Dozens of Ukrainian civilians filed a series of lawsuits in Texas this week, accusing some of the biggest US chip firms of negligently failing to track chips that evaded export curbs. Those chips were ultimately used to power Russian and Iranian weapon systems, causing wrongful deaths last year.
Their complaints alleged that for years, Texas Instruments (TI), AMD, and Intel have ignored public reporting, government warnings, and shareholder pressure to do more to track final destinations of chips and shut down shady distribution channels diverting chips to sanctioned actors in Russia and Iran.
Putting profits over human lives, tech firms continued using “high-risk” channels, Ukrainian civilians’ legal team alleged in a press statement, without ever strengthening controls.
I wrote a couple of weeks ago about my personal homebrew Steam Machine, a self-built desktop under my TV featuring an AMD Ryzen 7 8700G processor and a Radeon 780M integrated GPU. I wouldn’t recommend making your own version of this build, especially with RAM prices as they currently are, but there are all kinds of inexpensive mini PCs on Amazon with the same GPU, and they’ll all be pretty good at playing the kinds of games that already run well on the less-powerful Steam Deck.
But this kind of hardware is an imperfect proxy for the Steam Machine that Valve plans to launch sometime next year—that box will include a dedicated GPU with 8GB of dedicated video memory, presenting both benefits and possible pitfalls compared to a system with an integrated GPU.
As a last pre-Steam Machine follow-up to our coverage so far, we’ve run tests on several games we test regularly in our GPU reviews to get a sense of how current versions of SteamOS stack up to Windows running on the same hardware. What we’ve found so far is basically the inverse of what we found when comparing handhelds: Windows usually has an edge on SteamOS’s performance, and sometimes that gap is quite large. And SteamOS also exacerbates problems with 8GB GPUs, hitting apparent RAM limits in more games and at lower resolutions compared to Windows.
By Valve’s admission, its upcoming Steam Machine desktop isn’t swinging for the fences with its graphical performance. The specs promise decent 1080p-to-1440p performance in most games, with 4K occasionally reachable with assistance from FSR upscaling—about what you’d expect from a box with a modern midrange graphics card in it.
But there’s one spec that has caused some concern among Ars staffers and others with their eyes on the Steam Machine: The GPU comes with just 8GB of dedicated graphics RAM, an amount that is steadily becoming more of a bottleneck for midrange GPUs like AMD’s Radeon RX 7060 and 9060, or Nvidia’s GeForce RTX 4060 or 5060.
In our reviews of these GPUs, we’ve already run into some games where the RAM ceiling limits performance in Windows, especially at 1440p. But we’ve been doing more extensive testing of various GPUs with SteamOS, and we can confirm that in current betas, 8GB GPUs struggle even more on SteamOS than they do running the same games at the same settings in Windows 11.
Pat Gelsinger, the former Intel CEO who was pushed out in late 2024 during a five-year turnaround effort, told the Financial Times that the "decay" he found when he returned to the company in 2021 was "deeper and harder than I'd realized." In the five years before his return, "not a single product was delivered on schedule," he said. "Basic disciplines" had been lost. "It's like, wow, we don't know how to engineer anymore!"
Gelsinger was also unsparing about the Biden administration's implementation of the 2022 Chips Act, legislation he spent more time lobbying for than any other CEO. "Two and a half years later [and] no money is dispensed? I thought it was hideous!" There's what Gelsinger carefully calls "a touch of irony" in how things played out.
Intel's board forced him out four years into a five-year plan, then picked successor Lip-Bu Tan -- who Gelsinger says is following the same broad strategy. Tan has kept Intel in the manufacturing game and delivered the 18A process node within the five years Gelsinger originally promised. Asked what went wrong, Gelsinger conceded he was "very focused on managing 'down'" and should have managed "up" more. He also would have pushed harder for more semiconductor expertise on the board, he said.
It’s not a bad time to upgrade your gaming PC. Graphics card prices in the 2020s have undulated continuously as the industry has dealt with pandemic and AI-related shortages, but it’s actually possible to get respectable mainstream- to high-end GPUs like AMD’s Radeon RX 9060 XT and 9070 series or Nvidia’s RTX 5060, 5070, and 5080 series for at or slightly under their suggested retail prices right now. This was close to impossible through the spring and summer.
But it’s not a good time to build a new PC or swap your older motherboard out for a new one that needs DDR5 RAM. And the culprit is a shortage of RAM and flash memory chips that has suddenly sent SSD and (especially) memory prices into the stratosphere, caused primarily by the ongoing AI boom and exacerbated by panic-fueled buying by end users and device manufacturers.
To illustrate just how high things have jumped in a short amount of time, let’s compare some of the RAM and storage prices listed in our system guide from three months ago to the pricing for the exact same components today. Note that several of these are based on the last available price and are currently sold out; we also haven’t looked into things like microSD or microSD Express cards, which could also be affected.
Somebody forwarded an “invoice” email and asked me to check the attachment because it looked suspicious. Good instinct—it was, and what we found inside was a surprisingly old trick hiding a modern threat.
What it does
If the recipient had opened the attached Visual Basic Script (.vbs) file, it would have quietly installed a remote-access Trojan known as Backdoor.XWorm. Once active, it could have let attackers:
Steal files, passwords and other personal data
Record keystrokes
Spy on the user
Install other malware, including ransomware
Everything happens silently, with no alerts or windows. It’s built to avoid antivirus tools and hand over complete control of the PC.
“Hi,
Please find attached the list of invoices we have processed and payment has been made as of 8/1/2025 2:45:06 a.m.
Kindly review and confirm that these have been received on your end.
Additionally, we would appreciate it if you could send us an updated list of any outstanding or unpaid invoices for our records.
Looking forward to your response.
Best regards,
Account Officer”
The payload was identified by our research team as Backdoor.XWorm. XWorm is a known remote-access trojan (RAT) and backdoor used for spying, keylogging, stealing data, and even installing ransomware. It is sold as malware-as-a-service (MaaS), which means cybercriminals sell (or more often, rent) it to other criminals, who can then distribute and deploy it as they see fit while using the MaaS provider’s infrastructure to receive stolen data and maintain access through the backdoor.
