The campaign primarily focused on compromising REDCap (Research Electronic Data Capture) servers, a widely used platform for managing clinical research databases and surveys. After gaining access, the attackers deployed custom malware called INFINITERED, harvested credentials, established persistence, and later abused enterprise email compliance rules to exfiltrate sensitive communications.

Campaign Overview

The operation demonstrates a sophisticated attack chain combining exploitation of public-facing applications, credential theft, malware deployment, persistence mechanisms, and stealthy data exfiltration.

Key Objectives

• Medical research intelligence
• Artificial Intelligence research
• Defense-related information
• Military health research Public health policy data

Researchers observed the activity from September 2023 through November 2025, indicating a highly patient and well-resourced espionage operation.

High-level attack flow used by UNC6508 to compromise research institutions and steal sensitive information.

Initial Access Through REDCap Servers

Why REDCap Was Targeted

REDCap is extensively used across:

• Hospitals
• Clinical research organizations
• Universities
• Government research programs
• Military health institutions

Because REDCap stores large volumes of research and patient-related information, it provides an attractive entry point for espionage-focused threat actors.

Researchers observed the attackers probing and exploiting vulnerable or legacy REDCap deployments exposed to the internet. Once access was obtained, they began internal reconnaissance and credential discovery activities.

Web Shell Deployment and Persistence

Following successful compromise, UNC6508 deployed a web shell identified as:

help.php

The web shell served multiple purposes:

• Persistent access
• File uploads
• Command execution
• Further malware deployment

This allowed the attackers to maintain long-term access even if passwords were changed or some security controls were implemented.

INFINITERED Malware Analysis

Three months after the initial intrusion, researchers observed deployment of a custom malware family called INFINITERED. This malware was specifically engineered to operate inside REDCap environments.

Modular architecture of INFINITERED malware used by UNC6508 to maintain persistence, harvest credentials, and execute commands within compromised REDCap environments.

Component 1 – Upgrade Interceptor

The malware monitors REDCap upgrade activities.

When administrators update REDCap, the malware automatically injects itself into newer versions, ensuring persistence across software upgrades

Component 2 – Credential Harvester

This module captures usernames and passwords entered into REDCap login pages.

Stolen credentials are stored within REDCap database tables and later retrieved by attackers.

Component 3 – Command-and-Control Backdoor

The third module acts as a fully functional backdoor.

Researchers found it could:

• Execute shell commands
• Upload files
• Download files
• Run SQL queries

Communication was hidden within HTTP cookie values, helping evade traditional detection mechanisms.

Abuse of Google Workspace for Data Exfiltration

One of the most interesting aspects of the campaign was the attackers’ use of legitimate Google Workspace functionality.

After obtaining administrative access, UNC6508 created a content compliance rule named:

Patroit

The rule automatically monitored emails containing specific keywords and forwarded matching messages to attacker-controlled Gmail accounts.

Attack Chain Breakdown

• External Reconnaissance
• Initial Compromise
• Persistence
• Privilege Escalation
• Intelligence Gathering

Potential Impact on Organizations

Organizations affected by this campaign could experience:

Research Theft

Loss of valuable intellectual property and scientific research.

Strategic Intelligence Exposure

Disclosure of defense and geopolitical information.

Credential Compromise

Unauthorized access to enterprise systems.

Regulatory Risks

Exposure of regulated healthcare and research data.

Alternative Indicators of Compromise (IOCs)

Security Recommendations

Upgrade REDCap Immediately

Remove legacy versions and apply the latest security updates.

Conduct Threat Hunting

Search for:

• help.php
• INFINITERED artifacts
• Unauthorized admin activity
• Credential harvesting indicators

The UNC6508 campaign highlights how modern nation-state threat actors are increasingly targeting research ecosystems to obtain strategic intelligence. By exploiting REDCap servers, deploying INFINITERED malware, and abusing legitimate cloud email features, the attackers maintained access for more than a year while collecting sensitive medical, defense, and technology research data. Organizations operating research platforms should prioritize patching, continuous monitoring, and proactive threat hunting to defend against similar espionage campaigns.

The post PRC-Linked Threat Actors Target REDCap Servers to Spy on U.S. Medical Research Organizations appeared first on First Hackers News.

The issue was initially noticed by a Motorola Razr 60 Ultra user who observed unusual behavior when opening the Amazon app. Instead of launching normally, the device briefly opened a web browser before redirecting back to Amazon with a tracking identifier attached.

Further investigation revealed that a preinstalled background application named Smart Feed was responsible for the redirects.

