Attacks on Battlefield 6: Cryptocurrency Fraud and a New Direction in Cyber Warfare


We have compiled the most significant cybersecurity news from the past week.

Experts from Bitdefender Labs have uncovered extensive malicious campaigns leveraging the October release of the shooter Battlefield 6. The malware is distributed through fake software designed to install pirated versions of the game—“repacks” from popular groups.

The cybercriminals rely on social engineering, posing as well-known repack groups such as InsaneRamZes and RUNE to deliver infected installers bundled with stealers.

The malicious files lack the promised functionality and compromise the system immediately upon launch. The experts identified a suite of hacking tools:

Bitdefender researchers advised downloading software exclusively from official platforms like Steam or the EA App.

The Cyber Police of Ukraine reported that a fraud ring in Kyiv has been dismantled. The group defrauded EU citizens by offering fake cryptocurrency and stock investment opportunities.

More than 30 victims have been identified. During a special operation, the police carried out 21 searches and seized more than $1.4 million, over 5.8 million hryvnias, and 17,000 euros in cash.

According to operational data, the mastermind and two accomplices set up a call center in Kyiv with 20 workstations. The “VIP client managers” gave victims the false impression that their trades on global exchanges were succeeding. To do so, the criminals installed specialized software on the “clients'” computers via remote access.

After receiving cryptocurrency, the group members cashed it out using physical exchange points in Kyiv. They face potential sentences of up to 12 years in prison.

Experts from Kaspersky Lab discovered the Tsundere botnet, which infiltrates Windows devices masquerading as installers for popular games like Valorant, CS2, and R6x.

The malware uses Ethereum smart contracts for command and control, which makes the botnet more resilient: if one command server is blocked, the bots automatically switch to backup addresses recorded in advance on the blockchain.

To rotate servers, the operators send a 0 ETH transaction that writes a new address into a state variable of the contract. The bot queries a public Ethereum RPC endpoint, analyzes the transactions, and extracts the current command-server address.
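As an added illustration, not code from the Kaspersky report or from any real bot, the following Python sketch shows how an analyst can decode such state-variable updates from the transactions sent to a watched contract, so that every address the operators have published can be blocklisted. The function selector, contract address and transaction list are constructed placeholders.

```python
# Analyst-side decoder for a contract-hosted C2 address (hypothetical reconstruction).
# The page says a 0 ETH transaction writes the new server address into a contract state
# variable and the bot reads it back over public RPC. All values below are constructed.

SELECTOR = bytes.fromhex("deadbeef")  # assumed setter selector, placeholder
WATCHED = "0x000000000000000000000000000000000000c0de"  # placeholder contract

def abi_encode_string(selector: bytes, s: str) -> str:
    """Build calldata for f(string): selector | offset(0x20) | length | padded bytes."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    words = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded
    return "0x" + (selector + words).hex()

def decode_string_arg(calldata_hex: str) -> str:
    """Decode the single string argument from f(string) calldata."""
    raw = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    if len(raw) < 4 + 64:
        raise ValueError("calldata too short for f(string)")
    body = raw[4:]
    offset = int.from_bytes(body[:32], "big")
    length = int.from_bytes(body[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(body):
        raise ValueError("string length runs past calldata")
    return body[start:start + length].decode("utf-8")

def extract_c2_history(txs, contract: str, selector: bytes = SELECTOR):
    """Return [(block, address), ...] for every setter call to the watched contract."""
    history = []
    for tx in txs:  # fields follow the JSON-RPC eth_getTransactionByHash shape
        if tx["to"].lower() != contract.lower():
            continue
        if not tx["input"].lower().startswith("0x" + selector.hex()):
            continue
        try:  # skip calldata that is malformed or not valid UTF-8
            history.append((int(tx["blockNumber"], 16), decode_string_arg(tx["input"])))
        except (ValueError, UnicodeDecodeError):
            continue
    return sorted(history)  # last entry is the address a bot would use now

# Constructed sample: two updates to the watched contract plus an unrelated transaction.
SAMPLE_TXS = [
    {"to": WATCHED, "blockNumber": "0x10",
     "input": abi_encode_string(SELECTOR, "c2-one.example.invalid:443")},
    {"to": "0x000000000000000000000000000000000000beef", "blockNumber": "0x12",
     "input": abi_encode_string(SELECTOR, "other.example.invalid")},
    {"to": WATCHED, "blockNumber": "0x13",
     "input": abi_encode_string(SELECTOR, "c2-two.example.invalid:8443")},
]
```

In practice the transaction list would come from an archive node or block explorer API for the contract in question; the decoding is the same.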

The research revealed a link between Tsundere and a stealer distributed on hacker forums—123 Stealer. They share common infrastructure and are affiliated with a user known as koneko.

A new attack named JackFix utilizes fake adult websites and Windows update impersonation to widely deploy infostealers. This was reported by the Acronis Threat Research Unit.

The attackers distribute clones of popular platforms like Pornhub, which, when interacted with, display a full-screen window demanding the installation of “critical security updates for Windows.”

According to analysts, the attack is carried out within the victim’s browser via HTML and JavaScript, attempting to programmatically block exit keys from full-screen mode.

To evade security tools, the attackers use arrays of commands and files with a .odd extension to launch malicious processes stealthily through PowerShell.

The script then keeps pressuring the user with social-engineering prompts until it obtains administrative rights. Next, it adds antivirus exclusions and downloads the final payload from the attackers’ servers. The fake URLs are configured so that anyone opening them directly, such as a researcher, is redirected to legitimate Google or Steam resources.

Experts observed that a single successful infection leads to the download and execution of eight different malware families, including the latest versions of stealers and remote access trojans (RATs).

If a site has entered full-screen mode and blocked the interface, the Acronis Threat Research Unit recommends using the Esc or F11 keys to exit. If the problem persists, one should forcibly close the browser using Alt+F4 or the task manager (Ctrl+Shift+Esc).

Unofficial LLM models WormGPT 4 and KawaiiGPT are enhancing the capabilities of cybercriminals, according to specialists from Unit 42.

They note that the AI generates working malicious code, including ransomware scripts and scripts that automate lateral movement within corporate networks.

WormGPT 4 is a revival of a project that was shut down in 2023 but resurfaced in September 2025. The model is marketed as a version of ChatGPT specifically designed for illegal operations. The software is sold for $50 per month or $220 for lifetime access.

In an experiment, WormGPT 4 successfully generated ransomware for Windows that targets PDF files. The script also included an option to exfiltrate data over the Tor network, making it usable in real attacks.

Experts believe this model effectively crafts “convincing and intimidating” ransom notes mentioning “military-grade encryption” and doubling the ransom within 72 hours.

According to Unit 42, WormGPT 4 offers “credible linguistic manipulation tools” for compromising business correspondence and phishing attacks, making complex operations accessible even to novices.

Another software, KawaiiGPT 2.5, was discovered in July and is distributed for free. Researchers installed the model on Linux in about five minutes. This LLM generates realistic phishing emails and ready-to-execute scripts.

While KawaiiGPT has not created a fully-fledged “ransomware” like WormGPT 4, experts warned that its ability to generate scripts for remote command execution makes it a dangerous tool for data theft.

Researchers stated that both models have hundreds of followers in Telegram channels, where users share experiences and alternative techniques.

State-sponsored hacker groups have shifted from classical espionage to “cyber-enabled kinetic targeting” tactics to directly support military strikes. This was reported by Amazon Threat Intelligence (ATI) experts.

According to ATI, the group Imperial Kitten purportedly infiltrated navigation systems and cameras on unnamed vessels to gather precise coordinates of maritime targets. The acquired data allegedly enabled Houthi forces to carry out a targeted missile strike on a tracked ship on February 1, 2024.

ATI called for enhanced threat modeling to protect physical assets from such attacks. In ATI’s view, critical infrastructure operators must treat their systems as potential targeting tools for an adversary.