💸 “Easy money. Simple tasks. Work from your phone.”
Our latest analysis exposes a coordinated wave of fake online job ads sweeping across the Middle-East and Africa region. These aren't isolated scams, they are a large-scale, organized operation exploiting the demand for remote work to steal personal data and funds.
Key insights from our investigation:
🔹 Over 1,500 fraudulent job ads identified in 2025, impersonating trusted e-commerce platforms, banks, and even government ministries.
🔹 Ads are highly localized, using Arabic dialects and regional currencies to appear authentic.
🔹 Victims are funneled from social media into private Telegram and WhatsApp groups, where sensitive information and upfront “deposits” are collected.
🔹The scam infrastructure includes fake registration portals, cloned branding, and repeat behavioral patterns among attackers.
Read More.
#CyberSecurity #OnlineScams #MENA #Phishing #DigitalRisk #FraudPrevention #ThreatIntelligence
Our latest analysis exposes a coordinated wave of fake online job ads sweeping across the Middle-East and Africa region. These aren't isolated scams, they are a large-scale, organized operation exploiting the demand for remote work to steal personal data and funds.
Key insights from our investigation:
🔹 Over 1,500 fraudulent job ads identified in 2025, impersonating trusted e-commerce platforms, banks, and even government ministries.
🔹 Ads are highly localized, using Arabic dialects and regional currencies to appear authentic.
🔹 Victims are funneled from social media into private Telegram and WhatsApp groups, where sensitive information and upfront “deposits” are collected.
🔹The scam infrastructure includes fake registration portals, cloned branding, and repeat behavioral patterns among attackers.
Read More.
#CyberSecurity #OnlineScams #MENA #Phishing #DigitalRisk #FraudPrevention #ThreatIntelligence
🔥11❤2👍2
🚨 Tap-to-pay fraud has evolved into a remote, industrialized threat. Chinese cybercrime groups are now selling NFC relay malware on Telegram, enabling real-time payment fraud from anywhere in the world.
Our latest research breaks down the full ecosystem from malware vendors and illicit POS terminals to mule networks and provides technical analysis of key families like TX-NFC and NFU.
Learn how this threat works and how to defend against it. 🔗 Read the full report.
#CyberSecurity #MalwareAnalysis #NFCFraud #AndroidSecurity #FraudPrevention #ThreatIntelligence #FightAgainstCybercrime
Our latest research breaks down the full ecosystem from malware vendors and illicit POS terminals to mule networks and provides technical analysis of key families like TX-NFC and NFU.
Learn how this threat works and how to defend against it. 🔗 Read the full report.
#CyberSecurity #MalwareAnalysis #NFCFraud #AndroidSecurity #FraudPrevention #ThreatIntelligence #FightAgainstCybercrime
❤6👍3🔥2
Most organizations are stuck in survival mode. Real resilience is achieved when we move beyond reaction to planning ahead with real-world threat intelligence.
Gartner report highlights:
🔹 90% of attacks will exploit known vulnerabilities by 2028
🔹 Most can be prevented with strategic Threat Intelligence
🔹 Threat intelligence reduces MTTD & MTTR and strengthens overall readiness.
Download the report.
#ThreatIntelligence #CyberSecurity #IncidentResponse #CyberAwareness #GartnerReport
Gartner report highlights:
🔹 90% of attacks will exploit known vulnerabilities by 2028
🔹 Most can be prevented with strategic Threat Intelligence
🔹 Threat intelligence reduces MTTD & MTTR and strengthens overall readiness.
Download the report.
#ThreatIntelligence #CyberSecurity #IncidentResponse #CyberAwareness #GartnerReport
❤5
🚨 Group-IB has uncovered a sophisticated new threat rewriting the ransomware playbook. DeadLock leverages Polygon smart contracts to rotate proxy addresses, a stealthy, under-reported technique that bypasses traditional defenses by abusing decentralized infrastructure.
Key Highlights:
🔹 Decentralized Proxy Management: Uses Polygon smart contracts to dynamically retrieve and rotate proxy server addresses, complicating takedowns.
🔹 Service Disruption: Employs a custom PowerShell noscript to stop all non-whitelisted Windows services, sparing only native processes & its own RMM tool, AnyDesk.
🔹 Evolving Extortion: Ransom notes have matured from simple encryption alerts to explicit threats of selling stolen data, even offering "security reports" and promises not to re-target victims.