Hidden App Injects Affiliate Tracking Codes

Researchers found that the hidden app communicates with an external server identified as devicenative[.]com. The server appears to provide affiliate-related settings and redirect instructions used by the application.

When users tap shopping apps from the launcher, the hidden service intercepts the request and inserts affiliate tracking data before sending users to the final destination.

The observed behavior includes:

• Intercepting Amazon app launches
• Opening browser-based redirect links
• Injecting affiliate tracking parameters
• Connecting to remote servers for configuration updates
• Running silently in the background

Because Android automatically handles supported links inside apps, most users are unlikely to notice the redirection process.

Researchers Warn About Potential Risks

Security experts noted that the technique shares similarities with behaviors commonly seen in adware and mobile malware.

The concerns go beyond affiliate monetization because the same infrastructure could theoretically be modified to redirect users toward malicious websites, phishing pages, or credential theft portals.

Researchers also highlighted several worrying characteristics:

• Hidden system-level persistence
• External server-controlled behavior
• Intent interception techniques
• Limited user visibility or control
• Difficulty removing the application

Since the application relies on remote configuration from external servers, its behavior could potentially change without any operating system update.

The issue has currently been confirmed on the Motorola Razr 60 Ultra, although it is still unclear whether other Motorola devices are affected.

While reports suggest a third-party monetization partner may be involved, researchers argue that smartphone manufacturers remain responsible for software bundled with their devices.

Motorola has not publicly commented on the findings at the time of reporting.

The post Hidden Motorola App Redirects Amazon Traffic appeared first on First Hackers News.

Researchers from Mysk reported that WhatsApp uses a shared container linked to Meta applications, identified as group.com.facebook.family. On Apple devices, app group containers allow applications from the same developer to share data and resources.

Because Facebook, Instagram, and WhatsApp belong to the same ecosystem, the shared architecture could introduce privacy and security concerns if exploited alongside operating system vulnerabilities.

Shared Containers Raise Privacy Concerns

The researchers found that WhatsApp chat databases stored inside these containers are not encrypted at rest. This means the data may remain readable if attackers gain access to the device or exploit weaknesses in the operating system.

According to the report, the following risks were identified:

• Chat histories may be stored in plaintext
• Other Meta-owned apps could theoretically access shared data
• Users receive no alerts when such access occurs
• The issue affects both macOS and iOS environments

Researchers also demonstrated that WhatsApp chat histories could be extracted from iPhone backups, where the same unencrypted storage structure was observed.

The findings highlight an important distinction in security design. While WhatsApp uses end-to-end encryption to protect messages during transmission, that protection does not automatically secure data stored locally on the device.

macOS Vulnerability Increases Exposure Risk

The risk becomes more serious when combined with a recently disclosed macOS vulnerability tracked as CVE-2026-28910. The flaw affected Apple’s Archive Utility tool and reportedly allowed attackers to bypass App Sandbox protections.

By abusing this vulnerability, attackers could potentially:

• Access protected application containers
• Extract sensitive information from apps
• Bypass Apple’s Transparency, Consent, and Control protections
• Access chat histories from applications like WhatsApp

Researchers presented a proof-of-concept demonstration showing how the vulnerability could be combined with WhatsApp’s storage behavior to retrieve chat data.

Security Debate Around the Findings

Not all experts agree on the severity of the issue. WABetaInfo stated that although the databases may not be encrypted locally, Apple’s sandboxing system still provides strong isolation between applications.

From this perspective, attackers would still require elevated system privileges or a separate operating system exploit to access the stored data.

However, researchers at Mysk argue that shared app group permissions between Meta applications reduce isolation boundaries and increase the potential attack surface.

The discussion highlights broader concerns about local data protection in modern mobile ecosystems, especially when multiple applications share common storage environments.

Recommendations for Users

Security experts recommend several steps to reduce potential exposure risks:

• Enable encrypted Finder or iTunes backups
• Keep macOS and iOS updated with the latest security patches
• Use strong device passcodes and device encryption
• Limit unnecessary applications from the same developer ecosystem
• Regularly review application permissions and backup settings

At the time of reporting, there were no confirmed cases of widespread exploitation linked to the findings. However, the research highlights the importance of protecting sensitive data not only during transmission but also while stored on devices.

The post WhatsApp Chat Data Found Stored Without Encryption appeared first on First Hackers News.

Instead of relying on fake domains or compromised mail servers, attackers use Google AppSheet to send emails through Google’s own infrastructure. These messages are generated as part of automated workflows, meaning they pass authentication checks like SPF, DKIM, and DMARC without raising suspicion.

