Connect with us

CyberSecurity

Russian APT28 Hackers Hijack Routers in Global Credential Theft Campaign

Published

on

Russian APT28 Hackers Hijack Routers in Global Credential Theft Campaign

A sophisticated Russian cyber-espionage group is conducting a widespread campaign by hijacking internet routers to steal sensitive credentials from targeted organizations. This APT28 router hijack operation, detailed in a new advisory from the UK’s National Cyber Security Centre (NCSC), reveals a methodical approach to digital surveillance and data theft. Consequently, businesses and individuals using common networking equipment are at significant risk.

The Mechanics of the Router Hijack Campaign

According to the NCSC, the threat actors, identified as APT28, are exploiting vulnerabilities in small office/home office (SOHO) routers. Their goal is to redirect internet traffic through servers they control. This process, known as DNS hijacking, allows them to intercept data flowing from connected devices like laptops and smartphones. Therefore, when a user tries to access a website or service, their request is secretly routed to a malicious server where login credentials can be harvested.

Building on this, the NCSC assesses the initial phase of these operations as “opportunistic.” The hackers cast a wide net to gain visibility on a large pool of potential targets. They then filter these candidates at each stage of their attack chain, ultimately focusing on victims deemed to have high intelligence value. This means that while the initial compromise is broad, the final theft is highly selective.

First Wave: Targeting TP-Link Devices

One distinct activity cluster focuses heavily on TP-Link routers. In this campaign, the hackers modify the router’s DHCP DNS settings to include IP addresses they own. A specific model, the TP-Link WR841N, is likely being exploited using a known vulnerability (CVE-2023-50224). This flaw lets an unauthenticated attacker obtain password credentials via crafted web requests.

Once a router is compromised, every device on its network inherits the malicious DNS settings. This allows APT28 to perform adversary-in-the-middle (AitM) attacks on user sessions. The primary objective is to harvest passwords, OAuth tokens, and other credentials for web and email services. Subsequently, the stolen data can be used for malicious logins from other infrastructure not yet identified by authorities.

Second Wave: Compromising MikroTik and More

In a separate but related cluster, the NCSC observed servers receiving DNS requests from likely compromised MikroTik and TP-Link routers. This campaign involves a more complex forwarding chain, where DNS requests are sent from the initial compromised server to further remote servers controlled by the attackers.

Notably, this infrastructure was used for interactive operations against a small number of MikroTik routers, often located in Ukraine. These targets were likely chosen for their specific intelligence value to the Russian group. This indicates a strategic shift from broad scanning to precise, interactive compromise of high-value assets. For more on defending critical infrastructure, see our guide on essential network security practices.

Who is Behind the APT28 Router Hijack?

The UK government attributes the APT28 router hijack campaign “almost certainly” to Unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU). This unit is also widely known by aliases such as Fancy Bear, Forest Blizzard, and Strontium. Their history includes high-profile attacks like the 2015 cyber-attack against the German parliament and an attempted breach of the Organisation for the Prohibition of Chemical Weapons (OPCW) in 2018.

Microsoft Threat Intelligence, in a separate report, corroborates these findings. They note that APT28 and a sub-group tracked as Storm-2754 have been compromising virtual private servers (VPS) to exploit SOHO routers since at least August 2025. This confirms a sustained, long-term investment in this particular attack vector by a state-sponsored actor.

How to Defend Against Router-Based Attacks

In response to this threat, the NCSC has issued critical mitigation advice. Organizations and individuals must take proactive steps to secure their networks. First and foremost, ensure all routers are running the latest supported firmware and that security updates are applied immediately. Outdated software is the primary entry point for these exploits.

Furthermore, adopting a browse-down network architecture can prevent attackers from easily gaining privileged access to vital assets. This means segmenting your network so that a compromise in one area doesn’t grant access to everything. Additionally, deploying robust endpoint protection, including host-based intrusion detection systems (HIDS), is crucial for spotting malicious activity.

On the authentication front, using multifactor authentication (MFA) universally is one of the most effective ways to neutralize stolen credentials. Even if a password is intercepted, MFA provides a critical second layer of defense. Implementing application allowlisting can also prevent unauthorized software from running on your network. For a deeper dive into authentication security, explore our resource on implementing MFA across your organization.

The Bigger Picture of Cyber Espionage

This campaign is not an isolated incident but part of a continuous trend of state-aligned cyber operations targeting critical infrastructure and sensitive data. The use of commodity hardware like consumer routers provides attackers with a low-cost, high-impact method of establishing a foothold. This APT28 router hijack tactic is particularly insidious because it compromises the very foundation of a network’s trust—its DNS resolution.

