Group-IB
Your daily source of cybersecurity news brought to you by Group-IB, one of the global industry leaders.
🚨 New Threat Report Released: UNC2891 — ATM Threats Never Die

A financially motivated threat actor infiltrated banking networks using a Raspberry Pi connected to an ATM switch, deployed custom malware like CAKETAP and SLAPSTICK, and maintained undetected access for years.

From DNS tunneling to money mule recruitment via Telegram, see how modern attackers operate.

🔗 Get the full breakdown of UNC2891’s TTPs, malware analysis, and incident response insights.

#CyberSecurity #ThreatIntelligence #ATMThreats #FinancialSecurity
🔥12
🚨Bloody Wolf Expands Across Central Asia 🚨

Since June 2025, Group-IB analysts have been tracking a rapidly evolving campaign by Bloody Wolf, an APT group weaponizing trusted government identities to deliver lightweight but highly effective JAR-based loaders.

By impersonating Ministries of Justice and abusing legitimate remote-access software like NetSupport Manager, the group has quietly scaled its operations from Kyrgyzstan to Uzbekistan, supported by geo-fenced infrastructure, tailored lures, and a custom JAR generator designed for stealth and persistence.

Key highlights:
🔹 Their spear-phishing techniques and localized PDF lures
🔹 How custom JAR loaders deploy NetSupport RAT
🔹 Infrastructure masquerading as government portals
🔹 Multi-layered persistence and evasion methods
🔹 IOCs, MITRE mapping, & defensive recommendations

Bloody Wolf shows how low-cost tools & precise social engineering can evolve into regionally impactful cyber operations. Read the full analysis.

#CyberSecurity #BloodyWolf
❤10🔥1
🚨 New launch: Fraud moves fast. Now defense does too.

Announcing the Cyber Fraud Intelligence Platform: real-time, privacy-preserving fraud intelligence sharing for banks, payment providers, e-commerce, gaming, and telecoms.
🔹 Share risk signals on suspicious activity, not just confirmed fraud.
🔹 Stop APP fraud & mule networks before funds are lost.
🔹 GDPR-compliant, Bureau Veritas verified.
🔹 Personal data never leaves your organization.

Collective problem. Collective defense.

📄 Read the press release here.
🔗 Learn more.

#CFIP #Cybersecurity #GDPR #AppFraud
🔥9❤2👍2
Group-IB’s latest threat report exposes the full scale of GoldFactory’s mobile fraud operation, one of the most technically advanced campaigns currently targeting APAC.

Key insights:
🔹 A surge of 300+ modified banking apps, patched with injected modules to bypass security and retain full legitimate functionality
🔹 Over 11,000 device infections traced through Group-IB Fraud Protection telemetry
🔹 A unified ecosystem of loaders (Gigabud, Remo, MMRat) delivering secondary payloads such as SkyHook
🔹 New Gigaflower variant features experimental OCR and QR code scanning to auto-extract ID card data.
🔹 Infrastructure overlaps linking open directories and shared S3 buckets hosting malicious binaries

This report reveals how GoldFactory has industrialized mobile fraud by weaponizing legitimate apps and what defenders need to know now. Read the full analysis.

#MobileBanking #CyberSecurity #APACThreats #BankingMalware #GoldFactory
❤7🔥5
As digital lending accelerates in Uzbekistan, cybercriminals are exploiting verification gaps, low financial awareness, and social engineering to weaponize online credit services at scale, turning personal identity into a profitable attack surface.

Key Highlights:
🔹 Online credit fraud cases surged 42% in 2024 compared to 2023
🔹 34% of incidents involved fraudsters posing as bank or government officials
🔹 Microcredits are approved using stolen passport, FaceID, and OTP data
🔹 Scammers deploy Telegram bots and SMS-stealers to bypass authentication
🔹 New regulations now allow victims to be exempt from repaying fraudulent loans

Our latest analysis breaks down the evolving fraud ecosystem, the social engineering tactics behind it, and the controls financial institutions must implement to stay ahead.

