GroupIB_DFIR

149 posts

@GroupIB_DFIR

@GroupIB's #DFIR team. First-hand insights from battle-tested incident responders

Singapore · Joined October 2023
48 Following · 454 Followers

Pinned Tweet
GroupIB_DFIR @GroupIB_DFIR
Group-IB is the first to uncover a real-world bank heist where threat actor #UNC2891 used a 4G-enabled Raspberry Pi to create physical access to breach the bank’s ATM infrastructure, evading defenses with stealth #Linux backdoors. #ThreatIntel
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
Fake shipment tracking #scams are rapidly scaling across the #MEA region, exploiting the 161B annual parcel volume that fuels global e-commerce. Attackers use Sender ID spoofing to insert #phishing messages directly into legitimate courier SMS threads, claiming failed deliveries. Victims who click to "update address details" or "pay small fees" are led to pages stealing both credentials and payment data in a two-stage theft process. #ThreatIntel
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
Threat actors behind #GTFire are systematically abusing Google's trusted infrastructure to evade detection at scale. By chaining Google Firebase hosting with Google Translate's proxy, they create a multi-stage redirect chain that obfuscates final phishing destinations. The translate.goog layer acts as a "phishing shield," leveraging Google's reputation to bypass email security filters and web gateways, with the malicious *.web.app domain only visible deep in the network traffic. #Phishing #ThreatIntel
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
🚨 Tracking the Rise of Chinese Tap-to-Pay Android Malware

Tap-to-pay fraud is no longer limited to stolen cards or physical proximity. Threat actors are now abusing NFC-enabled #Androidmalware to relay #paymentdata in real time, enabling remote, contactless fraud at scale. Our latest research uncovers how Chinese #cybercrime communities are industrializing this technique and turning it into a fully operational fraud ecosystem.

Key Highlights:
🔹 Over 54 NFC-enabled Android malware samples identified, designed to relay payment APDUs remotely
🔹 Multiple Telegram-based vendors offering tap-to-pay malware as a service, complete with subscriptions, support, and custom regional builds
🔹 At least $355,000 in fraudulent transactions linked to a single illicit POS vendor between Nov 2024 and Aug 2025
🔹 #Smishing and #vishing campaigns actively used to trick victims into installing malware and tapping their cards
🔹 Mule networks and compromised mobile wallets enabling global, card-present fraud without physical cards

Alongside these findings, the research provides in-depth technical analysis of TX-NFC, #NFU, and related variants, examining code overlaps, cash-out infrastructure, and key defensive considerations for #financialinstitutions and payment networks. Read the full research now: link.group-ib.com/3Li56bI
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
🚨 Bloody Wolf Expands Across Central Asia 🚨

Since June 2025, Group-IB analysts have been tracking a rapidly evolving campaign by #BloodyWolf, an #APTGroup weaponizing trusted government identities to deliver lightweight but highly effective JAR-based loaders. By impersonating Ministries of Justice and abusing legitimate remote-access software like #NetSupport Manager, the group has quietly scaled its operations from Kyrgyzstan to Uzbekistan, supported by geo-fenced infrastructure, tailored lures, and a custom JAR generator designed for stealth and persistence.

Our latest technical blog provides a deep dive into:
🔹 Their #spearphishing techniques and localized PDF lures
🔹 How custom JAR loaders deploy NetSupport RAT
🔹 Infrastructure masquerading as #government portals
🔹 Multi-layered persistence and evasion methods
🔹 IOCs, MITRE mapping, and defensive recommendations

Bloody Wolf shows how low-cost tools and precise #SocialEngineering can evolve into regionally impactful cyber operations. Read the full analysis: link.group-ib.com/49YTwfF
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
A coordinated scam campaign is spreading across several regions, including Latin America, using fake news pages and #deepfakes to promote alleged investment platforms. Goal? To steal personal and payment data by exploiting politically sensitive periods, such as pre- and post-election moments. #ScamAlert
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
Adversaries can bind-mount a manipulated workspace over /proc/<pid> to rewrite what tools like ps/top show, renaming #malicious processes into benign tokens and sabotaging initial triage. We reproduce this technique end-to-end in our lab walkthrough. #CyberSecurity
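As an added illustration for the post above (example code written for this page, not Group-IB's lab walkthrough), here is a triage check that parses /proc/self/mountinfo records and flags any filesystem mounted on top of a /proc/<pid> path, which a clean host never has. The sample records are constructed; on a real host, pass `open('/proc/self/mountinfo')` to `find_proc_overlays`.

```python
import re
from typing import Dict, Iterable, List, Optional
# /proc/<pid> or /proc/<pid>/...: something is mounted over a process's own /proc
# entry, and ps/top read those files, so triage sees the mount, not the process.
PID_MOUNT_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

def _unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\040 \\011 \\012 \\134."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo_line(line: str) -> Optional[Dict[str, str]]:
    """Split one /proc/self/mountinfo record; ' - ' ends the variable optional fields."""
    head, sep, tail = line.strip().partition(" - ")
    hf, tf = head.split(), tail.split()
    if not sep or len(hf) < 6 or len(tf) < 2:
        return None
    return {
        "root": _unescape(hf[3]),         # path inside the source fs that was mounted
        "mount_point": _unescape(hf[4]),  # where it landed in this mount namespace
        "fstype": tf[0],
        "source": _unescape(tf[1]),
    }

def find_proc_overlays(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every mount sitting on a /proc/<pid> path. A clean host returns [].
    Read mountinfo from the host's initial mount namespace (a forensic shell on
    the host, not inside a container), or a per-namespace mount will not show."""
    hits = []
    for line in lines:
        rec = parse_mountinfo_line(line)
        if rec is None:
            continue
        match = PID_MOUNT_RE.match(rec["mount_point"])
        if match:
            rec["pid"] = match.group(1)
            hits.append(rec)
    return hits

# Constructed sample: two legitimate /proc mounts followed by three overlays.
SAMPLE_MOUNTINFO = [
    "22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw",
    "25 22 0:22 / /proc/sys/fs/binfmt_misc rw,relatime shared:9 - autofs systemd-1 rw",
    "410 22 8:1 /tmp/fake/1337 /proc/1337 rw,relatime shared:1 - ext4 /dev/sda1 rw",
    "411 22 0:45 / /proc/4242 rw,relatime - tmpfs tmpfs rw,size=65536k",
    "412 22 0:46 /status /proc/99/status rw,relatime - tmpfs tmpfs rw",
]
if __name__ == "__main__":
    for h in find_proc_overlays(SAMPLE_MOUNTINFO):
        print(f"pid {h['pid']}: {h['mount_point']} <- {h['fstype']} {h['source']}:{h['root']}")
```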
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
🚨 #LockBit has unveiled LockBit 5.0, timed with the 6th anniversary of its affiliate program in a bid to regain market share. Early reporting suggests a modular architecture, faster multi-threaded encryption, enhanced EDR bypass techniques, and updated affiliate incentives.
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
#InvestmentScam platforms are run by sophisticated multi-actor networks, not lone operators. Our analysis breaks down the roles of Masterminds, Target Intelligence, Backend Operators, and Payment Handlers that enable these fraud campaigns. Discover how these ecosystems operate and how you can detect them. #CyberCrime #FinSec
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
🎯 Cybercriminals don’t need to hack your system. They just need to hack your trust. From fake job offers to “verified account” messages, social media has become a playground for scammers who prey on emotion, urgency, and curiosity. Understanding how these tactics work is the first step in stopping them. Our latest carousel breaks down the most common social media scams and how to stay ahead of them. Think before you click. Verify before you trust. #CyberSecurityAwarenessMonth #GroupIB #FraudProtection #OnlineSafety #FightAgainstCybercrime #CyberSecurity #OnlineScams #SocialMedia
GroupIB_DFIR retweeted
Group-IB Threat Intelligence @GroupIB_TI
Group-IB Threat Intelligence uncovered a global espionage operation by #MuddyWater (TA450). MuddyWater targeted international organizations and more than 100 governments worldwide to gather foreign intelligence using the Phoenix v4 malware #phishingawareness
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
Can you trust the voice on the other end? #Cybercriminals are leveraging accessible #AI voice cloning platforms, needing only seconds of public audio, combined with telecom SS7/PSTN vulnerabilities for caller ID spoofing to execute highly convincing Vishing attacks. Explore technical analysis of real-world incidents, including a $243K UK scam and an $18.5M Hong Kong stablecoin theft, and learn actionable defense strategies for telecom providers and enterprises to counter AI-driven #SocialEngineering. Download the report to understand how to defend against #Deepfake enabled fraud: link.group-ib.com/3IzDe1p
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
Group-IB provided critical investigative intelligence supporting @INTERPOL_HQ’s #OperationContender 3.0, a successful multinational cybercrime takedown across Africa. The operation resulted in law enforcement agencies across 14 countries arresting 260 suspects and the seizure of 1,235 electronic devices linked to 81 cybercriminal infrastructures. These networks, involved in #RomanceScams and #sextortionschemes, caused nearly US$2.8 million in financial losses affecting 1,463 identified victims. Our collaboration with international law enforcement underscores a shared commitment to dismantling criminal operations that cause both financial devastation and profound psychological harm. This operation highlights the critical importance of public-private partnerships in the ongoing fight against cybercrime. Read the full press release for detailed insights: link.group-ib.com/4nqyJW6 #INTERPOL #ThreatIntelligence
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
Between July 24 and August 7, 2025, we observed a 241% surge in #Hacktivist attacks, with 139 incidents linked to 19 distinct groups (11 pro-Cambodian, 8 pro-Thai). The conflict saw a clear division in targeting: Cambodian groups focused on Thai government, education, and healthcare sectors, while Thai groups retaliated against Cambodian government, banking, and education systems. #DDoS attacks constituted the vast majority (103 out of 139) of the offensive operations. Our report provides unique actor profiles, details their TTPs, and offers actionable defense strategies against DDoS, website defacement, and data leak campaigns. Understand the cyber front of modern #Geopolitical conflict. Read the full analysis: link.group-ib.com/4mOJjpp #ThreatIntelligence #Cybersecurity #CyberWarfare #ThreatResearch
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
From live #deepfakes to scam call centers powered by synthetic voices, #AI is no longer hype—it’s already embedded in cybercrime workflows. According to a report by Resemble AI, in just Q2 2025, deepfake fraud alone caused $350M in damages. Threat actors are scaling impersonation, #phishing, and fraud with AI as a force multiplier.
GroupIB_DFIR retweeted
Group-IB Threat Intelligence @GroupIB_TI
Since 2023, #ShadowSilk has targeted government entities across Central Asia & #APAC. Our investigation uncovered direct infrastructure & toolset overlaps with the known group #YoroTrooper, linking these campaigns to a broader, ongoing operation focused on data exfiltration. #APT
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
Group-IB is proud to have supported @INTERPOL_HQ's #OperationSerengeti 2.0, a large-scale multinational crackdown on cybercrime conducted between June and August 2025. Investigators from 18 #African countries and the #UnitedKingdom took part in the operation, which led to the arrest of 1,209 cybercriminals who targeted nearly 88,000 victims worldwide. The coordinated efforts also resulted in US $97.4 million being recovered and 11,432 malicious infrastructure and networks dismantled that were used to facilitate #ransomwareattacks, online scams, and business email compromise (BEC). Read more: link.group-ib.com/478Q14F
GroupIB_DFIR retweeted
Group-IB Global @GroupIB
#FraudMule operators in the #META region have shifted tactics rapidly. Group-IB analysis of 200M+ mobile sessions outlines six evolutionary stages, from VPN obfuscation to physical device muling, and the countermeasures that neutralized each step. #Cybersecurity
GroupIB_DFIR @GroupIB_DFIR
From custom toolkits to anti-forensics, UNC2891 shows what modern bank heists look like. Dive into Group-IB’s full investigation to learn how we exposed them and how you can defend against such threats: link.group-ib.com/3UywMKg
GroupIB_DFIR @GroupIB_DFIR
UNC2891’s goal? To deploy CAKETAP, a #Rootkit designed to spoof HSM responses and authorize fake #ATM withdrawals. Classic financial motivation—executed with modern precision.