North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack - Related to anniversary,, seized, who’s, ‘nulled’?, hijack

Happy 15th Anniversary, KrebsOnSecurity!

[website] turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024’s most engrossing security stories were about bad things happening to bad guys. It’s also an occasion to note that despite my publishing fewer stories than ever this past year, we somehow managed to attract near record levels of readership (thank you!).

In case you missed any of them, here’s a recap of 2024’s most-read stories. In January, KrebsOnSecurity told the story of a Canadian man who was falsely charged with larceny and lost his job after becoming the victim of a complex e-commerce scam known as triangulation fraud. This can occur when you buy something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, they purchase the item using stolen payment card data and your shipping address. In this scam, you receive what you ordered, and the only party left to dispute the transaction is the owner of the stolen payment card.

March featured several investigations into the history of various people-search data broker services. One story exposed how the Belarusian CEO of the privacy and data removal service OneRep had actually founded dozens of people-search services, including many that OneRep was offering to remove people from for a fee. That story quickly prompted Mozilla to terminate its partnership with OneRep, which Mozilla had bundled as a privacy option for Firefox customers.

A story digging into the consumer data broker Radaris found its CEO was a fabricated identity, and that the organization’s founders were Russian brothers in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites.

Radaris repeatedly threatened to sue KrebsOnSecurity unless that publication was retracted in full, alleging that it was replete with errors both factual and malicious. Instead, we doubled down and ’t included in the original story, leaving little room for doubt about its conclusions. Fittingly, Radaris now pimps OneRep as a service when consumers request that their personal information be removed from the data broker’s website.

Easily the longest story this year was an investigation into Stark Industries Solutions, a large, mysterious new Internet hosting firm that materialized when Russia invaded Ukraine. That piece revealed how Stark was being used as a global proxy network to conceal the true source of cyberattacks and disinformation campaigns against enemies of Russia.

Much of my summer was spent reporting a story about how advertising and marketing firms have created a global free-for-all where anyone can track the daily movements and associations of hundreds of millions of mobile devices, thanks to the ubiquity of mobile location data that is broadly and cheaply available.

Research . That analysis found an increasing number of young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.

One focus of that story was a Canadian cybercriminal who used the nickname Judische. Identified by the Mandiant as one of the most consequential threat actors of 2024, Judische was responsible for a hacking rampage that exposed private information on hundreds of millions of Americans. That story withheld Judische’s real name, but the reporting came in handy in late October when a 25-year-old Canadian man named Connor Riley Moucka was arrested and charged with 20 criminal counts connected to the Snowflake data extortions.

In November, KrebsOnSecurity ’s accomplice — a hacker known as Kiberphant0m — detailing how Kiberphant0m had left a trail of clues strongly suggesting that they are or lately were a [website] Army soldier stationed in South Korea.

My reporting in December was mainly split between two investigations. The first profiled Cryptomus, a dodgy cryptocurrency exchange allegedly based in Canada that has become a major payment processor and sanctions evasion platform for dozens of Russian exchanges and cybercrime services online.

Before signing off for 2024, allow me to remind readers that the reporting we’re able to provide here is made possible primarily by the ads you may see at the top of this website. If you currently don’t see any ads when you load this website, please consider enabling an exception in your ad blocker for [website] There is zero third-party content on this website, apart from the occasional Youtube video embedded as part of a story. More importantly, all of our ads are static images or GIFs that are vetted by me and served in-house directly.

Fundamentally, my work is supported and improved by your readership, tips, encouragement and, yes, criticism. So thank you for that, and keep it coming, please.

Here’s to a happy, healthy, wealthy and wary 2025. Hope to see you all again in the New Year!

As cloud security evolves in 2025 and beyond, organizations must adapt to both new and evolving real...

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that res...

Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant ...

Who’s Behind the Seized Forums ‘Cracked’ & ‘Nulled’?

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of clients that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities demonstrates their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

On Jan. 30, the [website] Department of Justice noted it seized eight domain names that were used to operate Cracked, a cybercrime forum that sprang up in 2018 and attracted more than four million clients. The DOJ noted the law enforcement action, dubbed Operation Talent, also seized domains tied to Sellix, Cracked’s payment processor.

In addition, the government seized the domain names for two popular anonymity services that were heavily advertised on Cracked and Nulled and allowed end-clients to rent virtual servers: StarkRDP[.]io, and rdp[.]sh.

Those archived webpages show both RDP services were owned by an entity called 1337 Services Gmbh. .com, 1337 Services GmbH is also known as AS210558 and is incorporated in Hamburg, Germany.

The Cracked forum administrator went by the nicknames “FlorainN” and “StarkRDP” on multiple cybercrime forums. Meanwhile, a LinkedIn profile for a Florian M. from Germany refers to this person as the co-founder of Sellix and founder of 1337 Services GmbH.

Northdata’s business profile for 1337 Services GmbH presents the enterprise is controlled by two individuals: 32-year-old Florian Marzahl and Finn Alexander Grimpe, 28.

Neither Marzahl nor Grimpe responded to requests for comment. But Grimpe’s first name is interesting because it corresponds to the nickname chosen by the founder of Nulled, who goes by the monikers “Finn” and “Finndev.” NorthData reveals that Grimpe was the founder of a German entity called DreamDrive GmbH, which rented out high-end sports cars and motorcycles.