Why this email was suspicious
The email itself had obvious warning signs: no names, just a generic “Hi” and a vague “Account Officer” signature. Real invoices or payment notices almost always include contact details, so this alone should raise suspicion.
That attachment immediately stood out because .vbs files are almost never used in business emails anymore. Visual Basic Script was a Windows automation tool from the late 1990s and 2000s—long since replaced by more versatile scripting languages like PowerShell.
Today, almost every company blocks .vbs attachments outright because they can execute code the moment you open them.
So when one still gets through, it usually means either a security filter failed or an attacker deliberately tried to bypass it. In 2025, receiving a .vbs “invoice” is like finding a floppy disk in your mailbox. It’s retro, suspicious, and definitely not something you should plug in.
How to stay safe
Double-check unexpected attachments: If you weren’t expecting it, confirm first using a known contact method, rather than by replying to the same email.
Don’t open executable files: Anything ending in .exe, .vbs, .bat, or .scr can run code. Legitimate businesses don’t send these by email.
Watch for red flags: Generic greetings, odd job titles, or hidden file types are giveaways. Turn on the option to show file extensions so you can spot fakes like invoice.pdf.vbs.
Keep your protection on and updated: Use an up-to-date real-time anti-malware solution preferably with a web protection module.
Technical analysis
I wanted to know exactly what that attachment did and how it worked. For our technical readers, here’s my deep dive down the wormhole.
The email
The message itself was straightforward—a short “invoice” note with a polite request to confirm payment and a .vbs attachment named INV-20192,INV-20197.vbs. Nothing about the text was overtly malicious, but the presence of a Visual Basic Script attachment immediately stood out.
.vbs files are rarely, if ever, used in legitimate business correspondence anymore. Because they can execute code directly, most mail gateways block them outright. Seeing one arrive intact suggested either a configuration oversight or a deliberate attempt to bypass filtering.
That alone made the sample worth a closer look.
Delivery
Using an Excel file with a malicious VBA macro often makes more sense from a criminal’s perspective than sending a plain .vbs attachment. Excel files are common in business environments and can appear legitimate, making them less likely to raise suspicion than a raw script. Attackers also benefit because macro-enabled Office documents remain a frequent delivery mechanism. Many users and organisations still interact with these files and can be tricked into enabling macros for what seem like “legitimate” reasons.
Microsoft has made macros harder to execute by default, so some threat actors have shifted tactics. Macros still work where social engineering succeeds, but attackers increasingly experiment with other vectors when they can’t rely on macros.
Compared with an Excel document, a .vbs attachment immediately stands out as unusual in modern business email and is often blocked by gateway rules. In this case, the sender may also have been counting on hidden file extensions (invoice.pdf.vbs) to make the file look like a harmless invoice; a small deception that still fools busy users.
Although .vbs is largely obsolete, it’s not harmless. Visual Basic Script can run arbitrary commands on Windows and can download or create additional malicious files. It’s crude, but it still works if it gets past filters or lands with an unaware user.
I expected the code to be less-than-sophisticated, but only the first level was.
The .vbs dropped IrisBud.bat into %TEMP% (C:\Windows\Temp\IrisBud.bat) and invoked it via WMI. The .bat restarted itself in a way so it ran invisibly. The batch then copied itself to the user profile as aoc.bat and contained heavy obfuscation. Its end goal was to run a PowerShell loader that read encoded strings from aoc.bat and turn them into the real payload.
Our team identified that payload as Backdoor.XWorm—a remote-access trojan (RAT) sold as malware-as-a-service. If executed, it would give attackers stealthy access to the machine: steal files and credentials, record keystrokes, install more malware, or deploy ransomware.
The whole chain runs quietly and is designed to avoid detection. Simply opening the attachment would have put the user’s data at serious risk. If you have found Backdoor.XWorm on your machine, we advise you to follow the remediation and aftermath sections of this detection profile.
VBS
The .vbs file at first sight looked like alphabet soup, but the last line (of 429) provided the plan. I commented out that last line so INV-20192,INV-20197.vbs would create IrisBud.bat but not execute it.
A piece of the code inside the vbs file with the last line commented out
BAT
However, my hopes of the batch file being easier to read were quickly run into the ground. Most of the batch file consisted of simple WriteLine commands which wrote almost everything ad verbatim into IrisBud.bat.
But if you look closely you see a lot of repeated variables like %gkgqglgzhphupcp% in the first line and %viqfvdhc% in line 30. I determined that these variables were not assigned a value and only there for “padding.” Padding is a technique used by malware authors to make their malicious programs harder to detect or analyze.
Imagine you have a box with secret contents that you don’t want anyone to find easily. To hide what’s really inside, you fill the box with a lot of extra, useless material—like packing peanuts, shredded paper, or just empty space—so it’s difficult for someone to see or measure what’s actually important in the box.
So, my first move was to get rid of all the padding. Although not perfect, that cleared some things up.
Partly deobfuscated bat file
The line if not DEFINED Abc1 (set Abc1=1 & cmd /c start "" /min "%~dpnx0" %* & exit) is a classic malware technique to hide execution from the user while keeping the script running in the background. Let’s look at it step by step:
if not DEFINED Abc1 — Checks if the variable Abc1 doesn’t exist yet.
set Abc1=1 — Sets the variable to 1 (which marks that this check has been done).
start "" /min starts a program minimized (invisible to the user)
"%~dpnx0" is the full path to the current batch file itself
%* passes along any command-line arguments
exit — Exits the current (visible) instance
So, in other words the first time it runs:
It restarts itself in a minimized/hidden window.
The original visible instance exits immediately.
The new hidden instance continues running with Abc1=1 set, so it won’t trigger this restart loop again.
And this line: copy "%sourceFile%" "%userprofile%\aoc.bat" >nul is where the bat file copies itself to the user’s profile directory.
