Group-IB – Telegram
Your daily source of cybersecurity news brought to you by Group-IB, one of the global industry leaders.
We’re proud to partner with Mahidol University to launch the Cybersecurity Center of Excellence, a pioneering initiative to strengthen the nation’s digital resilience.

By integrating Group-IB’s industry-leading technologies, including Managed XDR, Threat Intelligence, and Business Email Protection, into hands-on academic programs, we’re empowering students and professionals with the real-world skills needed to combat today’s and tomorrow’s cyber threats.

This collaboration merges Mahidol’s academic excellence with Group-IB’s global cybersecurity expertise to create a transformative hub for training, research, and workforce development.

Together, we’re empowering the next generation to build a safer digital future. Read More.

#ThreatIntelligence #ManagedXDR #BusinessEmailProtection #FightAgainstCybercrime
Group-IB launches its strategic Partner Program to fortify Europe’s cybersecurity ecosystem.

Designed for MSSPs, resellers, and tech partners, the program delivers cutting-edge solutions including threat intelligence, fraud protection, managed XDR, and more, alongside elite training, dedicated support, and tiered rewards (standard to platinum).

🤝 Partner with Group-IB to combat evolving threats with global intelligence and local expertise. Be part of the mission. Read More

#Cybersecurity #MSSP #FraudProtection #ThreatIntelligence #FightAgainstCybercrime
🚨 SMS Pumping Fraud: How Criminals Exploit SMS Verification for Profit 🚨

Our cyber fraud analysts have uncovered a sophisticated SMS Pumping scheme where fraudsters manipulate SMS verification systems to generate artificial traffic, costing businesses millions. By exploiting OTP requests, fake account sign-ups, and corrupt telecom partnerships, attackers inflate SMS volumes, leaving companies with soaring costs and operational disruptions.

Key Insights from the Blog:
✔️ Fraudsters use bots, telecom providers, and fake identities to trigger massive SMS traffic, often bypassing security measures.
✔️ Twitter lost $60M/year to this fraud before implementing stricter telecom provider controls.
✔️ Attacks can lead to system overloads, reputational damage, and penalties from telecom providers.

Businesses relying on SMS for 2FA or onboarding must act now to prevent exploitation. Read the full analysis here

#SMSPumping #ThreatIntelligence #CyberSecurity #FightAgainstCybercrime
Hyper-evolving threats. Expanding risk portfolios. And the board wants answers.

Today's CISOs are expected to lead through chaos, speak the business language, and prove the value of every decision.

Risk management isn’t just a checkbox — it demands foresight, strategy, and accountability.
Done right, it puts CISOs where they belong: in the boardroom, driving strategic decisions.

To step into every challenge with clarity and control, this blog puts things in perspective for CISOs and their teams.

Get real-world direction, critical communication cues, risk concepts, and decision-making clarity to navigate enterprise risk effectively.

#CISO #RiskManagement #FightAgainstCybercrime
Group-IB analysts shed light on the growing trend of fraudsters impersonating real threat actors to sell fake data leaks across dark web forums.

Many of these scammers never conducted any actual attacks and rely on recycled stealer logs (e.g., Raccoon, RedLine), repurposed public breaches, and hybrid datasets mixing real/fake entries. In one case, a fake VIP Telegram channel run by the group R00TK1T earned $10,000 by charging $500 per subscriber for access to freely available public leaks.

Key Insights:
✔️ Chinese-speaking darknet markets and Telegram channels offer nearly 100% fake data.
✔️ Impersonators mimic names like LockBit, Bjorka, and IntelBroker to deceive researchers and buyers.
✔️ Fraudsters use auto-generated IDs and rebranded aliases to bypass scrutiny.
✔️ Attackers offering "high-quality private data" in private Telegram channels are, in most cases, scammers who present old, reassembled data leaks as the result of their own attacks.

👉 Read the full blog here
AI won’t replace your security team… but it will make your team faster, sharper, and happier.

That’s the idea behind Group-IB’s new AI Assistant — now available in beta for all Threat Intelligence customers.

This LLM-powered chatbot is a new way to interact with one of the industry’s largest threat intelligence datasets — with instant answers, deep context, and zero privacy compromises.

🔗 See it in action and learn how it works in our latest blog post.

#CyberSecurity #ThreatIntelligence #AIAssistant #FightAgainstCybercrime
🚨Sophisticated Toll Phishing Campaign Uncovered 🚨

Recently, our analysts uncovered an ongoing phishing campaign targeting toll road service users, in which scammers impersonate legitimate providers via SMS to lure victims to fraudulent websites. These sites use third-party tools such as FingerprintJS to fingerprint and filter visitors (blocking unwanted traffic such as researchers or automated scanners) and Cleave.js for real-time input validation, ensuring that the harvested payment data is in the correct format.

Key Highlights:
Google AMP Abuse: Malicious links masked via trusted platforms to evade detection.
Localized Lures: Messages tailored in French to target Canadian victims.
Fingerprint Blocking: Filters out researchers/VPNs, ensuring only victims access phishing pages.
Automated Data Theft: Heartbeat intervals exfiltrate input data every 3 seconds.

🔗 Read the full analysis here

#CyberSecurity #DataProtection #Phishing #FightAgainstCybercrime
🔍 New Research Alert: RansomHub’s Ransomware-as-a-Service (RaaS) Overview

Group-IB has conducted an analysis of #RansomHub, a rapidly emerging Ransomware-as-a-Service group that has attracted former LockBit and ALPHV affiliates through low fees (10%) and multi-platform ransomware targeting Windows, Linux, FreeBSD, and ESXi environments.

Key findings:
Cross-platform encryption (x86, x64, ARM) via SMB/SFTP
Evasion tactics like Safe Mode execution and process termination
Extortion playbook scaling ransoms with victim revenue
Regulatory pressure tactics (GDPR/PIPL threats) to force payments

The group’s sudden outage in April 2025 raises questions—did affiliates migrate to Qilin? Dive into the full analysis to understand the shifting RaaS landscape and how defenders can prepare.

#CyberSecurity #ThreatIntelligence #Ransomware #FightAgainstCybercrime
Got new-age cybersecurity tools, defined capabilities, and resources allocated to each?

But how does it all come together into one combined defense?

The answer is in your stack integration. Without it, you're left with fragmented data, alert fatigue, blind spots, and delayed response—all in the name of “building capabilities.”

In Edition 1 of our new series, Pavel Shepetina, Group-IB’s Head of Global Pre-Sales & Engineering Department, Cybersecurity Unit, explores what happens when businesses lack a clear integration strategy and objectives, addressing the critical challenge of misconfigurations and covering:

Potential integration issues with real-world scenarios, examples, and consequences
How misconfigurations tamper with security workflows
Key considerations when moving toward an integrated approach
How to avoid misconfigurations from changes in infrastructure
How to apply practical integration lessons to your own infrastructure

👉 Read the blog here

#Cybersecurity #FightAgainstCybercrime
Pluggable Authentication Modules (PAM) are at the heart of Linux and Solaris authentication—but what happens when that core component is compromised?

In our latest Group‑IB blog post, we examine a sophisticated attack vector in which threat actors modify the pam_unix.so module to harvest plaintext credentials and evade detection. Key takeaways include:
Real‑World Case Studies: How UNC1945 and UNC2891 leveraged PAM backdoors on Solaris and Linux systems
Detection Strategies: Best practices for module integrity audits, file integrity monitoring and SIEM alerting
Mitigation Playbook: Step‑by‑step guidance on disabling password authentication, enforcing key‑only SSH, and securing private keys

Whether you’re responsible for infrastructure security or compliance, this analysis provides actionable insights to strengthen your authentication layer and reduce risk.

🔗 Read the full report here

#CyberSecurity #PAM #ThreatIntel #FightAgainstCybercrime
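As an added, defender-side illustration of the module-integrity audit and key-only-SSH points listed above (example code written for this page, not Group-IB’s code and not taken from the blog post), the POSIX shell functions below record and verify a SHA-256 baseline for a PAM module and read the authentication settings sshd will actually apply from sshd_config; the module path in the usage comments is an assumption.

```shell
#!/bin/sh
# Added example (not Group-IB's code): baseline-check a PAM module and audit sshd_config for
# key-only SSH. On package-managed hosts run the vendor check first (rpm -V pam on RHEL/Fedora,
# dpkg --verify libpam-modules on Debian/Ubuntu); these functions add an off-host baseline.

# Portable SHA-256: coreutils sha256sum, falling back to perl/BSD shasum.
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# pam_baseline PATH -> prints "<sha256>  <path>". Record it while the host is known-good and
# keep the line where the host cannot rewrite it (signed inventory, SIEM, read-only media).
pam_baseline() {
  _sha256 "$1"
}

# pam_verify PATH BASELINE_LINE -> prints OK or MODIFIED; returns 1 on mismatch.
# A changed pam_unix.so hash with no matching package update is the alert condition.
pam_verify() {
  expected=$(printf '%s' "$2" | cut -d' ' -f1)
  actual=$(_sha256 "$1" | cut -d' ' -f1)
  if [ "$expected" = "$actual" ]; then
    echo OK
  else
    echo MODIFIED
    return 1
  fi
}

# sshd_effective CONFIG KEYWORD DEFAULT -> the value sshd will use for KEYWORD.
# sshd honours the FIRST occurrence of a keyword (case-insensitive) and skips comments.
# Match blocks are not parsed: reading stops there, so the result is the global setting.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[[:space:]]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key && !found { val = $2; found = 1 }
    END { print (found ? val : def) }' "$1"
}

# sshd_key_only CONFIG -> 0 only if no password path is left open. PasswordAuthentication no
# alone is not enough: PAM can still prompt through keyboard-interactive, which defaults to
# yes (KbdInteractiveAuthentication, or ChallengeResponseAuthentication on older OpenSSH).
sshd_key_only() {
  kbd=$(sshd_effective "$1" KbdInteractiveAuthentication "")
  [ -n "$kbd" ] || kbd=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
  [ "$(sshd_effective "$1" PasswordAuthentication yes)" = "no" ] &&
  [ "$kbd" = "no" ] &&
  [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = "yes" ]
}

# Typical use (module path is an assumption; adjust for your distribution):
#   pam_baseline /lib/x86_64-linux-gnu/security/pam_unix.so >> /secure/pam.baseline
#   pam_verify /lib/x86_64-linux-gnu/security/pam_unix.so "$(grep pam_unix.so /secure/pam.baseline)"
#   sshd_key_only /etc/ssh/sshd_config && echo "key-only" || echo "password path still open"
```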
Today, we unveil the Top 10 Masked Actors of 2025 — the most active and dangerous cybercriminal groups reshaping the global threat landscape.

Based on insights from over 1,550 high-tech crime investigations, this ranking draws from our flagship High-Tech Crime Trends 2025 report. From RansomHub and Lazarus to GoldFactory’s deepfake-enabled banking fraud, these threat actors are more sophisticated—and more aggressive—than ever.

We’re also launching the Masked Actors podcast, hosted by cybersecurity experts Gary Ruddell and Nick Palmer. Episode one kicks off with an inside look at GoldFactory, creators of the first iOS trojan for deepfake fraud.

🔗 Read More here

🎧 Listen to the Masked Actors podcast, Episode 1, on Spotify, Apple Podcasts, or wherever you listen to your podcasts.

Explore the full list here

Deep dive into GoldFactory

#MaskedActors #DeepfakeFraud #Ransomware #PodcastLaunch
Cybercriminals are exploiting Colombia’s mandatory vehicle insurance (SOAT) to run sophisticated scams — using fake websites, public data, and targeted social media ads to mislead victims.

📉 Since early 2024, Group-IB analysts have tracked 100+ fake domains posing as trusted insurers.

🤖 These scams combine social engineering with cross-channel fraud tactics to create a false sense of trust — a trend our LATAM team, led by Vlada Govorova, is closely monitoring.

🔍 Read the full breakdown in our latest blog

Uncover how digital trust is manipulated — and what can be done to stop it.

#ScamAlert #SOATFraud #DigitalTrust #FraudPrevention #FightAgainstCybercrime
Lazarus: Is your best IT worker really a North Korean cybercriminal?

In December 2014, Sony Pictures announced they were cancelling the release of Seth Rogen’s newest venture, The Interview, due to a large-scale cyberattack. And in February of this year, global cryptocurrency exchange Bybit suffered a massive attack resulting in the theft of $1.5 billion.

Join hosts Gary Ruddell and Nick Palmer as they speak with Geoff White, one of the world’s leading journalists covering organized crime and tech.

In this episode, they delve into the group’s latest modus operandi—infiltration campaigns, whereby North Korean hackers pose as remote IT employees to funnel information through the backdoor and leave logic bombs in code that they can trigger years or months down the line. They look at how this shifts the responsibility model for cybersecurity, requiring vigilance from across the organization for unusual behavior.

Subscribe and Listen to it now on Spotify and Apple Podcasts.
🚨 Group-IB supported INTERPOL’s Operation Secure — dismantling infostealer malware infrastructure across Asia.

From January to April 2025, our Threat Intelligence and High-Tech Crime Investigation teams provided critical information about the command and control infrastructure of the infostealers to INTERPOL and to law enforcement agencies in Vietnam, Sri Lanka, Nauru, and Hong Kong, which led to:
✔️ The arrest of 32 suspects and takedown of over 20,000 malicious IPs and domains
✔️ Seizure of 41 servers containing 100GB+ of data linked to cybercriminal activity
✔️ Analysis of 1,700+ intelligence items by the Hong Kong Police Force, identifying 117 C2 servers across 89 ISPs used for phishing, fraud, and scams
✔️ Vietnamese police arresting 18 suspects (including the ringleader) and seizing VND 300 million, SIM cards, and corporate registration documents tied to a corporate account fraud scheme

Infostealers like Lumma, RisePro, and META Stealer are key enablers of ransomware and financial fraud. 🔗 Read more
PSR IT Solutions launched Pulsar SoftPOS to give merchants a new, flexible way to accept payments. But proving that the platform is secure required undergoing rigorous certification and attack simulation.

With Group-IB’s vulnerability assessment and penetration testing, PSR achieved PCI MPoC certification and strengthened trust among acquiring partners.

Read how security became the company’s market differentiator.

#Fintech #PaymentSecurity #PCICompliance #FightAgainstCybercrime
🚨Fear is the new phishing hook — and crypto holders are the prime target.

Group-IB’s latest investigation uncovers a phishing campaign impersonating European tax bodies (primarily Dutch), exploiting public confusion around 2025 crypto tax rules to drain crypto wallets.

Key highlights:
Fake emails demand urgent crypto declarations under threat of fines
Phishing sites mimic official government portals with flawless branding
Two attack vectors: seed phrase theft or malicious smart contract approvals via WalletConnect
Even smart contract wallets like Safe and Argent are at risk
Campaign linked to Inferno Drainer’s Drainer-as-a-Service infrastructure
Telegram bots and admin panels used for real-time exfiltration
JavaScript on the phishing pages prevents inspection and blocks analysis

🎯 Real scams. Real tactics. Real consequences.

🔗 Dive into the full technical breakdown and get the IOCs.

#CryptoScam #Cybersecurity #Phishing #ThreatIntelligence #FightAgainstCybercrime
Group-IB is proud to have contributed critical threat intelligence to INTERPOL’s Africa Cybercrime Threat Assessment Report 2025.

Key Insights:
South Africa was the most frequently targeted country by ransomware operators in 2024
A spike in ransomware (LockBit most active), phishing, and stealer malware activity across Africa
The education sector and internet service providers were the most frequently impacted by these leaks across the region
South Africa, Egypt, and Morocco among the most targeted countries

Broader impact:
🔹 Group-IB shared insights on phishing infrastructure, stealer malware, and DDoS attack vectors to support INTERPOL’s African Joint Operation against Cybercrime
🔹 The report estimates $3B+ in cybercrime losses across Africa since 2019 — highlighting the urgent need for public-private cooperation

This collaboration strengthens regional cyber resilience and underscores the power of public-private partnerships in the fight against cybercrime. 🔗 Read more here.
🚨 Cyber conflict in the Middle East is escalating and going far beyond DDoS and defacements.

Between June 13–20, 2025, Group-IB’s threat intel reveals a surge in hacktivism, GPS spoofing, infrastructure breaches, and disinformation—with real-world impact on maritime, aviation, and civilian safety.

Key insights:
Hacktivist activity surged 46% on June 13, with over 250 attacks claimed in 7 days.
GPS spoofing disrupted 1,155 vessels on June 16 and also affected aviation navigation, with IATA reporting a 220% rise in GPS failures since 2021.
Iranian-nexus threat actors weaponized emergency alerts, sending fake SMS warnings to lure civilians from shelters.
Israeli IP cameras exploited for real-time strike assessment.
Predatory Sparrow burned ~$90M in crypto and leaked Nobitex source code.

From cyber-enabled psychological operations to geopolitical sabotage — this blog breaks down the tactics, timeline, and defenses you need to know. Read the full blog here.

#Hacktivism #GroupIB #FightAgainstCybercrime
Group-IB is proud to partner with the National CERT of the Republic of Serbia to enhance national cybersecurity capabilities. The partnership delivers Group-IB’s advanced Threat Intelligence solution to enhance the CERT’s threat detection precision and accelerate incident response workflows at a national level.

Key outcomes include:
1️⃣ Measurable improvements in threat verification and response times
2️⃣ Enhanced public and institutional cybersecurity awareness
3️⃣ Strengthened global collaboration through mutual memberships in FIRST and Trusted Introducer networks

This partnership underscores the critical role of public-private collaboration in building national digital resilience against evolving cyber threats. Learn More.

#CyberSecurity #ThreatIntelligence #CERT #GroupIB #FightAgainstCybercrime
Is it Classiscam, a fake CEO, or maybe a deepfake?

Scams wear different faces, and even global scam gangs tailor their attacks to local languages, habits, and culture. At the same time, some threats are universal enough to keep everyone on edge.

Want a fast track to catch up on what’s happening in the scam landscape — globally and in your region?

Visualize your scam landscape with key schemes, figures, and trends that matter. Check out the datasheet.

#CyberSecurity #OnlineScams #ScamAlert #DigitalSafety #FraudDetection #FightAgainstCybercrime
🚨 Qwizzserial: The New Face of Android SMS Stealers, Primarily in Uzbekistan!
A previously unknown malware family is making waves across Uzbekistan, blending social engineering with technical stealth to bypass defenses and hijack finances.

Key Highlights:
🔹 Over 100,000 Android infections in just 3 months
🔹 Telegram bots used to auto-generate malware disguised as government aid apps
🔹 $62,000+ stolen by a single group using fake “financial support” schemes
🔹 Advanced evasion techniques: USSD SIM hijacking, infinite preloaders, obfuscation with NP Manager and Allatori

This is not just another stealer — it’s the evolution of the Classiscam model.

Read the full breakdown, infrastructure, attribution, and mitigation tips in our technical blog.

#AndroidMalware #ThreatIntel #Classiscam #Qwizzserial #SMSStealer #FightAgainstCybercrime