Connect with us

CyberSecurity

From Malware Hunter to Drone Hacker: The New Mission of Cybersecurity Legend Mikko Hyppönen

Published

on

From Malware Hunter to Drone Hacker: The New Mission of Cybersecurity Legend Mikko Hyppönen

For over three decades, the name Mikko Hyppönen has been synonymous with the fight against digital threats. Now, this cybersecurity pioneer is applying his formidable skills to a new battlefield: the sky. After a career spent dissecting malicious code, Hyppönen has turned his attention to countering drone threats, marking a significant pivot in his lifelong mission to protect people from evolving dangers.

The Invisible War of Cybersecurity

Mikko Hyppönen often describes cybersecurity work as a perpetual game of Tetris. When you succeed perfectly, the results vanish into thin air—nothing happens, systems remain secure, and life continues uninterrupted. This means that for security professionals, success is often invisible, while failures accumulate visibly and disastrously. Building on this analogy, Hyppönen has spent 35 years making sure those failures don’t pile up, becoming one of the most recognizable and respected figures in global cybersecurity.

His journey began in the late 1980s, when terms like “malware” were scarcely used and viruses spread via floppy disks. Starting at the Finnish company Data Fellows, which later became the renowned antivirus firm F-Secure, Hyppönen honed his skills by reverse-engineering software and analyzing early computer viruses. Consequently, he witnessed the entire evolution of digital threats firsthand, from simple curiosity-driven code to sophisticated nation-state attacks.

The Evolution of Digital Threats

In the early days, virus creation was often a hobbyist’s pursuit. The Form.A virus, prevalent in the early 1990s, sometimes did little more than display a message on a screen, yet it managed to travel globally, even reaching research stations in Antarctica. However, the landscape shifted dramatically with incidents like the ILOVEYOU virus in 2000, which Hyppönen and his team were first to discover. This worm infected millions of Windows computers worldwide, heralding a new era of automated, damaging attacks.

From Hobby to High-Stakes Crime

Today, the age of benign digital viruses is firmly over. Malware is now almost exclusively the tool of cybercriminals, state-sponsored spies, and mercenary spyware developers. Landmark attacks like the WannaCry ransomware and the NotPetya campaign demonstrated how digital weapons could cripple national infrastructure. This means that the cybersecurity industry has had to professionalize rapidly, growing into a $250 billion field dedicated to defense.

Interestingly, one major victory has been the hardening of consumer technology. Modern devices like the iPhone are extremely secure, making exploits so expensive that they are often only accessible to well-resourced governments rather than common criminals. Therefore, while malware remains a persistent threat, the industry’s progress in certain areas has allowed veterans like Hyppönen to explore new frontiers of defense.

A New Frontier: The Drone Battlefield

In 2025, Mikko Hyppönen made a decisive career shift. He joined Sensofusion, a Helsinki-based company, as Chief Research Officer, focusing on developing anti-drone systems for military and law enforcement. This pivot was deeply personal. Living just two hours from Finland’s border with Russia and serving in the military reserves, Hyppönen felt a direct connection to the drone-defined warfare witnessed in Ukraine. “It’s more meaningful to work fighting against drones, not just the drones we see today, but also the drones of tomorrow,” he explains. “We’re on the side of humans against machines.”

Parallels Between Fighting Malware and Drones

At first glance, cybersecurity and counter-drone technology seem unrelated. Yet, Hyppönen identifies striking similarities in the defensive strategies. In cybersecurity, defenders use “signatures” to identify and block malicious code. In the drone world, systems are built to locate, jam, and take control of unmanned aerial vehicles by analyzing their radio frequencies and protocols.

Specifically, Sensofusion’s technology involves recording a drone’s radio frequencies—known as IQ samples—to detect its communication protocol. From there, signatures can be built to identify even unknown drones. Moreover, once you understand the protocol, you can launch cyberattacks against the drone itself, causing it to malfunction or crash. “If you find a vulnerability, you’re done,” Hyppönen notes, highlighting a more direct path to neutralization compared to traditional malware battles.

The Unchanging Cat-and-Mouse Game

Despite the new domain, the core dynamic remains unchanged. It’s still a relentless cat-and-mouse game: defenders develop a countermeasure, adversaries adapt and find a workaround, and the cycle continues. For Hyppönen, even the adversary has a familiar face. “I spent a big part of my career fighting against Russian malware attacks,” he states. “Now I’m fighting Russian drone attacks.” This continuity underscores how geopolitical conflicts now span both digital and physical realms.