Breaking it down:
%sourceFile% — The source (set earlier to the current batch file’s full path).
%userprofile%\aoc.bat — The destination: the user’s profile directory (typically C:\Users\[username]\) with the new name aoc.bat.
>nul — Suppresses output (hides the “1 file(s) copied” message).
The setlocal enabledelayedexpansion is needed because exclamation marks (!) around variables are used for delayed variable expansion, which allows the batch script to update and use the value of variables dynamically within loops or code blocks where normal percent expansion wouldn’t work. This requires delayed expansion to be enabled which is done with the command setlocal enabledelayedexpansion.
From the next lines I can tell that the !xmgotoyfycqitjc! which we see can be replaced by the set command.
Because it is defined by:
set "xmgotoyfycqitjc=!ejlhixzkmttzgho!e!ugcqubmykdxgowp!" where earlier we saw: set "ejlhixzkmttzgho=s" set "ugcqubmykdxgowp=t" Together this makes xmgotoyfycqitjc = s + e + t so my next step was to replace all those instances. And with that we made a good start at mapping out all the variables that were not intended as padding.
Of specific interest in this case was one particular line (414) where all the mapped variables came together.
Last piece of the partly deobfuscated bat file
The only two other lines that stood out were two lines that begin with :: and contain a very long string. While these superficially appear to be ordinary batch comments, they actually hide encrypted payload data (lines 41 and 69 are the hidden payload).
We’ll get to those later on.
First, we need to construct line 414 into something readable.
After replacing all the defined variables, line 414 turned into this:
The replace command showed me that I had to remove even more padding—this time from the encoded PowerShell script which was padded with the hkfdo string.
PowerShell
After I did that and decoded the base64 string, this was the PowerShell script:
The resulting PowerShell script
What this PowerShell script does explains why the two long lines I referred to earlier are needed:
First part: the script looks for the hidden payload in aoc.bat (the copy it created). The script reads aoc.bat line by line, looking for lines that start with ::: (three colons). If it finds one, it treats everything after the colons as Base64-encoded data, decodes it, and runs it as PowerShell code. This is a way to hide malicious commands inside what looks like a batch file comment.
Second part: creates the main malicious payload. The big block (starting with $weiamnightfo) does several things:
Reads encrypted data from aoc.bat: It looks for a line starting with :: (two colons) in the batch file, which contains encrypted and compressed malware.
Decrypts the data: It uses AES encryption (with a hardcoded key and Initialization Vector (IV)) to decrypt the payload. Think of this like unlocking a safe with a specific combination.
Decompresses it: After decryption, it unzips the data using GZip compression. The malware was squeezed down to make it smaller and harder to detect.
Loads and runs the malware: The decrypted/decompressed data turns out to be two executable files. The script loads these files directly into memory and runs them without ever saving them to disk. This is called a “fileless attack” and helps avoid anti-malware detection.
By loading and running these malicious programs directly in memory, the attack avoids dropping visible files on disk, making it much harder for anti-malware solutions to spot or capture the real threat.
Payload
To extract the payload safely I wrote a Python script to reproduce steps 1–3 without executing the code in memory. That produced two executable samples which I ran in an isolated sandbox.
The sandbox revealed a mutex 5wyy00gGpG6LF3m6 which pointed to the XWorm family. “Mutex” stands for mutual exclusion, which is a special marker that a running program creates on a Windows computer to make sure only one copy of the process is running at once. Malware authors bake them into their code and security analysts catalog them, much like a “fingerprint.” So when our researchers see one of the known mutex names, they can easily classify the malware and move on to the next sample.
Indicators of Compromise (IOCs)
INV- 20192,INV-20197.vbs (email attachment) IrisBud.bat (in %temp% folder) aoc.bat (In %user% folder) SHA256: 0861f20e889f36eb529068179908c26879225bf9e3068189389b76c76820e74e ( for Backdoor.XWorm)
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Intel is suing a former employee who the chipmaker claims downloaded almost 18,000 corporate files days before leaving the company. The software engineer was told he was being let go effective July 31, likely part of Intel's larger effort to shed 15% of its workforce.
This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured it was worth writing up—precisely because it’s so easy to follow what they’re up to.
The email is direct and to the point. Not a lot of social engineering happening here.
“Dear ,
Pls kindly find the attached PO please send us PI once its available.”
The sender’s address belongs to a Czechoslovakian printing service (likely compromised), and the name and phone number are fake. The target is in Taiwan.
The attached .shtml file is a tidy fake login screen that doesn’t really specify which credentials they want:
The pre-filled email address in the screenshot is a fake one I added; normally it would be the target’s email.
We assume the phisher welcomes any credentials entered here, and are counting on the fact that most people reuse passwords on other sites.
Under the hood, the functionality of this attachment lies in this piece of JavaScript.
It starts with simple checks to make sure all the fields are filled out and long enough before declaring the Telegram bot that will receive the login details.
Using Telegram bots provides the phishers with several advantages:
Stolen credentials are delivered instantly to the attacker via Telegram notifications. No need for the phisher to keep checking a database or inbox.
Telegram is a legitimate, globally distributed messaging service, making it difficult to block.
There’s no exposed web server or obvious phishing “drop site” that can be blocklisted or shut down.
This tries to open a file on the user’s computer after waiting 2 seconds (2,000 milliseconds). Since this file almost certainly doesn’t exist, the browser will either block the action (especially from an email or non-local file) or show an error. Either way, it will make the login attempt look more legitimate and take the user’s mind off the fact that they just sent their credentials who knows where.
That’s really all there is to it, except for a bit of code that the dungeon-dweller forgot to remove during their copy-and-paste coding. Or they had no idea what it was for and left it in place for fear of breaking something.
I suspect the attacker originally used this code to encrypt the credentials with a hardcoded AES (Advanced Encryption Standard) key and injection vector, then send them to their server.
This attacker replaced that method with the simpler Telegram bot approach (much easier to use), but left the decryption stub because they were afraid removing it would break something.
