Posts

Showing posts from 2025

The Hacker News - Incomplete Patch in NVIDIA Toolkit Leaves CVE-2024-0132 Open to Container Escapes

Cybersecurity researchers have detailed a case of an incomplete patch for a previously addressed security flaw impacting the NVIDIA Container Toolkit that, if successfully exploited, could put sensitive data at risk. The original vulnerability CVE-2024-0132 (CVSS score: 9.0) is a Time-of-Check Time-of-Use (TOCTOU) vulnerability that could lead to a container escape attack and allow for from The Hacker News https://thehackernews.com/2025/04/incomplete-patch-in-nvidia-toolkit.html

KnowBe4 - Russian Threat Actor Launches Spear-Phishing Campaign Against Ukrainians

The Russian threat actor Gamaredon is targeting Ukrainians with spear-phishing documents related to troop movements, according to researchers at Cisco Talos. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/russian-threat-actor-launches-spear-phishing-campaign-against-ukrainians

The Hacker News - Malicious npm Package Targets Atomic Wallet, Exodus Users by Swapping Crypto Addresses

Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries to execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack. The newly discovered package, named pdf-to-office, masquerades as a utility for converting PDF files to Microsoft Word documents. But, in from The Hacker News https://thehackernews.com/2025/04/malicious-npm-package-targets-atomic.html

Rapid 7 - Password Spray Attacks Taking Advantage of Lax MFA

In the first quarter of 2025, Rapid7’s Managed Threat Hunting team observed a significant volume of brute-force password attempts leveraging FastHTTP, a high-performance HTTP server and client library for Go, to automate unauthorized logins via HTTP requests. This rapid volume of credential spraying was primarily designed to discover and compromise accounts not properly secured by multi-factor authentication (MFA). Out of just over a million unauthorized login attempts we observed, the distribution of originating traffic sources is similar to that previously seen in January 2025. Some of the most prominent nations serving as points of origin for these attempts are as follows:
Brazil: 70%
Venezuela: 3%
Turkey: 3%
Russia: 2%
Argentina: 2%
Mexico: 2%
Analysis of attempted initial access via compromised or absent MFA revealed a significant success rate for defenders’ security controls. Overwhelmingly, 73% of attempts resulted in account lockouts, with an additional 26% fa...

The Hacker News - PlayPraetor Reloaded: CTM360 Uncovers a Play Masquerading Party

Overview of the PlayPraetor Masquerading Party Variants
CTM360 has now identified a much larger extent of the ongoing Play Praetor campaign. What started with 6000+ URLs of a very specific banking attack has now grown to 16,000+ with multiple variants. This research is ongoing, and much more is expected to be discovered in the coming days. As before, all the newly discovered play from The Hacker News https://thehackernews.com/2025/04/playpraetor-reloaded-ctm360-uncovers.html

The Hacker News - The Identities Behind AI Agents: A Deep Dive Into AI & NHI

AI agents have rapidly evolved from experimental technology to essential business tools. The OWASP framework explicitly recognizes that Non-Human Identities play a key role in agentic AI security. Their analysis highlights how these autonomous software entities can make decisions, chain complex actions together, and operate continuously without human intervention. They're no longer just tools, from The Hacker News https://thehackernews.com/2025/04/the-identities-behind-ai-agents-deep.html

The Hacker News - Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine

The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine with an aim to deliver an updated version of a known malware called GammaSteel. The group targeted the military mission of a Western country, per the Symantec Threat Hunter team, with first signs of the malicious activity detected on from The Hacker News https://thehackernews.com/2025/04/gamaredon-uses-infected-removable.html

The Hacker News - Europol Arrests Five SmokeLoader Clients Linked by Seized Database Evidence

Law enforcement authorities have announced that they tracked down the customers of the SmokeLoader malware and detained at least five individuals. "In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet, operated by the actor known as 'Superstar,' faced consequences such as arrests, house searches, arrest warrants or 'knock and talks,'" Europol said in a from The Hacker News https://thehackernews.com/2025/04/europol-arrests-five-smokeloader.html

KnowBe4 - The Real Deal: How Cybercriminals Exploit Legitimate Domains

When it comes to secure email gateways (SEGs), the narrative is quite simple. For years, organizations have relied on SEGs as the foundation of their email security. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/the-real-deal-how-cybercriminals-exploit-legitimate-domains

