Group-IB is proud to have supported INTERPOL in “Operation Serengeti 2.0”, a landmark operation that has significantly disrupted cybercrime across Africa. Between June and August 2025, the operation led to:
✅ 1,209 cybercriminals arrested
✅ $97.4 MILLION recovered
✅ 11,432 malicious infrastructures dismantled
✅ Nearly 88,000 victims identified globally
Group-IB contributed circumstantial intelligence on cryptocurrency investment scams, business email compromise networks, and malicious infrastructure active in the African region. Leading up to the operation, our team also conducted a series of practical workshops for investigators on open-source intelligence techniques, as well as knowledge sharing on dark web investigations, enhancing investigative capabilities and directly contributing to the success of the operation. This operation highlights the powerful results achievable through global public-private partnership.
Read the full press release here.
#CyberSecurity #OperationSerengeti
🚨 New Research Alert: ShadowSilk, a cross-border threat cluster with roots in YoroTrooper.
Since 2023, ShadowSilk has targeted government organizations across Central Asia and APAC, with operations continuing into July 2025. Group-IB’s joint investigation with CERT-KG uncovered:
🔹 Evidence of collaboration between two subgroups, one Russian and another Chinese-speaking
🔹 Use of Telegram bots, Cobalt Strike, Metasploit, and dark web–purchased panels (JRAT, MORF)
🔹 Campaigns focused on spear-phishing, persistence via registry keys, and stealthy data exfiltration
🔹 Infrastructure reuse linking ShadowSilk back to YoroTrooper, but with a distinct toolset and operational style
This research reveals ShadowSilk’s tactics, techniques, and procedures (TTPs), their underground ecosystem ties, and why we assess them as an evolving APT cluster rather than a mere extension of YoroTrooper. Read the full technical analysis here.
#ThreatIntelligence #CyberSecurity #ShadowSilk #YoroTrooper #FightAgainstCybercrime
🚨The most damaging APT attacks today begin with an ordinary email from a trusted partner.
Group-IB has analyzed infostealers delivered in emails that:
✅ Come from real accounts using trusted domains
✅ Include clean, reputation-safe links
✅ Pass all major vendor security checks
✅ Are written by AI with flawless grammar
Read the blog to see how attackers exploit your trust.
#CyberSecurity #EmailSecurity #ThreatIntelligence #CyberThreats #FightAgainstCybercrime
🚨From deepfakes to DarkLLMs, AI is no longer hype – it’s reshaping cybercrime in real time.
Our latest research uncovers how threat actors are:
🔹 Running live deepfake scams that have already cost victims $350M in Q2 2025 alone, according to a report by Resemble AI.
🔹 Equipping scam call centers with synthetic voices and LLM “coaches” for more persuasive fraud.
🔹 Deploying uncensored DarkLLMs to generate phishing kits, malware code, and scam scripts.
🔹 Leveraging AI-powered spam tools to launch hyper-personalized phishing campaigns at scale.
🔹 Embedding AI into toolkits for reconnaissance, code obfuscation, and social engineering.
⚠️ The result? Faster, more scalable, and harder-to-detect cybercrime operations. Fully autonomous AI-driven attacks aren’t here yet, but hybrid human-AI campaigns already are.
Dive into Group-IB’s latest blog for a technical breakdown of 5 AI-driven use cases powering cybercrime and what defenders must prepare for next.
#Cybersecurity #FightAgainstCybercrime
The recent conflict between Cambodia and Thailand triggered a sharp escalation in hacktivist activity. Between July 24 and August 7, Group-IB Threat Intelligence recorded 139 cyberattacks linked to 19 hacktivist groups, marking a 241% surge compared to pre-conflict levels.
Our latest report, Hacktivist at War: The Cambodia–Thailand Cyber Escalation (July–August 2025), provides:
🔹An overview of pro-Cambodian and pro-Thai threat actors
🔹Insights into common tactics such as DDoS, website defacement, and data leaks
🔹Actionable recommendations to defend against ongoing cyber threats
📘 Read the full analysis to strengthen your defenses.
#ThreatIntelligence #Cybersecurity #CyberWarfare #ThreatResearch #GroupIB
Group-IB has officially signed a Memorandum of Understanding (MoU) with the Botswana Communications Regulatory Authority (BOCRA) to strengthen the nation’s cyber resilience.
Through this strategic partnership, Group-IB and BOCRA will:
🔹 Share actionable threat intelligence to counter evolving cyber risks
🔹 Conduct joint investigations into cybercrime activities
🔹 Build capacity in key areas like digital forensics, incident response, and cybercrime investigations
🔹 Support efforts to monitor scams, phishing campaigns, compromised payment records, and underground criminal activity relevant to Botswana
As Botswana rapidly embraces digital transformation, this collaboration aims to ensure companies, government agencies, and citizens are better protected against online threats.
This MoU marks a key milestone in Group-IB’s global mission to fight cybercrime through innovation, knowledge sharing, and international cooperation. 🔗 Learn more.
#Cybersecurity #ThreatIntelligence #DigitalResilience
Group-IB provided critical investigative intelligence supporting INTERPOL's Operation Contender 3.0, a successful multinational cybercrime takedown across Africa. The operation resulted in the arrest of 260 suspects and the seizure of 1,235 electronic devices linked to 81 cybercriminal infrastructures.
These networks, involved in romance scams and sextortion schemes, caused nearly US$2.8 million in financial losses affecting 1,463 identified victims. Our collaboration with international law enforcement underscores a shared commitment to dismantling criminal operations that cause both financial devastation and profound psychological harm.
This operation highlights the critical importance of public-private partnerships in the ongoing fight against cybercrime.
Read the full press release for detailed insights.
#INTERPOL #OperationContender #RomanceScams #FightAgainstCybercrime
AI-powered voice cloning and caller ID spoofing are reshaping the fraud landscape. With only seconds of audio and inexpensive tools, cybercriminals can now replicate voices with near-perfect accuracy, bypassing trust and exploiting weaknesses in global telecom infrastructure.
Key insights:
🔹 Global losses from AI-enabled fraud are projected to hit US$40B by 2027 (up from US$12B in 2023).
🔹 Fraudsters can generate convincing deepfake voices with only a few seconds of publicly available audio.
🔹 Telecom vulnerabilities allow spoofed calls to appear legitimate, undermining traditional security checks.
🔹 Real cases ranging from a US$243K corporate scam in the UK to an $18.5M stablecoin theft in Hong Kong show the devastating financial impact.
This report combines real-world cases, a live CNA experiment, and defense strategies for corporations, telecom providers, and individuals to counter the next wave of AI-driven social engineering.
Download the report.
#CyberSecurity #Deepfake #FightAgainstCybercrime
We are proud to announce our contribution in supporting the Spanish Guardia Civil in dismantling the "GXC Team," a sophisticated Crime-as-a-Service ecosystem.
This operation led to the arrest of the mastermind, "GoogleXcoder," who provided AI-powered phishing kits and Android malware to criminals, targeting financial institutions and citizens across Spain and beyond. Our intelligence was crucial in connecting digital traces to the threat actor.
This case underscores the dangerous evolution of AI in cybercrime and the critical need for public-private partnerships to protect the digital ecosystem. Read the full press release.
#ThreatIntelligence #FinTech #CyberSecurity #FightAgainstCybercrime
89% of IT departments allow bring-your-own-device policies. At the same time, 46% of compromised systems are unmanaged devices mixing personal and corporate accounts.
But how do you detect threats from unmanaged devices if you only monitor the perimeter?
This is the problem with many NDR deployments. They cover north-south traffic, but miss the internal connections where credential theft and lateral movement unfold.
Group-IB’s new blog post explains what real internal visibility looks like and why it matters.
#CyberSecurity #NDR #EndpointProtection #DataSecurity #ThreatDetection #FightAgainstCybercrime
We are proud to unveil our first Cyber Fusion Center in the Asia-Pacific region, located within the Digital Crime Resistance Center, Singapore.
The Cyber Fusion Center integrates core capabilities, including Threat Intelligence, Digital Forensics & Incident Response, Managed XDR, Attack Surface Management, Digital Risk Protection, and Fraud Protection, into one unified, intelligence-driven ecosystem.
Unlike conventional SOCs, the Cyber Fusion Center delivers proactive, AI-powered threat hunting and fraud prevention, giving organizations real-time visibility and rapid response across their digital environments. Read the full announcement.
#CyberFusionCenter #ThreatIntelligence #ManagedXDR #FraudPrevention #FightAgainstCybercrime
Group-IB has uncovered a coordinated scam operation exploiting verified Google Ads, deepfake videos, and fake news outlets to impersonate Singapore’s government officials and noted public figures in a fraudulent investment campaign known as the “Immediate Era” scam.
Our latest Threat Intelligence Report details how this operation leveraged:
🔹28 verified Google advertiser accounts targeting Singapore users
🔹Over 50 intermediary redirect domains to evade detection
🔹Fabricated media sites mimicking CNA and Yahoo! News
🔹AI-generated deepfakes used to build false credibility
This case highlights a new era of organized, cross-border financial fraud, where legitimacy is simulated through verified platforms and regulatory loopholes. Read the full technical breakdown here.
#CyberSecurity #DeepfakeAwareness #ScamAlert #FightAgainstCybercrime
Group-IB Threat Intelligence has uncovered a global phishing campaign orchestrated by MuddyWater (TA450). The phishing campaign targeted international organizations and more than 100 governments worldwide to gather foreign intelligence using the Phoenix V4 malware.
Key highlights:
🔹 Over 100 governments and international organizations targeted globally
🔹 Use of FakeUpdate injector and Phoenix v4 malware with new persistence methods
🔹 Integration of legitimate RMM tools (Action1, PDQ) and a custom Chromium credential stealer
🔹 C2 infrastructure hosted behind Cloudflare and active for just five days, indicating strong OPSEC discipline
This campaign highlights how MuddyWater continues to evolve its tradecraft, blending social engineering, custom malware, and legitimate tools to gather foreign intelligence.
Read the full technical analysis here.
#ThreatIntelligence #APT #Phishing #MuddyWater #CyberSecurity #MalwareAnalysis
Investment scams are no longer isolated schemes; they have evolved into industrialized, multi-actor fraud networks operating at a global scale.
Key highlights:
🔹 A shared centralized backend powers hundreds of fake trading platforms, linked through recurring API endpoints, reused SSL certificates, and identical admin panels.
🔹 Chatbots act as automated operators screening victims, simulating support, and distributing payment instructions that expose valuable artifacts for attribution.
🔹 Fraud groups exploit weak KYB/KYC processes using forged documents and biometric bypass services traded on Telegram to open mule accounts.
🔹 Auxiliary infrastructure such as chat simulators and exposed admin panels fabricates investor activity and leaves technical footprints that analysts can pivot on.
Our report maps the Victim Manipulation Flow, details the infrastructure links, and exposes the mechanics behind the illusion.
Read the full technical report.
#InvestmentScams #Cybersecurity
🚨 New technical deep-dive: “Ghosts in /proc” 🚨
Attackers are no longer just hiding files; they are rewriting what the OS shows. Our new research demonstrates how adversaries manipulate Linux’s /proc filesystem to spoof process names and corrupt forensic timelines, effectively making malicious activity look benign.
Key Highlights:
🔹Malicious processes spoofing /proc/<pid>/cmdline so tools like ps and top report harmless names
🔹Timeline corruption via modified /proc/<pid>/stat start times, so processes can appear to have started in the future
🔹When /proc is trusted in isolation, triage, timeline stitching, and attribution can all fail
🔹Full lab walkthrough, indicators, and practical mitigations included
🔗 Read the full analysis here.
#ThreatIntel #LinuxSecurity #DFIR #CyberSecurity #IncidentResponse
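The post’s point is that no single /proc field should be trusted on its own. The script below is an added example, not code from the Group-IB research: it parses the three views a triage tool normally reads (/proc/<pid>/cmdline, the /proc/<pid>/exe link, /proc/<pid>/stat) and reports where they disagree, including a start time that falls after the current time. The sample inputs are constructed, not captured from a real host; the live `scan_live()` helper is read-only and skips processes it cannot inspect.

```python
"""Cross-check the /proc views of a process against each other.

Added example (not part of the Group-IB write-up). cmdline and comm can be
rewritten by the process itself; the exe link and the boot-relative start
time in stat are kernel-maintained, so disagreements between them are a
triage lead. The sample data below is constructed.
"""
import os
import time
from dataclasses import dataclass


@dataclass
class Finding:
    pid: int
    reason: str


def parse_stat(stat_text: str) -> dict:
    """Parse one /proc/<pid>/stat line.

    comm sits in parentheses and may contain spaces or ')', so split on the
    last ')' rather than on whitespace.
    """
    lpar = stat_text.index("(")
    rpar = stat_text.rindex(")")
    pid = int(stat_text[:lpar].strip())
    comm = stat_text[lpar + 1:rpar]
    rest = stat_text[rpar + 1:].split()
    # rest[0] is field 3 (state); field 22 (starttime, clock ticks since
    # boot) is therefore rest[19].
    return {"pid": pid, "comm": comm, "state": rest[0],
            "starttime_ticks": int(rest[19])}


def argv0_from_cmdline(cmdline: bytes) -> str:
    """/proc/<pid>/cmdline is NUL-separated; return argv[0] as text."""
    parts = cmdline.split(b"\0")
    return parts[0].decode("utf-8", "replace") if parts and parts[0] else ""


def check_process(cmdline: bytes, exe_target: str, stat_text: str,
                  boot_time: int, now: int, clk_tck: int = 100) -> list:
    """Return Findings for one process snapshot.

    exe_target is the readlink() result of /proc/<pid>/exe, boot_time the
    btime value from /proc/stat (epoch seconds), clk_tck the value of
    sysconf(_SC_CLK_TCK).
    """
    st = parse_stat(stat_text)
    pid = st["pid"]
    findings = []

    # 1. Name consistency. Some daemons (sshd, postgres) rewrite argv[0]
    #    legitimately, so a mismatch is a lead to verify, not proof of tampering.
    if exe_target:
        exe_base = os.path.basename(exe_target.replace(" (deleted)", ""))
        argv0_base = os.path.basename(argv0_from_cmdline(cmdline))
        if argv0_base and argv0_base != exe_base:
            findings.append(Finding(pid, f"argv[0] '{argv0_base}' != exe '{exe_base}'"))
        # comm is truncated to 15 bytes by the kernel, so compare by prefix.
        if not exe_base.startswith(st["comm"]):
            findings.append(Finding(pid, f"comm '{st['comm']}' != exe '{exe_base}'"))
        if exe_target.endswith(" (deleted)"):
            findings.append(Finding(pid, "executable has been deleted from disk"))

    # 2. Timeline consistency. starttime is ticks since boot, so the absolute
    #    start must not be later than 'now'; anything later is the
    #    "started in the future" artefact the post describes.
    start_epoch = boot_time + st["starttime_ticks"] / clk_tck
    if start_epoch > now:
        findings.append(Finding(pid, f"start time {start_epoch:.0f} is after now ({now})"))
    return findings


def scan_live(proc_root: str = "/proc") -> list:
    """Run the checks over a live Linux host (read-only; skips unreadable pids)."""
    clk_tck = os.sysconf("SC_CLK_TCK")
    with open(os.path.join(proc_root, "stat")) as fh:
        boot_time = next(int(l.split()[1]) for l in fh if l.startswith("btime "))
    now = int(time.time())
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdline = fh.read()
            with open(os.path.join(base, "stat")) as fh:
                stat_text = fh.read()
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, process exited, or not permitted
        findings.extend(check_process(cmdline, exe, stat_text, boot_time, now, clk_tck))
    return findings


# Constructed samples: a benign cron and a process spoofing its names.
SAMPLE_BOOT = 1_700_000_000            # btime (epoch seconds), constructed
SAMPLE_NOW = SAMPLE_BOOT + 3600        # one hour after boot
BENIGN_CMDLINE = b"/usr/sbin/cron\0-f\0"
BENIGN_EXE = "/usr/sbin/cron"
BENIGN_STAT = ("412 (cron) S 1 412 412 0 -1 4194560 231 0 0 0 1 2 0 0 20 0 1 0 "
               "1500 5001216 612 18446744073709551615 0 0 0 0 0 0 0 0 0 0 0 0 17 1 0 0 0 0 0")
SPOOFED_CMDLINE = b"/usr/lib/systemd/systemd-journald\0"
SPOOFED_EXE = "/tmp/.x/miner (deleted)"
SPOOFED_STAT = ("9031 (systemd-journal) S 1 9031 9031 0 -1 4194304 4400 0 0 0 88 12 0 0 20 0 4 0 "
                "400000 88113152 3204 18446744073709551615 0 0 0 0 0 0 0 0 0 0 0 0 17 3 0 0 0 0 0")

if __name__ == "__main__":
    for f in check_process(SPOOFED_CMDLINE, SPOOFED_EXE, SPOOFED_STAT, SAMPLE_BOOT, SAMPLE_NOW):
        print(f"pid {f.pid}: {f.reason}")
```

The spoofed sample trips all four checks (argv[0] and comm disagree with the exe link, the binary was deleted, and its boot-relative start time lands after the current time) while the cron sample produces none. Because a rootkit or an LD_PRELOAD hook can also falsify what /proc returns to the reader, corroborate any finding with evidence the process does not control, such as audit logs or a memory image, before relying on it for a timeline.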
🚨Uncovering a Multi-Stage Phishing Kit Targeting Italy’s Infrastructure
Phishing has evolved, becoming industrialized, automated, and powered by underground ecosystems that mirror legitimate SaaS businesses.
Our latest investigation exposes a professional phishing framework impersonating Aruba S.p.A., Italy’s major IT and web services provider.
The key findings:
🔹 Multi-stage kit automating every phase of the attack from CAPTCHA evasion to OTP interception
🔹 Pre-filled login URLs designed to increase credibility and lower suspicion
🔹 Fake payment pages harvesting full credit card and 3D Secure/OTP data
🔹 Telegram bots used for real-time exfiltration and backup data logging
🔹 Evidence of Phishing-as-a-Service (PhaaS) scaling fraud through automation and community support
Phishing may be one of the oldest cyber threats, but today, it operates like a fully industrialized ecosystem.
🧩 Read the full technical analysis here.
#ThreatIntelligence #CyberSecurity #Phishing #CyberCrime
🚨 New Threat Report Released: UNC2891 — ATM Threats Never Die
A financially motivated threat actor infiltrated banking networks using a Raspberry Pi connected to an ATM switch, deployed custom malware like CAKETAP and SLAPSTICK, and maintained undetected access for years.
From DNS tunneling to money mule recruitment via Telegram, see how modern attackers operate.
🔗 Get the full breakdown of UNC2891’s TTPs, malware analysis, and incident response insights.
#CyberSecurity #ThreatIntelligence #ATMThreats #FinancialSecurity
🚨Bloody Wolf Expands Across Central Asia 🚨
Since June 2025, Group-IB analysts have been tracking a rapidly evolving campaign by Bloody Wolf, an APT group weaponizing trusted government identities to deliver lightweight but highly effective JAR-based loaders.
By impersonating Ministries of Justice and abusing legitimate remote-access software like NetSupport Manager, the group has quietly scaled its operations from Kyrgyzstan to Uzbekistan, supported by geo-fenced infrastructure, tailored lures, and a custom JAR generator designed for stealth and persistence.
Key highlights:
🔹 Their spear-phishing techniques and localized PDF lures
🔹 How custom JAR loaders deploy NetSupport RAT
🔹 Infrastructure masquerading as government portals
🔹 Multi-layered persistence and evasion methods
🔹 IOCs, MITRE mapping, & defensive recommendations
Bloody Wolf shows how low-cost tools & precise social engineering can evolve into regionally impactful cyber operations. Read the full analysis.
#CyberSecurity #BloodyWolf
🚨 New launch: Fraud moves fast. Now defense does too.
Announcing the Cyber Fraud Intelligence Platform: real-time, privacy-preserving fraud intelligence sharing for banks, payment providers, e-commerce, gaming, and telecoms.
🔹Share risk signals on suspicious activity, not just confirmed fraud.
🔹Stop APP fraud & mule networks before funds are lost.
🔹GDPR-compliant, Bureau Veritas verified.
🔹Personal data never leaves your organization.
Collective problem. Collective defense.
📄 Read the press release here.
🔗 Learn more.
#CFIP #Cybersecurity #GDPR #AppFraud
Group-IB’s latest threat report exposes the full scale of GoldFactory’s mobile fraud operation, one of the most technically advanced campaigns currently targeting APAC.
Key insights:
🔹A surge of 300+ modified banking apps, patched with injected modules to bypass security and retain full legitimate functionality
🔹Over 11,000 device infections traced through Group-IB Fraud Protection telemetry
🔹A unified ecosystem of loaders (Gigabud, Remo, MMRat) delivering secondary payloads such as SkyHook
🔹New Gigaflower variant features experimental OCR and QR code scanning to auto-extract ID card data.
🔹Infrastructure overlaps linking open directories and shared S3 buckets hosting malicious binaries
This report reveals how GoldFactory has industrialized mobile fraud by weaponizing legitimate apps and what defenders need to know now. Read the full analysis.
#MobileBanking #CyberSecurity #APACThreats #BankingMalware #GoldFactory
As digital lending accelerates in Uzbekistan, cybercriminals are exploiting verification gaps, low financial awareness, and social engineering to weaponize online credit services at scale, turning personal identity into a profitable attack surface.
Key Highlights:
🔹 Online credit fraud cases surged 42% in 2024 compared to 2023
🔹 34% of incidents involved fraudsters posing as bank or government officials
🔹 Microcredits are approved using stolen passport, FaceID, and OTP data
🔹 Scammers deploy Telegram bots and SMS-stealers to bypass authentication
🔹 New regulations now allow victims to be exempt from repaying fraudulent loans
Our latest analysis breaks down the evolving fraud ecosystem, the social engineering tactics behind it, and the controls financial institutions must implement to stay ahead.
Read the full report here.
#FraudIntelligence #ThreatIntel #DigitalFraud #SocialEngineering #CyberSecurity