Don’t fall for phishing attempts
Even though the sophistication level of this email was low, that does not reduce the possible impact of sending the attacker your credentials.
In phishing attempts like these, two simple rules can save you from lots of trouble.
Don’t open unsolicited attachments
Check if the website address in the browser matches the domain you expect to be on (e.g. adobe.com).
Other important tips to stay safe from phishing in general:
Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
Check through an independent channel if the sender actually sent you an attachment or a link.
Use multi-factor authentication for every account you can.
Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.
If you already entered credentials on a page you don’t trust, change your passwords immediately.
Pro tip: You can also upload screenshots of suspicious emails to Malwarebytes Scam Guard. It would have recognized this one as a phishing attempt.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Now that ARM’s memory tagging, used extensively by Android ROMs such as GrapheneOS and now also by Apple, is becoming the new norm to aid in improving memory safety, the x86 world can’t sit idly by. As such, Intel and AMD have announced a ChkTag, x86’s version of memory tagging.
ChkTag is a set of new and enhanced x86 instructions to detect memory safety violations, such as buffer overflows and misuses of freed memory (use-after-free). ChkTag is designed to be suitable for hardening applications, operating system kernels, hypervisors for virtualization, and UEFI firmware. ChkTag places control in the software developers’ hands to balance their security needs with operational elements that often become prominent when deploying code. For example, ChkTag provides instruction-granular control over which memory accesses are checked. Compilers can offer optimizations and new language features or intrinsics. ChkTag prepares x86 for a future with increasing amounts of code written in memory-safe languages running alongside code in other languages. Furthermore, ChkTag loads tags from linear/virtual memory that can often be committed on demand.
It’s important to note that ChkTag – why not just call it CheckTag – isn’t ready yet, nor is there any indication when it will be included in any processors from Intel and AMD. The goal is to catch certain memory safety problems in hardware. According to Intel and AMD’s shared announcement, developers will have fine-grained control over the feature, allowing them to tap into the functionality in whatever way they deem necessary or valuable for their software in specific circumstances.
My fear is that Intel and AMD will use this feature as a product differentiator, restricting it to either more expensive processors or to Xeon/Threadripper processors, thereby fracturing the market. This would inevitably lead to spotty support for the feature across the x86 landscape, meaning most ordinary consumer won’t benefit from it at all.
We received a timely phishing email pretending to come from Home Depot. It claimed we’d won a Gorilla Carts dump cart (that’s a sort of four-wheeled wheelbarrow for anyone unfamiliar)—and said it was just one click away.
It wasn’t.
The whole image in the email was clickable, and it hid plenty of surprises underneath.
Sender:
The sender email’s domain (yula[.]org) is related neither to Home Depot nor the recipient.
The yula[.]org domain belongs to a Los Angeles high school. The email address or server may be compromised. We have notified them of the incident.
Hidden characters:
Below the main image, we found a block filled with unnecessary Unicode whitespace and control characters (like =E2=80=8C, =C3=82), likely trying to obfuscate its actual content and evade spam filters. The use of zero-width and control Unicode characters is designed to break up strings to confound automated phishing or spam filters, while being invisible to human readers.
Reusing legitimate content:
Below the image we found an order confirmation that appears to be a legitimate transactional message for trading-card storage boxes.
The message seems to be lifted from a chain (there’s a reply asking “When is the expected date of arrival?”), and includes an embedded, very old order confirmation (from 2017) from sales@bcwsupplies[.]com—a real vendor for card supplies.
So, the phisher is reusing benign, historic content (likely harvested from somewhere) to lend legitimacy to the email and to help it sneak past email filters. Many spam and phishing filters (both gateway and client-side) give higher trust scores to emails that look like they’re part of an existing, valid conversation thread or an ongoing business relationship. This is because genuine reply chains are rarely spam or phishing.
Tracking pixel:
We also found a one-pixel image in the mail—likely used to track which emails would be opened. They are almost invisible to the human eye and serve no purpose except to confirm the email was opened and viewed, alerting the attacker that their message landed in a real inbox.
The address of that image was in the subdomain JYEUPPYOXOJNLZRWMXQPCSZWQUFK.soundestlink[.]com. The domain soundestlink[.]com is used by the Omnisend/Soundest email marketing infrastructure for tracking email link clicks, opens, and managing things like “unsubscribe” links. In other words, when someone uses Omnisend to send a campaign, embedded links and tracking pixels in the email often go through this domain so that activity can be logged (clicks, opens, etc.).
Following the trail
That’s a lot of background, so let’s get to the main attraction: the clickable image.
The link leads to https://www.streetsofgold[.]co.uk/wp-content/uploads/2025/05/bluestarguide.html and contains a unique identifier. In many phishing campaigns, each recipient gets a unique tracking token in the URL, so attackers know exactly whose link was clicked and when. This helps them track engagement, validate their target list, and potentially personalize follow-ups or sell ‘confirmed-open’ addresses.
The streetsofgold[.]co.uk WordPress instance hasn’t been updated since 2023 and is highly likely compromised. The HTML file on that site redirects visitors to bluestarguide[.]com, which immediately forwards to outsourcedserver[.]com, adding more tracking parameters. It took a bit of tinkering and a VPN (set to Los Angeles) to follow the chain of redirects, but I finally ended up at the landing page.
Of course, urgency was applied so visitors don’t take the time to think things through. The site said the offer was only valid for a few more minutes. The “one-click” promise quickly turned into a survey—answering basic questions about my age and gender, I was finally allowed to “order” my free Gorilla Cart.
The fake reward
But no surprise here, now they wanted shipping details.
Wait… what? A small processing fee?!
This is as far as I got. After filling out the details, I kept getting this error.
“Something went wrong with the request, Please try again.”
The backend showed that the submitted data was handled locally at /prize/ajax.php?method=new_prospect on prizewheelhub[.]com with no apparent forwarding address. Likely, after “collecting” the personal info, the backend:
stores it for later use in phishing or identity theft,
possibly emails it to a criminal/“affiliate” scammer, and/or
asks for credit card or payment details in a follow-up.