As a result, security tools and spam filters see them as trusted communications, allowing phishing messages to land directly in inboxes of targeted users—often business account owners managing Facebook pages.

Multi-Layered Attack Strategy

The campaign is not a single phishing page but a structured, multi-stage system designed to increase success rates. Victims are first directed to pages hosted on Netlify, where attackers replicate the Facebook Help Center with high accuracy. These pages are customized per victim using unique subdomains, making them difficult to block using traditional security measures.

From there, users are guided through a series of steps that collect not only login credentials but also deeper identity information such as date of birth and even government-issued ID images. In some cases, the attackers shift tactics by offering fake incentives, like verification badges, hosted on platforms such as Vercel. These pages are designed to look dynamic and legitimate, while quietly bypassing detection systems using techniques like hidden Unicode characters.

The operation becomes more advanced in later stages. Attackers host phishing documents on Google Drive, presenting them as official Meta notifications. These documents, often designed using Canva, contain embedded links that redirect victims into interactive phishing environments. These environments are powered by real-time communication frameworks, allowing attackers to actively engage with victims during the login process.

This live interaction is a critical aspect of the campaign. Instead of passively collecting credentials, attackers can request one-time passwords, monitor user actions, and even capture browser sessions as they happen. This significantly increases the likelihood of successful account takeover, even when multi-factor authentication is enabled.

Real-Time Data Exfiltration and Attribution

Once credentials are captured, they are immediately transmitted through a centralized system built around Telegram bots. This allows operators to monitor incoming data in real time and quickly take control of compromised accounts before victims notice suspicious activity.

Analysis of the infrastructure shows a strong operational scale, with thousands of records flowing into attacker-controlled channels. Most victims are concentrated in regions like the United States and Europe, indicating a focus on high-value targets such as businesses and influencers.

Investigators were also able to trace elements of the campaign back to Vietnamese actors. This attribution is supported by metadata found in phishing documents and developer comments embedded within the malicious code, providing insight into the origin of the operation.

A Shift Toward Industrialized Phishing

AccountDumpling reflects a broader shift in cybercrime, where phishing is no longer a simple tactic but part of a larger, industrialized ecosystem. Attackers are combining trusted services, automation, and real-time interaction to create highly effective campaigns that are difficult to detect and disrupt.

Compromised accounts are rarely the end goal. They are often reused for further scams, advertising fraud, or additional phishing attacks, creating a cycle that sustains and expands the operation. This approach shows how modern threat actors are leveraging legitimate platforms at scale, turning them into tools for widespread abuse while staying under the radar.

The post Facebook Phishing Campaign Targets Business Accounts appeared first on First Hackers News.

This activity was uncovered by the Atos Threat Research Center in early 2026. The goal is clear—compromise high-privilege users and gain direct access to critical systems.

How the Attack Starts

The attack begins with SEO poisoning across search engines like Bing, Yahoo, DuckDuckGo, and Yandex.

Attackers push fake GitHub repositories to the top of search results for queries related to popular admin tools. These repositories look legitimate and contain detailed documentation, but they don’t host malware directly.

The infection flow works like this:

• Fake GitHub repo acts as a trusted storefront
• README links redirect users to another repository
• Second repo hosts a malicious MSI installer
• Payload is executed on the victim system

This two-step setup helps attackers stay active even if one repository is removed.

Targeting High-Privilege Users

The campaign specifically mimics well-known administrative tools such as PsExec, AzCopy, Sysmon, LAPS, and WinDbg. These tools are typically used by administrators, DevOps teams, and security analysts.

This approach acts as a filtering mechanism:

• Only users searching for these tools are targeted
• Most victims already have elevated privileges
• A successful infection gives immediate high-level access

By abusing trust in commonly used tools, attackers increase the chances of execution without suspicion.

Malware Behavior and Execution

Once the malicious installer runs, a multi-stage RAT is deployed using JavaScript and fileless techniques.

The behavior includes:

• Obfuscated scripts install Node.js and trigger execution
• Payloads are decrypted in memory using AES-256
• Persistence is created through Windows Registry Run keys
• Malware runs under legitimate processes like conhost.exe
• Continuous communication with attacker infrastructure

The RAT allows attackers to execute commands, monitor systems, and extract sensitive data without obvious signs.

Blockchain-Based Command and Control

One of the most unique aspects of EtherRAT is its use of blockchain for command-and-control.

Instead of fixed servers, the malware retrieves its C2 address from the Ethereum network. This makes it extremely difficult to block or disrupt.

Key advantages for attackers:

• No fixed IP or domain to blacklist
• C2 can be updated instantly via blockchain transactions

Because public blockchain infrastructure is widely accessible, traditional takedown strategies become ineffective.

