Nearly 12,000 API keys and passwords found in AI training dataset - Related to impacts, microsoft, 2025, outage, new

5 Active Malware Campaigns in Q1 2025

The first quarter of 2025 has been a battlefield in the world of cybersecurity. Cybercriminals continued launching aggressive new campaigns and refining their attack methods.

Below is an overview of five notable malware families, accompanied by analyses conducted in controlled environments.

Additionally, this method involves injecting fake CAPTCHA pages into compromised websites, prompting individuals to execute malicious PowerShell commands that download and run the NetSupport RAT.

Once installed, this RAT grants attackers full control over the victim's system, allowing activities such as real-time screen monitoring, file manipulation, and execution of arbitrary commands.

Main technical characteristics of NetSupport RAT.

Attackers can view and control the victim's screen in real time.

Uploads, downloads, modifies, and deletes files on the infected system.

Runs system commands and PowerShell scripts remotely.

Captures copied text, including passwords and sensitive data.

Records user keystrokes for credential theft.

Starts, stops, and modifies system processes and services.

Installs itself in startup folders. Registry keys, or scheduled tasks to survive reboots.

Uses process injection and code obfuscation to evade detection.

Maintains a stealthy connection with attackers using encrypted traffic.

After running the NetSupport RAT payload inside 's Interactive Sandbox, we can see several activities.

Malicious archive opened inside sandbox.

When NetSupport RAT infects a system, it immediately establishes a connection with a command-and-control (C2) server, allowing attackers to operate the compromised machine remotely.

CnC connection detected by sandbox.

Through this connection, attackers can execute system commands, deploy additional malware, and modify system settings.

Equip your team with 's Interactive Sandbox to analyze unlimited malware in real time, uncover threats faster, and strengthen your defenses. Start your free trial today!

NetSupport RAT employs multiple Tactics, Techniques, and Procedures (TTPs) to maintain persistence, evade detection, and gather system data. Key TTPs include:

Persistence & Execution: Modifies registry startup keys, executes scripts via .

Discovery: Reads computer name, checks system language, and accesses environment variables.

Defense Evasion & C2 Communication: Drops legitimate Windows executables, creates internet connection objects for remote control.

Additionally, these techniques demonstrate how NetSupport RAT establishes control while avoiding detection, all of which are visible in 's ATT&CK mapping.

The Lynx Ransomware-as-a-Service (RaaS) group is known as a highly organized entity. Offering a structured affiliate program and robust encryption methods. Building upon the foundation of the earlier INC ransomware, Lynx has enhanced its capabilities and expanded its reach, targeting a diverse range of industries across multiple countries.

Lynx's affiliate panel allows its affiliates to configure victim profiles, generate custom ransomware samples. And manage data-leak schedules within a user-friendly interface. Because of its structured approach, it becomes one of the most accessible ransomware even for those with limited technical expertise.

To incentivize participation. Lynx offers affiliates an 80% share of ransom proceeds. The group maintains a leak site where stolen data is .

In the first quarter of 2025, the Lynx Ransomware-as-a-Service (RaaS) group has intensified its operations, targeting various industries with sophisticated attacks.

Particularly, in February 2025. Lynx claimed responsibility for breaching Brown and Hurley, a prominent Australian truck dealership. The group alleged the theft of approximately 170 gigabytes of sensitive data, including human resources documents, business contracts, customer information, and financial records.

In January 2025, Lynx also breached Hunter Taubman Fischer & Li LLC, a law firm specializing in corporate and securities law.

Main technical characteristics of Lynx ransomware.

Encrypts all files by default, including local drives, network shares, and removable media.

Configurable via RaaS to target specific file types, folders, or extensions.

Steals sensitive data before encryption, exfiltrating documents, credentials, and financial information.

Transfers stolen data over encrypted channels. Such as HTTPS or custom communication protocols.

Deletes Volume Shadow Copies and disables Windows recovery elements to prevent restoration.

Closes applications that may block encryption using RestartManager.

Utilizes credential dumping techniques to extract stored passwords from browsers, Windows Credential Manager, and networked devices.