The Hacker News - New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner

A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB. "Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device," Kaspersky said in an from The Hacker News https://thehackernews.com/2025/04/new-tcesb-malware-found-in-active.html

The Hacker News - Explosive Growth of Non-Human Identities Creating Massive Security Blind Spots

GitGuardian's State of Secrets Sprawl report for 2025 reveals the alarming scale of secrets exposure in modern software environments. Driving this is the rapid growth of non-human identities (NHIs), which have been outnumbering human users for years. We need to get ahead of it and prepare security measures and governance for these machine identities as they continue to be deployed, creating an from The Hacker News https://thehackernews.com/2025/04/explosive-growth-of-non-human.html

Schneier - How to Leak to a Journalist

Neiman Lab has some good advice on how to leak a story to a journalist. from Schneier on Security https://www.schneier.com/blog/archives/2025/04/how-to-leak-to-a-journalist.html

The Hacker News - CISA Warns of CentreStack's Hard-Coded MachineKey Vulnerability Enabling RCE Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Gladinet CentreStack to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2025-30406 (CVSS score: 9.0), concerns a case of a hard-coded cryptographic key that could be abused to achieve remote from The Hacker News https://thehackernews.com/2025/04/cisa-warns-of-centrestacks-hard-coded.html

The Hacker News - Microsoft Patches 126 Flaws Including Actively Exploited Windows CLFS Vulnerability

Microsoft has released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild. Of the 126 vulnerabilities, 11 are rated Critical, 112 are rated Important, and two are rated Low in severity. Forty-nine of these vulnerabilities are classified as privilege escalation, 34 as remote code from The Hacker News https://thehackernews.com/2025/04/microsoft-patches-126-flaws-including.html

The Hacker News - Amazon EC2 SSM Agent Flaw Patched After Privilege Escalation via Path Traversal

Cybersecurity researchers have disclosed details of a now-patched security flaw in the Amazon EC2 Simple Systems Manager (SSM) Agent that, if successfully exploited, could permit an attacker to achieve privilege escalation and code execution. The vulnerability could permit an attacker to create directories in unintended locations on the filesystem, execute arbitrary scripts with root privileges, from The Hacker News https://thehackernews.com/2025/04/amazon-ec2-ssm-agent-flaw-patched-after.html

The Hacker News - Cryptocurrency Miner and Clipper Malware Spread via SourceForge Cracked Software Listings

Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware via SourceForge, a popular software hosting service, under the guise of cracked versions of legitimate applications like Microsoft Office. "One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a from The Hacker News https://thehackernews.com/2025/04/cryptocurrency-miner-and-clipper.html

Black Hills InfoSec - Offline Memory Forensics With Volatility

Volatility is a memory forensics tool that can pull SAM hashes from a vmem file. These hashes can be used to escalate from a local user or no user to a domain user leading to further compromise. The post Offline Memory Forensics With Volatility appeared first on Black Hills Information Security, Inc. from Black Hills Information Security, Inc. https://www.blackhillsinfosec.com/offline-memory-forensics-with-volatility/

Rapid 7 - 2025 Ransomware: Business as Usual, Business is Booming

Getting an edge on your adversaries involves understanding their behaviors and their mindset. Rapid7 Labs took a look at internal and publicly-available ransomware data for Q1 2025 and added our own insights to provide a picture of the year thus far—and what you can do now to reduce your attack surface against ransomware. The data highlights that businesses can’t afford to take their foot off the gas pedal when it comes to proactively tackling ransomware. Established threat actors and relative newcomers are taking an “if it ain’t broke, don’t fix it” approach, shunning unpredictability for proven revenue generation techniques. And, in almost all cases, the name of the game is data exfiltration and blackmail via leak site posts.
At a glance
The heavy hitters of the current ransomware landscape are a mixture of new and familiar faces, largely leaning into the affiliate model or announcing partnerships with well-known groups for a visibility boost. There were 80 active groups in Q1, 1...

Schneier - Arguing Against CALEA

At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought:
In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that must implement and protect it has changed radically. This has greatly expanded the “attack surface” that must be defended to prevent unauthorized wiretaps, especially at scale. The job of the illegal eavesdropper has gotten significantly easier, with many more options and opportunities for them to exploit. Compromising our telecommunications infrastructure is now little different from performing any other kind of computer intrusion or data breach, a well-known and endemic cybersecurity problem. To put it bluntly, something like Salt Typhoon was inevitable, and will likely happen again unless significant changes are made. ...