The Lasting Impact of a Cybersecurity Career

Mikko Hyppönen’s shift from malware to drones is not an abandonment of his past work but an evolution of it. The principles of analysis, defense, and adaptation remain central. His career arc mirrors the trajectory of modern security threats—constantly evolving, crossing domains, and demanding innovative responses. As drones become increasingly prevalent in conflict and crime, the need for experts who understand both the technology and the tactics of intrusion has never been greater.

Ultimately, whether the threat arrives via email or from the sky, the mission is the same: to protect. Hyppönen’s new chapter demonstrates that the skills honed in decades of digital warfare are precisely what’s needed to secure our physical world. For more insights on the evolution of cyber threats, explore our analysis on the future of cyber warfare or read about recent advances in anti-drone technology.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Fake CAPTCHA Pages Deliver SCMBANKER Malware to Mexican Banking Users

Published

on

SCMBANKER malware

Fake CAPTCHA Pages Are the Hook

Cybercriminals are running a fresh campaign that preys on customers of Mexican banks, fintech platforms, payment processors, and even cryptocurrency exchanges. The method is deceptively simple: a fake CAPTCHA verification page that tricks users into copying and running a malicious command. Once executed, it installs a PowerShell-based toolkit known as SCMBANKER malware.

Security researchers at Elastic Security Labs are tracking this activity cluster under the name REF6045. The campaign relies on what the industry calls ClickFix lures — social engineering tricks that make victims believe they need to complete a security check. Instead of a harmless verification, they end up infecting their own machine.

This isn’t a spray-and-pray operation. The attackers are being selective about who they target. The lure pages are localized in Spanish and reference well-known Mexican financial institutions. That level of specificity suggests the group behind REF6045 has done its homework on the local banking ecosystem.

How the Infection Chain Works

The attack starts when a user lands on a compromised or malicious website. A pop-up appears, mimicking a standard CAPTCHA challenge. The page instructs the visitor to press a specific key combination — often Windows Key + R — then paste a provided script into the Run dialog and hit Enter.

Here’s the kicker: the script is not a CAPTCHA solver. It’s a PowerShell command that reaches out to a remote server, downloads the SCMBANKER malware, and executes it silently in the background. The victim sees nothing unusual — the page might even show a fake “Verification Successful” message — while the malware burrows into the system.

Elastic’s analysis shows the toolkit is modular. It can steal credentials, intercept SMS-based two-factor authentication codes, log keystrokes, and take screenshots. That’s a dangerous combination for anyone doing online banking.

Why Mexican Users Are in the Crosshairs

Mexico has seen a rapid shift toward digital payments and mobile banking over the past few years. That growth has caught the attention of cybercriminal groups. SCMBANKER malware is specifically designed to hook into banking sessions, read account balances, and initiate unauthorized transfers.

The campaign also targets users of cryptocurrency exchanges. That’s a notable development. Criminals are increasingly blending traditional banking fraud with crypto theft, siphoning funds from both fiat and digital wallets in a single sweep.

Elastic Security Labs notes that the infrastructure behind REF6045 is still active. New domains and command-and-control servers are being spun up regularly. This isn’t a one-off — it’s an ongoing threat that’s likely to evolve.

ClickFix: A Growing Social Engineering Trend

The ClickFix lure technique has been gaining traction across multiple malware families. It exploits a basic human tendency: people follow instructions when they think they’re solving a problem. By wrapping the infection chain inside a fake security check, attackers bypass many traditional defenses.

Static antivirus engines often miss these attacks because the initial payload is not a file — it’s a command typed directly by the user. That’s a blind spot. No email attachment to scan, no link to inspect. Just a few keystrokes, and the damage is done.

For users of WhatsApp HD photo sending or other everyday apps, this kind of social engineering can feel indistinguishable from a legitimate prompt. The attackers invest in good design — the fake CAPTCHA pages look polished, with proper logos and color schemes.

Protecting Yourself from CAPTCHA-Based Malware

Defense starts with skepticism. No legitimate CAPTCHA will ever ask you to open a Run dialog or paste a script. If a website demands that, close the tab immediately.

Organizations can also deploy application whitelisting and PowerShell execution policies to block unauthorized scripts. For individuals, using a standard (non-administrator) user account limits what the malware can do after installation.

Elastic Security Labs recommends monitoring for unusual PowerShell activity and outbound connections to unknown IPs. Their full report on REF6045 includes indicators of compromise — domains, hashes, and command patterns — that security teams can use for detection.

What Comes Next

The SCMBANKER malware campaign is a reminder that banking trojans are not a relic of the 2010s. They’ve adapted. They now use modern social engineering, modular code, and multi-target strategies that span both traditional banks and crypto platforms.

As Mexican financial institutions continue to digitize, the attack surface will only widen. Security awareness training, especially around unusual CAPTCHA prompts, is no longer optional — it’s a frontline defense.