🔹Infrastructure Tracking: We traced proxy servers and smart contract transactions, revealing dedicated infrastructure & recent reactivation of operations.
Read the full technical analysis.
#ThreatIntelligence #DeadLockRansomware
Key Highlights:
🔹 Decentralized Proxy Management: Uses Polygon smart contracts to dynamically retrieve and rotate proxy server addresses, complicating takedowns.
🔹 Service Disruption: Employs a custom PowerShell noscript to stop all non-whitelisted Windows services, sparing only native processes & its own RMM tool, AnyDesk.
🔹 Evolving Extortion: Ransom notes have matured from simple encryption alerts to explicit threats of selling stolen data, even offering "security reports" and promises not to re-target victims.
🔹Infrastructure Tracking: We traced proxy servers and smart contract transactions, revealing dedicated infrastructure & recent reactivation of operations.
Read the full technical analysis.
#ThreatIntelligence #DeadLockRansomware
👍4❤1
🚨Peruvian Peaks: The Illusion of Digital Loans
Phishing scams based on fake digital loan offers are growing at an alarming rate in Peru and across Latin America. In this new technical blog, we present an in‑depth investigation into a fraudulent campaign that combines social media advertising, bank impersonation, and advanced credential‑harvesting techniques.
Since 2024, Group‑IB has identified approximately 370 fraudulent domains and dozens of malicious social‑media advertisements, all designed to mimic legitimate loan application processes in order to capture sensitive financial data, including card numbers, PINs, and online banking credentials, for sale on underground markets or use in further attacks.
👉 Discover how this scheme operates, why it is so effective, and what risks it poses to the regional financial ecosystem. Read the full technical analysis here.
#DigitalLoans #PhishingScams #CyberSecurity #FraudPrevention #LATAM #OnlineScams
Phishing scams based on fake digital loan offers are growing at an alarming rate in Peru and across Latin America. In this new technical blog, we present an in‑depth investigation into a fraudulent campaign that combines social media advertising, bank impersonation, and advanced credential‑harvesting techniques.
Since 2024, Group‑IB has identified approximately 370 fraudulent domains and dozens of malicious social‑media advertisements, all designed to mimic legitimate loan application processes in order to capture sensitive financial data, including card numbers, PINs, and online banking credentials, for sale on underground markets or use in further attacks.
👉 Discover how this scheme operates, why it is so effective, and what risks it poses to the regional financial ecosystem. Read the full technical analysis here.
#DigitalLoans #PhishingScams #CyberSecurity #FraudPrevention #LATAM #OnlineScams
🔥8👍4
🚨Group-IB’s first Weaponized AI report reveals how cybercriminals are operationalizing artificial intelligence to drive a fifth wave of cybercrime.
Skills that once required human expertise, such as persuasion, impersonation, and malware development, are now being turned into on-demand services, available at scale and speed. From the abuse of publicly available LLMs to the rise of proprietary Dark LLMs traded on the dark web, AI crimeware is rapidly being commercialized across the underground economy.
Key insights from the report:
✅ Mentions of AI on dark web forums surged 371% between 2019 and 2025, signalling rapid adoption by threat actors.
✅ AI-powered phishing tools are selling for as little as $30 per month.
✅ A growing deepfake-as-a-service market, with synthetic identity kits from US$5 and activity up 52% YoY in 2025.
✅ Criminal-grade LLMs sold for $30–$200 per month, with customer bases exceeding 1,000 users.
👉 Download the full report.
#AI #DarkWeb #Deepfake
Skills that once required human expertise, such as persuasion, impersonation, and malware development, are now being turned into on-demand services, available at scale and speed. From the abuse of publicly available LLMs to the rise of proprietary Dark LLMs traded on the dark web, AI crimeware is rapidly being commercialized across the underground economy.
Key insights from the report:
✅ Mentions of AI on dark web forums surged 371% between 2019 and 2025, signalling rapid adoption by threat actors.
✅ AI-powered phishing tools are selling for as little as $30 per month.
✅ A growing deepfake-as-a-service market, with synthetic identity kits from US$5 and activity up 52% YoY in 2025.
✅ Criminal-grade LLMs sold for $30–$200 per month, with customer bases exceeding 1,000 users.
👉 Download the full report.
#AI #DarkWeb #Deepfake
🔥9
🎉 Group-IB announces the launch of Cloud Security Posture Management (CSPM) as part of our Unified Risk Platform. Designed to help organizations reduce risks associated with cloud transformation, it ensures business continuity by identifying misconfigurations, eliminating compliance gaps, and enhancing cloud security from initial development through to deployment.
