Cybersecurity researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona “badbullzvenom.”

Moses Staff made its first appearance on the threat landscape in September 2021 with the goal of primarily targeting Israeli organizations. The geopolitical group is believed to be sponsored by the Iranian government.

Move over Lockbit, there’s a new ransomware-as-a-service (RaaS) player in town attacking the education sector—and its name is Vice Society. Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group.

The list of malware installed in these campaigns linked to the threat actor DEV-0569 so far includes RedLine Stealer, Gozi/Ursnif, Vidar, and potentially, Cobalt Strike and ransomware.

North Korean hackers known for cryptocurrency heists are expanding their targets to include education, government, and healthcare, according to researchers tracking the group.

Chinese 8220 Gang was seen targeting public cloud infrastructures and poorly secured applications with PwnRig miner and Tsunami IRC bot for cryptomining purposes. Its activities came to light after it attempted to infect one of Radware’s Redis honeypot…

The threat actors leverage compromised infrastructure in China, Taiwan, and Singapore to launch their attacks, while the intrusion vector observed by SentinelLabs is vulnerable MySQL database servers exposed online.

The arrival vector likely involves the exploitation of a public-facing website or abuse of compromised RDP credentials. The weaponized tool used is Cobalt Strike, which allows Vice Society to remotely access and control the infected endpoint.

Cybersecurity researchers say a Chinese for-profit threat group tracked as 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.

The latest findings from BlackBerry demonstrate an evolution in the group’s tactics, wherein a hard-coded Telegram channel is used to fetch the IP address of the server hosting the malware. The IP addresses are periodically rotated.