Bad actors that include nation-state groups to financially-motivated cybercriminals from across the globe are targeting the maximum-severity but easily exploitable React2Shell flaw, with threat researchers see everything from probes and backdoors to botnets and cryptominers.
The post Attackers Worldwide are Zeroing In on React2Shell Vulnerability appeared first on Security Boulevard.
In August 2020, Shahid Shushtari actors began a multi-faceted campaign targeting the US presidential election, combining computer intrusion activity with exaggerated claims of access to victim networks to enhance psychological effects. The US Treasury Department designated Shahid Shushtari and six employees on November 18, 2021, pursuant to Executive Order 13848 for attempting to influence the 2020 election.
Since 2023, Shahid Shushtari established fictitious hosting resellers named "Server-Speed" and "VPS-Agent" to provision operational server infrastructure while providing plausible deniability. These resellers procured server space from Europe-based providers including Lithuania's BAcloud and UK-based Stark Industries Solutions.
In July 2024, actors used VPS-Agent infrastructure to compromise a French commercial dynamic display provider, attempting to display photo montages denouncing Israeli athletes' participation in the 2024 Olympics. This cyberattack was coupled with disinformation including fake news articles and threat messages to Israeli athletes under the banner of a fake French far-right group.
Following the October 7, 2023, Hamas attack, Shahid Shushtari used cover personas including "Contact-HSTG" to contact family members of Israeli hostages, attempting to inflict psychological trauma. The group also undertook significant efforts to enumerate and obtain content from IP cameras in Israel, making images available via several servers.
Shahid Shushtari incorporated artificial intelligence into operations, including AI-generated news anchors in the "For-Humanity" operation that impacted a US-based Internet Protocol Television streaming company in December 2023. The group leverages AI services including Remini AI Photo Enhancer, Voicemod, Murf AI for voice modulation, and Appy Pie for image generation, a joint October advisory from the U.S. and Israeli agencies stated.
Since April 2024, the group used the online persona "Cyber Court" to promote activities of cover-hacktivist groups including "Makhlab al-Nasr," "NET Hunter," "Emirate Students Movement," and "Zeus is Talking," conducting malicious activity protesting the Israel-Hamas conflict.
FBI assessments indicate these hack-and-leak operations are intended to undermine public confidence in victim network security, embarrass companies and targeted countries through financial losses and reputational damage.
Anyone with information on Mohammad Bagher Shirinkar, Fatemeh Sedighian Kashi, or Shahid Shushtari should contact Rewards for Justice through its secure Tor-based tips-reporting channel.
AI vendor Anthropic says a China-backed threat group used the agentic capabilities in its Claude AI model to automate as much as 90% of the operations in a info-stealing campaign that presages how hackers will used increasingly sophisticated AI capabilities in future cyberattacks.
The post Anthropic Claude AI Used by Chinese-Back Hackers in Spy Campaign appeared first on Security Boulevard.
The AI executed thousands of requests per second.
That physically impossible attack tempo, sustained across multiple simultaneous intrusions targeting 30 global organizations, marks what Anthropic researchers now confirm as the first documented case of a large-scale cyberattack executed without substantial human intervention.
In the last two weeks of September, a Chinese state-sponsored group, now designated as GTG-1002 by Anthropic defenders, manipulated Claude Code to autonomously conduct reconnaissance, exploit vulnerabilities, harvest credentials, move laterally through networks, and exfiltrate sensitive data with human operators directing just 10 to 20% of tactical operations.
The campaign represents a fundamental shift in threat actor capabilities. Where previous AI-assisted attacks required humans directing operations step-by-step, this espionage operation demonstrated the AI autonomously discovering vulnerabilities in targets selected by human operators, successfully exploiting them in live operations, then performing wide-ranging post-exploitation activities including analysis, lateral movement, privilege escalation, data access, and exfiltration.
The threat actors bypassed Claude's extensive safety training through sophisticated social engineering. Operators claimed they represented legitimate cybersecurity firms conducting defensive penetration testing, convincing the AI model to engage in offensive operations under false pretenses.
The attackers developed a custom orchestration framework using Claude Code and the open-standard Model Context Protocol to decompose complex multi-stage attacks into discrete technical tasks. Each task appeared legitimate when evaluated in isolation, including vulnerability scanning, credential validation, data extraction, and lateral movement.
By presenting these operations as routine technical requests through carefully crafted prompts, the threat actor induced Claude to execute individual components of attack chains without access to broader malicious context. The sustained nature of the attack eventually triggered detection, but this role-playing technique allowed operations to proceed long enough to launch the full campaign.
Claude conducted nearly autonomous reconnaissance, using browser automation to systematically catalog target infrastructure, analyze authentication mechanisms, and identify potential vulnerabilities simultaneously across multiple targets. The AI maintained separate operational contexts for each active campaign independently.