Maintains a C2 connection with DGA-based domains and anonymized traffic via Tor.

Detects VMs and sandboxes, altering behavior to evade analysis.

Runs in memory without writing files to disk, avoiding detection.

We can observe Lynx Ransomware's behavior firsthand in a controlled environment. In the sandbox analysis, after executing the Lynx payload, the infected system undergoes several noticeable changes.

Desktop background changed inside sandbox.

The desktop background is replaced with a ransom message, and. The attackers leave a note warning that all data has been stolen and encrypted. Victims are instructed to download Tor to contact them.

The sandbox also detects how Lynx systematically renames files, appending its extension. For example, C:\people\admin\Desktop\ becomes C:\people\admin\Desktop\.

Files renaming with . lynx detected by .

Dozens of files across the system are modified this way, further confirming its encryption process. These are just a few of the many destructive actions Lynx carries out once inside a compromised system.

Modification of files by Lynx ransomware.

AsyncRAT: Leveraging Python Payloads and TryCloudflare Tunnels.

In early 2025, cybersecurity researchers uncovered a sophisticated malware campaign deploying AsyncRAT, a remote access trojan known for its efficient, asynchronous communication capabilities.

This campaign stands out due to its use of Python-based payloads and. The exploitation of TryCloudflare tunnels to enhance stealth and persistence.

This file, in turn, retrieves a Windows shortcut (LNK) file via a TryCloudflare URL. Executing the LNK file triggers a series of scripts, PowerShell, JavaScript, and batch scripts, that download and execute a Python payload.

This payload is responsible for deploying multiple malware families, including AsyncRAT, Venom RAT, and XWorm.

Allows attackers to execute commands, monitor user activity, and manage files on the compromised system.

Capable of stealing sensitive information, including credentials and personal data.

Employs techniques to maintain long-term access, such as modifying system registries and. Utilizing startup folders.

Uses obfuscation and encryption to evade detection by security solutions.

Inside 's analysis session, we can open the MalConf section to reveal the malicious configurations used by AsyncRAT.

Malicious configurations analyzed inside controlled environment.

As we can see, AsyncRAT connects to masterpoldo02[.]kozow[.]com over port 7575, allowing remote attackers to control infected machines. Blocking this domain and monitoring traffic to this port can help prevent infections.

Besides, AsyncRAT installs itself in %AppData% to blend in with legitimate applications and uses a mutex (AsyncMutex_alosh) to prevent multiple instances from running.

Furthermore, the malware also uses AES encryption with a hardcoded key and salt, making it difficult for security tools to analyze its communications.

Lumma Stealer: GitHub-Based Distribution.

Building on these developments, in early 2025, cybersecurity experts uncovered a sophisticated campaign involving Lumma Stealer, an information-stealing malware.

Attackers used GitHub's release infrastructure to distribute this malware, exploiting the platform's trustworthiness to bypass security measures.

Once executed, Lumma Stealer initiates additional malicious activities, including downloading and running other threats like SectopRAT, Vidar, Cobeacon, and additional Lumma Stealer variants.

Technical Characteristics of Lumma Stealer.

Distributed through GitHub releases, leveraging trusted infrastructure to evade security detection.

Sends stolen data to remote servers. Enabling real-time exfiltration.

Can download and execute additional malware, including SectopRAT, Vidar, and Cobeacon.

Uses registry modifications and startup entries to maintain access.

Detectable through network-based security monitoring tools, revealing malicious communication patterns.

Lumma Stealer analyzed inside virtual machine.

A detailed examination using the sandbox demonstrates Lumma Stealer's behavior.

Upon execution, the malware connects to its command-and-control server, facilitating the exfiltration of sensitive data. The analysis also reveals the triggering of specific Suricata rules:

Suricata rule triggered by Lumma Stealer.

Furthermore, the analysis session also reveals how Lumma steals credentials from web browsers and exfiltrates personal data:

Credentials and personal data theft by Lumma Stealer.

InvisibleFerret: The Silent Threat Lurking in Fake Job Offers.

In a wave of social engineering attacks, cybercriminals have been leveraging InvisibleFerret, a stealthy Python-based malware, to compromise unsuspecting victims.