We’re guessing all of the above.
Tips to stay safe
This campaign demonstrates that phishing is often an adaptive, multi-stage process, combining technical and psychological tricks. The best defense is a mix of technical protection and human vigilance.
The best way to stay safe is to be aware of these scams, and look out for red flags:
Don’t click on links in unsolicited emails.
Always check the sender’s address against the legitimate one you would expect.
Double-check the website’s address before entering any information.
You get a message from a Discord friend. Or maybe an unknown indie developer reaches out to you. “Can you test my game?” they ask.
The webpage they send over a link to looks legit: screenshots, dev blurb, itch.io-style layout, and the download button is right there, waiting to be clicked.
The problem is these lookalike pages don’t give you the real game. Instead they drop a stealthy loader that quietly prepares your PC for follow-up malware.
One lure we’ve seen impersonates the popular 2D platformer Archimoulin (the real game can be found here: nicolasduboc.itch.io/archimoulin).
How they spread it – social engineering 101
This scam nails two things gamers trust: friends and downloads.
A trusted delivery channel. The lure often arrives in a DM from someone in your friends list—usually because the attacker used a compromised account. People are far more likely to click links from friends.
Familiar hosting and UI. The impersonators use Blogspot subdomains or cloud links and fake itch-style pages so the site looks legitimate. Sometimes downloads are served via Dropbox or similar service people trust.
A convincing sign-in page. Some variants present a fake Discord sign-in page first to harvest credentials. This hands the attacker control of your account, which they can use to spread the link to your contacts.
Reddit threads from victims show this pattern again and again: an innocuous “test my game” DM, a convincing page, then account takeover and mass-messaging to the victim’s friends.
What actually happens when you click?
Here’s what the user sees, and what the stealth loader is really doing:
Double-click the downloaded Setup Game.exe and… nothing obvious happens. No installer UI, no progress bar. (That’s deliberate – the attacker wants the install to happen without alarming you.)
The executable spawns PowerShell with a long, encoded command. (Attackers hide commands in encoded strings so the malicious script isn’t obvious at first glance.)
The command decodes another script and runs it directly in memory. (Running in memory means the malware doesn’t leave a neat file on disk for antivirus to find, so it’s harder to detect.)
That inner script hides the PowerShell window using a tiny .NET trick, so there’s no black console popping up to make you suspicious. (With no visible window there’s nothing to make you stop and ask what’s running.)
The code tries to relaunch itself with admin rights (runAs) and compiles a small helper on the fly using csc.exe. (You’ll see temp folders and RES*.tmp files while it runs.)
It unpacks a Node.js runtime and native modules into your user cache (C:\Users\<you>\.cache\pkg\...). (The malware is giving itself a toolkit, making it more flexible in what it can do next.)
The installer even runs taskkill to force-close major browsers (Chrome, Brave, Firefox, Edge, and Opera). (That stops you from immediately googling what’s happening and then stopping the install.)
In our sandbox run it didn’t phone home right away; instead it performed checks (net session, registry queries, BIOS/network checks) to confirm it’s on a “real” machine, then waits for the right moment to download the main payload. (Malware often avoids sandboxes, looking for signs it’s on a real user’s computer before unleashing the main payload.)
Bottom line: The Setup Game.exe is a stager/loader – quiet on purpose, ready to pull down follow-up malware (backdoors, keyloggers, coinminers, or worse) when conditions match what the attacker wants.
What to watch out for
Unexpected DM with a download link: If you get a messageoffering an indie game you didn’t expect, verify it with the sender on another channel first.
No installer UI but strange behavior after running: If there’s no installer window or progress bar, but your browsers crash or you see temporary compile folders appear, that’s a red flag.
Unexpected folders appear: Look for new folders you didn’t create, like C:\Users\<you>\.cache\pkg\… or %TEMP%\xlfvhkx3\… especially if you haven’t installed developer tools.
PowerShell showing -EncodedCommand: Check running processes logs for signs a hidden script is running.
What to do if you already ran it
Act quickly and use a different, clean device for the first steps.
From another device, change your passwords (Discord, email, Steam) and enable 2FA.
Log out all sessions and revoke authorised apps/tokens.
Disconnect the infected PC and run a full Malwarebytes scan.
Remove obvious new files/folders (e.g., C:\Users\<you>\.cache\pkg\…, %TEMP%\xlfvhkx3\…).
Tell your friends not to click links from your account and report the pages to the host (Blogger/Dropbox) and your platform (Discord/Steam).
If you see signs of deeper compromise, back up essentials and do a clean reinstall or get professional help.
Final note—indie communities are built on trust
Archimoulin is an indie game; the fake pages are not. Scammers are exploiting the goodwill between players and creators. That’s the worst bit of all: it weaponizes the community itself.
A quick sanity check—to pause, verify the URL, and ask the sender via another app—is all it takes to avoid the hassle of cleaning up a compromised PC (or losing your account and friends). Share this with your clan: one click is all it takes for an attacker to turn a fun, indie moment into a mess.
Indicators of compromise (IOCs)
cakewind[.]blogspot.com
carnagev1[.]blogspot.com
kelarigame[.]blogspot.com
klorigame[.]blogspot.com
meraliagame[.]blogspot.com
ravielchy[.]blogspot.com
ravielchygame[.]blogspot.com
tamunagame[.]blogspot.com
veriliagame[.]blogspot.com
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
We’ve written in the past about cybercriminals using SVG files for phishing and for clickjack campaigns. We found a new, rather sophisticated example of an SVG involved in phishing.
For readers that missed the earlier posts, SVG files are not always simply image files. Because they are written in XML (eXtensible Markup Language), they can contain HTML and JavaScript code, which cybercriminals can exploit for malicious purposes.
Another advantage for phishers is that, on a Windows computer, SVG files get opened by Microsoft Edge, regardless of what your default browser is. Since most people prefer to use a different browser, such as Chrome, Edge can often be overlooked when it comes to adding protection like ad-blockers and web filters.
