"Cybersecurity researchers have disclosed a new iteration of the ongoing Contagious Interview campaign, where the North Korean threat actors have published a set of 26 malicious packages to the npm registry.

The packages masquerade as developer tools, but contain functionality to extract the actual command-and-control (C2) by using seemingly harmless Pastebin content as a dead drop resolver and ultimately drop a developer-targeted credential stealer and remote access trojan. The C2 infrastructure is hosted on Vercel across 31 deployments.

The campaign, tracked by Socket and kmsec.uk's Kieran Miyamoto, is being tracked under the moniker StegaBin.

"The loader extracts C2 URLs steganographically encoded within three Pastebin pastes, innocuous computer science essays in which characters at evenly-spaced positions have been replaced to spell out hidden infrastructure addresses," Socket researchers Philipp Burckhardt and Peter van der Zee said."

https://thehackernews.com/2026/03/north-korean-hackers-publish-26-npm.html

#CyberSecurity #NorthKorea #StateHacking #NPM

North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT

North Korean-linked campaign publishes 26 malicious npm packages hiding C2 in Pastebin, deploying credential stealers & RAT via 31 Vercel deployments.

The Hacker News
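The dead-drop scheme quoted above is simple enough to reproduce end to end. The block below is an added example written for this page, not code from the article or from the StegaBin packages, in JavaScript because the loader in question ships inside npm packages. It shows how an innocuous essay can carry a C2 URL at evenly spaced character positions, the extraction step a loader would run, and a defender-side scan that recovers the parameters by brute force. The cover text, the sample URL (a reserved `.invalid` name, not a real indicator), the stride of 7, the offset of 3 and the space terminator are all constructed assumptions; the real pastes, stride and encoding details are not on this page.

```javascript
// Added example, not the StegaBin loader's own code: a "dead drop" essay that
// carries a C2 URL at evenly spaced character positions, the extraction step a
// loader would run, and a brute-force scan a defender can use to recover the
// parameters. Stride, offset, terminator, cover text and URL are assumptions.

// Constructed cover text standing in for an innocuous computer-science essay.
const COVER_TEXT =
  "Sorting algorithms are usually compared by their asymptotic running time, " +
  "but constant factors, cache behaviour and the cost of comparisons matter in " +
  "practice. Merge sort guarantees n log n comparisons and is stable, while " +
  "quicksort is faster on average yet degrades to quadratic time on adversarial " +
  "input unless the pivot is chosen carefully. Heap sort needs no extra memory. " +
  "Radix sort sidesteps comparisons entirely by bucketing keys digit by digit.";

// Assumed encoding parameters: a loader would carry these as constants.
const STRIDE = 7;        // distance between carrier positions (assumption)
const OFFSET = 3;        // index of the first carrier position (assumption)
const TERMINATOR = " ";  // marks the end of the hidden string (assumption)

// Overwrite every STRIDE-th character from OFFSET with the secret's characters,
// followed by the terminator, so the carrier stays the same length and shape.
function embed(cover, secret, stride = STRIDE, offset = OFFSET) {
  const payload = secret + TERMINATOR;
  const needed = offset + (payload.length - 1) * stride + 1;
  if (cover.length < needed) {
    throw new Error(`cover text too short: need ${needed} chars, have ${cover.length}`);
  }
  const chars = cover.split("");
  for (let i = 0; i < payload.length; i++) chars[offset + i * stride] = payload[i];
  return chars.join("");
}

// Loader side: read the characters at the carrier positions until the terminator.
function extract(text, stride = STRIDE, offset = OFFSET) {
  let out = "";
  for (let pos = offset; pos < text.length; pos += stride) {
    if (text[pos] === TERMINATOR) return out;
    out += text[pos];
  }
  return out;
}

// Defender side: the hidden string is a URL, so its start is known plaintext.
// Try every (stride, offset) pair up to maxStride and report any that decode
// to something shaped like a URL. The scheme prefix makes false hits unlikely.
function findHiddenUrls(text, maxStride = 16) {
  const hits = [];
  for (let stride = 2; stride <= maxStride; stride++) {
    for (let offset = 0; offset < stride; offset++) {
      const candidate = extract(text, stride, offset);
      if (/^https?:\/\/\S{4,}$/.test(candidate)) hits.push({ stride, offset, url: candidate });
    }
  }
  return hits;
}

// Demo on the constructed inputs (sample URL uses a reserved .invalid domain).
const SAMPLE_URL = "https://c2.example.invalid/beacon";
const stegoText = embed(COVER_TEXT, SAMPLE_URL);
console.log("loader extracts:", extract(stegoText));
console.log("scan recovers:", findHiddenUrls(stegoText));
```

The scan works because the hidden string has a predictable prefix; the same idea applies to any dead drop where the payload has a known shape (a URL, a base64 blob, a hex-encoded address). In practice a paste that reads oddly, with stray punctuation or case changes at regular intervals, is the visible artifact to look for, and a package that fetches Pastebin content at install time is a stronger signal than anything in the paste itself.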

"Google on Thursday said it observed the North Korea-linked threat actor known as UNC2970 using its generative artificial intelligence (AI) model Gemini to conduct reconnaissance on its targets, as various hacking groups continue to weaponize the tool for accelerating various phases of the cyber attack life cycle, enabling information operations, and even conducting model extraction attacks.

"The group used Gemini to synthesize OSINT and profile high-value targets to support campaign planning and reconnaissance," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. "This actor's target profiling included searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information."

The tech giant's threat intelligence team characterized this activity as a blurring of boundaries between what constitutes routine professional research and malicious reconnaissance, allowing the state-backed actor to craft tailored phishing personas and identify soft targets for initial compromise.

UNC2970 is the moniker assigned to a North Korean hacking group that overlaps with a cluster that's tracked as Lazarus Group, Diamond Sleet, and Hidden Cobra. It's best known for orchestrating a long-running campaign codenamed Operation Dream Job to target aerospace, defense, and energy sectors with malware under the guise of approaching victims under the pretext of job openings.

GTIG said UNC2970 has "consistently" focused on defense targeting and impersonating corporate recruiters in their campaigns, with the target profiling including searches for "information on major cybersecurity and defense companies and mapping specific technical job roles and salary information.""

https://thehackernews.com/2026/02/google-reports-state-backed-hackers.html

#CyberSecurity #Gemini #AI #GenerativeAI #Google #NorthKorea #OSINT #StateHacking

Google Reports State-Backed Hackers Using Gemini AI for Recon and Attack Support

Google finds nation-state hackers abusing Gemini AI for target profiling, phishing kits, malware staging, and model extraction attacks.

The Hacker News

"A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++.

The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7.

The development comes shortly after Notepad++ maintainer Don Ho said that a compromise at the hosting provider level allowed threat actors to hijack update traffic starting June 2025 and selectively redirect such requests from certain users to malicious servers to serve a tampered update by exploiting insufficient update verification controls that existed in older versions of the utility.

The weakness was plugged in December 2025 with the release of version 8.8.9. It has since emerged that the hosting provider for the software was breached to perform targeted traffic redirections until December 2, 2025, when the attacker's access was terminated. Notepad++ has since migrated to a new hosting provider with stronger security and rotated all credentials."

https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html

#CyberSecurity #Notepad #China #OpenSource #StateHacking

Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

Rapid7 links China-linked Lotus Blossom to a 2025 Notepad++ hosting breach that delivered the Chrysalis backdoor via hijacked updates, fixed in v8.8.9

The Hacker News

"The hackers behind a cyberattack that targeted Poland's grid infrastructure in December disabled communication devices for at least 30 sites across a number of energy facilities in different parts of the country.

The hackers succeeded in disabling the communication systems, known as remote terminal units or RTUs, that are used to monitor and control other equipment, and they were able to render the RTUs inoperable and beyond repair. But they did not cause an outage or otherwise have an impact on generation and transmission equipment at these nearly three dozen sites, according to Dragos, a US-based company that participated in the forensic investigation of one of the entities that was hit in the attack.

Most of the devices they targeted were not directly part of control infrastructure, Dragos says, but were instead systems related to grid safety and stability monitoring rather than active generation control. Nonetheless, the systems the attackers targeted do play a role in monitoring functions and maintaining grid stability, and had the attackers gained full operational control of these systems, could have created an impact that would have been "significantly different," Dragos notes. Dragos also says the attack appears to have been "opportunistic" rather than fully targeted and well planned.

The sites that were impacted are managed by several energy entities, including two combined-heat-and-power plants and a number of facilities used to manage the dispatch of renewable energy from wind and solar sites. Dragos did not identify which entity was part of its investigation."

https://www.zetter-zeroday.com/attack-against-polands-grid-disrupted-communication-devices-at-about-30-sites/

#CyberSecurity #CyberWarfare #Poland #StateHacking #GridInfrastructure #Energy

Attack Against Poland's Grid Disrupted Communication Devices at About 30 Sites


ZERO DAY

"A cyberattack that targeted power plants and other energy producers in Poland at the end of December used malware known as a “wiper” that was intended to erase computers, in an operation that was intended to cause a power outage and other disruption to services, says European security firm ESET, which obtained a copy of the malware used in the attack.

Wipers are designed to delete or overwrite critical files on a computer in order to render them inoperable. They have been used extensively by Russia against targets in Ukraine before and during its current war with that country.

Robert Lipovsky, principal threat intelligence researcher for the Slovakian firm, whose team has examined the malware – which they're calling DynoWiper – says the operation is “unprecedented” in Poland, since past cyberattacks targeting that country were not disruptive in nature or intent.

“Pulling off a disruptive cyberattack against the Polish energy sector is a big deal,” he told Zero Day.

Although the attack was thwarted, Polish authorities have stated that if successful it could have taken out power to 500,000 people in Poland. Polish officials haven't revealed how the hackers pulled off the attack or how officials determined the intent was to be disruptive or destructive, but the use of a wiper supports a conclusion that this was the intent of the attack.

Officials there have attributed the attack to Russia, and Lipovsky says his team concurs."

https://www.zetter-zeroday.com/cyberattack-targeting-polands-energy-grid-used-a-wiper/

#CyberWarfare #CyberSecurity #Poland #Russia #StateHacking #EnergyGrid

Cyberattack Targeting Poland’s Energy Grid Used a Wiper


ZERO DAY

"Germany’s government is preparing to give its foreign intelligence service, the Bundesnachrichtendienst (BND), far broader powers over online surveillance and hacking than it has ever had before.

A draft amendment to the BND Act, circulated by German media, would transform the agency’s reach by authorizing it to break into foreign digital systems, collect and store large portions of internet traffic, and analyze those communications retroactively.

At the core of this plan is Frankfurt’s DE-CIX internet exchange, one of the largest data junctions on the planet.

For thirty years, global traffic has passed through this node, and for just as long, the BND has quietly operated there under government supervision, scanning international data streams for intelligence clues.

Until now, this monitoring has been limited. The agency could capture metadata such as connection records, but not the full content of messages, and any data collected had to be reviewed and filtered quickly.

The proposed legal reform would overturn those restrictions.

The BND would be permitted to copy and retain not only metadata but also entire online conversations, including emails, chats, and other content, for up to six months."

https://reclaimthenet.org/germany-bnd-surveillance-law-expansion-de-cix-data-retention-hacking

#Germany #EU #Surveillance #Metadata #DataRetention #StateHacking

"Cisco’s Networking Academy, a global training program designed to educate IT students in the basics of IT networks and cybersecurity, proudly touts its accessibility to participants around the world: “We believe education can be the ultimate equalizer, enabling anyone, regardless of background, to develop expertise and shape their destiny in a digital era,” reads the first line on its website.

That laudable statement, however, reads a bit differently when the “destiny” of those students appears to be owning a majority stake in companies linked to one of the most successful Chinese state-sponsored hacking operations ever to target the West—and many of Cisco's own products.

That's the surprising conclusion of Dakota Cary, a researcher at cybersecurity firm SentinelOne and the Atlantic Council, who, like many security analysts, has closely tracked the Chinese state-sponsored hacker group known as Salt Typhoon. That cyberespionage group gained notoriety last year when it was revealed that the hackers had penetrated at least nine telecom companies and gained the ability to spy on Americans’ real-time calls and texts, specifically targeting then-presidential and vice presidential candidates Donald Trump and JD Vance, among many others."

https://www.wired.com/story/2-men-linked-to-chinas-salt-typhoon-hacker-group-likely-trained-in-a-cisco-academy/

#CyberSecurity #China #SaltTyphoon #StateHacking #Cisco #CiscoAcademy

2 Men Linked to China’s Salt Typhoon Hacker Group Likely Trained in a Cisco ‘Academy’

The names of two partial owners of firms linked to the Salt Typhoon hacker group also appeared in records for a Cisco training program—years before the group targeted Cisco’s devices in a spy campaign.

WIRED

"The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the United States earlier this year on an indictment charging her for her actions supporting CyberArmyofRussia_Reborn (CARR). Today, Dubranova was arraigned on a second indictment charging her for her actions supporting NoName057(16) (NoName). Dubranova pleaded not guilty in both cases, and is scheduled to begin trial in the NoName matter on Feb. 3, 2026 and in the CARR matter on April 7, 2026.

As described in the indictments, the Russian government backed CARR and NoName by providing, among other things, financial support. CARR used this financial support to access various cybercriminal services, including subscriptions to distributed denial of service-for-hire services. NoName was a state-sanctioned project administered in part by an information technology organization established by order of the President of Russia in October 2018 that developed, along with other co-conspirators, NoName’s proprietary distributed denial of service (DDoS) program.

“Politically motivated hacktivist groups, whether state-sponsored like CARR or state-sanctioned like NoName, pose a serious threat to our national security, particularly when foreign intelligence services use civilians to obfuscate their malicious cyber activity targeting American critical infrastructure as well as attacking proponents of NATO and U.S. interests abroad,” said First Assistant U.S. Attorney Bill Essayli for the Central District of California."

https://www.justice.gov/opa/pr/justice-department-announces-actions-combat-two-russian-state-sponsored-cyber-criminal

#CyberCrime #CyberSecurity #Russia #StateHacking #DDoS #USA #Hacktivism

Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups


"Cybersecurity researchers have shed light on a mobile forensics tool called Massistant that's used by law enforcement authorities in China to gather information from seized mobile devices.

The hacking tool, believed to be a successor of MFSocket, is developed by a Chinese company named SDIC Intelligence Xiamen Information Co., Ltd., which was formerly known as Meiya Pico. It specializes in the research, development, and sale of electronic data forensics and network information security technology products.

According to a report published by Lookout, Massistant works in conjunction with a corresponding desktop software, allowing for access to the device's GPS location data, SMS messages, images, audio, contacts, and phone services."

https://thehackernews.com/2025/07/chinas-massistant-tool-secretly.html

#China #Surveillance #CyberSecurity #Hacking #StateHacking #PoliceState

China's Massistant Tool Secretly Extracts SMS, GPS Data, and Images From Confiscated Phones

China’s Massistant tool collects mobile data via USB or Wi-Fi, targeting Android and iOS users. Used by law enforcement.

The Hacker News

"China’s state-owned aircraft maker had just announced the Western engine it had chosen for its new aircraft.

One month later, in January 2010, American cyber researchers started to see the “preparatory activity” of a Chinese hacking group focusing on an American turbine company that made a part needed for jet engines.

For years afterwards, a division of China’s intelligence apparatus could be seen trying to steal engine design information from Western companies. By 2017 and 2018, the US government had opened indictments – with convictions to follow – against figures in the US and China trying to steal Western aerospace information.

The subterfuge, now largely forgotten by the public, is an essential chapter in the origin story of the C919, which was developed to compete with two of the world’s most widely used passenger aircraft – the Boeing 737 and the Airbus A320neo. It was also the foundation of establishing the Commercial Aircraft Corporation of China (COMAC) as a serious player in the global commercial aviation market.

The C919 is now in regular production, and it’s taking its first steps in aiding China’s systematic efforts to both develop its aerospace industry and to produce a viable passenger aircraft.

But years after concerns were raised over Chinese intellectual property theft, few of the affected parties are keen to talk openly about the alleged cyber-espionage."

https://www.smh.com.au/business/companies/prisoner-s-dilemma-how-china-is-using-the-west-to-break-an-aviation-duopoly-20250530-p5m3ir.html

#China #Boeing #Airbus #COMAC #C919 #IPTheft #StateHacking #CyberSecurity

‘Prisoner’s dilemma’: How China is using the West to try and rule the skies

China’s Great Leap Skyward has the potential to shake up global aviation, but first its premier commercial airliner must fully get off the ground.

The Sydney Morning Herald