Disguised as legitimate software in fake job interview processes, this malware has been actively used in the fake interview campaign, where attackers pose as recruiters to trick professionals into downloading malicious tools.

Technical Characteristics of InvisibleFerret.

Additionally, the malware employs disorganized and obfuscated Python scripts, making analysis and detection challenging.

InvisibleFerret actively searches for and. Exfiltrates sensitive information, including source code, cryptocurrency wallets, and personal files.

Often delivered as a secondary payload by another malware called BeaverTail , which is an obfuscated JavaScript-based infostealer and loader.

, which is an obfuscated JavaScript-based infostealer and loader. The malware establishes persistence on the infected system, ensuring continued access and control.

A key element of the InvisibleFerret attack is the deployment of BeaverTail, a malicious NPM module that delivers a portable Python environment ( to execute the malware.

Acting as the first stage in a multi-layered attack chain, BeaverTail sets up InvisibleFerret, a stealthy backdoor with advanced obfuscation and persistence mechanisms, making detection difficult.

By submitting InvisibleFerret to 's Interactive Sandbox, we can analyze its behavior in real time:

InvisibleFerret behavior analyzed by sandbox.

Moving to another aspect, the malware starts by collecting system information, such as OS version. Hostname, username, and geolocation, using services like , a method also used by cryptocurrency drainers.

Exfiltrated information analyzed inside sandbox.

Malicious requests blend with normal traffic, making detection challenging. 's interface highlights these activities, showing network requests in orange and red beneath the virtual machine.

Malicious requests are blended with legitimate traffic, all directed by the same script.

Don't Let Threats Go Unnoticed - Detect Them with .

The first quarter of 2025 has been filled with stealthy and. Aggressive cyber threats, from ransomware operations to silent data stealers. But attackers don't have to win.

's Interactive Sandbox gives businesses the power to analyze malware in real time, uncover hidden behaviors, and strengthen defenses before an attack escalates.

Gather IOCs instantly to speed up threat hunting and incident response.

Get structured, in-depth reports for superior visibility into malware behavior.

Map threats to the ATT&CK framework to understand tactics and techniques used by attackers.

Collaborate seamlessly, sharing real-time analysis across teams.

Opposition activists in Belarus as well as Ukrainian military and government organizations are the target of a new campaign that employs malware-laced...

Brazil, South Africa, Indonesia. Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malw...

Die US-amerikanische IT-Sicherheitsbehörde warnt vor beobachteten Angriffen auf Schwachstellen in Cisco RV-Routern, Hitachi Vantara, WhatsUp Gold und ...

Nearly 12,000 API keys and passwords found in AI training dataset

Close to 12,000 valid secrets that include API keys and passwords have been found in the Common Crawl dataset used for training multiple artificial intelligence models.

The Common Crawl non-profit organization maintains a massive open-source repository of petabytes of web data collected since 2008 and is free for anyone to use.

Because of the large dataset, many artificial intelligence projects may rely, at least in part, on the digital archive for training large language models (LLMs), including ones from OpenAI, DeepSeek, Google, Meta, Anthropic, and Stability.

Researchers at Truffle Security - the enterprise behind the TruffleHog open-source scanner for sensitive data, found valid secrets after checking 400 terabytes of data from billion web pages in the Common Crawl December 2024 archive.

In relation to this, they discovered 11,908 secrets that authenticate successfully, which developers hardcoded, indicating the potential of LLMs being trained on insecure code.

It should be noted that LLM training data is not used in raw form and goes through a pre-processing stage that involves cleaning and filtering out unnecessary content like irrelevant data, duplicate, harmful, or sensitive information.

Despite such efforts, it is difficult to remove confidential data, and the process offers no guarantee for stripping such a large dataset of all personally identifiable information (PII), financial data, medical records. And other sensitive content.

After analyzing the scanned data, Truffle Security found valid API keys for Amazon Web Services (AWS), MailChimp, and WalkScore services.

Overall, TruffleHog identified 219 distinct secret types in the Common Crawl dataset, the most common being MailChimp API keys.