As a result, the responsibility for security extends beyond large corporations to include small businesses and even home users who may be unwitting participants in these attack chains. Regular security scans, vigilance for unusual network behavior, and a commitment to basic cyber hygiene are no longer optional. The convergence of geopolitical conflict and cyber warfare means that digital defense is now a universal concern.

CyberSecurity

Fake CAPTCHA Pages Deliver SCMBANKER Malware to Mexican Banking Users

Published

on

SCMBANKER malware

Fake CAPTCHA Pages Are the Hook

Cybercriminals are running a fresh campaign that preys on customers of Mexican banks, fintech platforms, payment processors, and even cryptocurrency exchanges. The method is deceptively simple: a fake CAPTCHA verification page that tricks users into copying and running a malicious command. Once executed, it installs a PowerShell-based toolkit known as SCMBANKER malware.

Security researchers at Elastic Security Labs are tracking this activity cluster under the name REF6045. The campaign relies on what the industry calls ClickFix lures — social engineering tricks that make victims believe they need to complete a security check. Instead of a harmless verification, they end up infecting their own machine.

This isn’t a spray-and-pray operation. The attackers are being selective about who they target. The lure pages are localized in Spanish and reference well-known Mexican financial institutions. That level of specificity suggests the group behind REF6045 has done its homework on the local banking ecosystem.

How the Infection Chain Works

The attack starts when a user lands on a compromised or malicious website. A pop-up appears, mimicking a standard CAPTCHA challenge. The page instructs the visitor to press a specific key combination — often Windows Key + R — then paste a provided script into the Run dialog and hit Enter.

Here’s the kicker: the script is not a CAPTCHA solver. It’s a PowerShell command that reaches out to a remote server, downloads the SCMBANKER malware, and executes it silently in the background. The victim sees nothing unusual — the page might even show a fake “Verification Successful” message — while the malware burrows into the system.

Elastic’s analysis shows the toolkit is modular. It can steal credentials, intercept SMS-based two-factor authentication codes, log keystrokes, and take screenshots. That’s a dangerous combination for anyone doing online banking.

Why Mexican Users Are in the Crosshairs

Mexico has seen a rapid shift toward digital payments and mobile banking over the past few years. That growth has caught the attention of cybercriminal groups. SCMBANKER malware is specifically designed to hook into banking sessions, read account balances, and initiate unauthorized transfers.

The campaign also targets users of cryptocurrency exchanges. That’s a notable development. Criminals are increasingly blending traditional banking fraud with crypto theft, siphoning funds from both fiat and digital wallets in a single sweep.

Elastic Security Labs notes that the infrastructure behind REF6045 is still active. New domains and command-and-control servers are being spun up regularly. This isn’t a one-off — it’s an ongoing threat that’s likely to evolve.

ClickFix: A Growing Social Engineering Trend

The ClickFix lure technique has been gaining traction across multiple malware families. It exploits a basic human tendency: people follow instructions when they think they’re solving a problem. By wrapping the infection chain inside a fake security check, attackers bypass many traditional defenses.

Static antivirus engines often miss these attacks because the initial payload is not a file — it’s a command typed directly by the user. That’s a blind spot. No email attachment to scan, no link to inspect. Just a few keystrokes, and the damage is done.

For users of WhatsApp HD photo sending or other everyday apps, this kind of social engineering can feel indistinguishable from a legitimate prompt. The attackers invest in good design — the fake CAPTCHA pages look polished, with proper logos and color schemes.

Protecting Yourself from CAPTCHA-Based Malware

Defense starts with skepticism. No legitimate CAPTCHA will ever ask you to open a Run dialog or paste a script. If a website demands that, close the tab immediately.

Organizations can also deploy application whitelisting and PowerShell execution policies to block unauthorized scripts. For individuals, using a standard (non-administrator) user account limits what the malware can do after installation.

Elastic Security Labs recommends monitoring for unusual PowerShell activity and outbound connections to unknown IPs. Their full report on REF6045 includes indicators of compromise — domains, hashes, and command patterns — that security teams can use for detection.

What Comes Next

The SCMBANKER malware campaign is a reminder that banking trojans are not a relic of the 2010s. They’ve adapted. They now use modern social engineering, modular code, and multi-target strategies that span both traditional banks and crypto platforms.

As Mexican financial institutions continue to digitize, the attack surface will only widen. Security awareness training, especially around unusual CAPTCHA prompts, is no longer optional — it’s a frontline defense.

For users who want to stay safe, the rule is simple: if a page asks you to paste code into a Run box, don’t. That’s not a verification. That’s an infection.