What makes Group-IB CSPM different:
🔹 See the configurations that matter most: By enriching posture findings with real-world exposure data from Group-IB Attack Surface Management and industry-leading Group-IB Threat Intelligence, your team sees cloud risks as attackers would.
🔹 Combined with built-in CI/CD misconfiguration checks and a unified Group-IB ecosystem, it goes beyond traditional CSPM to give you deep visibility that closes active cloud risks.
Read the full press release to learn how Group-IB is redefining cloud security posture management.
#CloudSecurity #CSPM #CyberSecurity
What makes Group-IB CSPM different:
🔹 See the configurations that matter most: By enriching posture findings with real-world exposure data from Group-IB Attack Surface Management and industry-leading Group-IB Threat Intelligence, your team sees cloud risks as attackers would.
🔹 Combined with built-in CI/CD misconfiguration checks and a unified Group-IB ecosystem, it goes beyond traditional CSPM to give you deep visibility that closes active cloud risks.
Read the full press release to learn how Group-IB is redefining cloud security posture management.
#CloudSecurity #CSPM #CyberSecurity
👍5❤4🔥1
✨We are proud to continue our participation in the Hong Kong Cyber Security Action Task Force, following its extension by the Hong Kong Police Force for another 2 years. This ongoing collaboration reflects the trust placed in Group-IB’s predictive, adversary-focused threat and fraud intelligence, helping authorities and organizations anticipate and disrupt cyber threats before impact.
During the Inauguration Ceremony, Anastasia Tikhonova, Global Threat Research Lead at Group-IB, received the CSATF certificate from Commissioner of Police CHOW Yat-ming in recognition of Group-IB’s contribution to the Cyber Security Action Task Force and its support of law-enforcement efforts in Hong Kong.
At the same event, Vesta Matveeva, Head of Strategic Cybercrime Investigations at Group-IB, was awarded Silver at the Cyber Security Professional Awards 2025 (CSPA), a recognition of investigative excellence and real-world impact.
🔗 Read the full press release.
#LawEnforcement #ThreatIntelligence #CyberCrime #CSPA2025
During the Inauguration Ceremony, Anastasia Tikhonova, Global Threat Research Lead at Group-IB, received the CSATF certificate from Commissioner of Police CHOW Yat-ming in recognition of Group-IB’s contribution to the Cyber Security Action Task Force and its support of law-enforcement efforts in Hong Kong.
At the same event, Vesta Matveeva, Head of Strategic Cybercrime Investigations at Group-IB, was awarded Silver at the Cyber Security Professional Awards 2025 (CSPA), a recognition of investigative excellence and real-world impact.
🔗 Read the full press release.
#LawEnforcement #ThreatIntelligence #CyberCrime #CSPA2025
🔥8❤3
🚨ShadowSyndicate isn’t a single campaign or threat actor, it’s a malicious activity cluster formed by numerous servers sharing the same SSH fingerprints. That infrastructure is used for hosting of various attack frameworks and is involved in multiple, mostly ransomware, cyber operations.
Our latest research breaks down how reuse of SSH fingerprints performed with OPSEC inaccuracies reveals links between seemingly unrelated activities. Discovered server clusters have the same use as known ones: various C2 frameworks running on servers, connections to multiple cyber campaigns attributed to different threat actors. All of that points to ShadowSyndicate’s likely role as either an Initial Access Broker or a Bulletproof Hosting provider.
For threat intelligence teams, these patterns matter. Infrastructure reuse creates opportunities for earlier detection, stronger correlation, and more effective disruption across the cybercrime supply chain. Read the full technical analysis here.
#CyberSecurity #ShadowSyndicate
Our latest research breaks down how reuse of SSH fingerprints performed with OPSEC inaccuracies reveals links between seemingly unrelated activities. Discovered server clusters have the same use as known ones: various C2 frameworks running on servers, connections to multiple cyber campaigns attributed to different threat actors. All of that points to ShadowSyndicate’s likely role as either an Initial Access Broker or a Bulletproof Hosting provider.
For threat intelligence teams, these patterns matter. Infrastructure reuse creates opportunities for earlier detection, stronger correlation, and more effective disruption across the cybercrime supply chain. Read the full technical analysis here.
