Cybersecurity Weekly: MassJacker Wallet Theft, AI-Powered Phishing, and More Shocking Events


We have gathered the most significant cybersecurity news from the past week.

CyberArk experts have identified the MassJacker malware campaign, which steals cryptocurrency by substituting wallet addresses in the victim’s clipboard. The attackers are associated with at least 778,531 addresses used to collect the stolen funds.

At the time of analysis most of these addresses were empty, but 423 wallets held a combined $95,300. Historical data suggests that larger transactions passed through them earlier.

There is also a single Solana wallet believed to serve as a central collection point. Since it was created, it has received incoming transactions exceeding $300,000.

MassJacker spreads through websites offering pirated and otherwise malicious software.

CyberArk suspects the malware is linked to a particular threat group because it uses the same file names and encryption keys.
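Clipboard substitution of the kind described above is detectable on the endpoint because the clipboard changes without the user copying anything. The following is an added example (not CyberArk’s code or anything from the report) of that detection logic run over a constructed event feed; it assumes a simple feed of ("user_copy", text) and ("clipboard_read", text) events that a clipboard monitor or wallet client could produce.

```python
import re

# Loose shape check for common address formats: BTC legacy (1.../3...),
# bech32 (bc1...) and EVM-style 0x hex. Tight enough to ignore ordinary text.
ADDRESS_RE = re.compile(
    r"^(?:bc1[ac-hj-np-z02-9]{25,60}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[0-9a-fA-F]{40})$"
)


def looks_like_address(text: str) -> bool:
    return bool(ADDRESS_RE.match(text.strip()))


def find_substitutions(events):
    """Flag every clipboard read whose address differs from what the user last copied.

    A clipper rewrites the clipboard without a user_copy event, so a read that
    disagrees with the last user_copy is the signal. The full string is compared:
    with a pool of hundreds of thousands of addresses an attacker can pick one whose
    first and last characters match the original, which is all most people check.
    """
    last_copied = None
    findings = []
    for idx, (kind, text) in enumerate(events):
        text = text.strip()
        if kind == "user_copy":
            last_copied = text
        elif kind == "clipboard_read" and looks_like_address(text):
            if last_copied is None:
                findings.append((idx, "address in clipboard with no user copy", text))
            elif text != last_copied:
                same_ends = text[:4] == last_copied[:4] and text[-4:] == last_copied[-4:]
                reason = ("substituted address (same first/last 4 chars)"
                          if same_ends else "substituted address")
                findings.append((idx, reason, text))
    return findings


# Constructed sample data: made-up EVM-style addresses, not real wallets. The
# swapped one shares its first and last characters with the genuine one.
GOOD = "0x1111AAAA" + "0" * 28 + "9999"
SWAPPED = "0x1111AAAA" + "f" * 28 + "9999"
SAMPLE_EVENTS = [
    ("clipboard_read", "meeting notes"),  # plain text, ignored
    ("user_copy", GOOD),                  # user copies the real payee address
    ("clipboard_read", GOOD),             # wallet reads it back unchanged
    ("clipboard_read", SWAPPED),          # no new copy, yet the content changed
]

if __name__ == "__main__":
    for idx, reason, addr in find_substitutions(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}: {addr}")
```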

Experts at Symantec used OpenAI’s AI agent Operator to orchestrate a phishing attack against one of their colleagues, giving it only the target’s job title as input.

This open-source tool managed to find the target’s name and email address, write a PowerShell script that collects system information from their computer, and send a convincing malicious email.

Meanwhile, researchers from Tenable used a jailbreak to get the DeepSeek chatbot to generate a keylogger and ransomware, and used the model’s chain-of-thought (CoT) reasoning to improve the results.

In both cases the generated code contained errors and needed manual fixes, but after those changes the malware’s functions worked.

The keylogger was capable of intercepting keystrokes, while the ransomware demonstrated a file encryption mechanism along with a dialog box notifying the victim of the attack.

Rostislav Panov, a Russian and Israeli citizen considered a key developer for the LockBit ransomware gang, was extradited to the US for a court hearing in his case. According to the Department of Justice, the accused allegedly earned $230,000 in cryptocurrency for his work between June 2022 and February 2024.

Panov was arrested in Israel in August 2024, and incriminating evidence was found on his laptop.

He admitted to performing coding, development, consultancy work, and technical leadership for the LockBit group.

In the US, more than a hundred employees of the government agency CISA were laid off as part of cuts carried out by DOGE, TechCrunch reported, citing those affected.

According to them, the cuts hit specialists in the Cyber Incident Response Team (CIRT), who were responsible for penetration testing and vulnerability management in government networks, as well as the “red team”, which simulates real attacks in order to prevent them. The layoffs were abrupt, with network access revoked without prior notice, the sources added.

A CISA representative stated in response to media inquiries that the “red team” remains operational and that the agency is “reviewing all contracts to align with the priorities of the new administration.”

Additionally, according to The Register, House Democrats demanded that 24 federal agencies examine whether the DOGE team is transmitting confidential government data to “unauthorized and unaccountable” AI services.

The authors of the letter expressed concern that the department’s layoffs were based on an analysis of projects and workforce composition performed with commercial AI tools whose security has not been verified.

Kaspersky Lab reported that the DCRat backdoor is being spread via YouTube. Attackers upload videos to fake or stolen accounts promoting cheats, cracks and gaming bots, with links that supposedly download them.

Instead of the promised software, a Trojan capable of downloading additional modules is installed on the user’s device. Its most dangerous functions include keylogging, webcam access, file download, and password exfiltration.

In 80% of cases the backdoor’s victims were Russian users; the campaign also affected residents of Belarus, Kazakhstan, and China.

CISA, the FBI, and MS-ISAC issued a joint statement warning about the threat from the Medusa ransomware, which, as of February 2025, has affected more than 300 organizations in critical infrastructure sectors in the US.

Those affected include organizations in healthcare, education, law, insurance, technology, and manufacturing. All companies in sensitive sectors are advised to implement protective measures to reduce the likelihood and impact of potential attacks.

The first signs of Medusa activity were observed back in January 2021.

According to law enforcement, the ransomware’s developers recruit brokers on darknet forums to obtain initial access to potential victims, offering partners rewards ranging from $100 to $1 million.

The Signal messenger has stopped responding to requests from Ukrainian law enforcement concerning Russian cyber threats, The Record reports, citing NSDC Deputy Secretary Sergey Demedyuk.

He stated that Signal remains one of the most popular messaging services on the Russian side for communication and for planning espionage and phishing operations.

The official suggested that the change in Signal’s policy could be linked to political instability in the US, but did not rule out renewed cooperation in the near future.

Signal representatives have not commented on the situation.

By early March, courts in the Kirov region had banned at least 33 sticker packs in the Telegram messenger at the request of the prosecutor’s office, “Vertka” reported.

According to the lawsuits, the agency’s inspection uncovered sticker packs containing “images of Nazi symbols and paraphernalia of banned extremist organizations.” The court decisions stated that the stickers “propagate extremism on social networks.”

The media found that most of the banned packs were dedicated to Adolf Hitler and related memes or featured swastikas in some form. One of the sticker packs included images of the flag and coat of arms of Ukraine.

Anton Gorelkin, Deputy Chair of the State Duma IT Committee, stated that a “serious precedent” had been set and recommended that the Telegram administration “consider implementing mechanisms for reporting illegal content in stickers and emojis” outside of court proceedings.

We close with the debate on which is safer: P2P services or exchanges.