[caption id="attachment_106770" align="aligncenter" width="600"] The lifecycle of the cyberattack. (Image source: Anthropic)[/caption]
In one validated successful compromise, Claude autonomously discovered internal services, mapped complete network topology across multiple IP ranges, and identified high-value systems including databases and workflow orchestration platforms. Similar autonomous enumeration occurred against other targets, with the AI independently cataloging hundreds of discovered services and endpoints.
Exploitation proceeded through automated testing with Claude independently generating attack payloads tailored to discovered vulnerabilities, executing testing through remote command interfaces, and analyzing responses to determine exploitability without human direction. Human operators maintained strategic oversight only at critical decision gates, including approving progression from reconnaissance to active exploitation and authorizing use of harvested credentials.
Upon receiving authorization, Claude executed systematic credential collection across targeted networks, querying internal services, extracting authentication certificates, and testing harvested credentials autonomously. The AI independently determined which credentials provided access to which services, mapping privilege levels and access boundaries.
Collection operations demonstrated the most extensive AI autonomy. Against one targeted technology company, Claude independently queried databases, extracted data, parsed results to identify proprietary information, and categorized findings by intelligence value without human analysis.
In documented database extraction operations spanning two to six hours, Claude authenticated with harvested credentials, mapped database structure, queried user account tables, extracted password hashes, identified high-privilege accounts, created persistent backdoor user accounts, downloaded complete results, parsed extracted data for intelligence value, and generated summary reports. Human operators reviewed findings and approved final exfiltration targets in just five to twenty minutes.
The operational infrastructure relied overwhelmingly on open-source penetration testing tools orchestrated through custom automation frameworks built around Model Context Protocol servers. Peak activity included thousands of requests representing sustained request rates of multiple operations per second, confirming AI actively analyzed stolen information rather than generating explanatory content for human review.
An important operational limitation emerged during investigation. Claude frequently overstated findings and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that did not work or identifying critical discoveries that proved to be publicly available information.
This AI hallucination in offensive security contexts required careful validation of all claimed results. Anthropic researchers assess this remains an obstacle to fully autonomous cyberattacks, though the limitation did not prevent the campaign from achieving multiple successful intrusions against major technology corporations, financial institutions, chemical manufacturing companies, and government agencies.
Upon detecting the activity, Anthropic immediately launched a ten-day investigation to map the operation's full extent. The company banned accounts as they were identified, notified affected entities, and coordinated with authorities.
Anthropic implemented multiple defensive enhancements including expanded detection capabilities, improved cyber-focused classifiers, prototyped proactive early detection systems for autonomous cyber attacks, and developed new techniques for investigating large-scale distributed cyber operations.
This represents a significant escalation from Anthropic's June 2025 "vibe hacking" findings where humans remained very much in the loop directing operations.
Anthropic said the cybersecurity community needs to assume a fundamental change has occurred. Security teams must experiment with applying AI for defense in areas including SOC automation, threat detection, vulnerability assessment, and incident response. The company notes that the same capabilities enabling these attacks make Claude crucial for cyber defense, with Anthropic's own Threat Intelligence team using Claude extensively to analyze enormous amounts of data generated during this investigation.
Cybercrime is now a global, professionalised industry. Learn how AI, ransomware, and organised groups are reshaping cybersecurity and business defence.
The post The Professionalised World of Cybercrime and the New Arms Race appeared first on Security Boulevard.
October 12 Telegram post by Cyber Toufan claiming Maya hack[/caption]
However, the group claims to have had access to Maya’s systems for more than a year.
“One and a half years after gaining full access to the network, we have explored every part of it and reached the QNAP archive,” claims a Cyber Toufan post reported by International Cyber Digest on X. “Through the systems, we have breached Elbit and Rafael's through then. Their phones, printers, routers and cameras as well. We have recorded your meetings with sound and video for over a year. This is just the beginning with Maya!”
Footage released by the group shows company employees allegedly working on several defense systems, including missile and drone systems, and the group also claims to possess technical drawings of sensitive parts like missile components.
Threat actors are working with organized crime groups to target freight operators and transportation companies, infiltrate their systems through RMM software, and steal cargo, which they then sell online or ship to Europe, according to Proofpoint researchers, who saw similar campaigns last year.
The post Hackers Targeting Freight Operators to Steal Cargo: Proofpoint appeared first on Security Boulevard.
The rapid rise of AI and automation has helped create a new breed of researcher — the bionic hacker. Think of a Steve Austen-type researcher, only instead of body parts replaced by machines, human creativity is being augmented by automation. These bionic hackers use “AI as a catalyst, accelerating recon, triage, scaling pattern recognition, and..
The post Bionic Hackbots Rise, Powerful Partners to Humans appeared first on Security Boulevard.
Login