“Nearly 1,500 unique Mailchimp API keys were hard coded in front-end HTML and JavaScript” - Truffle Security.

Furthermore, the researchers explain that the developers’ mistake was to hardcode them into HTML forms and JavaScript snippets and did not use server-side environment variables.

MailChimp API key leaked in front-end HTML.

An attacker could use these keys for malicious activity such as phishing campaigns and brand impersonation. Furthermore, leaking such secrets could lead to data exfiltration.

Another highlight in the analysis is the high reuse rate of the discovered secrets. Saying that 63% were present on multiple pages. One of them though, a WalkScore API key, “appeared 57,029 times across 1,871 subdomains.”.

The researchers also found one webpage with 17 unique live Slack webhooks, which should be kept secret because they allow apps to post messages into Slack.

“Keep it secret. Keep it safe. Your webhook URL contains a secret. Don't share it online, including via public version control repositories,” Slack warns.

Following the research, Truffle Security contacted impacted vendors and. Worked with them to revoke their individuals' keys. “We successfully helped those organizations collectively rotate/revoke several thousand keys,” the researchers say.

Even if an artificial intelligence model uses older archives than the dataset the researchers scanned, Truffle Security's findings serve as a warning that insecure coding practices could influence the behavior of the LLM.

The US Cybersecurity and Infrastructure Security Agency says that media reports about it being directed to no longer follow or research on Russian cyber...

Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets. ...

Various industrial organizations in the Asia-Pacific (APAC) region have been targeted as part of phishing attacks designed to deliver a known malware ...

New Microsoft 365 outage impacts Teams, causes call failures

Microsoft is investigating a new Microsoft 365 outage that is affecting Teams clients and causing call failures.

Since the incident started more than one hour ago, outage monitoring service Downdetector has received hundreds of reports, with affected consumers saying they're also experiencing authentication problems.

"consumers may not be able to receive calls placed through Microsoft Teams-provisioned auto attendants and call queues," the corporation expressed in a new service alert (TM1022107) in the Microsoft 365 admin center.

"We're analyzing service telemetry and call metadata to superior understand the nature of impact and. Determine our next steps."

Microsoft has yet to share what regions are impacted by this ongoing outage and more information on the incident's root cause.

Despite Redmond saying the incident only affects the Teams communication platform, clients analysis a much broader impact. They're also experiencing issues connecting to Outlook, OneDrive, and Exchange or checking email messages.

"It affects multiple services, including Teams, Exchange, SharePoint. Bing, and so on. So, it's bigger than this," one customer mentioned.

"Can only access outlook and teams via mobile, and only accessing my 365 emails via the outlook app will not load on apples native mail app," another added.

Today, the enterprise also warned on its service health status page that clients in Canada are experiencing authentication and connectivity issues when trying to access multiple Microsoft 365 services, including Exchange Online, Microsoft Teams, and. The Microsoft 365 admin center.

Connectivity issues affecting Canada (BleepingComputer).

Over the weekend, Microsoft stated it addressed another Microsoft 365 outage that affected Outlook and Exchange Online authentication and caused Teams and Power Platform degraded functionality. Redmond linked this weekend's incident to a coding issue in a recent revision to Microsoft 365 authentication systems.

However, a Monday advisory revealed that Exchange Online individuals still have issues accessing their calendars and email messages using the iOS native mail app.

Last week, Microsoft fixed another issue caused by a DNS change that triggered Entra ID authentication failures for clients using Seamless SSO and Microsoft Entra Connect Sync.

enhancement March 03. 14:42 EST: Added details on Microsoft 365 affecting clients in Canada.

improvement March 03, 16:53 EST: Microsoft says the authentication issue has been addressed.

"We've identified a recent change that inadvertently caused impact to auto attendant and call queues. We've deployed a fix to restore service," the corporation revealed.

"After an extended period of monitoring. We've confirmed that the service has successfully recovered following our fix."

Vor zwei Sicherheitslücken in der Bedienoberfläche zu IBM Storage-Virtualize-Produkten warnt der Hersteller derzeit. Angreifer aus dem Netz können dad...

A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection effo...

Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets. ...