The Hacker News - UAC-0226 Deploys GIFTEDCROOK Stealer via Malicious Excel Files Targeting Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new set of cyber attacks targeting Ukrainian institutions with information-stealing malware. The activity is aimed at military formations, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine's eastern border, the agency said. The attacks involve distributing phishing emails from The Hacker News https://thehackernews.com/2025/04/uac-0226-deploys-giftedcrook-stealer.html

The Hacker News - CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation

A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog after reports emerged of active exploitation in the wild. The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. It has from The Hacker News https://thehackernews.com/2025/04/cisa-adds-crushftp-vulnerability-to-kev.html

The Hacker News - Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities

Google has shipped patches for 62 vulnerabilities, two of which it said have been exploited in the wild. The two high-severity vulnerabilities are listed below -
CVE-2024-53150 (CVSS score: 7.8) - An out-of-bounds flaw in the USB sub-component of Kernel that could result in information disclosure
CVE-2024-53197 (CVSS score: 7.8) - A privilege escalation flaw in the USB sub-component of Kernel from The Hacker News https://thehackernews.com/2025/04/google-releases-android-update-to-patch.html

Rapid 7 - Don’t Miss Out: What You Need to Know Before Take Command 2025

Take Command 2025 is just two days away, and there’s still time to secure your spot. Whether you’ve already registered or are building your agenda now, there’s plenty to look forward to — and it all starts this Wednesday, April 9. In the lead-up to the live summit, two new on-demand sessions are already available for viewing, giving you a head start on key themes like attacker behavior and regulatory change. And during the event itself, you’ll get an exclusive look at findings from Rapid7’s latest ransomware research — pulled directly from Q1 threat activity and shared publicly for the first time. This year’s event brings together top minds in cybersecurity for a full day of insights on exposure management, MDR, AI, threat intelligence, red teaming, and more. It’s practical, high-impact content designed for practitioners, team leaders, and CISOs alike.
Hear the Latest Findings First at Take Command
If you want a pulse check on what’s happening across the threat landscape, don’t m...

The Hacker News - ⚡ Weekly Recap: VPN Exploits, Oracle's Silent Breach, ClickFix Comeback and More

Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day. Hackers don’t need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough. This week, from The Hacker News https://thehackernews.com/2025/04/weekly-recap-vpn-exploits-oracles.html

The Hacker News - Security Theater: Vanity Metrics Keep You Busy - and Exposed

After more than 25 years of mitigating risks, ensuring compliance, and building robust security programs for Fortune 500 companies, I’ve learned that looking busy isn’t the same as being secure. It’s an easy trap for busy cybersecurity leaders to fall into. We rely on metrics that tell a story of the tremendous efforts we’re expending - how many vulnerabilities we patched, how fast we from The Hacker News https://thehackernews.com/2025/04/security-theater-vanity-metrics-keep.html

Schneier - DIRNSA Fired

In “Secrets and Lies” (2000), I wrote:
It is poor civic hygiene to install technologies that could someday facilitate a police state.
It’s something a bunch of us were saying at the time, in reference to the vast NSA’s surveillance capabilities. I have been thinking of that quote a lot as I read news stories of President Trump firing the Director of the National Security Agency, General Timothy Haugh. A couple of weeks ago, I wrote:
We don’t know what pressure the Trump administration is using to make intelligence services fall into line, but it isn’t crazy to worry that the NSA might again start monitoring domestic communications.
The NSA already spies on Americans in a variety of ways. But that’s always been a sideline to its main mission: spying on the rest of the world. Once Trump replaces Haugh with a loyalist, the NSA’s vast surveillance apparatus can be refocused domestically. Giving that agency all those powers in the 1990s, in the 2000s after the terrori...

