Sticky Werewolf Uses Undocumented Implant to Deploy Lumma Stealer in Russia and Belarus - Related to leak, 1.6, worldwide, botnet, topsec's

Data Leak Exposes TopSec's Role in China’s Censorship-as-a-Service Operations

An analysis of a data leak from a Chinese cybersecurity corporation TopSec has revealed that it likely offers censorship-as-a-service solutions to prospective consumers, including a state-owned enterprise in the country.

Founded in 1995, TopSec ostensibly offers services such as Endpoint Detection and Response (EDR) and vulnerability scanning. But it's also providing "boutique" solutions in order to align with government initiatives and intelligence requirements, SentinelOne researchers Alex Delamotte and Aleksandar Milenkoski mentioned in a analysis shared with The Hacker News.

The data leak contains infrastructure details and work logs from employees, as well as references to web content monitoring services used to enforce censorship for public and private sector consumers.

It's believed that the enterprise provided bespoke monitoring services to a state-owned enterprise hit by a corruption scandal, indicating that such platforms are being used to monitor and control public opinion as necessary.

Present among the data leak is a contract for a "Cloud Monitoring Service Project" unveiled by the Shanghai Public Security Bureau in September 2024.

The project, the document reveals, involves continuous monitoring of websites within the Bureau's jurisdiction with the goal of identifying security issues and content changes, and providing incident alerts.

Specifically, the platform has been designed to look for the presence of hidden links in web content, along with those containing sensitive words related to political criticism, violence, or pornography.

While the exact goals are unclear, it's suspected that such alerts could be used by end-clients to take follow-on actions, such as issuing warnings, deleting content, or restricting access when sensitive words are detected. That revealed, Shanghai Anheng Smart City Security Technology Co. Ltd. won the contract, per public documents analyzed by SentinelOne.

The cybersecurity firm showcased the leak was detected after it analyzed a text file that was uploaded to the VirusTotal platform on January 24, 2025. The manner in which the data was leaked remains unclear.

"The main file we analyzed contains numerous work logs, which are a description of the work performed by a TopSec employee and the amount of time the task took, often accompanied by scripts, commands, or data related to the task," the researchers noted.

"In addition to work logs, the leak contains many commands and playbooks used to administrate TopSec's services via multiple common DevOps and infrastructure technologies that are used worldwide, including Ansible, Docker, ElasticSearch, Gitlab, Kafka, Kibana, Kubernetes, and Redis."

Also found are references to another framework named Sparta (or Sparda) that's supposedly designed to handle sensitive word processing by receiving content from downstream web applications via GraphQL APIs, once again suggestive of censorship keyword monitoring.

"These leaks yield insight into the complex ecosystem of relationships between government entities and China's private sector cybersecurity companies," the researchers unveiled.

"While many countries have significant overlap between government requirements and private sector cybersecurity firms, the ties between these entities in China are much deeper and represent the state's grasp on managing public opinion through online enforcement."

Das polnische CERT warnt vor einer Sicherheitslücke in der Video-Schnitt- und Postprocessing-Software DaVinci Resolve. Angreifer können sie missbrauch......

The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform appear to be readying a new version that allows prospective clients and ......

Angreifer können Sicherheitsbeschränkungen von IBMs Middleware für die Transaktionsverarbeitung umgehen und so PCs attackieren. Dagegen stehen gerüste......

Sticky Werewolf Uses Undocumented Implant to Deploy Lumma Stealer in Russia and Belarus

The threat actor known as Sticky Werewolf has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Stealer malware by means of a previously undocumented implant.

Cybersecurity business Kaspersky is tracking the activity under the name Angry Likho, which it stated bears a "strong resemblance" to Awaken Likho (aka Core Werewolf, GamaCopy, and PseudoGamaredon).

"However, Angry Likho's attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors," the Russian organization mentioned.

It's suspected that the threat actors are likely native Russian speakers given the use of fluent Russian in the bait files used to trigger the infection chain. Last month, cybersecurity corporation F6 (formerly [website] described it as a "pro-Ukrainian cyberspy group."

The attackers have been found to mainly single out organizations in Russia and Belarus, with hundreds of victims identified in the former.

Previous intrusion activities associated with the group have leveraged phishing emails as a conduit to distribute various malware families such as NetWire, Rhadamanthys, Ozone RAT, and a backdoor known as DarkTrack, the last of which is launched via a loader called Ande Loader.

The attack sequence involves the use of spear-phishing emails bearing a booby-trapped attachment ([website], archive files), within which are two Windows shortcut (LNK) files and a legitimate lure document.

The archive files are responsible for advancing the malicious activity to the next-stage, unleashing a complex multi-stage process to deploy the Lumma information stealer.

"This implant was created using the legitimate open-source installer, Nullsoft Scriptable Install System, and functions as a self-extracting archive (SFX)," Kaspersky stated.

The attacks have been observed incorporating steps to evade detection by security vendors by means of a check for emulators and sandboxed environments, causing the malware to either terminate or resume after a 10,000 ms delay, a technique also spotted in Awaken Likho implants.

