2025 attack that caused intermittent outages on Twitter/X. The government says Rapper Bot&#8217;s most lucrative and frequent customers were involved in extorting online businesses &#8212; including numerous gambling operations based in China.</p>
  544. <p>The criminal complaint was written by <strong>Elliott Peterson</strong>, an investigator with the <strong>Defense Criminal Investigative Service</strong> (DCIS), the criminal investigative division of the <strong>Department of Defense</strong> (DoD) Office of Inspector General. The complaint notes the DCIS got involved because several Internet addresses maintained by the DoD were the target of Rapper Bot attacks.</p>
  545. <p>Peterson said he tracked Rapper Bot to Foltz after a subpoena to an ISP in Arizona that was hosting one of the botnet&#8217;s control servers showed the account was paid for via <strong>PayPal</strong>. More legal process to PayPal revealed Foltz&#8217;s <strong>Gmail</strong> account and previously used IP addresses. A subpoena to Google showed the defendant searched security blogs constantly for news about Rapper Bot, and for updates about competing DDoS-for-hire botnets.</p>
  546. <p>According to the complaint, after having a search warrant served on his residence, the defendant admitted to building and operating Rapper Bot, sharing the profits 50/50 with a person he claimed to know only by the hacker handle &#8220;<strong>Slaykings</strong>.&#8221; Foltz also shared with investigators the logs from his Telegram chats, wherein Foltz and Slaykings discussed how best to stay off the radar of law enforcement investigators while their competitors were getting busted.</p>
  547. <p>Specifically, the two hackers chatted about <a href="https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/" target="_blank" rel="noopener">a May 20 attack against KrebsOnSecurity.com</a> that clocked in at more than 6.3 terabits of data per second. The brief attack was notable because at the time it was the largest DDoS that Google had ever mitigated (KrebsOnSecurity sits behind the protection of <strong>Project Shield</strong>, a free DDoS defense service that <strong>Google</strong> provides to websites offering news, human rights, and election-related content).</p>
  548. <p>The May 2025 DDoS was launched by an IoT botnet called <strong>Aisuru</strong>, which I discovered was operated by a 21-year-old man in Brazil named <strong>Kaike Southier Leite</strong>. This individual was more commonly known online as &#8220;<strong>Forky</strong>,&#8221; and Forky told me he wasn&#8217;t afraid of me or U.S. federal investigators. Nevertheless, the complaint against Foltz notes that Forky&#8217;s botnet seemed to diminish in size and firepower at the same time that Rapper Bot&#8217;s infection numbers were on the upswing.</p>
  549. <p>&#8220;Both FOLTZ and Slaykings were very dismissive of attention seeking activities, the most extreme of which, in their view, was to launch DDoS attacks against the website of the prominent cyber security journalist Brian Krebs,&#8221; Peterson wrote in the criminal complaint.</p>
  550. <p>&#8220;You see, they’ll get themselves [expletive],&#8221; Slaykings wrote in response to Foltz&#8217;s comments about Forky and Aisuru bringing too much heat on themselves.</p>
  551. <p>&#8220;Prob cuz [redacted] hit krebs,&#8221; Foltz wrote in reply.</p>
  552. <p>&#8220;Going against Krebs isn’t a good move,&#8221; Slaykings concurred. &#8220;It isn’t about being a [expletive] or afraid, you just get a lot of problems for zero money. Childish, but good. Let them die.&#8221;</p>
  553. <p>&#8220;Ye, it’s good tho, they will die,&#8221; Foltz replied.</p>
  554. <p>The government states that just prior to Foltz&#8217;s arrest, Rapper Bot had enslaved an estimated 65,000 devices globally. That may sound like a lot, but the complaint notes the defendants weren&#8217;t interested in making headlines for building the world&#8217;s largest or most powerful botnet.</p>
  555. <p>Quite the contrary: The complaint asserts that the accused took care to maintain their botnet in a &#8220;Goldilocks&#8221; size &#8212; ensuring that &#8220;the number of devices afforded powerful attacks while still being manageable to control and, in the hopes of Foltz and his partners, small enough to not be detected.&#8221;</p>
  556. <p>The complaint states that several days later, Foltz and Slaykings returned to discussing what they expected to befall their rival group, with Slaykings stating, &#8220;Krebs is very revenge. He won’t stop until they are [expletive] to the bone.&#8221;</p>
  557. <p>&#8220;Surprised they have any bots left,&#8221; Foltz answered.</p>
  558. <p>&#8220;Krebs is not the one you want to have on your back. Not because he is scary or something, just because he will not give up UNTIL you are [expletive] [expletive]. Proved it with Mirai and many other cases.&#8221;<span id="more-71944"></span></p>
  559. <p>[Unknown expletives aside, that may well be the highest compliment I&#8217;ve ever been paid by a cybercriminal. I might even have part of that quote made into a t-shirt or mug or something. It&#8217;s also nice that they didn&#8217;t let any of their customers attack my site &#8212; if even only out of a paranoid sense of self-preservation.]</p>
  560. <p>Foltz admitted to wiping the user and attack logs for the botnet approximately once a week, so investigators were unable to tally the total number of attacks, customers and targets of this vast crime machine. But the data that was still available showed that from April 2025 to early August, Rapper Bot conducted over 370,000 attacks, targeting 18,000 unique victims across 1,000 networks, with the bulk of victims residing in China, Japan, the United States, Ireland and Hong Kong (in that order).</p>