Read the full report here.

#FraudIntelligence #ThreatIntel #DigitalFraud #SocialEngineering #CyberSecurity
πŸ‘6❀3πŸ”₯3
Group-IB’s Red Team has identified two previously unknown zero-day vulnerabilities in widely used enterprise platforms: Cisco UCCX and IBM Sterling.

Following responsible disclosure, both vendors validated the findings and released security updates to protect their customers.

This discovery highlights the strength of Group-IB’s approach to rigorous, dependable, and attributable analysis. By leveraging deep empirical threat intelligence to replicate highly advanced attacks, our teams reveal critical risks that many other security assessments overlook.

Full technical details are available in our press release.

#CyberSecurity #ZeroDay #VulnerabilityAssessment #ThreatIntelligence #EnterpriseSecurity #SecurityUpdates #FightAgainstCybercrime
❤14👍1
🚨Android-based financial fraud in Uzbekistan has entered a new stage of operational maturity, with threat actors shifting from simple SMS stealers to sophisticated, multi-stage infection chains built around stealthy droppers, advanced obfuscation, and automated infrastructure.

Key Highlights:
🔹 Over $2M stolen by a single tracked group since January 2025
🔹 Two primary dropper families, MidnightDat and RoundRift, were identified using native decryption and encrypted asset storage.
🔹 Wonderland, a new SMS stealer with bidirectional WebSocket C2, enables real-time command execution, SMS sending, and USSD control.
🔹 Telegram remains the central distribution channel, fueled by stolen sessions sold on dark web markets.
🔹 Thousands of unique samples generated through automated build pipelines to evade signature-based detection

🔗 Read the full analysis here.

#ThreatIntelligence #AndroidMalware
πŸ‘10πŸ”₯3
💸 “Easy money. Simple tasks. Work from your phone.”

Our latest analysis exposes a coordinated wave of fake online job ads sweeping across the Middle East and Africa region. These aren't isolated scams; they are a large-scale, organized operation exploiting the demand for remote work to steal personal data and funds.

Key insights from our investigation:
🔹 Over 1,500 fraudulent job ads identified in 2025, impersonating trusted e-commerce platforms, banks, and even government ministries.
🔹 Ads are highly localized, using Arabic dialects and regional currencies to appear authentic.
🔹 Victims are funneled from social media into private Telegram and WhatsApp groups, where sensitive information and upfront “deposits” are collected.
🔹 The scam infrastructure includes fake registration portals, cloned branding, and repeat behavioral patterns among attackers.

Read More.

#CyberSecurity #OnlineScams #MENA #Phishing #DigitalRisk #FraudPrevention #ThreatIntelligence
🔥11❤2👍2
🚨 Tap-to-pay fraud has evolved into a remote, industrialized threat. Chinese cybercrime groups are now selling NFC relay malware on Telegram, enabling real-time payment fraud from anywhere in the world.

Our latest research breaks down the full ecosystem, from malware vendors and illicit POS terminals to mule networks, and provides technical analysis of key families like TX-NFC and NFU.

Learn how this threat works and how to defend against it. 🔗 Read the full report.

#CyberSecurity #MalwareAnalysis #NFCFraud #AndroidSecurity #FraudPrevention #ThreatIntelligence #FightAgainstCybercrime
❤5👍2🔥1
Most organizations are stuck in survival mode. Real resilience is achieved when we move beyond reaction to planning ahead with real-world threat intelligence.

Gartner report highlights:
🔹 90% of attacks will exploit known vulnerabilities by 2028
🔹 Most can be prevented with strategic Threat Intelligence
🔹 Threat intelligence reduces MTTD & MTTR and strengthens overall readiness.

Download the report.

#ThreatIntelligence #CyberSecurity #IncidentResponse #CyberAwareness #GartnerReport
❤5