The Hacker News - PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks

A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims' digital wallets. "Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack," Silent Push said in an from The Hacker News https://thehackernews.com/2025/04/poisonseed-exploits-crm-accounts-to.html

The Hacker News - Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws

A likely lone wolf actor behind the EncryptHub persona was acknowledged by Microsoft for discovering and reporting two security flaws in Windows last month, painting a picture of a "conflicted" individual straddling a legitimate career in cybersecurity and pursuing cybercrime. In a new extensive analysis published by Outpost24 KrakenLabs, the Swedish security company unmasked the up-and-coming from The Hacker News https://thehackernews.com/2025/04/microsoft-credits-encrypthub-hacker.html

The Hacker News - North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages

The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader. "These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation from The Hacker News https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html

KnowBe4 - Your KnowBe4 Fresh Content Updates from March 2025

Check out the 58 new pieces of training content added in March, alongside the always fresh content update highlights, new features and events. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/knowbe4-content-updates-march-2025

Rapid 7 - Metasploit Wrap-Up 04/04/2025

New RCEs
Metasploit added four new modules this week, including three that leverage vulnerabilities to obtain remote code execution (RCE). Among these three, two leverage deserialization, showing that the exploit primitive is still going strong. The Tomcat vulnerability in particular, CVE-2025-24813, garnered a lot of attention when it was disclosed; however, to function, the exploit requires specific conditions to be met, which may not be present in many environments.
AD CS / PKCS12 Improvements
With the popularity of exploiting AD CS misconfigurations over the past couple of years, Metasploit has been continuing to iterate over our support. This week saw two improvements; one added additional error handling, which notably calls out authorization errors more clearly to the user. These errors, now labeled no-access failures, are encountered when the user is successfully authenticated but lacks authorization privileges to enroll on either the certificate template or the certificate ...

Rapid 7 - Pentales: Red Team vs. N-Day (and How We Won)

During a recent Vector Command operation, I had the chance to sit down with one of our red teamers to hear firsthand how they identified and exploited an N-Day vulnerability in a customer’s environment. It’s a clear example of how continuous red teaming can uncover and validate real-world risks before attackers do. While the organization involved remains anonymous, the events described are real. This story reflects how our always-on testing approach closely mirrors the creativity and persistence of actual threat actors.
Initial Recon: Spotting an N-Day in the Wild
Vector Command engagements begin with one core question: If someone wanted to break in, where would they start? That’s the mindset our red team brings to every operation. A red team is a group of security professionals who simulate real-world adversaries. Their goal isn't to check boxes or run automated scans, but to think and act like attackers—uncovering weaknesses that traditional assessments often miss. They com...

The Hacker News - SpotBugs Access Token Theft Identified as Root Cause of GitHub Supply Chain Attack

The cascading supply chain attack that initially targeted Coinbase before becoming more widespread to single out users of the "tj-actions/changed-files" GitHub Action has been traced further back to the theft of a personal access token (PAT) related to SpotBugs. "The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for from The Hacker News https://thehackernews.com/2025/04/spotbugs-access-token-theft-identified.html

Schneier - Troy Hunt Gets Phished

In case you need proof that anyone, even people who do cybersecurity for a living, Troy Hunt has a long, iterative story on his webpage about how he got phished. Worth reading. from Schneier on Security https://www.schneier.com/blog/archives/2025/04/troy-hunt-gets-phished.html

The Hacker News - Have We Reached a Distroless Tipping Point?

There’s a virtuous cycle in technology that pushes the boundaries of what’s being built and how it’s being used. A new technology development emerges and captures the world's attention. People start experimenting and discover novel applications, use cases, and approaches to maximize the innovation's potential. These use cases generate significant value, fueling demand for the next iteration of from The Hacker News https://thehackernews.com/2025/04/have-we-reached-distroless-tipping-point.html

HACKMAGEDDON - 1-15 December 2024 Cyber Attacks Timeline

In the first timeline of December 2024, I collected 115 events (7.67 events/day) with a threat landscape dominated... from HACKMAGEDDON https://www.hackmageddon.com/2025/04/04/1-15-december-2024-cyber-attacks-timeline/

The Hacker News - Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware

Microsoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials. "These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection," Microsoft said in a report shared with The from The Hacker News https://thehackernews.com/2025/04/microsoft-warns-of-tax-themed-email.html

KnowBe4 - Phishing Attacks Lead to Theft in the Shipping Industry

Phishing attacks are driving a surge in “double brokering” scams in the shipping industry, according to Christian Reilly, Cloudflare’s Field CTO for EMEA. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/phishing-attacks-lead-to-theft-in-the-shipping-industry

