Tea

joined 3 days ago
 

Before the Oscars are handed out early March, the Motion Picture Association (MPA) has announced its own annual awards. Wicked director Jon Chu is a proud recipient, but the bulk of the accolades go to lawmakers and the U.S. Government's IPR Center, who helped to combat online piracy. Perhaps not coincidentally, those lawmakers could help to push a pirate site blocking bill over the line.

WTF!

 

Mozilla has just deleted the following:

“Does Firefox sell your personal data?”

“Nope. Never have, never will. And we protect you from many of the advertisers who do. Firefox products are designed to protect your privacy. That’s a promise.”

Source: Lunduke Journal.

 

A sustained campaign by U.S. authorities has led to the seizure of a growing number of pirate sports streaming domains. The IPR Center is now listed as the owner of dozens of .DEV domains, which were signed over as part of the seizure operation. Previously, close to a hundred .APP domains linked to piracy suffered the same fate.

 

It may seem like AI chatbots are taking over every digital application, whether we like it or not. You might have noticed more AI note-taking bots in online conferencing platforms, some of which offer end-to-end encryption (E2EE). Then Apple Intelligence plans were announced, promising application redesigns to offer AI features across its phone and laptop operating systems. The latest changes have come from Meta AI’s integration in WhatsApp, replete with “bots nobody wants.”

Any time new features are added to an E2EE messaging app, it raises concerns about privacy and security. So, what concerns are raised by the addition of AI bots? How can we evaluate those concerns? As AI becomes more embedded into encrypted services, is it possible to resolve the tension between the privacy users expect from E2EE and the data access needed for AI functionality? With our colleagues at Cornell and NYU, we set out to answer these questions.

We uncovered several facets of this question from both a technical and legal perspective and published a paper laying out practical recommendations for E2EE messaging platforms and regulators. It’s also important that we outline the practical solutions and recommendations for the public. You can read the full preprint paper here.

 
  • Cisco Talos discovered multiple cyber espionage campaigns that target government, manufacturing, telecommunications and media, delivering Sagerunex and other hacking tools for post-compromise activities.
  • Talos attributes these attacks to the threat actor known as Lotus Blossom. Lotus Blossom has actively conducted cyber espionage operations since at least 2012 and continues to operate today.
  • Based on our examination of the tactics, techniques, and procedures (TTPs) utilized in these campaigns, alongside the deployment of Sagerunex, a backdoor family used exclusively by Lotus Blossom, we attribute these campaigns to the Lotus Blossom group with high confidence.
  • We also observed Lotus Blossom gain persistence using specific commands to install their Sagerunex backdoor within the system registry and configuring it to run as a service on infected endpoints.
  • Lotus Blossom has also developed new variants of Sagerunex that not only use traditional command and control (C2) servers but also use legitimate, third-party cloud services such as Dropbox, Twitter, and the Zimbra open-source webmail as C2 tunnels.
 

A renewed attempt to introduce site blocking in the U.S. emerged in late January when U.S. Rep. Zoe Lofgren (D) introduced the Foreign Anti-Digital Piracy Act. The FADPA bill received the MPA's full support, and it now transpires that similar legislation is being prepared by U.S. Rep. Darrell Issa (R). A recent meeting to discuss the 'American Copyright Protection Act' was attended by Disney, Paramount, and Amazon, plus Google, YouTube, and Verizon.

 

The Russian influence operations Doppelganger and Operation Undercut utilized several tactics to spread content on X, TikTok, 9gag, and Americas Best Pics and Videos

The Russian disinformation operations known as Doppelganger and Operation Undercut promoted content attacking Ukraine, Europe, and the United States using nine different languages and four platforms. On X, thousands of accounts were created to post pro-Kremlin content in addition to promoting redirect links to fake media websites. The network relied on trending hashtags and bot-like accounts to share the content to reach wider audiences. On TikTok, at least twenty-four accounts posted hundreds of videos that garnered millions of views, often relying on AI-generated narration and content masking to evade detection. Identical video content also appeared on online platforms 9gag and Americas Best Pics and Videos.

Operation Doppelganger is a Russian malign information operation known for impersonating reputable media outlets, targeting users with fake articles that promote Russia’s narratives. The DFRLab, other organizations, tech companies, and governments have previously covered the operation’s multiple and ongoing iterations targeting various countries on different platforms since August 2022. Operation Undercut runs in parallel to Doppelganger, promoting similar narratives using AI-edited videos and images, along with screenshots from legitimate media outlets taken out of context to undermine Ukraine. The operation has been attributed to at least three sanctioned Russian companies, including the Social Design Agency, Structura and ANO “Dialog”, allegedly with support from cybercriminal syndicates such as the AEZA group.

We collected data from X between December 12, 2024, and February 12, 2025, and observed Doppelganger activity primarily in French, German, Polish, English, and Hebrew. We also found some content in Turkish, Polish, Ukrainian, and Russian. We observed three main types of Doppelganger posts: posts with four captioned images, posts with one video or infographic, and posts with links that redirect to Doppelganger websites. As of February 21, 2025, 95 percent of accounts associated with the four-captioned-image posts and 73 percent of accounts associated with the single video/image posts in our sample had been suspended by X.

 

Malware targeting macOS systems is increasingly pervasive in our current threat landscape. Most of the associated threats are cybercrime-related, ranging from information stealers to cryptocurrency mining. Over the past year, we have witnessed an increase in cybercrime activity linked to North Korean nation-state APT groups.

In line with the public service announcement issued by the FBI regarding North Korean social engineering attacks, we have also witnessed several such social engineering attempts, targeting job-seeking software developers in the cryptocurrency sector.

In this campaign, we discovered a Rust-based macOS malware nicknamed RustDoor masquerading as a legitimate software update, as well as a previously undocumented macOS variant of a malware family known as Koi Stealer. During our investigation, we observed rare evasion techniques, namely, manipulating components of macOS to remain under the radar.

The characteristics of these attackers are similar to those described in various reports over the past year of North Korean threat actors targeting other job seekers. We assess with a moderate level of confidence that this attack was carried out on behalf of the North Korean regime.

This article details the activity of attackers within compromised environments. It also provides a technical analysis of the newly discovered Koi Stealer macOS variant and depicts the different stages of the attack through the lens of Cortex XDR.

[–] Tea@programming.dev 8 points 3 days ago (1 children)

How do you discover providers on SimpleX?

 

Following the arrest of Telegram founder Pavel Durov in France last summer, some positive changes were reported. The criminal probe is not centered on piracy, but Telegram appeared more responsive. Some reported that the speed at which takedown requests were processed went from more than 24 hours to less than 20 minutes, for example.

In addition, Telegram updated its terms of service and privacy policy to clarify that, going forward, personal details of alleged infringers, including their IP addresses, would be handed over in response to valid legal requests.

This stricter policy was evident to outsiders as well. Telegram removed accounts of piracy-associated websites and services, after initially leaving these untouched for years. That included the official Z-Library channel, which had more than half a million subscribers at its peak.

Although Z-Library’s communication channel didn’t directly link to pirated books, it served as a key information hub, providing updates on new features and access methods. That was enough to warrant a permanent suspension last month.

The Telegram ban was a setback for Z-Library, but the shadow library wasted no time creating a new account and regaining tens of thousands of subscribers. Progress ground to a halt last weekend when the ‘new’ @zlibrary_news account was also suspended for copyright infringement.

“The channel is unavailable due to copyright infringement,” Telegram reports.


In addition to the main communication channel, one of the most used Z-Library download bots on Telegram was also taken offline. The @1lib account had more than 20,000 monthly users, who presumably used it as a handy tool to download books for free.

According to a Z-Library representative posting on X, Telegram took action in response to complaints from a major publisher. Many other ‘personal’ bots are unaffected and remain online for the time being.

[–] Tea@programming.dev 2 points 3 days ago

No problem, I will resubmit later. I used the wrong article link anyway.

 

Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name the initial payload renames itself to after installation.

The malware employs several methods to avoid detection, such as:

  • Using benign-looking file names
  • Hiding remote command and control (C2) connections using an advanced technique similar to the one used by the Symbiote malware family
  • Deploying proprietary encryption algorithms to hide communication and configuration information

Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software.

This article will cover aspects of this new Linux malware, including installation, obfuscation and evasion features. We will also discuss its capabilities and indicators of compromise (IoCs), to help others identify this threat on their systems too.
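The excerpt above does not say how Auto-color hides its C2 connections beyond comparing it to Symbiote. Symbiote is publicly documented as loading itself into every process via /etc/ld.so.preload and filtering what those processes read from /proc/net/tcp, so the connections exist in the kernel but vanish from tools like netstat. The script below is an added example, not code from Unit 42 or from the Auto-color report; it assumes that preload-style hiding is the mechanism in play. It parses /proc/net/tcp in the kernel's own hex format, diffs a trusted listing against one taken through a possibly hooked libc, and lists any ld.so.preload entries. The two listings and the library path are constructed sample data.

```python
"""Added example: detect TCP connections hidden from /proc/net/tcp and list preloaded libraries.

Assumption (not stated on the page): the malware hides connections the way Symbiote
does, by preloading a library that filters /proc/net/tcp reads. Sample data below is
constructed for the demonstration.
"""
import os

PRELOAD_PATH = "/etc/ld.so.preload"

# Subset of the state codes the kernel uses in /proc/net/tcp; others are reported raw.
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN", "06": "TIME_WAIT", "08": "CLOSE_WAIT"}

# Constructed sample in the real /proc/net/tcp layout: IPv4 addresses and ports are
# big-endian-looking hex fields, but the address bytes are stored little-endian.
KERNEL_VIEW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 0A0A0A0A:115C 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# What a hooked libc would hand back: the row for the attacker's port 4444 is filtered out.
HOOKED_VIEW = "\n".join(ln for ln in KERNEL_VIEW.splitlines() if ":115C " not in ln) + "\n"


def hex_to_addr(field):
    """Turn '0100007F:0016' into '127.0.0.1:22' (address bytes are little-endian)."""
    host, port = field.split(":")
    octets = [str(int(host[i:i + 2], 16)) for i in range(6, -1, -2)]
    return ".".join(octets) + ":" + str(int(port, 16))


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into (local, remote, state) tuples, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        state = TCP_STATES.get(fields[3], fields[3])
        rows.append((hex_to_addr(fields[1]), hex_to_addr(fields[2]), state))
    return rows


def hidden_connections(trusted_text, observed_text):
    """Rows present in the trusted listing but missing from the one read on the host."""
    observed = set(parse_proc_net_tcp(observed_text))
    return [row for row in parse_proc_net_tcp(trusted_text) if row not in observed]


def preload_entries(text):
    """Library paths in an ld.so.preload file (whitespace separated; normally empty or absent)."""
    return text.split()


def audit_live_host():
    """On a real Linux host, report any preloaded libraries; the file is normally absent."""
    if not os.path.exists(PRELOAD_PATH):
        return []
    with open(PRELOAD_PATH) as fh:
        return preload_entries(fh.read())


if __name__ == "__main__":
    for local, remote, state in hidden_connections(KERNEL_VIEW, HOOKED_VIEW):
        print(f"hidden: {local} -> {remote} ({state})")
    for lib in audit_live_host():
        print(f"preloaded library: {lib}")
```

The trusted listing has to come from somewhere the hook cannot reach: a statically linked tool, a forensic copy of the host's memory or a read of /proc/net/tcp from a sibling mount namespace. Running the parser inside the same process tree as the preloaded library only reproduces the filtered view, which is exactly why comparing two sources is the point of the check.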

 
  • There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms.
  • Many of the general recommendations related to the use of these platforms are tailored towards purchasing items; however, there are several threats to those selling items as well.
  • Recent phishing campaigns targeting sellers on these marketplaces have leveraged the platforms’ direct messaging feature(s) to attempt to steal credit card details for sellers’ payout accounts.
  • Shipment detail changes, pressure to conduct off-platform transactions, and attempted use of “friends and family” payment options are commonly encountered scam techniques, all of which seek to remove the seller protections usually afforded by these platforms.
  • There are several steps that sellers can take to help protect themselves and their data from these threats. Being mindful of the common scams and threats targeting sellers can help sellers recognize when they are being targeted by malicious buyers while it is happening, so that they can take defensive action to protect themselves.
 

This is pretty interesting:

The results highlight significant differences in browser security: while Google Chrome and Samsung Internet exhibited lower threat indices, Mozilla Firefox demonstrated consistently higher scores, indicating greater exposure to risks. These observations slightly contradict widespread opinion.