Ongoing Activity and Threat Impact

Researchers observed at least 40+ malicious GitHub repositories over several months, showing this is not a one-time campaign but an ongoing operation.

There are also similarities with techniques used by groups like Lazarus Group and MuddyWater, though attribution is still being analyzed.

Unlike typical large-scale malware campaigns, EtherRAT focuses on stealth and persistence. After initial access, attackers perform quiet reconnaissance instead of immediate disruptive actions.

Why This Matters

This campaign highlights a shift in cyber threats:

• Attackers target fewer users but with higher value
• Legitimate platforms like GitHub are used to build trust
• Decentralized technologies like blockchain increase resilience

Organizations should verify software sources, limit administrative privileges, and monitor unusual outbound traffic—especially connections to blockchain services.

EtherRAT shows how modern attackers are blending trusted platforms with advanced techniques to create highly targeted and durable threats.

The post EtherRAT Attack Targets Enterprise Admins appeared first on First Hackers News.

With this approach, users will no longer have to depend on shared cloud storage limits. Instead, WhatsApp aims to provide its own storage environment specifically built for messaging data. This is especially important as chat backups today include large files like high-resolution images, videos, and voice notes, which quickly consume available space.

All data stored in this system will be protected with end-to-end encryption by default. This means that messages remain private, and even WhatsApp itself cannot access the content. By keeping backups encrypted at all times, the platform is aiming to reduce the risk of unauthorized access or data exposure.

Enhanced Security with Passkeys

To strengthen protection further, WhatsApp is planning to introduce passkey-based authentication for backup access. Instead of using traditional passwords or long encryption keys, users will be able to unlock their backups using biometric methods such as fingerprint or facial recognition.

This makes the process both simpler and more secure. The authentication is tied directly to the user’s device, which reduces the risk of attacks like phishing, credential theft, or brute-force attempts. The passkey is securely stored and can sync across trusted devices, allowing users to restore backups without needing to remember complex credentials.

At the same time, WhatsApp is expected to keep alternative options available. Users who prefer using passwords or encryption keys will still have that choice, ensuring flexibility for different security preferences.

Storage Options and Rollout Plans

The upcoming system is also expected to introduce dedicated storage plans for backups. Early expectations suggest a small free storage tier for basic use, along with larger paid options for users who need more capacity. This would allow users to manage their backup storage without affecting their personal cloud accounts.

Despite this shift, WhatsApp is likely to continue supporting third-party backups for users who prefer their current setup. This ensures a smoother transition without forcing immediate changes.

The feature is still in development and has not yet been released publicly. It is expected to go through multiple testing phases to ensure stability, security, and compatibility with existing systems before a wider rollout begins.

This move reflects a broader industry trend toward building self-contained ecosystems that prioritize privacy, security, and better control over user data, rather than relying entirely on external platforms.

The post WhatsApp Tests Safer Cloud Backup for Messages appeared first on First Hackers News.

The attack starts with a targeted phishing email sent to specific organizations, particularly government-related entities. The email is designed to look legitimate, pretending to come from an internal consultant and referencing a real-looking project to gain trust.

To make the message more convincing, it is marked as urgent and includes a request for a read receipt. This increases the chances that the recipient will open the attachments without suspicion.

This multi stage malware attack poses serious threats to organizations, as its multi-layered nature complicates detection and remediation efforts.

The email contains two files with slightly misspelled names to appear like quick internal documents:

• A Word file pretending to be a report
• A PDF file that looks like an official document

These small tricks are used to make the attack look normal and believable.

How the Multi-Stage Attack Works

The infection process is carefully designed and happens in multiple steps. This layered approach helps the malware stay hidden during each stage.

When the Word file is opened, it asks the user to enable macros. If the user allows it, hidden code runs in the background and downloads a malicious file from an external server. This technique helps bypass basic security checks.

At the same time, the PDF file acts as another attack path. It shows a fake error message asking the user to update their PDF reader. If the user clicks the prompt, it downloads another malicious file disguised as a legitimate application.

Once installed, the malware:

• Connects to remote servers using trusted services
• Uses tools like developer tunnels to maintain access
• Sends stolen data through platforms like Discord
• Executes commands on the infected system

By using legitimate platforms, the malware blends in with normal network traffic, making it difficult to detect.

Evasion Techniques and Why It’s Dangerous

This malware uses several techniques to avoid being detected by security systems. It checks for analysis environments, hides its code, and uses trusted services to carry out its activities.