KnowBe4 - Warning: QR Code Phishing (Quishing) Becoming Increasingly Stealthy

Attackers are using new tactics in QR code phishing (quishing) attacks, according to researchers at Palo Alto Networks’ Unit 42. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/warning-qr-code-phishing-is-evolving

KnowBe4 - Malicious Memes: How Cybercriminals Use Humor to Spread Malware

Internet memes and viral content have become a universal language of online culture. They're easily shareable, often humorous, and can spread rapidly across various platforms. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/malicious-memes-how-cybercriminals-use-humor-to-spread-malware

The Hacker News - Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware

The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems. The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by from The Hacker News https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html

The Hacker News - AI Threats Are Evolving Fast — Learn Practical Defense Tactics in this Expert Webinar

The rules have changed. Again. Artificial intelligence is bringing powerful new tools to businesses. But it's also giving cybercriminals smarter ways to attack. They’re moving quicker, targeting more precisely, and slipping past old defenses without being noticed. And here's the harsh truth: If your security strategy hasn’t evolved with AI in mind, you’re already behind. But you’re not alone—and from The Hacker News https://thehackernews.com/2025/04/ai-threats-are-evolving-fast-learn.html

The Hacker News - AI Adoption in the Enterprise: Breaking Through the Security and Compliance Gridlock

AI holds the promise to revolutionize all sectors of enterprise: from fraud detection and content personalization to customer service and security operations. Yet, despite its potential, implementation often stalls behind a wall of security, legal, and compliance hurdles. Imagine this all-too-familiar scenario: A CISO wants to deploy an AI-driven SOC to handle the overwhelming volume of security from The Hacker News https://thehackernews.com/2025/04/ai-adoption-in-enterprise-breaking.html

Schneier - Web 3.0 Requires Data Integrity

If you’ve ever taken a computer security class, you’ve probably learned about the three legs of computer security—confidentiality, integrity, and availability—known as the CIA triad. When we talk about a system being secure, that’s what we’re referring to. All are important, but to different degrees in different contexts. In a world populated by artificial intelligence (AI) systems and artificial intelligent agents, integrity will be paramount. What is data integrity? It’s ensuring that no one can modify data—that’s the security angle—but it’s much more than that. It encompasses accuracy, completeness, and quality of data—all over both time and space. It’s preventing accidental data loss; the “undo” button is a primitive integrity measure. It’s also making sure that data is accurate when it’s collected—that it comes from a trustworthy source, that nothing important is missing, and that it doesn’t change as it moves from format to format. The ability to restart your computer...

The Hacker News - Google Fixed Cloud Run Vulnerability Allowing Unauthorized Image Access via IAM Misuse

Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code. "The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact from The Hacker News https://thehackernews.com/2025/04/google-fixed-cloud-run-vulnerability.html

Black Hills InfoSec - Getting Started with AI Hacking: Part 1

You may have read some of our previous blog posts on Artificial Intelligence (AI). We discussed things like using PyRIT to help automate attacks. We also covered the dangers of […] The post Getting Started with AI Hacking: Part 1 appeared first on Black Hills Information Security, Inc. from Black Hills Information Security, Inc. https://www.blackhillsinfosec.com/getting-started-with-ai-hacking-part-1/

Rapid 7 - A Rebirth of a Cursed Existence? - The Babuk Locker 2.0

Co-authored by Yaniv Allender and Anna Sirokova
A Rebirth of a Cursed Existence? Examining ‘Babuk Locker 2.0’ Ransomware
Introduction
Ransomware remains a major threat, causing significant disruption and financial losses to organizations across various sectors. Cybercriminal groups behind these attacks constantly adapt their methods to maximize damage and profit. At Rapid7, we actively monitor new cyber threats, keeping an eye on ransomware groups and their changing tactics. In early 2025, we came across a channel promoting itself as Babuk Locker. Since the original group had shut down in 2021, we decided to investigate whether this was a rebrand or a new threat. Several underground forums and Telegram channels started mentioning ‘Babuk Locker 2.0,’ with some actors taking credit for recent attacks. Since Babuk’s leaked source code in 2021 had led to many spin-off ransomware strains, we wanted to find out whether this was a real comeback or just another group using Babuk’s name...