  561. <p>According to the government, Rapper Bot borrows much of its code from <strong>fBot</strong>, a DDoS malware strain also known as <strong>Satori</strong>. In 2020, <a href="https://krebsonsecurity.com/2020/06/new-charges-sentencing-in-satori-iot-botnet-conspiracy/" target="_blank" rel="noopener">authorities in Northern Ireland charged a then 20-year-old man</a> named <strong>Aaron &#8220;Vamp&#8221; Sterritt</strong> with operating fBot with a co-conspirator. U.S. prosecutors are still seeking Sterritt&#8217;s extradition to the United States. fBot is itself a variation of the <strong>Mirai IoT botnet</strong> that has <a href="https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/" target="_blank" rel="noopener">ravaged the Internet with DDoS attacks</a> since <a href="https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/" target="_blank" rel="noopener">its source code was leaked back in 2016</a>.</p>
  562. <p>The complaint says Foltz and his partner did not allow most customers to launch attacks that were more than 60 seconds in duration &#8212; another way they tried to keep public attention to the botnet at a minimum. However, the government says the proprietors also had special arrangements with certain high-paying clients that allowed much larger and longer attacks.</p>
  563. <div id="attachment_71951" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71951" decoding="async" loading="lazy" class=" wp-image-71951" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbot-mad.png" alt="" width="750" height="610" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbot-mad.png 1046w, https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbot-mad-768x625.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbot-mad-782x636.png 782w" sizes="(max-width: 750px) 100vw, 750px" /><p id="caption-attachment-71951" class="wp-caption-text">The accused and his alleged partner made light of this blog post about the fallout from one of their botnet attacks.</p></div>
  564. <p>Most people who have never been on the receiving end of a monster DDoS attack have no idea of the cost and disruption that such sieges can bring. The DCIS&#8217;s Peterson wrote that he was able to test the botnet&#8217;s capabilities while interviewing Foltz, and found that &#8220;if this had been a server upon which I was running a website, using services such as load balancers, and paying for both outgoing and incoming data, at estimated industry average rates the attack (2+ Terabits per second times 30 seconds) might have cost the victim anywhere from $500 to $10,000.&#8221;</p>
  565. <p>&#8220;DDoS attacks at this scale often expose victims to devastating financial impact, and a potential alternative, network engineering solutions that mitigate the expected attacks such as overprovisioning, i.e. increasing potential Internet capacity, or DDoS defense technologies, can themselves be prohibitively expensive,&#8221; the complaint continues. &#8220;This &#8216;rock and a hard place&#8217; reality for many victims can leave them acutely exposed to extortion demands – &#8216;pay X dollars and the DDoS attacks stop&#8217;.&#8221;</p>
  566. <p>The Telegram chat records show that the day before Peterson and other federal agents raided Foltz&#8217;s residence, Foltz allegedly told his partner he&#8217;d found 32,000 new devices that were vulnerable to a previously unknown exploit.</p>
  567. <div id="attachment_71950" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71950" decoding="async" loading="lazy" class=" wp-image-71950" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbot-exploit.png" alt="" width="749" height="483" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbot-exploit.png 1255w, https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbot-exploit-768x495.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/08/rapperbot-exploit-782x504.png 782w" sizes="(max-width: 749px) 100vw, 749px" /><p id="caption-attachment-71950" class="wp-caption-text">Foltz and Slaykings discussing the discovery of an IoT vulnerability that will give them 32,000 new devices.</p></div>
  568. <p>Shortly before the search warrant was served on his residence, Foltz allegedly told his partner that &#8220;Once again we have the biggest botnet in the community.&#8221; The following day, Foltz told his partner that it was going to be a great day &#8212; the biggest so far in terms of income generated by Rapper Bot.</p>
  569. <p>&#8220;I sat next to Foltz while the messages poured in &#8212; promises of $800, then $1,000, the proceeds ticking up as the day went on,&#8221; Peterson wrote. &#8220;Noticing a change in Foltz&#8217; behavior and concerned that Foltz was making changes to the botnet configuration in real time, Slaykings asked him &#8216;What&#8217;s up?&#8217; Foltz deftly typed out some quick responses. Reassured by Foltz&#8217; answer, Slaykings responded, &#8216;Ok, I&#8217;m the paranoid one.&#8217;&#8221;</p>
  570. <p>The case is being prosecuted by <strong>Assistant U.S. Attorney Adam Alexander</strong> in the District of Alaska (at least some of the devices found to be infected with Rapper Bot were located there, and it is where Peterson is stationed). Foltz faces one count of aiding and abetting computer intrusions. If convicted, he faces a maximum penalty of 10 years in prison, although a federal judge is unlikely to award anywhere near that kind of sentence for a first-time conviction.</p>
  571. ]]></content:encoded>
  572. <wfw:commentRss>https://krebsonsecurity.com/2025/08/oregon-man-charged-in-rapper-bot-ddos-service/feed/</wfw:commentRss>
  573. <slash:comments>28</slash:comments>
  574. </item>
  575. </channel>
  576. </rss>
  577.  

Copyright © 2002-9 Sam Ruby, Mark Pilgrim, Joseph Walton, and Phil Ringnalda