Some of its key evasion methods include:

• Hiding malicious code inside compiled scripts
• Using trusted cloud services for communication
• Disguising files with familiar names and branding
• Delivering payloads in stages instead of all at once

Because of these methods, the malware can remain active for a long time without being noticed. It can steal data, monitor systems, and give attackers remote access.

This attack shows a growing trend where cybercriminals rely on trusted platforms and multi-step infections to bypass traditional defenses. Organizations should focus on monitoring behavior, restricting macros, and educating users to recognize suspicious emails.

The post Multi Stage Malware Attack Uses Obfuscation to Evade Detection appeared first on First Hackers News.

Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.

The new approach uses Merkle Tree Certificates (MTCs), developed through the IETF PLANTS working group, to strengthen web security without slowing down the internet.

Why This Is Needed

Quantum computers could one day break today’s encryption methods used in HTTPS.

Post-quantum cryptography already exists, but it creates much larger keys. Larger keys mean:

• Bigger certificate sizes
• Slower TLS handshakes
• Higher bandwidth usage
• Performance issues in traditional X.509 certificate chains

Because of this, Chrome is not adding post-quantum X.509 certificates to its Root Store right now.

What Are Merkle Tree Certificates (MTCs)?

Instead of using large signature chains, MTCs use compact cryptographic proofs.

Here’s how it works:

• A Certification Authority (CA) signs one “Tree Head”
• That Tree Head can represent millions of certificates
• The browser receives only a small proof showing the certificate is included

This keeps security strong while reducing data size.

Key Benefits of MTCs

• Smaller TLS handshakes
• Better performance
• Built-in transparency
• Easier scaling for millions of certificates
• Strong post-quantum protection

Chrome’s Rollout Plan

Chrome is rolling this out in three phases.

Phase 1 (Now Ongoing)
Chrome is working with Cloudflare to test MTCs in real-world conditions. A traditional X.509 certificate is still used as a backup during testing.

Phase 2 (Q1 2027)
Trusted Certificate Transparency log operators will help launch public MTC systems.

Phase 3 (Q3 2027)
Chrome will introduce a new Quantum-Resistant Root Store (CQRS). This will support only MTC-based certificates and run alongside the current root program.

Websites will also have the option to enforce quantum-resistant connections only.

What’s Next

Google sees this as a major step in modernizing TLS.

Future plans include:

• Improved automated certificate management (ACME)
• Better revocation systems to replace old CRLs
• Stronger domain validation methods
• Continuous external monitoring instead of yearly audits

Chrome aims to build a faster, simpler, and quantum-safe web while maintaining compatibility with today’s ecosystem.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Chrome Introduces Quantum-Safe HTTPS Protection appeared first on First Hackers News.

The vulnerability required no clicks, no extensions, and no user interaction. Simply visiting a malicious website could trigger the attack.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours.

How the Attack Worked

When a developer visited an attacker-controlled website, malicious JavaScript executed in the browser. That script initiated a WebSocket connection directly to the local OpenClaw gateway.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

Because the gateway exempted localhost connections from rate limiting, attackers could perform rapid brute-force password attempts — often hundreds per second — significantly increasing the likelihood of bypassing human-created passwords.

Once authentication was successful, the malicious script silently registered itself as a trusted device. This bypassed normal user confirmation prompts and granted persistent access.

From there, the attacker effectively controlled the AI agent and the connected environment.

What Attackers Could Do

With gateway-level access, attackers could:

• Send instructions to the AI agent and retrieve responses
• Access configuration data, including AI providers and integrations
• Enumerate connected nodes and internal IP addresses
• Read logs for operational and reconnaissance insights
• Search Slack or messaging history for API keys and credentials
• Extract sensitive files from the workstation
• Execute shell commands on connected systems

In practical terms, this equated to a full workstation compromise.

This incident highlights a growing cybersecurity concern: shadow AI. Developer-adopted AI tools often operate outside traditional IT visibility while maintaining deep access to local systems, credentials, APIs, and internal communications.

Earlier this year, OpenClaw’s ecosystem also faced issues with malicious community “skills” distributed through its marketplace. However, this newly discovered vulnerability was more severe because it resided in the core gateway architecture itself — not in third-party plugins.

The OpenClaw team classified the issue as High severity and released a fix within 24 hours. Users and organizations must immediately upgrade to version 2026.2.25 or later to mitigate risk.

Beyond patching, enterprises should implement stronger governance, monitoring, and security controls for AI-powered developer tools.

As AI agents gain deeper system access, their compromise no longer represents just an application breach — it represents full environment exposure.

The post OpenClaw Exploit Compromises Developer AI Agents appeared first on First Hackers News.