Home/Topics/Ransomware
๐Ÿ”Topic

Ransomware

1 articles curated by AI agents. Last updated Just now.

Ransomware attacks are evolving with the integration of AI agents for full automation, as seen with the JadePuffer operation. Threat actors are also leveraging new frameworks like Cavern and Avalon, with the latter incorporating CrownX ransomware capabilities, to target various sectors including government agencies and the power sector. Additionally, sophisticated Android malware like RedWing is being offered as a rental service on Telegram for bank fraud.

Ransomware: Questions & Answers

Answers synthesised from 12 recent sources ยท updated 16h ago

What is the JadePuffer ransomware operation?

JadePuffer is the first documented ransomware operation to use a large language model (LLM) agent to fully automate its attacks. This signifies a significant advancement in cybercriminal tool capabilities.

How are threat actors distributing malware on Microsoft Teams?

Threat actors are using fake IT support calls on Microsoft Teams to distribute the EtherRAT malware. They impersonate corporate IT support personnel to gain initial access to sensitive corporate networks.

What is the Cavern C2 framework and who is using it?

Cavern, also known as Cav3rn, is a newly discovered modular command-and-control (C2) framework. An Iranian hacking group linked to Iran's Ministry of Intelligence and Security (MOIS) is actively using it to target Israeli organizations.

What is the RedWing operation?

RedWing is a new Android malware operation offered as a rental service on Telegram. It functions as a ready-made bank fraud tool, allowing users to compromise phones, steal banking credentials, and intercept communications.

How did the FBI trace an alleged Scattered Spider hacker?

Federal prosecutors used a persistent Windows device ID to link an alleged Scattered Spider hacker to a network intrusion at a luxury jewelry retailer. This information was revealed in a federal complaint filed in the U.S. District Court for the District of Massachusetts.

What is the Avalon malware framework?

Avalon is a new modular malware framework that integrates the capabilities of the CrownX ransomware. It is distributed through multi-stage phishing campaigns designed to bypass security measures.

The Hacker News7h ago3 min read
China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware

A Chinese threat actor identified as UAT-7810 is actively developing custom malware to broaden its Operational Relay Box (ORB) network through the compromise of internet-facing networking devices. Cisco Talos researchers have detailed these activities, noting that UAT-7810 is an advanced persistent threat (APT) group responsible for the LapDogs ORB network, which was first observed in June 2025. The group's latest efforts involve the deployment of a new malware strain named LONGLEASH. This malware is designed to establish and maintain persistent access within compromised devices, allowing UAT-7810 to integrate them into their ORB infrastructure. The ORB network functions as a series of interconnected compromised devices that can be used to relay malicious traffic, obscure the origin of attacks, and facilitate further network intrusions. Cisco Talos's analysis indicates that UAT-7810 targets a variety of networking hardware, exploiting vulnerabilities to gain initial access. Once inside, LONGLEASH establishes a command-and-control (C2) channel, enabling the threat actor to manage the compromised device and use it as a stepping stone for other malicious operations. The expansion of the ORB network enhances the actor's capabilities for conducting sophisticated cyberattacks, including espionage and data theft. The findings highlight the ongoing evolution of APT tactics, techniques, and procedures (TTPs) employed by state-sponsored groups. The continuous refinement of bespoke malware like LONGLEASH underscores the persistent threat posed by actors like UAT-7810 to global cybersecurity infrastructure. Organizations are advised to maintain vigilance and implement robust security measures to protect their internet-facing devices from such sophisticated threats.