For users who want to stay safe, the rule is simple: if a page asks you to paste code into a Run box, don’t. That’s not a verification. That’s an infection.

Continue Reading

CyberSecurity

Four Security Vendors Rush Patches for Critical and High-Severity Product Bugs

Published

on

Trend Micro Tanium ESET Tenable patches

July has been a busy month for security teams inside four major cybersecurity vendors. Trend Micro, Tanium, ESET, and Tenable all shipped product updates targeting vulnerabilities that range from critical down to medium severity. No active exploitation has been reported for any of these bugs — but as recent attacks on Palo Alto Networks and Trend Micro itself have shown, security products are a prime target for sophisticated threat actors.

Here is what got patched, who is affected, and why these fixes matter now.

Tenable Agent: Critical Path Traversal Opens Door to RCE

The most severe of the bunch is a critical-severity path traversal vulnerability in the Tenable Agent, tracked as CVE-2026-15265. Tenable notified customers this week that the flaw could let an attacker achieve remote code execution on an affected system.

Path traversal bugs are a classic but still dangerous class of vulnerability. They allow an attacker to break out of restricted directories and write or execute files in places they should not have access to. When that happens inside a security agent — software designed to run with elevated privileges — the consequences can be severe. In this case, Tenable rates the bug as critical, meaning organizations should prioritize updating their agents immediately.

The advisory does not specify a CVSS score, but the critical designation alone signals urgency. Tenable has not published any workaround; the fix is the update itself.

ESET Inspect Connector: Local Privilege Escalation via ALPC

ESET disclosed a high-severity local privilege escalation vulnerability in its Inspect Connector for Windows on Tuesday. The company explained that an attacker with local access could send specially crafted Advanced Local Procedure Call (ALPC) requests to the vulnerable process’s interface.

“Without proper authentication or origin validation in place, this message would be accepted and processed,” ESET wrote in its advisory. That means the attacker could access restricted functionality — essentially, they could elevate their privileges on the machine.

This is not a remote exploit. An attacker would need to already have some foothold on the system. But once inside, this bug makes lateral movement and deeper compromise much easier. ESET also published a separate advisory for a medium-severity denial-of-service (DoS) vulnerability affecting its security products for Linux.

Tanium Server: Unauthenticated DoS from the Network

Tanium informed customers last week about a high-severity flaw in the Tanium Server that could allow an unauthenticated, network-based attacker to launch a denial-of-service attack. The company’s advisory is characteristically sparse on technical details, but the risk is clear: an attacker who can reach the Tanium Server over the network does not need valid credentials to knock it offline.

For organizations that rely on Tanium for endpoint management and incident response, a DoS on the server could blind them to threats across the fleet. The update is recommended for all supported versions.

Trend Micro Cleaner One Pro: Local Privilege Escalation

Trend Micro warned users of Cleaner One Pro last week about a high-severity local privilege escalation vulnerability. The company said the bug could allow an attacker to delete privileged Trend Micro files — essentially letting a low-privileged user tamper with security software.

Cleaner One Pro is a system optimization tool, not a core security product like Apex One. Still, any vulnerability that lets an attacker delete files belonging to a Trend Micro application is concerning. It could be used to disable protections or corrupt logs.

Why Security Product Vulnerabilities Are a Bigger Deal

None of these vulnerabilities are known to have been exploited in the wild — yet. But there is a reason security teams pay close attention when a vendor like Trend Micro or ESET issues a patch. Security products run with high privileges by design. They have deep access to the operating system, the file system, and network traffic. A successful exploit against a security agent can give an attacker a beachhead that is extremely hard to detect.

Recent history bears this out. In June 2026, both Palo Alto Networks and Trend Micro confirmed that attackers had exploited vulnerabilities in their products in the wild. Those incidents served as a reminder that threat actors actively hunt for bugs in the very tools meant to stop them.

What Organizations Should Do Now

The message from all four vendors is the same: update now. For Tenable Agent, that means applying the latest version as soon as possible. For ESET Inspect Connector and Tanium Server, the same. For Trend Micro Cleaner One Pro, users should check for updates through the application or the vendor’s download portal.

If your organization uses any of these products, this is not a patch cycle to delay. The vulnerabilities are real, the fixes are available, and the window of opportunity for attackers is only getting wider.

For more context on recent security product vulnerabilities, see our coverage of Fortinet, Ivanti, and ServiceNow patches and the recent CrowdStrike and Tenable fixes.

Continue Reading

CyberSecurity

Vidar Infostealer Targets SMBs in Malvertising Blitz: Cracked Software Lures Deliver Double Payload

Published

on

Vidar infostealer malvertising

Malvertising Delivers More Than Users Bargained For

A fresh wave of malvertising is battering small and medium-sized businesses, and the culprit is a familiar name in the cybercrime underworld: the Vidar infostealer. Researchers have tracked a financially motivated campaign that dangles cracked or pirated software as bait — but the catch is a nasty two-for-one payload that both steals sensitive data and hijacks system resources for cryptomining.