This overlap has raised the possibility that the attackers behind the two campaigns share the same technology or likely the same group using a different set of tools for different targets and tasks.

"The group's latest attacks use the Lumma stealer, which collects a vast amount of data from infected devices, including browser-stored banking details and cryptowallet files," Kaspersky mentioned.

"The group relies on readily available malicious utilities obtained from darknet forums, rather than developing its own tools. The only work they do themselves is writing mechanisms of malware delivery to the victim's device and crafting targeted phishing emails."

Die kriminelle Online-Bande Cl0p ist für das Kopieren von Daten von Unternehmen und die darauf folgende Erpressung mit der Datenveröffentlichung bekan......

Angreifer können Sicherheitsbeschränkungen von IBMs Middleware für die Transaktionsverarbeitung umgehen und so PCs attackieren. Dagegen stehen gerüste......

Mit verschlüsselten Daten zu arbeiten, ohne sie entschlüsseln zu müssen, klingt unmöglich. Und doch bietet die homomorphe Verschlüsselung genau diese ......

Vo1d malware botnet grows to 1.6 million Android TVs worldwide

A new variant of the Vo1d malware botnet has grown to 1,590,299 infected Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks.

This is , which has been tracking the new campaign since last November, reporting that the botnet peaked on January 14, 2025, and currently has 800,000 active bots.

In September 2024, Dr. Web antivirus researchers found [website] million devices across 200 countries compromised by Vo1d malware via an unknown infection vector.

XLab's recent study indicates that the new version of the Vo1d botnet continues its operations on a larger scale, not deterred by the previous exposure.

Moreover, the researchers underline that the botnet has evolved with advanced encryption (RSA + custom XXTEA), resilient DGA-powered infrastructure, and enhanced stealth capabilities.

The Vo1d botnet is one of the largest seen in recent years, surpassing Bigpanzi, the original Mirai operation, and the botnet responsible for a record-breaking [website] Tbps DDoS attack handled by Cloudflare last year.

As of February 2025, nearly 25% of the infections impact Brazilian clients, followed by devices in South Africa ([website], Indonesia ([website], Argentina ([website], Thailand ([website], and China ([website].

The researchers study that the botnet has had notable infection surges, like going from 3,900 to 217,000 bots in India within just three days.

The largest fluctuations suggest that the botnet operators may be "renting" devices as proxy servers, which are commonly used to conduct further illegal activity or botting.

"We speculate that the phenomenon of "rapid surges followed by sharp declines" may be attributed to Vo1d leasing its botnet infrastructure in specific regions to other groups. Here's how this "rental-return" cycle could work: Leasing Phase: At the start of a lease, bots are diverted from the main Vo1d network to serve the lessee's operations. This diversion causes a sudden drop in Vo1d's infection count as the bots are temporarily removed from its active pool. Return Phase: Once the lease period ends, the bots rejoin the Vo1d network. This reintegration leads to a rapid spike in infection counts as the bots become active again under Vo1d's control. This cyclical mechanism of "leasing and returning" could explain the observed fluctuations in Vo1d's scale at specific time points." ❖ Xlab ❖ Xlab.

The scale of its command and control (C2) infrastructure is also impressive, with the operation using 32 domain generation algorithm (DGA) seeds to produce over 21,000 C2 domains.

C2 communication is protected by a 2048-bit RSA key, so even if researchers identify and register a C2 domain, they are not able to issue commands to the bots.

Most impacted countries as of February 25.

The Vo1d botnet is a multi-purpose cybercrime tool that turns compromised devices into proxy servers to facilitate illegal operations.

Infected devices relay malicious traffic for the cybercriminals, hiding the origin of their activity and blending in with residential network traffic. This also helps the threat actors bypass regional restrictions, security filtering, and other protections.

The malware has specific plugins that automate ad interactions and simulate human-like browsing behavior, as well as the Mzmess SDK, which distributes fraud tasks to different bots.

Given that the infection chain remains unknown, it is recommended that Android TV consumers follow a holistic security approach to mitigate the Vo1d threat.

The first step is buying devices from reputable vendors and trustworthy resellers to minimize the likelihood of malware being pre-loaded from the factory or while in transit.

Secondly, it's crucially crucial to install firmware and security updates that close gaps that may be leveraged for remote infections.

Thirdly, consumers should avoid downloading apps outside of Google Play or third-party firmware images that promise extended and "unlocked" functionality.

Android TV devices should have their remote access functions disabled if not needed, while taking them offline when not used is also an effective strategy.

Ultimately, IoT devices should be isolated from valuable devices that hold sensitive data on the network level.

An analysis of a data leak from a Chinese cybersecurity enterprise TopSec has revealed that it likely offers censorship-as-a-service solutions to prospec......

Angreifer können Sicherheitsbeschränkungen von IBMs Middleware für die Transaktionsverarbeitung umgehen und so PCs attackieren. Dagegen stehen gerüste......

Remote Desktop Protocol (RDP) is an amazing technology developed by Microsoft that lets you access and control another computer over a network. It's l......