Continue Reading

CyberSecurity

Four Security Vendors Rush Patches for Critical and High-Severity Product Bugs

Published

on

Trend Micro Tanium ESET Tenable patches

July has been a busy month for security teams inside four major cybersecurity vendors. Trend Micro, Tanium, ESET, and Tenable all shipped product updates targeting vulnerabilities that range from critical down to medium severity. No active exploitation has been reported for any of these bugs — but as recent attacks on Palo Alto Networks and Trend Micro itself have shown, security products are a prime target for sophisticated threat actors.

Here is what got patched, who is affected, and why these fixes matter now.

Tenable Agent: Critical Path Traversal Opens Door to RCE

The most severe of the bunch is a critical-severity path traversal vulnerability in the Tenable Agent, tracked as CVE-2026-15265. Tenable notified customers this week that the flaw could let an attacker achieve remote code execution on an affected system.

Path traversal bugs are a classic but still dangerous class of vulnerability. They allow an attacker to break out of restricted directories and write or execute files in places they should not have access to. When that happens inside a security agent — software designed to run with elevated privileges — the consequences can be severe. In this case, Tenable rates the bug as critical, meaning organizations should prioritize updating their agents immediately.

The advisory does not specify a CVSS score, but the critical designation alone signals urgency. Tenable has not published any workaround; the fix is the update itself.

ESET Inspect Connector: Local Privilege Escalation via ALPC

ESET disclosed a high-severity local privilege escalation vulnerability in its Inspect Connector for Windows on Tuesday. The company explained that an attacker with local access could send specially crafted Advanced Local Procedure Call (ALPC) requests to the vulnerable process’s interface.

“Without proper authentication or origin validation in place, this message would be accepted and processed,” ESET wrote in its advisory. That means the attacker could access restricted functionality — essentially, they could elevate their privileges on the machine.

This is not a remote exploit. An attacker would need to already have some foothold on the system. But once inside, this bug makes lateral movement and deeper compromise much easier. ESET also published a separate advisory for a medium-severity denial-of-service (DoS) vulnerability affecting its security products for Linux.

Tanium Server: Unauthenticated DoS from the Network

Tanium informed customers last week about a high-severity flaw in the Tanium Server that could allow an unauthenticated, network-based attacker to launch a denial-of-service attack. The company’s advisory is characteristically sparse on technical details, but the risk is clear: an attacker who can reach the Tanium Server over the network does not need valid credentials to knock it offline.

For organizations that rely on Tanium for endpoint management and incident response, a DoS on the server could blind them to threats across the fleet. The update is recommended for all supported versions.

Trend Micro Cleaner One Pro: Local Privilege Escalation

Trend Micro warned users of Cleaner One Pro last week about a high-severity local privilege escalation vulnerability. The company said the bug could allow an attacker to delete privileged Trend Micro files — essentially letting a low-privileged user tamper with security software.

Cleaner One Pro is a system optimization tool, not a core security product like Apex One. Still, any vulnerability that lets an attacker delete files belonging to a Trend Micro application is concerning. It could be used to disable protections or corrupt logs.

Why Security Product Vulnerabilities Are a Bigger Deal

None of these vulnerabilities are known to have been exploited in the wild — yet. But there is a reason security teams pay close attention when a vendor like Trend Micro or ESET issues a patch. Security products run with high privileges by design. They have deep access to the operating system, the file system, and network traffic. A successful exploit against a security agent can give an attacker a beachhead that is extremely hard to detect.

Recent history bears this out. In June 2026, both Palo Alto Networks and Trend Micro confirmed that attackers had exploited vulnerabilities in their products in the wild. Those incidents served as a reminder that threat actors actively hunt for bugs in the very tools meant to stop them.

What Organizations Should Do Now

The message from all four vendors is the same: update now. For Tenable Agent, that means applying the latest version as soon as possible. For ESET Inspect Connector and Tanium Server, the same. For Trend Micro Cleaner One Pro, users should check for updates through the application or the vendor’s download portal.

If your organization uses any of these products, this is not a patch cycle to delay. The vulnerabilities are real, the fixes are available, and the window of opportunity for attackers is only getting wider.

For more context on recent security product vulnerabilities, see our coverage of Fortinet, Ivanti, and ServiceNow patches and the recent CrowdStrike and Tenable fixes.

Continue Reading

CyberSecurity

Vidar Infostealer Targets SMBs in Malvertising Blitz: Cracked Software Lures Deliver Double Payload

Published

on

Vidar infostealer malvertising

Malvertising Delivers More Than Users Bargained For

A fresh wave of malvertising is battering small and medium-sized businesses, and the culprit is a familiar name in the cybercrime underworld: the Vidar infostealer. Researchers have tracked a financially motivated campaign that dangles cracked or pirated software as bait — but the catch is a nasty two-for-one payload that both steals sensitive data and hijacks system resources for cryptomining.

