CyberNews: 12/01/2026 Edition

Published by Dunateo on 2026-01-12

Today’s roundup

  • Credential-harvesting attacks by APT28 hit Turkish, European, and Central Asian organizations
  • GoBruteforcer Botnet Targets Crypto Project Databases by Exploiting Weak Credentials
  • Researchers Uncover Service Providers Fueling Industrial-Scale Pig Butchering Fraud
  • Europol and Spanish Police arrest 34 in crackdown on Black Axe criminal network
  • Illicit Crypto Activity Hits Record $158bn in 2025
  • California bans data broker reselling health data of millions
  • Anthropic Launches Claude AI for Healthcare with Secure Health Record Access

Summary

    Russia-linked cyberespionage group APT28, also known as BlueDelta, conducted widespread credential-harvesting campaigns between February and September 2025. The attacks targeted Turkish energy and nuclear agency staff, European think tank personnel, and organizations in North Macedonia and Uzbekistan. APT28 used fake login pages mimicking Microsoft Outlook Web Access (OWA), Google, and Sophos VPN services, hosted on free hosting and tunneling services such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok. The campaigns incorporated legitimate PDF lure documents to enhance credibility and bypass email security. Once credentials had been captured, the fake pages redirected victims to the authentic websites. This activity, attributed to GRU Unit 26165, demonstrates the group's ongoing low-cost, high-yield approach to intelligence gathering.

    A new wave of attacks by the GoBruteforcer botnet is actively targeting databases of cryptocurrency and blockchain projects. The botnet aims to co-opt these systems into its network by brute-forcing weak credentials for various services, including FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers. Researchers note that these campaigns are partly fueled by the mass reuse of AI-generated server deployment examples, which often propagate common and insecure configurations. This development poses a significant threat to the security of crypto-related infrastructure.
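    The services named above all log failed authentication attempts, so the most direct defensive control against this kind of botnet, after fixing the weak credentials themselves, is to watch for many failures from one source in a short window. The following Python is an added example written for this roundup, not code from the researchers or from any of the projects mentioned. It parses constructed sample log lines (simplified from the failed-login messages of vsftpd, MySQL, PostgreSQL, and an HTTP access log for a phpMyAdmin path, with an assumed uniform ISO timestamp prefix), counts failures per source IP inside a sliding window, and flags sources that cross a threshold. The threshold, window, log formats, and sample addresses (TEST-NET ranges) are all assumptions chosen for illustration.

```python
"""Added example: sliding-window brute-force detector over constructed
failed-login lines for FTP, MySQL, PostgreSQL and phpMyAdmin. Log formats,
timestamp prefix, threshold and window are assumptions, not a real
product's configuration."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts). Lines are assumed to be in time order.
SAMPLE_LOGS = """\
2026-01-12T09:00:00 vsftpd CONNECT: Client "203.0.113.7"
2026-01-12T09:00:01 vsftpd FAIL LOGIN: Client "203.0.113.7"
2026-01-12T09:00:02 vsftpd FAIL LOGIN: Client "203.0.113.7"
2026-01-12T09:00:03 mysqld Access denied for user 'root'@'203.0.113.7' (using password: YES)
2026-01-12T09:00:04 mysqld Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2026-01-12T09:00:05 postgres FATAL:  password authentication failed for user "postgres" host 203.0.113.7
2026-01-12T09:00:06 apache 203.0.113.7 POST /phpmyadmin/index.php 401
2026-01-12T09:10:00 mysqld Access denied for user 'app'@'198.51.100.20' (using password: YES)
2026-01-12T09:10:05 vsftpd OK LOGIN: Client "198.51.100.20"
"""

# One pattern per service; each must capture the source address as "ip".
# The PostgreSQL pattern assumes a log_line_prefix that includes the host (%h).
PATTERNS = {
    "ftp": re.compile(r'FAIL LOGIN: Client "(?P<ip>[\d.]+)"'),
    "mysql": re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[^']+)'"),
    "postgresql": re.compile(
        r'password authentication failed for user "(?P<user>[^"]*)" host (?P<ip>[\d.]+)'),
    # Assumed: the web server returns 401 for a rejected phpMyAdmin login POST.
    "phpmyadmin": re.compile(r'(?P<ip>[\d.]+) POST /phpmyadmin/\S* 401\b'),
}
TIMESTAMP_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def parse_failure(line):
    """Return (timestamp, service, ip, user) for a failed-login line, else None."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts"))
    for service, pattern in PATTERNS.items():
        hit = pattern.search(line)
        if hit:
            return ts, service, hit.group("ip"), hit.groupdict().get("user")
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag every source IP that produces at least `threshold` failed logins
    within any `window`. Returns {ip: {"failures": total, "services": [...],
    "users": [...]}} for flagged sources; "failures" is the total seen, not
    only those inside the window that triggered the alert."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    detail = defaultdict(lambda: {"failures": 0, "services": set(), "users": set()})
    flagged = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins, connects and unrelated lines are ignored
        ts, service, ip, user = parsed
        window_hits = recent[ip]
        window_hits.append(ts)
        while window_hits and ts - window_hits[0] > window:
            window_hits.popleft()  # drop failures older than the window
        d = detail[ip]
        d["failures"] += 1
        d["services"].add(service)
        if user:
            d["users"].add(user)
        if len(window_hits) >= threshold:
            flagged[ip] = d
    return {
        ip: {"failures": d["failures"],
             "services": sorted(d["services"]),
             "users": sorted(d["users"])}
        for ip, d in flagged.items()
    }


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {info['failures']} failures across {info['services']} "
              f"(users tried: {info['users']})")
```

    The same source spraying several different services, as the flagged address does here, is the pattern worth alerting on: a single database with a typo'd password looks very different from one client walking FTP, MySQL, PostgreSQL and phpMyAdmin in turn. In production the thresholds would be tuned per service and the parsers replaced by the real log formats of the deployed versions.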

    Cybersecurity researchers have exposed two key service providers that are instrumental in facilitating industrial-scale "pig butchering" fraud operations. These providers supply online criminal networks with the necessary tools and infrastructure to support a "pig butchering-as-a-service" (PBaaS) economy. Investigations indicate that Chinese-speaking criminal organizations have been establishing large-scale scam centers across Southeast Asia, including dedicated economic zones, for these fraudulent investment schemes since at least 2016. This research highlights the sophisticated and organized nature of these financial scams.

    Europol, in cooperation with Spanish police and Bavarian authorities, announced the arrest of 34 suspected members of the Black Axe criminal network in Spain. The operation, with most arrests occurring in Seville, targeted a highly structured, hierarchical organization originating in Nigeria with a global presence, linked to cyber fraud, trafficking, and robbery. Investigators estimate the group caused over €5.93 million in fraud losses, leading to the freezing of €119,352 in bank accounts and seizure of €66,403 in cash. The network exploited vulnerable individuals, primarily Spanish nationals in high-unemployment areas, as money mules to facilitate its illicit activities.

    A report by TRM Labs indicates that illicit cryptocurrency activity reached a record high of $158 billion in 2025. This figure represents the total value of illegal crypto flows channeled into digital wallets throughout the year. The surge in illicit transactions highlights ongoing challenges in combating financial crime within the cryptocurrency ecosystem and underscores the need for enhanced regulatory oversight and security measures.

    The California Privacy Protection Agency (CalPrivacy) has taken enforcement action against Datamasters, a marketing firm, banning it from reselling the health and personal data of millions of users. The action was initiated because Datamasters operated as a data broker without proper registration in California. This move by CalPrivacy aims to enforce data privacy regulations and protect sensitive user information from unauthorized sale and distribution.

    Anthropic has launched "Claude for Healthcare," a new initiative enabling U.S. subscribers of its Claude Pro and Max AI plans to securely access their lab results and health records. This feature allows users to connect their health information to the Claude platform for better understanding. The company emphasized secure health record access, positioning Claude as a tool for individuals to interpret their personal health data, aligning with efforts to integrate AI into sensitive sectors like healthcare.

    Want to dig deeper?

    Cyber Groups

    APT28 (also tracked as IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch)

    Malware Families

    GLOBAL GROUP