The malicious SVG we’ve found uses a rather unusual method to send targets to a phishing site.
Inside RECElPT.SVG we found a script containing a lot of food/recipe-related names (“menuIngredients”, “bakingRound”, “saladBowl”, etc.), which are all simply creative disguises for obfuscating the code’s malicious intentions.
This is the part of the code where the phishers hid a redirect:
Upon close inspection, the illusion of an edible recipe quickly disappears. 141 cups of eggs, anyone?
But picking the code apart, we noticed that the decoder works like this:
Search for data-ingredients=”…” in the given text.
Split the string inside the attribute by commas to get a list. E.g., 219cups_flour, 205tbsp_eggs,…
For each element, extract the leading numeric value (e.g., 219 from 219cups_flour).
Subtract 100 from this value.
If the result is an ASCII printable character (ranging from 32–126), then convert it to the character with that number.
Join all characters together to form the final decoded string.
Using this method we arrived at window.location.replace("https://outuer.devconptytld[.]com.au/");
window.location.replace is a JavaScript method that replaces the current resource with the one at the provided URL. In other words, it redirects the target to that location if they open the SVG file.
When redirected, the user will see this prompt, which is basically intended to hide the real location of the server behind Cloudflare services, but also provides some sense of legitimacy for the visitor.
It doesn’t matter what the user does here, they will get forwarded again with the code passing the e parameter (the target’s email address) on to the next destination.
But this is where our adventure ended. For us, the next site was an empty one.
We couldn’t determine what conditions had to be met to get to the next stage of the phishing expedition. But it is highly likely it will display a fake login form (almost certainly Microsoft 365- or Outlook-themed), to capture the target’s username and password.
Microsoft flagged a similar campaign which was clearly obfuscated with AI assistance and appeared even more legitimate at first glance.
Some remarks we want to share about this campaign:
We found several versions of the SVG file dating back to August 26, 2025.
The attacks are very targeted with the target’s email address embedded in the SVG file.
The phishing domain could be a typosquat for the legitimate devconptyltd.com.au, so it could mean the targets were doing business with Devcon Pty Ltd who owns that domain. This is a tactic we often see in Business Email Compromise (BEC) attacks.
We found several subdomains of devconptytld[.]com.au associated with this campaign. The domain’s TLS certificate dates back to August 24, 2025 and is valid for 3 months.
How to stay safe from SVG phishing attacks
SVG files are an uncommon attachment to receive, so it’s good to keep in mind that:
They are not always “just” image files.
Several phishing and malware campaigns use SVG files, so they deserve the same treatment as any other attachment: don’t open until the trusted sender confirms sending you one.
Always check the address of a website asking for credentials. Or use a password manager, they will not auto-fill your details on a fake website.
Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.
Use an email security solution that can detect and quarantine suspicious attachments.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
In the ever-evolving landscape of cyber threat actors, the lines between ideologically driven hacktivism and financially motivated cybercriminals have become increasingly blurred. Originally fueled by political, social, or ethical causes, hacktivist groups have historically engaged in digital protest through website defacements, data leaks, and distributed denial of service (DDoS) attacks.
However, in recent years, a noticeable trend has emerged. Some hacktivist groups are evolving into ransomware operations and even becoming ransomware affiliates. This transformation is driven by a mix of ideological fatigue, opportunity for financial gain, access to sophisticated tools, and the growing profitability of extortion-based attacks. The result is a new hybrid threat actor—one that merges the disruptive zeal of hacktivism with the ruthless efficiency of cybercrime.
Understanding this shift is crucial for defenders, as it represents a convergence of motives that complicates attribution, response, and mitigation strategies. To this end, we have examined three prominent examples of relevant threat actors, namely FunkSec, KillSec, and GhostSec, identifying the drivers behind their transition to financially motivated campaigns and exploring the shift in their modus operandi.
Threat actor analysis
FunkSec
The FunkSec ransomware group emerged within the cybercrime ecosystem as a rising star in December 2024. The ransomware-as-a-service (RaaS) group has claimed at least 172 victims to date. The group proudly promotes itself as an AI-driven ransomware group, with their encryptor, FunkLocker, and some of the malware’s source code allegedly generated using generative AI tools.
The group targets organizations from various sectors and regions, such as government, education, automotive, energy, IT, and manufacturing, located in countries like the United States, Israel, France, Italy, Germany, India, and Australia.
FunkSec started as a politically motivated hacking (hacktivist) group, specifically interested in targeting the United States (Figure 1). The group was known to be aligned with the “Free Palestine” movement (Figure 2), and associated itself with other hacktivist groups, such as Ghost Algeria and Cyb3r Fl00d. Among its affiliates are Scorpion (AKA DesertStorm, a suspected Algeria-based hacker), El_farado, XTN, Blako, and Bjorka (an alleged Indonesian hacktivist). In its early days, the group offered tools commonly associated with hacktivist activities, including services for DDoS and defacement attacks.
Figure 1 - FunkSec’s activities as a hacktivistFigure 2 - FunkSec’s statement against the USA and Israel
At some point, the group transitioned its focus from politically motivated attacks to a RaaS model, offering customizable tools to its affiliates. Its victimology also changed from government entities to organizations across various sectors, such as education, technology, telecommunications, and agriculture (Figure 3).
Figure 3 - FunkSec’s latest active DLS
FunkSec’s reliance on relatively simple malware development using AI-based tools also explains the fast transition of the group from targeted hacktivism campaigns to broader, financially-motivated activities, with a large number of victims in a short period of time (Figure 4).
Figure 4 - FunkSec’s victims on their DLS
The group’s transition has also been referenced on a Russian-speaking dark web forum, where the author mentioned a cybersecurity vendor’s article on FunkSec (Figure 5).
Figure 5 - FunkSec’s transition being referenced on a Russian-speaking dark web forum
KillSec
The KillSec hacktivist group (AKA Kill Security) has been active since at least 2021. The Russia-aligned group targets organizations from various sectors, such as government, finance, transportation, electronics, manufacturing, travel and recreation, retail, and consumer services, located in countries like India, Bangladesh, Romania, Poland, and Brazil. The group considers itself a “prominent hacktivist group operating in the cyber realm, with a focus on both disruption and digital activism."
