Newsletters

For the first time in history it feels like law enforcement may actually be doing some damage to the ransomware ecosystem. Over the last few months Operation Endgame, a multinational joint law enforcement operation, has been tearing through the criminal underground like a bull in a china shop.

Last week Dutch police announced that, in collaboration with US and Finnish authorities, they had taken down AVCheck, a testing service used by cybercriminals. Per Risky Bulletin which has further coverage:

That same month authorities took down Lumma Stealer (aka LummaC2). Lumma is an infostealer, a type of malware that infects systems and extracts login and authorisation credentials from various apps and sends them to attacker-controlled servers. Risky Bulletin described what made Lumma popular amongst the criminal set: 

Four of today's biggest cybersecurity firms—Microsoft, CrowdStrike, Google, and Palo Alto Networks—have announced an initiative to deconflict and harmonize APT naming schemes.

The companies will publish documents on how each of their own APT names maps out to the other.

So far, CrowdStrike and Microsoft have released images, JSON, and Excel files on how their own APT names overlap with their competitors.

Law enforcement agencies from Finland, the Netherlands, and the US have seized AVCheck, an underground service used by cybercriminals.

The service has been around for over a decade and allowed malware developers to test their code against major antivirus engines and malware scanners.

It ran the engines and scanners in isolated cloud environments that cut off telemetry and prevented them from phoning back home to the security firms with warnings when malware was detected.

Microsoft will open up the Windows Update mechanism to third-party apps and driver makers so they can deliver updates to users in a faster and more seamless manner.

The new feature is currently under testing and will ship in a future Windows 11 release.

Microsoft has asked developers this week to sign up and help test out the new software update orchestration platform before its official release.

We've long known that Russian cybercriminals have worked to advance Russian state interests, but the details of the relationship between these criminals and the state has been hard to pin down concretely. 

Last week, however, the US Department of Justice (DoJ) used an indictment to tie the Russian cybercriminals behind the DanaBot malware to a second variant of the malware. Rather than stealing bank account credentials or cryptocurrency, the second variant was designed to conduct espionage for the Russian state. 

The DOJ's criminal complaint and indictment accuses 16 defendants of allegedly developing and deploying the DanaBot botnet and infostealer.

Dutch intelligence agencies have uncovered a new Russian cyber-espionage group while investigating a security breach of its police force last September.

The new group is tracked as Laundry Bear by Dutch intelligence services AIVD and MIVD and Void Blizzard by Microsoft, which aided in the Dutch investigation.

Among the panoply of Russian APTs, the group appears to be a new cluster that was formed and started operations in mid-2024.

Over the course of the past six months, the SVG image format has become a favorite method of hiding and delivering malicious code for email phishing campaigns.

More than a dozen cybersecurity firms have now noted the rise in SVG payloads in their email security detections: AhnLab, Cloudflare, Forcepoint, Intezer, Kaspersky, Keep Aware, KnowBe4, Mimecast, Sophos, Sublime Security, Trustwave, and VIPRE.

In its Q1 2025 trends report, Sublime Security says SVG payloads now account for 1% of all phishing attempts the company sees.

A coalition of law enforcement agencies and cybersecurity firms have dealt two major blows to the cybercrime ecosystem this week by taking down a prodigious malware botnet named DanaBot and Lumma Stealer (aka LummaC2), today's most popular and widely used infostealer platform.

The Lumma Stealer takedown

The takedowns took place on separate days and were unrelated to each other. The first took place on Wednesday and targeted Lumma, a type of malware that infects Windows systems, extracts login credentials from various apps, and sends them to an attacker's servers.

Telegram's moderation policies have markedly improved, but the jury is out on whether its pivot to more responsible practices will be an enduring one.

This week the messaging app shut down Huoine Guarantee and Xinbi Guarantee, two massive Telegram-based criminal marketplaces that connected Southeast Asian fraudsters with criminal services. 

Both were 'guarantee marketplaces', where the market administrators facilitated illicit transactions between anonymous buyers and sellers. Its services included the vetting of merchants, escrow services, and bots that monitor transaction fulfillment. Tether's USDT stablecoin is the primary payment method.  

The European Union has sanctioned three new clusters associated with Russia's disinformation networks across Africa and Europe.

This is the EU's 17th round of sanctions against Russia over its 2022 invasion and ongoing war in Ukraine. The sanctions are far broader and also target Russia's oil sector, its shadow fleet of oil tankers, and its hybrid warfare activities across Europe, which included extensive sabotage and disinformation campaigns.

We will not cover the entire sanctions package since it's out of the scope of this newsletter, but only the three clusters that are cyber adjacent.