#CyberSecurity #ShadowSyndicate
🔥7❤1
🚨Many fraud programs cannot clearly answer two questions: where are we today, and where are we going?
Teams add tools, rules, and processes over time, but visibility and direction often lag behind. The result is fragmented controls, uneven governance, and reactive decisions.
Group-IB’s Unified Counter Fraud Framework provides a structured, seven-step lifecycle that helps organizations assess their current fraud maturity, define a target state, and plan measurable improvement.
Inside the white paper:
🔹 A practical implementation methodology
🔹 A maturity assessment tool for benchmarking
🔹 Guidance for financial institutions, fintechs, and regulators
🔹 Detailed mapping to ISO 37003:2025
Download the white paper.
#CyberSecurity #FraudPrevention #FinancialCrime #Fintech #Compliance
Teams add tools, rules, and processes over time, but visibility and direction often lag behind. The result is fragmented controls, uneven governance, and reactive decisions.
Group-IB’s Unified Counter Fraud Framework provides a structured, seven-step lifecycle that helps organizations assess their current fraud maturity, define a target state, and plan measurable improvement.
Inside the white paper:
🔹 A practical implementation methodology
🔹 A maturity assessment tool for benchmarking
🔹 Guidance for financial institutions, fintechs, and regulators
🔹 Detailed mapping to ISO 37003:2025
Download the white paper.
#CyberSecurity #FraudPrevention #FinancialCrime #Fintech #Compliance
👍9❤3
🎉 Our High-Tech Crime Trends (HTCT) 2026 Report is here!
Supply chain attacks have become the dominant force reshaping the global cyber threat landscape.
Group-IB's HTCT Report 2026 reveals a decisive shift in cybercrime away from isolated intrusions toward ecosystem-wide compromise. Attackers are now exploiting trusted vendors, open-source software, SaaS platforms, and managed service providers to gain inherited access to hundreds of downstream organizations.
Key findings:
🔹 Open-source ecosystems under siege npm and PyPI targeted with stolen credentials & automated malware worms
🔹 Malicious browser extensions weaponized to harvest credentials and hijack sessions
🔹 AI-powered phishing campaigns bypassing MFA through OAuth workflows
🔹 Data breaches triggering multi-tenant, cascading downstream impact
🔹 Industrialized ransomware supply chains coordinating upstream access
📥 Download the High-Tech Crime Trends Report 2026.
🔗 Read the full press release.
#CyberSecurity #SupplyChainAttack #HTCT2026
Supply chain attacks have become the dominant force reshaping the global cyber threat landscape.
Group-IB's HTCT Report 2026 reveals a decisive shift in cybercrime away from isolated intrusions toward ecosystem-wide compromise. Attackers are now exploiting trusted vendors, open-source software, SaaS platforms, and managed service providers to gain inherited access to hundreds of downstream organizations.
Key findings:
🔹 Open-source ecosystems under siege npm and PyPI targeted with stolen credentials & automated malware worms
🔹 Malicious browser extensions weaponized to harvest credentials and hijack sessions
🔹 AI-powered phishing campaigns bypassing MFA through OAuth workflows
🔹 Data breaches triggering multi-tenant, cascading downstream impact
🔹 Industrialized ransomware supply chains coordinating upstream access
📥 Download the High-Tech Crime Trends Report 2026.
🔗 Read the full press release.
#CyberSecurity #SupplyChainAttack #HTCT2026
🔥12❤5⚡3
🤝Group-IB has signed a strategic partnership with the National Polytechnic University of Armenia to advance cybersecurity education, research, and workforce development.
By embedding predictive threat intelligence, real-world investigative methodologies, and industry-grade tools into academic programs, the collaboration connects students to the same ecosystem that supports global cybercrime investigations bridging education with practical defense capabilities.
The initiative reinforces a shared commitment to developing future cybercrime fighters, strengthening Armenia’s cyber resilience, and building a new generation of professionals ready to anticipate and disrupt evolving threats. Read the full announcement here.
#IncidentResponse #Cybersecurity #ThreatIntelligence #Infosec
By embedding predictive threat intelligence, real-world investigative methodologies, and industry-grade tools into academic programs, the collaboration connects students to the same ecosystem that supports global cybercrime investigations bridging education with practical defense capabilities.
The initiative reinforces a shared commitment to developing future cybercrime fighters, strengthening Armenia’s cyber resilience, and building a new generation of professionals ready to anticipate and disrupt evolving threats. Read the full announcement here.