KillSec initially emerged as a hacktivist group aligned with the Anonymous collective, with its operations primarily including DDoS attacks and website defacements, before pivoting to ransomware operations in October 2023. KillSec’s ransomware variants, namely KillSecurity 2.0 and KillSecurity 3.0, are designed to encrypt files and demand ransom payments for decryption.
In June 2024, KillSec introduced a RaaS operation, advertising a locker for Windows environments written in C++ and a dashboard, enabling affiliates to observe detailed statistics, conduct chat communications, and customize ransomware configurations using a builder tool. In November 2024, the group launched an additional locker for ESXi environments, expanding the breadth of its operations (Figure 6).
Figure 6 - KillSec launches locker for ESXi environments
The group’s shift is aligned with the overall proliferation of RaaS programs, enabling less technically skilled individuals to conduct ransomware attacks with relative ease in exchange for a fee. The group has been advertising its RaaS offering in an attempt to attract cybercriminals and further broaden its affiliate network (Figure 7).
Figure 7 - KillSec looking for affiliates
Although in certain incidents, KillSec leveraged solely stolen data to extort the victims, the group appears to adopt mainly double extortion tactics, exfiltrating data in addition to encrypting it and demanding a ransom payment to prevent it from being leaked. The group operates an active dedicated leak site (DLS) to which it uploads the data of victims who refuse to pay the ransom. The group also uses its DLS to advertise its services, which include penetration testing, data gathering, and its RaaS program (Figure 8).
Figure 8 - KillSec’s services
It should be noted that KillSec’s DLS also features a “For Sale” section, offering data allegedly exfiltrated from the targeted companies for sale, with the prices ranging between $5,000 and $350,000 (Figure 9). The group likely introduced this section in an attempt to further monetize the exfiltrated data. This offering of stolen data and additional services further suggests the financially motivated nature of the group’s activity.
Figure 9 - “For Sale” section on KillSec’s DLS
GhostSec
The GhostSec hacktivist group (AKA Ghost Security, GhostSecMafia, and GSM) has been active since at least 2015. The Anonymous-affiliated group gained prominence with the #OpIsis and #OpParis campaigns, in which various hacktivist groups took down thousands of ISIS websites and social media accounts using defacement and DDoS attacks. Since then, GhostSec has participated in campaigns, such as #OpLebanon, #OpNigeria, #OpMyanmar, #OpEcuador, and #OpColombia. The group has also continuously launched cyberattacks on Israel in response to alleged war crimes, primarily defacing their websites to spread “Free Palestine” messages.
GhostSec’s shift towards financially motivated operations overlaps with the group’s collaboration with cybercriminals. In July 2023, GhostSec announced that they formed a partnership with the Stormous ransomware group to target organizations in Cuba (Figure 10). Following this announcement, Stormous and GhostSec jointly claimed extortion attacks against three Cuban government ministries, and GhostSec also expressed the potential for future joint operations against other countries. In August 2023, GhostSec, together with ThreatSec, Stormous, Blackforums, and SiegedSec, collectively formed a unified collective, naming themselves “The Five Families” (Figure 11). This collective attempted to extort the presidential website of Cuba and the Brazilian organization Alfa Comercial.
Figure 10 - Announcement of the alliance between GhostSec and Stormous on their Telegram channelFigure 11 - Announcement of the “Five Families” formation on their Telegram channel
GhostSec solidified its presence in the cybercriminal ecosystem with the launch of its RaaS program “GhostLocker” in October 2023, which was shortly followed by the release of its infostealer tool, GhostStealer (Figure 12). In January 2024, the updated “REWRITE” (aka GhostLocker 2.0) version of GhostLocker was released, with a fully featured management panel allowing affiliates to track campaigns and payouts. The threat actor promoted its malware-as-a-service (MaaS) tools heavily on its Telegram channels, demonstrating its intention to attract affiliates and, in turn, maximize its profits.
Figure 12 - GhostLocker’s release announcement
On May 15, 2024, GhostSec announced its retirement from cybercriminal activities and its return to hacktivism. The group stated that it reached this decision after having obtained enough funding to support its hacktivist operations. GhostSec further mentioned that Stormous would remain in charge of the management and operation of GhostLocker (Figure 13).
Figure 13 - GhostSec’s retirement from cybercriminal activities
It should be noted that Stormous seemingly had already incorporated GhostLocker into its operations, even before GhostSec’s retirement. As of May 2025, the group is still active and operates the Stormous RaaS program, which appears to be a continuation of GhostLocker. This development signifies the mutual assistance and influence among united threat groups, as collectives like the Five Families allow them to maximize the impact and breadth of their operations by sharing resources, audience, and knowledge.
Two sides of the same coin?
This analysis shows that the threat actors in scope, FunkSec, KillSec, and GhostSec, have followed a similar trajectory, pivoting from politically motivated, disruptive campaigns to financial extortion. This transition is likely facilitated by the public availability of leaked ransomware builders, such as LockBit 3.0, which threat actors can leverage to develop their payloads.
The groups specifically appear to have adopted double extortion tactics, exfiltrating data from their victims and then encrypting it, in an attempt to pressure them to comply with their ransom demands. However, despite their seeming ability to conduct ransomware operations, these groups appear to lack the level of sophistication and specialization that characterize top-tier cybercriminal groups, such as Cl0p and LockBit, which are mentioned in the Rapid7 Q1 2025 ransomware report.
Interestingly enough, all three groups embraced RaaS as their business model while pivoting towards cybercrime. This evolution is aligned with the overall current status of the ransomware ecosystem, as RaaS programs have become increasingly more common. Such programs, demonstrating the financial nature of their activities, enable threat actors to maximize their profits by allowing affiliates to use their ransomware kit for a fee and a percentage of the collected ransom.