, a user named Finndev registered on multiple cybercrime forums, including Raidforums [seized by the FBI in 2022], Void[.]to, and vDOS, a DDoS-for-hire service that was shut down in 2016 after its founders were arrested.

The Justice Department mentioned the Nulled marketplace had more than five million members, and has been selling stolen login credentials, stolen identification documents and hacking services, as well as tools for carrying out cybercrime and fraud, since 2016.

Perhaps fittingly, both Cracked and Nulled have been hacked over the years, exposing countless private messages between forum clients. A review of those messages archived by Intel 471 showed that dozens of early forum members referred privately to Finndev as the owner of shoppy[.]gg, an e-commerce platform that caters to the same clientele as Sellix.

Shoppy was not targeted as part of Operation Talent, and its website remains online. Shoppy’s business name — Shoppy Ecommerce Ltd. — is registered at an address in Gan-Ner, Israel, but there is no ownership information about this entity. Shoppy did not respond to requests for comment.

The DOJ noted one of the alleged administrators of Nulled, a 29-year-old Argentinian national named Lucas Sohn, was arrested in Spain. The government has not presented any other arrests or charges associated with Operation Talent.

Indeed, both StarkRDP and FloraiN have posted to their accounts on Telegram that there were no charges levied against the proprietors of 1337 Services GmbH. FlorainN told former clients they were in the process of moving to a new name and domain for StarkRDP, where existing accounts and balances would be transferred.

“StarkRDP has always been operating by the law and is not involved in any of these alleged crimes and the legal process will confirm this,” the StarkRDP Telegram account wrote on January 30. “All of your servers are safe and they have not been collected in this operation. The only things that were seized is the website server and our domain. Unfortunately, no one can tell who took it and with whom we can talk about it. Therefore, we will restart operation soon, under a different name, to close the chapter [of] ‘StarkRDP.'”.

Brazilian Windows people are the target of a campaign that delivers a banking malware known as Coyote...

The Open Web Application Security Project has not long ago introduced a new Top 10 project - the Non-Hum...

As many as 768 vulnerabilities with designated CVE identifiers were reported as exploited in the wil...

North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack

The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them.

"To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment," the Microsoft Threat Intelligence team showcased in a series of posts shared on X.

Should the victim follow through, the malicious code downloads and installs a browser-based remote desktop tool, along with a certificate file with a hardcoded PIN from a remote server.

"The code then sends a web request to a remote server to register the victim device using the downloaded certificate and PIN. This allows the threat actor to access the device and carry out data exfiltration," Microsoft expressed.

The tech giant revealed it observed the use of this approach in limited attacks since January 2025, describing it as a departure from the threat actor's usual tradecraft.

It's worth noting that the Kimsuky is not the only North Korean hacking crew to adopt the compromise strategy. In December 2024, it was revealed that threat actors linked to the Contagious Interview campaign are tricking people into copying and executing a malicious command on their Apple macOS systems via the Terminal app so as to address a supposed problem with accessing the camera and microphone through the web browser.

Arizona woman pleads guilty to running laptop farm for N. Korean IT workers.

The development comes as the [website] Department of Justice (DoJ) mentioned a 48-year-old woman from the state of Arizona pleaded guilty for her role in the fraudulent IT worker scheme that allowed North Korean threat actors to obtain remote jobs in more than 300 [website] companies by posing as [website] citizens and residents.

The activity generated over $[website] million in illicit revenue for Christina Marie Chapman and for North Korea in violation of international sanctions between October 2020 and October 2023, the department stated.

"Chapman, an American citizen, conspired with overseas IT workers from October 2020 to October 2023 to steal the identities of [website] nationals and used those identities to apply for remote IT jobs and, in furtherance of the scheme, transmitted false documents to the Department of Homeland Security," the DoJ mentioned.

"Chapman and her coconspirators obtained jobs at hundreds of [website] companies, including Fortune 500 corporations, often through temporary staffing companies or other contracting organizations."

The defendant, who was arrested in May 2024, has also been accused of running a laptop farm by hosting multiple laptops at her residence to give the impression that the North Korean workers were working from within the country, when, in reality, they were based in China and Russia and remotely connected to the companies' internal systems.

"As a result of the conduct of Chapman and her conspirators, more than 300 [website] companies were impacted, more than 70 identities of [website] person were compromised, on more than 100 occasions false information was conveyed to DHS, and more than 70 [website] individuals had false tax liabilities created in their name," the DoJ added.

The increased law enforcement scrutiny has led to an escalation of the IT worker scheme, with reports emerging of data exfiltration and extortion.

"After being discovered on business networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands," the [website] Federal Bureau of Investigation (FBI) stated in an advisory last month. "In some instances, North Korean IT workers have publicly released victim companies' proprietary code."

Derzeit haben unbekannte Angreifer verschiedene Windows- und Windows-Server-Versionen im Visier. Admins sollten sicherstellen, dass Windows improvement akt......

In der Opensource-Sicherheitsplattform Wazuh klaffte eine kritische Lücke, die Angreifern erlaubte, eigenen Code einzuschleusen und verwundbare Server......

Cyberangriffe bedrohen die Existenzen von Unternehmen und verursachen jährlich Schäden in Milliardenhöhe. Wohl dem, der für den Ernstfall gut aufgeste......