The operation, active since at least early 2025, relies on malicious ads that appear in search results for popular business tools. Think project management suites, accounting software, and design apps — all offered for free. Click one of these ads, and you’re not downloading a freebie. You’re inviting Vidar straight onto your network.

This isn’t a lone actor. The campaign shows signs of professional organization, with multiple ad accounts and constantly refreshed domains. For SMBs already stretched thin on IT security, it’s a brutal reminder that free software rarely comes without a cost.

How the Vidar Infostealer Campaign Works

The infection chain starts with a search. An employee at a small business types “free [popular software] download” into a search engine. A sponsored ad appears, looking legitimate — complete with a convincing logo and landing page. The user clicks, downloads what appears to be an installer, and runs it.

Inside that installer is a multi-stage dropper. It unpacks Vidar infostealer first, which immediately begins scraping credentials, browser cookies, cryptocurrency wallet files, and even two-factor authentication tokens. Then, almost as an afterthought, it deploys a cryptominer that eats CPU cycles in the background.

The result? Data exfiltration happens fast — often within minutes. And the cryptominer runs quietly, draining electricity and slowing systems until someone notices the fan noise or a spike in the power bill.

Why SMBs Are the Prime Target

Large enterprises have robust security stacks, endpoint detection, and dedicated threat-hunting teams. SMBs? Not so much. A 2024 report from the Ponemon Institute found that 60% of small businesses that suffer a cyberattack go out of business within six months. Attackers know this. They also know SMBs are more likely to search for cheap or free software alternatives.

“SMBs are the sweet spot for malvertising,” says one threat analyst who tracks Vidar. “They have valuable data but not the budget for top-tier defenses. Cracked software is an easy hook.”

The campaign’s use of legitimate ad networks makes it even harder to block. Malicious ads slip through automated review systems, and by the time they’re flagged, the damage is often done.

The Double Payload: Data Theft Meets Cryptomining

Vidar has been around since 2018, marketed on Russian-language cybercrime forums as an off-the-shelf infostealer. It’s known for its speed — it can grab browser data, email client credentials, and cryptocurrency wallets in under a minute. In this campaign, it’s paired with a cryptominer that targets Monero (XMR), a privacy coin favored by attackers because transactions are harder to trace.

The combination is ruthless. First, Vidar exfiltrates everything it can. Then the miner establishes persistence, running as a background process that survives reboots. The victim loses both data and computing power. For an SMB with limited IT staff, detecting the miner might take weeks. By then, credentials stolen by Vidar could already be sold on dark web forums or used in follow-up attacks like ransomware.

Security firm Proofpoint first flagged the uptick in Vidar activity tied to malvertising in late 2024. Since then, the volume has only grown. In one observed cluster, attackers registered over 40 domains in a single week, each mimicking a legitimate software vendor.

Protecting Your Business From Malvertising and Infostealers

There’s no silver bullet, but a few practical steps can dramatically reduce risk. Start with the basics:

  • Ban cracked software outright. Write a clear policy. No exceptions. Free or pirated versions of paid tools are the #1 delivery mechanism for infostealers like Vidar.
  • Use ad-blocking or DNS filtering. Tools like uBlock Origin or a DNS filter (e.g., NextDNS) can block malicious ad domains before they load.
  • Deploy endpoint detection and response (EDR). Free options exist for small businesses, like Microsoft Defender for Business. EDR can catch the unusual process behavior of a cryptominer.
  • Train employees to spot malvertising. Show them what a malicious sponsored ad looks like. Teach them to hover over links before clicking. A skeptical eye is still one of the best defenses.
  • Monitor for unusual CPU usage. A sudden, sustained spike in processor load — especially on idle machines — is a telltale sign of cryptomining.

For SMBs that rely on cloud services, enabling multi-factor authentication on every account is critical. Vidar often steals session cookies that bypass MFA, but it’s still a strong layer of defense. Also consider endpoint security best practices that include application whitelisting to block unauthorized installers.

The Bottom Line on Vidar and Malvertising

This campaign isn’t revolutionary in technique — malvertising and cracked software lures are old tricks. What’s new is the scale and the double payload. Vidar’s operators have industrialized the process, buying ads at scale and rotating infrastructure faster than most blocklists can keep up.

For SMB owners, the takeaway is simple: if an ad promises free access to expensive software, it’s almost certainly a trap. The Vidar infostealer campaign proves that the cost of “free” can be your company’s data — and your bottom line.

Continue Reading

Trending