This transition of FunkSec, KillSec, and GhostSec has also affected and amplified the victimology of their operations. While these groups once operated as hacktivists that primarily targeted government entities, their scope of activities broadened significantly as they shifted to ransomware attacks. Along this process, their attacks shifted from targeted to opportunistic, against organizations of different sizes, operating in diverse sectors and geographies, that could be relatively easily compromised.
While all of these groups follow the pattern, shifting from hacktivism to cybercrime, and specifically financially motivated RaaS operations, the reason behind this transition remains unclear. As an exception, GhostSec appears to have embraced cybercrime in an attempt to gather funding for its hacktivist operations, according to its exit message. It should be noted that other threat actors, such as CyberVolk, have also launched RaaS programs to fund their operations, but these efforts remain scarce.
Finally, other hacktivist groups, such as Ikaruz Red Team and their affiliates, also operate ransomware, but they do so to cause disruption and make political statements. Thus, the scope of their operations differs from financial gain and is not comparable to that of the groups included in this analysis.
Conclusion
The evolution of FunkSec, KillSec, and GhostSec from hacktivist collectives to RaaS operations highlights a recent trend of a shift in motivations, driving cybercriminal behavior. Initially, these groups were propelled by political and ideological aims, targeting governments and organizations in alignment with their perceived causes. However, over time, their focus has clearly shifted towards financial gain, as evidenced by their adoption of RaaS models that prioritize profit over ideology. As cybercriminals adapt to “market demands,” it becomes clear that financial motivation has come to dominate their activities, leaving behind the ideological roots of their earlier campaigns.
IP addresses: 82[.]147[.]84[.]98, 77[.]91[.]77[.]187, 93[.]123[.]39[.]65
Rapid7 customers
InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7's expansive library of detection rules. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to the FunkSec, KillSec, and GhostSec ransomware activity. We will also continue to iterate detections as new variants emerge, giving customers continuous detection without manual tuning:
Suspicious Process - Malicious Hash On Asset
While this specific detection directly covers malicious binaries linked to ransomware operations, customers also benefit from a comprehensive suite of detections that alert on post-exploitation behavior often observed prior to ransomware deployment. These include detections for lateral movement, privilege escalation, and suspicious persistence mechanisms, providing layered defense even when the specific ransomware payload is novel or obfuscated.
NEVER MISS AN EMERGING THREAT
Be the first to learn about the latest vulnerabilities and cybersecurity news.
Authorities in Pakistan have arrested 21 individuals accused of operating “Heartsender,” a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecurity in 2021 after they inadvertently infected their computers with malware.
Some of the core developers and sellers of Heartsender posing at a work outing in 2021. WeCodeSolutions boss Rameez Shahzad (in sunglasses) is in the center of this group photo, which was posted by employee Burhan Ul Haq, pictured just to the right of Shahzad.
A report from the Pakistani media outlet Dawn states that authorities there arrested 21 people alleged to have operated Heartsender, a spam delivery service whose homepage openly advertised phishing kits targeting users of various Internet companies, including Microsoft 365, Yahoo, AOL, Intuit, iCloud and ID.me. Pakistan’s National Cyber Crime Investigation Agency (NCCIA) reportedly conducted raids in Lahore’s Bahria Town and Multan on May 15 and 16.
The NCCIA told reporters the group’s tools were connected to more than $50m in losses in the United States alone, with European authorities investigating 63 additional cases.
“This wasn’t just a scam operation – it was essentially a cybercrime university that empowered fraudsters globally,” NCCIA Director Abdul Ghaffar said at a press briefing.
In January 2025, the FBI and the Dutch Police seized the technical infrastructure for the cybercrime service, which was marketed under the brands Heartsender, Fudpage and Fudtools (and many other “fud” variations). The “fud” bit stands for “Fully Un-Detectable,” and it refers to cybercrime resources that will evade detection by security tools like antivirus software or anti-spam appliances.
The FBI says transnational organized crime groups that purchased these services primarily used them to run business email compromise (BEC) schemes, wherein the cybercrime actors tricked victim companies into making payments to a third party.
Dawn reported that those arrested included Rameez Shahzad, the alleged ringleader of the Heartsender cybercrime business, which most recently operated under the Pakistani front company WeCodeSolutions. Mr. Shahzad was named and pictured in a 2021 KrebsOnSecurity story about a series of remarkable operational security mistakes that exposed their identities and Facebook pages showing employees posing for group photos and socializing at work-related outings.
Prior to folding their operations behind WeCodeSolutions, Shahzad and others arrested this month operated as a web hosting group calling itself The Manipulaters. KrebsOnSecurity first wrote about The Manipulaters in May 2015, mainly because their ads at the time were blanketing a number of popular cybercrime forums, and because they were fairly open and brazen about what they were doing — even who they were in real life.
Sometime in 2019, The Manipulaters failed to renew their core domain name — manipulaters[.]com — the same one tied to so many of the company’s business operations. That domain was quickly scooped up by Scylla Intel, a cyber intelligence firm that specializes in connecting cybercriminals to their real-life identities. Soon after, Scylla started receiving large amounts of email correspondence intended for the group’s owners.
In 2024, DomainTools.comfound the web-hosted version of Heartsender leaked an extraordinary amount of user information to unauthenticated users, including customer credentials and email records from Heartsender employees. DomainTools says the malware infections on Manipulaters PCs exposed “vast swaths of account-related data along with an outline of the group’s membership, operations, and position in the broader underground economy.”
Shahzad allegedly used the alias “Saim Raza,” an identity which has contacted KrebsOnSecurity multiple times over the past decade with demands to remove stories published about the group. The Saim Raza identity most recently contacted this author in November 2024, asserting they had quit the cybercrime industry and turned over a new leaf after a brush with the Pakistani police.
The arrested suspects include Rameez Shahzad, Muhammad Aslam (Rameez’s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moiz, Hussnain Haider, Bilal Ahmad, Dilbar Hussain, Muhammad Adeel Akram, Awais Rasool, Usama Farooq, Usama Mehmood and Hamad Nawaz.
Login