The operation, active since at least early 2025, relies on malicious ads that appear in search results for popular business tools. Think project management suites, accounting software, and design apps — all offered for free. Click one of these ads, and you’re not downloading a freebie. You’re inviting Vidar straight onto your network.

This isn’t a lone actor. The campaign shows signs of professional organization, with multiple ad accounts and constantly refreshed domains. For SMBs already stretched thin on IT security, it’s a brutal reminder that free software rarely comes without a cost.

How the Vidar Infostealer Campaign Works

The infection chain starts with a search. An employee at a small business types “free [popular software] download” into a search engine. A sponsored ad appears, looking legitimate — complete with a convincing logo and landing page. The user clicks, downloads what appears to be an installer, and runs it.

Inside that installer is a multi-stage dropper. It unpacks Vidar infostealer first, which immediately begins scraping credentials, browser cookies, cryptocurrency wallet files, and even two-factor authentication tokens. Then, almost as an afterthought, it deploys a cryptominer that eats CPU cycles in the background.

The result? Data exfiltration happens fast — often within minutes. And the cryptominer runs quietly, draining electricity and slowing systems until someone notices the fan noise or a spike in the power bill.

Why SMBs Are the Prime Target

Large enterprises have robust security stacks, endpoint detection, and dedicated threat-hunting teams. SMBs? Not so much. A 2024 report from the Ponemon Institute found that 60% of small businesses that suffer a cyberattack go out of business within six months. Attackers know this. They also know SMBs are more likely to search for cheap or free software alternatives.

“SMBs are the sweet spot for malvertising,” says one threat analyst who tracks Vidar. “They have valuable data but not the budget for top-tier defenses. Cracked software is an easy hook.”

The campaign’s use of legitimate ad networks makes it even harder to block. Malicious ads slip through automated review systems, and by the time they’re flagged, the damage is often done.

The Double Payload: Data Theft Meets Cryptomining

Vidar has been around since 2018, marketed on Russian-language cybercrime forums as an off-the-shelf infostealer. It’s known for its speed — it can grab browser data, email client credentials, and cryptocurrency wallets in under a minute. In this campaign, it’s paired with a cryptominer that targets Monero (XMR), a privacy coin favored by attackers because transactions are harder to trace.

The combination is ruthless. First, Vidar exfiltrates everything it can. Then the miner establishes persistence, running as a background process that survives reboots. The victim loses both data and computing power. For an SMB with limited IT staff, detecting the miner might take weeks. By then, credentials stolen by Vidar could already be sold on dark web forums or used in follow-up attacks like ransomware.

Security firm Proofpoint first flagged the uptick in Vidar activity tied to malvertising in late 2024. Since then, the volume has only grown. In one observed cluster, attackers registered over 40 domains in a single week, each mimicking a legitimate software vendor.

Protecting Your Business From Malvertising and Infostealers

There’s no silver bullet, but a few practical steps can dramatically reduce risk. Start with the basics:

  • Ban cracked software outright. Write a clear policy. No exceptions. Free or pirated versions of paid tools are the #1 delivery mechanism for infostealers like Vidar.
  • Use ad-blocking or DNS filtering. Tools like uBlock Origin or a DNS filter (e.g., NextDNS) can block malicious ad domains before they load.
  • Deploy endpoint detection and response (EDR). Free options exist for small businesses, like Microsoft Defender for Business. EDR can catch the unusual process behavior of a cryptominer.
  • Train employees to spot malvertising. Show them what a malicious sponsored ad looks like. Teach them to hover over links before clicking. A skeptical eye is still one of the best defenses.
  • Monitor for unusual CPU usage. A sudden, sustained spike in processor load — especially on idle machines — is a telltale sign of cryptomining.

For SMBs that rely on cloud services, enabling multi-factor authentication on every account is critical. Vidar often steals session cookies that bypass MFA, but it’s still a strong layer of defense. Also consider endpoint security best practices that include application whitelisting to block unauthorized installers.

The Bottom Line on Vidar and Malvertising

This campaign isn’t revolutionary in technique — malvertising and cracked software lures are old tricks. What’s new is the scale and the double payload. Vidar’s operators have industrialized the process, buying ads at scale and rotating infrastructure faster than most blocklists can keep up.

For SMB owners, the takeaway is simple: if an ad promises free access to expensive software, it’s almost certainly a trap. The Vidar infostealer campaign proves that the cost of “free” can be your company’s data — and your bottom line.

Continue Reading

Trending