#IncidentResponse #Cybersecurity #ThreatIntelligence #Infosec
🔥10
🔐 How to share suspicious fraud data without breaking privacy laws
Until now, banks couldn't share intelligence on suspicious accounts without risking GDPR violations.
Group-IB's Cyber Fraud Intelligence Platform solves this with Bureau Veritas-validated Distributed Tokenization.
Watch our 18-minute panel discussion with experts explaining:
✅ Why SHA-256 hashing fails privacy standards
✅ How distributed tokenization enables compliant collaboration
✅ How to stop APP scams as early as during the warm-up phase before any losses
👉 Watch now!
Until now, banks couldn't share intelligence on suspicious accounts without risking GDPR violations.
Group-IB's Cyber Fraud Intelligence Platform solves this with Bureau Veritas-validated Distributed Tokenization.
Watch our 18-minute panel discussion with experts explaining:
✅ Why SHA-256 hashing fails privacy standards
✅ How distributed tokenization enables compliant collaboration
✅ How to stop APP scams as early as during the warm-up phase before any losses
👉 Watch now!
🔥5
🚨 Indonesia’s tax season exposed a coordinated fraud campaign powered by industrialized malware infrastructure.
Our latest technical deep dive reveals how the GoldFactory threat cluster leveraged shared infrastructure to deploy multiple malware families across an entire national digital ecosystem.
Key highlights:
🔹 A highly synchronized campaign targeted ~67 million tax residents during the 2026 tax season.
🔹 Infrastructure extended beyond tax services, abusing 16+ trusted brands with an estimated USD 1.5–2M systemic impact.
🔹 A multi-stage attack chain combined phishing, vishing, and malicious APK sideloading for full device takeover.
🔹 228 new Gigabud.RAT and MMRat samples were identified, highlighting rapid malware evolution.
🔹 Attribution confirms GoldFactory’s shift toward unified, cross-border fraud infrastructure.
🔹 Proactive infrastructure mapping reduced fraud success to just 0.027% among protected, compromised devices
Read the full technical breakdown.
#CyberSecurity #MalwareAnalysis
Our latest technical deep dive reveals how the GoldFactory threat cluster leveraged shared infrastructure to deploy multiple malware families across an entire national digital ecosystem.
Key highlights:
🔹 A highly synchronized campaign targeted ~67 million tax residents during the 2026 tax season.
🔹 Infrastructure extended beyond tax services, abusing 16+ trusted brands with an estimated USD 1.5–2M systemic impact.
🔹 A multi-stage attack chain combined phishing, vishing, and malicious APK sideloading for full device takeover.
🔹 228 new Gigabud.RAT and MMRat samples were identified, highlighting rapid malware evolution.
🔹 Attribution confirms GoldFactory’s shift toward unified, cross-border fraud infrastructure.
🔹 Proactive infrastructure mapping reduced fraud success to just 0.027% among protected, compromised devices
Read the full technical breakdown.
#CyberSecurity #MalwareAnalysis
❤10
🚨MuddyWater is back, and Operation Olalampo reveals how the actor continues to refine its intrusion tradecraft. This campaign combines macro-delivered payload chains, stealthy in-memory loaders, and a Rust-based Telegram C2 backdoor to maintain persistence and evade detection. Our analysis exposes sandbox-evasion techniques, fragmented encrypted communications, infrastructure reuse, and operator telemetry that provides rare insight into post-exploitation behavior.
Key highlights include the discovery of new malware variants, selective loader execution paths, AI-assisted development indicators, and backend infrastructure revealing how victims are tracked and managed with defensive recommendations including RMM tool restrictions, Telegram API monitoring, and memory integrity controls.
Dive into the full technical breakdown to understand the tooling, tactics, and defensive implications behind MuddyWater's latest operation.
#CyberSecurity #ThreatIntelligence #MalwareAnalysis #MuddyWater #Infosec
Key highlights include the discovery of new malware variants, selective loader execution paths, AI-assisted development indicators, and backend infrastructure revealing how victims are tracked and managed with defensive recommendations including RMM tool restrictions, Telegram API monitoring, and memory integrity controls.
Dive into the full technical breakdown to understand the tooling, tactics, and defensive implications behind MuddyWater's latest operation.
#CyberSecurity #ThreatIntelligence #MalwareAnalysis #MuddyWater #Infosec
🔥9👏1