The eyes of the poker world were focused squarely on Taipei, Taiwan on Saturday as the largest and most lucrative Asian Poker Tour Main Event in the tour's history played out.
Akira Takasugi of Japan emerged as the champion and the biggest winner of the APT Taipei festival, claiming a first-place prize of over 19,009,440 TWD ($586,710).
The final table Takasugi defeated represented a small sample of the dramatic cross-section of countries and regions represented in the attendance for the festival – players representing India
2,570 entrants participated in the Main Event, eclipsing any other tournament ever run under the APT banner.
It's an enormous amount of growth in comparison to the first ever event under the APT banner, the 2007 betfair APT Singapore Main Event that drew 313 total entries.
The records set in the 2025 APT Taipei Event will only last until November when the APT returns to Taiwan for the APT Championship Main Event with a guaranteed prize pool of TWD 165 million – eclipsing the prize pool of this recently concluded event by more than 25%.
Iat Man Leong of Macau and Wayne Lam of Hong Kong have already locked up their seats to what is guaranteed to be another record-setting event
The APT Taipei Main Event is just one part of the overall success of the festival as a whole
From the very first tournament on the schedule
expectations were well exceeded across the board over the course of 126 scheduled tournaments
The APT Taipei National Cup drew 2,161 entries and set a record for the largest opening event of a festival in APT history – more than doubling the guarantee in the process
High roller action brought in big names from around the world
who each made final table appearances over the course of the festival
who finished 21st in the APT Taipei Main Event
was joined by her husband – poker streamer Frankie C – as both played a significant volume of events
Global Poker Award winner and content creator Greg Goes All in (Greg Liow) was also in attendance
Poker Hall of Famer John Juanda won a single-day high roller event on April 29 for TWD 3571700 (~$115,863) to add to his considerable list of career accomplishments
The APT will wrap up its 2025 calendar with a flourish at the aforementioned APT Championship Main Event in Taipei
Built around the bold TWD 165 million guaranteed Main Event is a festival that will stretch on for more than two weeks of action from November 14-30 and include TWD 276 million in total guarantees across all tournaments
The APT Korea Incheon festival will run from August 1-10 at Paradise Hotel & Resort
headlined by a main event with a $1 million guarantee
APT Korea Jeju will take place at Jeju Shinhwa World
The Main Event in Jeju carries a guarantee of $1.5 million
Images courtesy of the Asian Poker Tour.
The Aptos (APT) price surge has topped 9% in a single day
The token must first get through strong resistance at $5.53
This is what keeps crypto so unpredictable
The Aptos (APT) price surge picked up speed this week with a 9% gain in 24 hours
This came as the network’s role in Expo 2025 received more attention
With over 558,000 transactions and 133,000 new accounts on its Expo wallet
Aptos is seeing usage that few other Layer-1s match
APT moved past the 20-day EMA at $4.90 and cleared the 0.618 Fibonacci zone near $5.31
the path to $6.63 and even $10 could open up
Strong RSI and MACD indicators support the rally
showing the Aptos (APT) price surge could keep building from here
The Cosmos price is trying to rebound after a long decline
a shift in technicals has sparked talk of a recovery
Estimates for the 2025 Cosmos price now range from $4.08 to $6.80
upgrades like ShadeX and Cosmos reaching 100 active chains are positive signs
A breakout above $4.41 might confirm a rebound
the Cosmos price could test support near $4.00 again
but most solve only one part of the challenge
Bitsgap helps with automation and managing portfolios across exchanges
Growlonix handles blockchain assets with a focus on data
it offers a complete setup for crypto investing
and the buzz around it is already growing fast
This project has 12 AI tools that work together as a full investment system
From spotting trade signals to improving portfolios
That helps users save time, avoid risks, and catch trades they might miss using separate platforms. The $WAI token gives access to it all. Right now, it’s priced at $0.0003 in Stage 1 of the ai crypto presale
offering early users a possible 1,747% ROI
That’s why it stands out among the best presale crypto 2025 projects
The Aptos (APT) price surge added 9 percent in a single day
driven by over 558,000 Expo-linked transactions
This gives users a real chance to act before prices move
The $WAI token powers all of this. Still in Stage 1 of its presale, it’s being called one of the best presale crypto 2025 offers right now
With a starting price of $0.0003 and a launch target of $0.005242
the projected 1,747% ROI is still in reach
ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks
Facundo Muñoz
ESET researchers provide an analysis of Spellbinder, a lateral movement tool for performing adversary-in-the-middle attacks, used by the China-aligned threat actor that we have named TheWizards.
Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and redirecting the traffic of legitimate Chinese software so that it downloads malicious updates from a server controlled by the attackers.
In 2022, we noticed that a suspicious DLL had been downloaded by the popular Chinese input method software application known as Sogou Pinyin
named after a legitimate component of that software
was a dropper for a downloader that retrieved an encrypted blob from a remote server
The blob contained shellcode that loads the backdoor we have named WizardNet
Our research led to the discovery of a tool that is designed to perform adversary-in-the-middle attacks using IPv6 SLAAC spoofing to intercept and reply to packets in a network, allowing the attackers to redirect traffic and serve malicious updates targeting legitimate Chinese software.
TheWizards has been constantly active since at least 2022 up to the time of writing
Its geographical distribution is shown in Figure 1
We initially discovered and analyzed this tool in 2022, and observed a new version with a few changes that was deployed to compromised machines in 2023 and 2024.
Once the attackers gain access to a machine in a targeted network, they deploy an archive called AVGApplicationFrameHostS.zip, and extract its components into %PROGRAMFILES%\AVG Technologies
the attackers install winpcap.exe and run AVGApplicationFrameHost.exe
is a legitimate software component from AVG that is abused to side-load wsc.dll; this DLL simply reads the shellcode from the file log.dat and executes it in memory
The shellcode decompresses and loads Spellbinder in memory
Spellbinder uses the WinPcap library to capture packets and to reply to packets when needed
The first task is to select or find an adapter with which to perform the packet capture
The code uses the WinPcap API pcap_findalldevs to get all available adapter devices
The devices are itemized in a numbered list for the attacker
an index that can be used to pick one adapter from this list
Spellbinder uses the Windows APIs GetBestInterface and GetAdapterInfo to find a suitable adapter
Figure 2 shows the output of Spellbinder when no item number is supplied
the tool finds the most suitable adapter by itself
Spellbinder uses the WinPcap pcap_open_live API to start capturing packets
and creates two threads: one to send ICMPv6 Router Advertisement packets (explained in the next section)
The WinPcap pcap_loop API does the job of invoking a callback function from Spellbinder every time a new packet is captured
This attack vector was discussed by the IETF as early as 2008 and is caused by a commonly overlooked network misconfiguration of IPv4 and IPv6 coexistence. It was then thoroughly detailed in 2011 by Alec Waters
It takes advantage of IPv6’s Network Discovery Protocol in which ICMPv6 Router Advertisement (RA) messages advertise that an IPv6-capable router is present in the network so that hosts that support IPv6 can adopt the advertising device as their default gateway.
Spellbinder sends a multicast RA packet every 200 ms to ff02::1 (“all nodes”); Windows machines in the network with IPv6 enabled will autoconfigure via stateless address autoconfiguration (SLAAC) using information provided in the RA message, and begin sending IPv6 traffic to the machine running Spellbinder.
Figure 4 illustrates the first stage of the attack
The RA packet built by Spellbinder consists of four major parts:
Figure 5 shows one of the ICMPv6 RA messages sent by Spellbinder
Figure 6 shows the output of the Windows ipconfig /all command before and after running Spellbinder from a compromised machine in the network
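For defenders, the RA behavior described above can be hunted in captured traffic. The following is an added example, not code from the original article or from ESET: it parses ICMPv6 RA messages and flags senders that are not on a router allowlist or that advertise faster than the 3-second floor RFC 4861 sets between multicast RAs. It assumes the RAs have already been extracted from a capture as (timestamp, source address, ICMPv6 bytes) tuples; all addresses and packets below are constructed samples.

```python
import ipaddress
import struct
from collections import defaultdict

RA_TYPE = 134                 # ICMPv6 Router Advertisement (RFC 4861)
MIN_DELAY_BETWEEN_RAS = 3.0   # seconds; RFC 4861 floor between multicast RAs


def parse_ra(icmp: bytes):
    """Parse an ICMPv6 RA starting at the type byte; None if not a valid RA."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE or icmp[1] != 0:
        return None
    _hop_limit, flags, lifetime = struct.unpack_from("!BBH", icmp, 4)
    ra = {"router_lifetime": lifetime, "managed": bool(flags & 0x80),
          "lladdr": None, "prefixes": [], "rdnss": []}
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            return None
        otype, olen = icmp[off], icmp[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            return None                              # malformed option: discard
        body = icmp[off + 2:off + olen]
        if otype == 1 and olen == 8:                 # source link-layer address
            ra["lladdr"] = body[:6].hex(":")
        elif otype == 3 and olen == 32 and body[0] <= 128:   # prefix information
            net = ipaddress.IPv6Network((body[14:30], body[0]), strict=False)
            ra["prefixes"].append(str(net))
        elif otype == 25 and olen >= 24:             # RDNSS (RFC 8106)
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return ra


def find_rogue_ras(events, known_routers):
    """Return {source: [reasons]} for suspicious RA senders.

    events: iterable of (timestamp_seconds, source_ipv6, icmpv6_bytes).
    known_routers: link-local addresses of the routers you operate.
    """
    allow = {ipaddress.IPv6Address(r) for r in known_routers}
    last_seen = {}
    findings = defaultdict(set)
    for ts, src, icmp in sorted(events, key=lambda e: e[0]):
        if parse_ra(icmp) is None:
            continue                                 # not an RA, or malformed
        addr = ipaddress.IPv6Address(src)
        if addr not in allow:
            findings[addr].add("unknown-router")
        if not addr.is_link_local:                   # RFC 4861 requires link-local
            findings[addr].add("non-link-local-source")
        if addr in last_seen and ts - last_seen[addr] < MIN_DELAY_BETWEEN_RAS:
            findings[addr].add("ra-rate")
        last_seen[addr] = ts
    return {str(a): sorted(r) for a, r in findings.items()}


def build_sample_ra(mac: str, prefix: str, dns: str) -> bytes:
    """Build a constructed RA body for testing (checksum left at zero)."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    opt_ll = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    opt_pfx = (struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
               + ipaddress.IPv6Address(prefix).packed)
    opt_dns = struct.pack("!BBHI", 25, 3, 0, 1800) + ipaddress.IPv6Address(dns).packed
    return hdr + opt_ll + opt_pfx + opt_dns


# Constructed sample data: one legitimate router, one host advertising every 200 ms.
LEGIT = "fe80::1"
ROGUE = "fe80::5054:ff:fe12:3456"
LEGIT_RA = build_sample_ra("00:11:22:33:44:55", "2001:db8:1::", "2001:db8:1::53")
ROGUE_RA = build_sample_ra("52:54:00:12:34:56", "2001:db8:bad::", ROGUE)
ECHO_REQUEST = b"\x80\x00" + bytes(14)               # non-RA ICMPv6, must be ignored

SAMPLE_EVENTS = (
    [(0.0, LEGIT, LEGIT_RA), (200.0, LEGIT, LEGIT_RA), (1.0, "fe80::99", ECHO_REQUEST)]
    + [(50.0 + 0.2 * i, ROGUE, ROGUE_RA) for i in range(5)]
)

if __name__ == "__main__":
    for source, reasons in find_rogue_ras(SAMPLE_EVENTS, {LEGIT}).items():
        print(source, reasons, parse_ra(ROGUE_RA))
```

On managed switches, RA Guard (RFC 6105) blocks such advertisements at the access port; the check above is for networks where that control is absent or needs verifying.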
a callback function processes the captured raw packets
Spellbinder implements its own parser to find packets to process
or print information on screen for the attacker
Table 1 describes some of the most relevant packet types processed and actions taken by the tool
Protocols and packet types to which Spellbinder can reply
Spellbinder checks whether the domain name from the query is present on a hardcoded list of subdomains
The code performing this check is shown in Figure 7
Figure 8 is a subset of the hardcoded list in Spellbinder
The full list of targeted domains contains many entries from domains associated with several popular Chinese platforms
When a domain from the DNS query is found in the list
Spellbinder crafts and sends a DNS answer message indicating the domain’s IP address
in the version from 2022 it was 43.155.116[.]7
Spellbinder informs the attacker that the tool is answering to the DNS query
which includes a stylized hexadecimal dump of the entire packet
For this blogpost we have focused on one of the latest cases in 2024
in which the update of Tencent QQ software was hijacked
The malicious server that issues the update instructions was still active at the time of writing
The legitimate software component QQ.exe sends an HTTP request to update.browser.qq.com
The Spellbinder tool intercepts the DNS query for that domain name and issues a DNS answer with the IP address of an attacker-controlled server used for hijacking
that at the time of writing was still serving malicious updates
When the request is received by the hijacking server
it replies with the following (beautified by us) JSON-formatted instructions to download an archive also hosted in the same server:
QQ.exe downloads the archive minibrowser11_rpl.zip and deploys its contents to the victim’s machine; the malicious minibrowser_shell.dll is then loaded
The execution of the malware on a compromised machine begins with the malicious minibrowser_shell.dll downloader
This DLL has three export functions and the execution of any of them triggers its main functionality but only if the name of the current process contains QQ — for example
It uses the WinSock API to connect via TCP to an attacker-controlled server
from where it obtains an encrypted blob containing position-independent loader code and the WizardNet backdoor
requiring a runtime version of either v2.0.50727 or v4.0.30319
Then the payload is decrypted using a simple combination of ADD and XOR
The payload is loaded into memory using the .NET runtime
The final payload is a backdoor that we named WizardNet – a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine
During its initialization it creates a mutex named Global\<MD5(computer_name)> and reads shellcode from a file called ppxml.db in the current working directory or the value from the key HKCU\000000
and attempts to inject it into a new process of explorer.exe or %ProgramFiles%\Windows Photo Viewer\ImagingDevices.exe
The last step of the initialization phase is to create a unique identifier for the computer
It is the result of the MD5 hash of the computer name concatenated with the installation time of the backdoor and the serial number of the disk drive
with each hex-encoded byte of the hash value separated by @
The SessionKey is stored under the registry path HKCU\Software\<MD5(computer_name)>\<MD5(computer_name)>mid
WizardNet can then create a TCP or UDP socket to communicate with its C&C server
and the messages exchanged are padded using the PKCS7 algorithm and encrypted with AES-ECB; the SessionKey is used as the key for encryption and decryption and the IV is randomly generated for each packet and placed before the encrypted data
This variant of WizardNet supports five commands
The first three allow it to execute .NET modules in memory
thus extending its functionality on the compromised system
Overview of the commands supported by the orchestrator
ESET tracks the malware that Trend Micro named DarkNimbus as DarkNights (both for Windows and Android); amusingly, Trend Micro named the malware after the string DKNS present in the malware’s function names, and we did the same (DarkNights) when we discovered the malware. In April 2025, NCSC UK published an advisory about the BADBAZAAR malware and MOONSHINE
also mentioning UPSEC in relation to Trend Micro’s research on Earth Minotaur
While TheWizards uses a different backdoor for Windows (WizardNet)
the hijacking server is configured to serve DarkNights to updating applications running on Android devices
While we have not seen any victims in ESET telemetry
we managed to obtain a malicious update instruction for the Android version of Tencent QQ:
The file plugin-audiofirstpiece.ml is a ZIP archive that only contains a classes.dex file
This indicates that Dianke Network Security is a digital quartermaster to TheWizards APT group
ESET continues tracking TheWizards independently of Earth Minotaur
While both threat actors use DarkNights/DarkNimbus
according to ESET telemetry TheWizards has focused on different targets and uses infrastructure and additional tools (for example
Spellbinder and WizardNet) not observed to be used by Earth Minotaur
we discovered the activity of a China-aligned APT group that we have named TheWizards
We analyzed the custom malware and tools developed and used by TheWizards: the IPv6 AitM tool we’ve named Spellbinder
which allows the attackers to redirect the update protocols of legitimate Chinese software to malicious servers
where the software is tricked into downloading and executing fake updates on victims’ machines
and the malicious components that launch the backdoor that we have named WizardNet
A comprehensive list of indicators of compromise and samples can be found in our GitHub repository
This table was built using version 16 of the MITRE ATT&CK framework
An APT group dubbed Earth Kurma is actively targeting government and telecommunications organizations in Southeast Asia using advanced malware
and trusted cloud services to conduct cyberespionage
we uncovered a sophisticated APT campaign targeting multiple countries in Southeast Asia
We have named the threat actors behind this campaign “Earth Kurma.” Our analysis revealed that they primarily focused on government sectors
showing particular interest in data exfiltration
this wave of attacks involved rootkits to maintain persistence and conceal their activities
we provide the intelligence on Earth Kurma and their ongoing activities
Earth Kurma is a new APT group focused on countries in Southeast Asia
All of the identified victims belong to government and government-related telecommunications sectors
their activities dated back to November 2020
with data exfiltration as their primary objective
Our analysis indicates that they tend to exfiltrate data over public cloud services
they used various customized toolsets including TESDAT and SIMPOBOXSPY
Earth Kurma also developed rootkits such as KRNRAT and MORIYA to hide their activities
differences in the attack patterns prevent us from conclusively attributing these campaigns and operations to the same threat actors
we named this new APT group “Earth Kurma.”
Our telemetry shows that Earth Kurma targeted victims primarily in Southeast Asia
Earth Kurma’s targets likely indicate cyberespionage as the motivation
The infection chain and malware used could be summarized as follows:
the threat actors used a tool named ICMPinger to scan the hosts
It is a simple network scanning tool based on the ICMP protocol to test if the specified hosts are still alive
They delete this tool once their operations conclude
They also used another open-source tool called Ladon to inspect the infrastructure
Ladon is wrapped in a reflective loader compiled by PyInstaller
The XOR keys used to decode the payload differ among all the samples we’ve collected
To move laterally, they also used another open-source tool called WMIHACKER, which could execute commands over port 135 without the need for SMB.
they also execute commands over the SMB protocol (such as using “net use”) to inspect the infrastructure as well as deploy malware
The threat actors also tried to steal the credentials from the victims by using a custom tool called KMLOG
It’s a simple keylogger that logs every keystroke to a file named “%Appdata%\Roaming\Microsoft\Windows\Libraries\infokey.zip.”
it is prepended with a fake ZIP file header (PK header)
What follows the header is the real body of the logging content
The structure of the keystroke logging file
the actors deployed different loaders to maintain their foothold
These loaders are used to load payload files into memory and execute them
These loaders are then used to deploy more malware and exfiltrate data over public cloud services like Dropbox and OneDrive
were implanted by the loaders to bypass the scanning
we observed multiple loaders implanted in victim environments
Most of the final payloads are Cobalt Strike beacons
The first loader we encountered is DUNLOADER
It’s capable of loading the payloads from either of the locations and decode it in one-byte XOR operations:
This loader is a DLL file and always ensures that it’s executed by “rundll32.exe” by checking if the name of the parent process contains a specific string literal “und”
this DLL should contain an export function called “Start.”
The newer loader we later found is called TESDAT
It always loads a payload file with a “.dat” extension (like “mns.dat”)
Instead of using common APIs like CreateThread to execute the decoded shellcode, it always calls an API called “SwitchToFiber,” which we think is an attempt to avoid detection.
Our analysis showed two variants for TESDAT loaders
It can be either an EXE file or a DLL file with an export function called “Init.”
We also noticed that the actors would name the loaders with some random strings and put them inside the folders that were often accessed by the victims instead of those commonly used by attackers (i.e.
This was presumably intended to blend the loaders with legitimate user files
Instead of loading an additional payload file
it loads the embedded payload and decodes it as an in-memory PE buffer
This loader usually has an export function called “DoMain” or “StartProtect.” In the decoded PE payload
it should have an export function called “MThread.”
After the loaders are implanted in the victim machines
we found rootkits installed on some compromised machines
the threat actor abused a living-off-the-land binary called “syssetup.dll” and dropped an INF file to install them
An example of the used command line is as follows:
C:\Windows\SysWOW64\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 c:\users\{user}\downloads\SmartFilter.inf
The first rootkit we observed is called MORIYA
which could hide the malicious payload in the TCP traffic
The MORIYA variant we found has an additional shellcode injection capability
it tries to load a payload file from the location “\\SystemRoot\\system32\\drivers\\{driver_name}.dat.” The payload will be decrypted in AES and injected into the process of svchost.exe
This payload should be its user-mode agent
The shellcode will eventually be invoked by using the API NtCreateThreadEx. To bypass detection, it tries to invoke the call by directly using the syscall number. To get the valid syscall numbers on the targeted system, it enumerates the NTDLL’s export functions, finds the ones with names starting with “Zw” or “Nt” and saves the syscall number of each. This code snippet is reused from this post
The other rootkit we found is called KRNRAT
It’s a full-featured backdoor with various capabilities
We named this rootkit KRNRAT because of its internal name, just as written in its PDB string: N:\project\li\ThreeTools\KrnRat\code\x64\Debug\SmartFilter.pdb
Our analysis showed that KRNRAT is based upon multiple open-source projects:
KRNRAT supports numerous IOCTL codes and capabilities
Its debug strings are also self-explanatory
Here’s the full table of the supported IOCTL codes
it also loads the additional payload file and injects it into the svchost.exe process
This shellcode injection capability works exactly the same as the MORIYA variant we found
which turns out to be the user-mode agent for KRNRAT and is the backdoor
This means that its user-mode agent is always memory-resident
It connects to the C&C server and downloads the next-stage payload back
It tries to hide the process and connections by issuing the specific IOCTL codes to the KRNRAT rootkit
The structure of the backdoor’s configuration in the registry
The final payload from the C&C server would be the so-called SManager
we observed two customized tools used to exfiltrate specific documents to the attacker’s cloud services
several commands executed by the loader TESDAT collected specific document files with the following extensions: .pdf
The documents are first placed into a newly created folder named "tmp," which is then archived using WinRAR with a specific password
The first tool, SIMPOBOXSPY, is an exfiltration tool that can upload the archive files to Dropbox with a specified access token. This tool is exactly the “generic DropBox uploader” mentioned in this ToddyCat report
The command argument of SIMPOBOXSPY is shown below
dilx.exe {access_token} [-f {file_1} {file_2} ...]
it will upload the file in the current folder with predefined extensions such as “.z”
which will upload the archive with the extension “.7z”
a folder named with the current date and time will be created on Dropbox
It will upload the collected files to OneDrive by specifying the OneDrive refresh token
It will upload the files in the current folder with the pattern “*.z.*”
The process of file collection and exfiltration is shown in the following:
It is a Windows feature that synchronizes AD policies across DC servers by replicating the contents of the “sysvol” folder among them
the stolen archives can be automatically synchronized to all DC servers
enabling exfiltration through any one of them
Our analysis identified weak links to two groups
we determined that this campaign merited a separate designation
The APT group ToddyCat was first disclosed in 2022. The “tailored loader,” mentioned in this ToddyCat report
was also found in the same victim machines infected by the TESDAT loaders
we did not find any process execution logs between these loaders
they share similar exfiltration PowerShell scripts
The tool SIMPOBOXSPY used by Earth Kurma was also used by ToddyCat before
Both Earth Kurma and ToddyCat highly targeted Southeast Asian countries
Reports on ToddyCat indicate that activities started in 2020
The timeline of their activities aligned closely to what we observed in Earth Kurma
SIMPOBOXSPY is a simple tool that could be shared among groups
and we did not observe other exclusive tools that can be directly attributed to ToddyCat
we cannot conclusively link Earth Kurma to ToddyCat
The second potentially related APT group is Operation TunnelSnake
which uses the same code base as the MORIYA variant we found
Operation TunnelSnake targeted countries in Southeast Asia
we didn’t observe any similarity in the post-exploitation stages
continuing to target countries around Southeast Asia
They have the capability to adapt to victim environments and maintain a stealthy presence
They can also reuse the same code base from previously identified campaigns to customize their toolsets
sometimes even utilizing the victim’s infrastructure to achieve their goals
Here are some best security practices to mitigate such threats:
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management
This comprehensive approach helps you predict and prevent threats
accelerating proactive security outcomes across your entire digital estate
Backed by decades of cybersecurity leadership and Trend Cybertron
the industry's first proactive cybersecurity AI
it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time
Security leaders can benchmark their posture and showcase continuous improvement to stakeholders
you’re enabled to eliminate security blind spots
and elevate security into a strategic partner for innovation
Trend Vision One customers can access a range of Intelligence Reports and Threat Insights
Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors
customers can take proactive steps to protect their environments
Trend Vision One Intelligence Reports App [IOC Sweeping]
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment
Scan for the Earth Kurma malware detections:
malName: (*DUNLOADER* OR *TESDAT* OR *DMLOADER* OR *MORIYA* OR *KRNRAT* OR *SIMPOBOXSPY* OR *ODRIZ* OR *KMLOG*) AND eventName: MALWARE_DETECTION
The indicators of compromise for this entry can be found here
and we have now confirmed that the software exploited in this campaign has all been updated to patched versions
Cross EX is designed to enable the use of such security software in various browser environments
and is executed with user-level privileges except immediately after installation
Although the exact method by which Cross EX was exploited to deliver malware remains unclear
we believe that the attackers escalated their privileges during the exploitation process as we confirmed the process was executed with high integrity level in most cases
The facts below led us to conclude that a vulnerability in the Cross EX software was most likely leveraged in this operation
while the malware we obtained targeted the more recent version 9.2.18.496
both of which appeared to be hastily created car rental websites using publicly available HTML templates
We have divided this operation into two phases based on the malware used. The first phase focused primarily on the execution chain involving ThreatNeedle and wAgent. It was then followed by the second phase which involved the use of SIGNBT and COPPERHEDGE
We derived a total of four different malware execution chains based on these phases from at least six affected organizations
we found a variant of the ThreatNeedle malware
We believe this is due to the quick and aggressive action we took with the first victim
the Lazarus group introduced three updated infection chains including SIGNBT
and we observed a wider range of targets and more frequent attacks
This suggests that the group may have realized that their carefully prepared attacks had been exposed
and extensively leveraged the vulnerability from then on
many updated versions of the malware previously used by the Lazarus group were used
The ThreatNeedle sample used in this campaign was also referred to as “ThreatNeedleTea” in a research paper published by ESET; we believe this is an updated version of the early ThreatNeedle
the ThreatNeedle seen in this attack had been modified with additional features
This version of ThreatNeedle is divided into Loader and Core samples
The Core version retrieves five configuration files from C_27098.NLS to C_27102.NLS
references only two configuration files and implements only four commands
It ultimately loads the ThreatNeedle Loader component
Behavior flow to load ThreatNeedle Loader by target service
The data is sent and received in JSON format
LPEClient is a tool known for victim profiling and payload delivery (T1105) that has previously been observed in attacks on defense contractors and the cryptocurrency industry. We disclosed that this tool had been loaded by SIGNBT when we first documented SIGNBT malware
we did not observe LPEClient being loaded by SIGNBT in this campaign
It was only loaded by the variant of ThreatNeedle
Operational structure of the wAgent variant
Structure of the commands where additional data is passed
The open-source loader is built on top of another open-source loader named Tartarus’ Gate
Tartarus’ Gate is based on Halo’s Gate
which is in turn based on Hell’s Gate
All of these techniques are designed to bypass security products such as antivirus and EDR solutions
but they load the payload in different ways
Unlike the previously mentioned tools, the Innorix abuser is used for lateral movement. It is downloaded by the Agamemnon downloader (T1105) and exploits a specific version of a file transfer software tool developed in South Korea, Innorix Agent, to fetch additional malware on internal hosts (T1570)
Innorix Agent is another software product that is mandatory for some financial and administrative tasks in the South Korean internet environment
meaning that it is likely to be installed on many PCs of both corporations and individuals in South Korea
and any user with a vulnerable version is potentially a target
The malware embeds a license key allegedly bound to version 9.2.18.496
which allows it to perform lateral movement by generating malicious traffic disguised as legitimate traffic against targeted network PCs
The Innorix abuser is given parameters from the Agamemnon downloader: the target IP
It then delivers a request to that target IP to check if Innorix Agent is installed and running
the malware assumes that the software is running properly on the targeted host and transmits traffic that allows the target to download the additional files from the given URL due to a lack of traffic validation
Steps to deploy additional malware via the Innorix abuser
We reported this vulnerability to KrCERT due to the potentially dangerous impact of the Innorix abuser
but were informed that the vulnerability has been exploited and reported in the past
We have confirmed that this malware does not work effectively in environments with Innorix Agent versions other than 9.2.18.496
The second phase of the operation also introduces newer versions of malicious tools previously seen in Lazarus attacks
The SIGNBT we documented in 2023 was version 1.0
the 1.2 version had minimal remote control capabilities and was focused on executing additional payloads
The malware developers named this version “Hijacking”
SIGNBT 0.0.1 was the initial implant executed in memory in SyncHost.exe to fetch additional malware
the C2 server was hardcoded without reference to any configuration files
we found a credential dumping tool that was fetched by SIGNBT 0.0.1
identical to what we have seen in previous attacks
The actor primarily used the COPPERHEDGE malware to conduct internal reconnaissance in this operation
There are a total of 30 commands from 0x2003 to 0x2032
and 11 response codes from 0x2040 to 0x2050 inside the COPPERHEDGE backdoor
the malware used by the Lazarus group has been rapidly evolving to include lightweighting and modularization
This applies not only to newly added tools
but also to malware that has been used in the past
We have observed such changes for a few years
Throughout this operation, most of the C2 servers were legitimate but compromised websites in South Korea (T1584.001)
further indicating that this operation was highly focused on South Korea
other media sites were utilized as C2 servers to avoid detection of media-initiated watering hole attacks
as the infection chain turned to the second phase
legitimate sites in various other industries were additionally exploited
several malware samples were used that we managed to attribute to the Lazarus group through our long-running, dedicated research
Our attribution is supported by the historical use of the malware strains
all of which have been well documented by numerous security solutions vendors and governments
we have analyzed the execution time of the Windows commands delivered by the COPPERHEDGE malware
the build timestamps of all malicious samples we described above
and the time of initial compromise per host
demonstrating that the timeframes were mostly concentrated between GMT 00:00 and 09:00
Based on our knowledge of normal working hours in various time zones
we can infer that the actor is located in the GMT+09 time zone
semiconductor manufacturing and telecommunication organizations in South Korea that fell victim to “Operation SyncHole”
we are confident that there are many more affected organizations across a broader range of industries
given the popularity of the software exploited by Lazarus in this campaign
All of these cases targeted software developed by South Korean vendors that required installation for online banking and government services
Both of the software products exploited in this case are in line with past cases
meaning that the Lazarus group is endlessly adopting an effective strategy based on cascading supply chain attacks
The Lazarus group’s specialized attacks targeting supply chains in South Korea are expected to continue in the future
Our research over the past few years provided evidence that many software development vendors in Korea have already been attacked
and if the source code of a product has been compromised
other zero-day vulnerabilities may continue to be discovered
The attackers are also making efforts to minimize detection by developing new malware or enhancing existing malware
they introduce enhancements to the communication with the C2
More IoCs are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com
Operation SyncHole: Lazarus APT goes back to the well
Kaspersky GReAT experts uncovered a new campaign by Lazarus APT that exploits vulnerabilities in South Korean software products and uses a watering hole approach
who live in the neighborhood of East Elmhurst
The housemates cook meals in shifts beginning at three in the morning. Illustrations by Medar de la Cruz
In my neighborhood
everyone knows the corners where migrants wait for work
where you can’t so much as step out the door without hearing a language other than English
Newcomers arrive in waves and settle like layers of sediment
there’s a contingent of elderly Polish ladies who have been living in their century-old co-ops for decades
A few blocks over in one direction is Calle Colombia
the official nickname for a corner of Eighty-second Street since 2009; countless times
I’ve walked past a street vender guarding tall stalks of sugarcane that she feeds through a machine to make juice
hawk prayer rugs and other religious goods from overturned milk crates on the sidewalk
the newest residents have come mostly from Venezuela
Such migrants line up each day at dawn at paradas—“stops”—hoping to get picked up for day jobs
paradas across New York are known by names that describe either their location or their purpose
such as “La de Limpieza” (“the Housecleaning One”) or “Home Depot.” How these spring up is less complicated than one might think—people learn to do whatever work is immediately available in the area
The main housecleaning parada is in Williamsburg
where women regularly find jobs in the homes of Hasidic Jews
close to a blocks-long stretch of Chinese-run kitchen-and-bathroom showrooms
there’s a street corner where the waiting Chinese men know how to install kitchens and bathrooms
These word-of-mouth spots exist all over the city and in the surrounding suburbs
but nowhere are they more crowded than in Queens
The most popular construction parada near my apartment is technically in Woodside: “La 69” is a section of Sixty-ninth Street between Roosevelt Avenue and Broadway
it was normal to see a few dozen men milling around there
but since 2022 hundreds of workers have been lining up in the mornings
nonprofits and church groups hand out jackets and hot breakfasts
some people sleep in a tiny plaza called Pigeon Paradise
after the Trump Administration took power and began what it called the “largest deportation effort in U.S. history,” the numbers lessened for a while—people are terrified of ICE
But attendance at the parada has since returned to pre-Trump levels
“Don’t worry too much about that,” the day worker said, in Spanish, as he took his seat and cracked open a can of Coke. He went by Pato, and he was twenty-seven. “I’ve been here eight years, but it’s never been as bad as this,” he said. There were just too many migrants, Pato said, and not enough jobs. Guys would work for anything nowadays.
As Pato kept on through the afternoon, he told me that he lived in a shared house in Corona, some forty blocks from La 69, with other migrants from Guatemala, Mexico, and Ecuador. He considered himself lucky: you can never be entirely sure about living with anyone besides your own family, he said, but he got along fairly well with the other tenants.
In February, I paid a portion of one migrant’s rent for a bed in a two-family row house in East Elmhurst. I came and went as I pleased. Twelve migrants, all from Ecuador, lived on the first floor. The housemates told me that another large group lived on the second floor, though they weren’t allowed upstairs and rarely spoke with their neighbors. The house’s owners—an older woman and her adult son—lived in the basement.
“Heads up, guys. This is our last tour as the Klugs before we transition into the Klugs Wealth Management Certified Financial Planners.” Cartoon by Edward Koren
This past winter, the housemates seldom went out. Day jobs were scarce, and it was too cold for volleyball and soccer, their favorite pastimes. Perhaps more important, the Trump Administration had them terrified. Nobody had any kind of legal status, and although none of them personally knew anyone who had been deported, rumors of mass arrests were enough to restrict their behavior.
On the day of the nail-painting marathon, Elisa and Mercy kept at it until well after dark, becoming dizzy from the pungent chemical odor that hung in the stale kitchen air. When they finally stopped, Lilia’s cuticles were stained black.
All over Queens, especially along major thoroughfares such as Roosevelt Avenue, posters in Spanish affixed to lampposts, walls, and train pilings advertise rooms and apartments meant for migrants. “I rent an apartment. 4 Bedrooms. Available Now. Living Room, Kitchen, Bathroom. 7-8 people”; “I rent rooms. Veronica. ‘No Papers.’ Kitchen OK.”
Plenty of migrants have no choice but to depend on the ads. I recently came across a Facebook page called “Cuartos en renta Queens New York.” An affiliated website advertised apartments and single rooms for sublet in Queens. I messaged a number on WhatsApp and soon began texting with a broker named Renata, who wrote to me in Spanish, in all caps, and immediately began trying to persuade me to rent a room in a shared apartment in Woodside, two blocks from the 7 train.
“THEY ARE ASKING WHAT YOU DO FOR WORK AND WHAT COUNTRY YOU ARE FROM,” Renata texted. Just like some of the contractors hiring day workers, people frequently prefer to live with housemates from their own countries. Migrant communities in Queens have their own prejudices and stereotypes about one another. I’ve learned that many Ecuadorians think that Mexicans are drunks and Venezuelans are criminals; Mexicans and Guatemalans, in turn, often think of Ecuadorians as vagrants.
Plenty of these roommate arrangements are cordial. Everyone living at Janeth’s place ate dinner together at night. “There’s one gentleman from El Salvador living with us, and he’s gotten used to Ecuadorian food,” she said, adding that she sometimes lets fresh arrivals sleep in the living room for free.
Alcohol abuse, Carpio added, was another common problem. I thought of Pato, the Guatemalan man I’d met at La 69. After that work was done, he offered to return the next day with a companion to help haul out debris that he’d arranged in dusty heaps.
Lilia and Elisa, two of the Ecuadorians in the East Elmhurst unit, are sisters-in-law. In 2023, they were living together with their husbands in a smaller Corona apartment when they learned that a group of relatives was headed to the U.S. border. The two women set out to find a bigger place where all of them could live. After work, they knocked on the doors of local houses that had “For Rent” signs in the windows.
They found the East Elmhurst house after a few weeks. They didn’t know to check the Department of Buildings website, where they would have learned that there were no certificates of occupancy registered for the property, and that there had been numerous complaints, filed over the past ten years, alluding to overcrowding and illegal conversions. (One complaint, filed in 2015, reads, “The house is subdivided in many rooms and is renting the rooms like a hotel.”)
Frustratingly, the house came unfurnished. On Junction Boulevard, the tenants found the basics—mattresses, bed frames, kitchenware—but the items cost them a relative fortune. They learned to be wary of Facebook Marketplace, where sellers frequently asked for payment up front and then disappeared; they were surprised that things like that happened in America. The tenants began to trust only one another as they established a routine that marked the beginning of their American Dream.
We talked a lot about dreams during the days I spent there
Most of the housemates had left everything behind; some had parted with their kids without knowing when
as soon as they had enough money to take substantial savings back with them
the tenants discussed the infamous case of a social-media personality who’d offered to help transport the body of a dead migrant back to Ecuador—and then allegedly ran off with all the money
I told the residents that a business near my apartment offered a similar service: funeral transports to Latin American countries
and I sensed the years flashing before their eyes
many of their dreams had begun to feel more abstract
as they focussed on the day-to-day difficulties of surviving
though: he wanted to become a licensed plumber
so that he could start his own business and work for himself
Some friends had recommended a vocational school in New Jersey
But the tuition—about four thousand dollars—was prohibitive
told me that she was hoping to find an affordable after-school program for Yuri when she enrolled in kindergarten; currently
the couple was paying two hundred dollars a week for day care
Mercy didn’t realize that many public schools in the city provide after-school care for free
so that he could find a regular job and stop waiting for contractors at the parada every day at dawn
He was trying to figure out how to do the necessary paperwork
Lilia was determined to learn enough English to be able to communicate with her clients at the spa
all the housemates had the goal of mastering basic English
Some showed me notebooks that they had filled up at free classes around the city; Lilia told me that she had trekked all the way to Long Island City for her first such class
they had carefully written out Spanish phrases and their English equivalents
translated phonetically so that they could more easily pronounce the words
(“Uan mor taim pliz” for “One more time please”; “Si iu tumorou” for “See you tomorrow.”) But
they had found these classes “boring” and far too advanced
They needed to focus on the basics (“I,” “you,” “we”) and the essentials (“room,” “bed,” “job”)
The few words that they already knew were entirely trade-related: “roofing,” “plumbing,” “nails.”
when the housemates had returned from work
and were cooking in shifts—two people at a time using the four burners
reheating rabbit or potato stew—they asked me to hold casual English lessons
They wanted to learn how to ask very specific questions
Mercy’s: “Why are you discounting more from my paycheck than from hers?”
The only person who understood everything I said was Yuri
was too shy to speak English in front of her parents
She said that her bosses at the spa spoke mainly Korean but some English—and that she would be grateful for any chance to communicate with them
even if her own English were limited to halting sentences
she coined my house nickname: I became Profe
A prize-ribbon sticker—the kind that kids get for winning first or second place in a school competition—was stuck to the door of the bedroom where Anita slept with her husband
Yuri must have received the award at day care
The housemates didn’t know anything about the prior residents
A migrant dwelling doesn’t tend to break up all at once
unless something happens with the landlord—an eviction notice
their rooms or beds given to new occupants
until the home’s population looks nothing like it did a year or two earlier
A tenant could become financially secure enough to rent on their own
or a job offer could lead them to another city or state
a dispute or a vice churns up enough trouble to warrant a less amicable departure
Now another possibility loomed large: ICE might pick someone up at work
has been a “volleyball house” for more than twenty years
and has hosted generations of Latin American migrants who gather to play or watch anytime the weather is good.
Even though the East Elmhurst housemates lived in such intimate quarters
and some of them had been well acquainted back home
especially when it came to matters such as money and their plans for the future
Why were some of the housemates unsure about exactly how much the group paid in total rent
Matías mentioned to me that he might be moving to another state
he’d heard about a potential long-term job at a building in Kansas—or maybe it was Minnesota
When I brought this up in the presence of some of the other housemates
“I didn’t tell them,” he revealed afterward
but Matías still contemplated leaving and finding a proper room that he could have to himself
instead of paying some seven hundred dollars a month to sleep in a bed inches from another tenant
drank too much one Saturday morning and caused an altercation
breaking the front door of the house before passing out in his bed
Messi ended up paying about a thousand dollars to repair the door
alliances formed over whether to kick Messi out
Some were vocal about wanting to expel him
was upset that the incident had happened while Yuri’s cousin was visiting
Matías was more willing to let Messi try to redeem himself
He noted that he and Messi had both left their wives and kids behind when they came to New York
of Pato—the Guatemalan migrant whose own removal had seemingly led him to spiral—and considered how lonely he must have been
Living with many others was no antidote to emotional solitude
the episode had made him intent on improving his own situation
He’d called numbers he’d seen on “For Rent” signs
and was considering some rooms a few blocks away
The only thing stopping him from moving out was that he didn’t want to leave his sister Elisa—the only family member he had nearby
even if many people remained fearful of the intensifying deportation efforts
People have been flocking back to Thirty-fourth Avenue—the longest pedestrian street in the city
Children play in the shade of budding oak trees
and women from Mexico and Ecuador ring handbells and scoop ice cream from red carts
The remaining members of the neighborhood’s old Argentine and Uruguayan communities—who were prominent here before they moved out to the suburbs—share sips of mate on park benches
A group of older Bangladeshi and Nepalese residents gather for tea
an elderly husband and wife from Eastern Europe
are wheeled out by their Caribbean aides to watch people stroll past
I’ve never seen the couple say a word to each other
but sometimes his finger grazes the side of her hand and
Everything in New York City is touched and shaped by these waves of people
not only those who came earlier but those who continue to arrive now
The idea of “making it” in the new country is inextricably linked to memories of the old country and those who remain there
it’s virtually never a mistake to ask someone where they are originally from
People’s eyes will widen—with happiness or with sadness
“Everyone has their own way to cope,” Matías told me in late March
“I play volleyball.” He led me to three houses on the same block whose residents had constructed elaborate volleyball courts in their back yards
and tall mesh fences around the courts’ perimeters
At least one of the homes had been a “volleyball house” for more than twenty years
and had hosted generations of Ecuadorian and other Latin American migrants who gathered to play or watch anytime the weather was good
The people who lived there worked the courts
Elderly Spanish-speaking women grilled chicken and pork off to the side
which they served in abundant portions alongside potatoes and rice; others sold hot and cold beverages and loose cigarettes
even when gusts of wind left us shivering in our windbreakers
The most competitive courts had dozens of onlookers
Matías and I ran into familiar faces: Iván
and even Messi also hung out at the volleyball houses
(Stateline) More new apartments were built in 2024 than in any other year since 1974
but the Trump administration’s tariffs and deportations of potential construction workers
A U.S. Census Bureau survey found almost 592,000 new apartments were finished last year, the most since the 1970s, when baby boomers sparked a construction surge as they moved out of their childhood homes
There were 693,000 new apartments built in 1974
when the country had about half as many households
But there has been a steep slowdown in construction starts
as the newly completed apartments come online
The increased supply has lowered rents and increased vacancy rates
Some experts also say tariffs on construction materials and labor shortages caused by dips in immigration will create headwinds for new construction
Apartment starts were down 27% in 2024 compared with 2023
and down 37% from a recent peak of 531,000 in 2022
Apartment starts were at their lowest ebb since 2013
Housing experts have long lamented that there aren’t enough apartments and single-family houses in the U.S. — at least not in places where people want to live and at prices they can afford. Estimates of the national housing shortage last year varied widely, from 1.5 million houses and apartments to 20.1 million; since then
another 1.6 million houses and apartments have been built. Most experts estimate a shortage of 1.5 million to 5.5 million
according to the Joint Center for Housing Studies of Harvard University
Some states are building apartments faster than others
Though completions aren’t tracked by state
permits that lead to new apartments have been granted at high rates in recent years in South Dakota
The massive jump in apartment construction has its roots in 2021 and 2022
when interest rates were low and rent growth was high
senior research associate for Apartment List
a company that posts rental listings online
“Those new apartments came online in 2023 and 2024
and while those deliveries are slowing down today
there are still many apartments in the pipeline,” said Warnock
who added that “supply and demand are coming back into balance.”
In response to greater supply, rents have fallen by about $50 per month (3.5%) from their 2022 peak, according to a report released this week by Apartment List. Apartment vacancy is at a 15-year high of 6.3%, keeping a lid on rents, but that could turn around as construction slows, according to an April report by Moody’s
sponsor of the proposal signed into law in 2023
told Stateline it was needed to address a housing shortage
“We have a drastic shortage of workers,” Crabtree said before a vote in 2023
“South Dakota businesses need more workers in our state
said overregulation is a barrier to housing construction in many areas that his party controls
“A lot of blue-government areas and cities have extremely restrictive zoning
impact fees and other rules that make it very difficult to build housing,” said Domalewski. Another barrier is local opposition
developers would want to build in the places like California
where prices are the highest and rents are the highest
because they’d make more money,” he added
South Dakota approved nearly 6,000 permits for apartment units in 2023 and 2024
which when completed would add about 1.4% to its 2023 total of 417,000 housing units
That’s the highest rate in the nation
Mississippi during that same period approved about 660 apartment units — a fraction of 1 percentage point to its 2023 base of about 1.4 million housing units
executive director of the South Dakota Housing Development Authority
said the full impact of the state infrastructure funding isn’t apparent yet
as many developments that received the help are still under construction
Completions are still strong this year with about 39,000 apartments finished in March
not much different from the 41,500 in March 2024
which was the biggest March number since 1985
Another impediment to apartment construction has been high interest rates
which make it harder to borrow money to build
an assistant vice president for forecasting and analysis at the National Association of Home Builders
She expects apartment building starts to slow until later this year
“We are going to be short of workers for a long time
And of course tariffs are going to have an impact,” Nanayakkara-Skillington said
More new apartments were built in 2024 than in any other year since 1974, but the Trump administration’s tariffs and deportations of potential construction workers, plus higher interest rates, could be a wet blanket on the boom.
A 31-year-old man was arrested early morning on May 5 after crashing into an apartment building and multiple police cruisers in downtown Akron
Officers responded to reports of the vehicle crashing into an apartment building in the 100 block of Tate Terrace at about 3:34 a.m.
officers found multiple vehicles had also been damaged
The suspect's vehicle was located shortly after
the suspect struck another police cruiser several times in the process of fleeing
The pursuit ended on Morningstar Drive when the suspect's vehicle came to a stop after being pinned against a tree
The suspect was subsequently apprehended after resisting arrest
and the vehicle was later determined to be stolen
Two officers were hospitalized and their conditions are unknown
was arrested and charged with multiple offenses including:
felonious assault
assault on a law enforcement officer
resisting arrest
receiving stolen property
vandalism
criminal damaging
molesting police equipment
disrupting public services
failure to comply
obstructing official business
The Akron Fire Department found Gamble had struck a gas meter when he collided with the apartment building
causing the building's residents to be evacuated for safety concerns
Reporter Anthony Thompson can be reached at ajthompson@gannett.com
MYNORTHWEST NEWS
BY FRANK SUMRALL
One person died in a fire that occurred in an Everett apartment complex Monday morning
the Everett Fire Department (EPD) confirmed
Firefighters were called to Woodhaven Apartments
after people reported smoke was coming from one of the units
At 8:25 am this morning, Everett Fire was called to Woodhaven Apartments -4604 Fowler Avenue – for a report of a smoke coming from an apartment and the smoke alarm sounding. Firefighters arrived to find the same and made entry to the apartment. pic.twitter.com/Ax3Wo31xfW
— Everett Fire WA (@EverettFire) May 5, 2025
Crews worked to extinguish the fire while others attempted to save the victim’s life
The cause of the fire is under investigation
By SC Staff, May 5
GBHackers News reports that cybercriminals are escalating their tactics to circumvent multi-factor authentication
using adversary-in-the-middle attacks and reverse proxies to steal credentials and session cookies
Huntress unveiled major enhancements to its identity threat detection and response platform and launched a fully managed SIEM at the RSA Conference 2025
addressing the escalating challenge of credential theft
Malicious actors have used the MintsLoader malware loader to distribute the new GhostWeaver backdoor in an attack campaign that involved phishing and the ClickFix technique
Apartment complex in Tren de Aragua raid going into foreclosure
by Jaie Avila / News 4 San Antonio
SAN ANTONIO - A huge apartment complex that's been plagued by crime and gang activity is going into foreclosure
leaving the future of hundreds of tenants uncertain
The owner tells the News 4 I-Team he believes the city's migrant policies and police response caused the downfall of his property
The owner of the 678-unit Palatia apartments says they never financially recovered after Tren de Aragua gang members broke into hundreds of apartments
and even rented them to people who had been staying at the city's migrant resource center
Last summer John Barker showed us how many of his apartments were being lived in by people who had left the migrant center or the airport shelter operated by the city
Some had paid money to gang members to stay there
“They had their own leases they were signing with these residents
taking their money and breaking into their units," Barker said
but at first an assistant city attorney responded with indifference
we refuse to acknowledge there's a migration issue and if there's any issues on site
In a statement today the city said it made extensive efforts to keep the area safe:
"SAPD increased patrols in the complex
dedicated specialized units to investigate criminal activity
and worked closely with property owners and management to respond to ongoing concerns."
Barker says by the time SAPD raided the complex last October
arresting 19 people including four Tren de Aragua members
60 percent of the units were damaged or vacant
Repairs were so extensive and costly he's now forced to give the property back to the bank next week
“We spent a lot of money trying to bring this thing back but we're just past the point of return," Barker said
Barker says if the bank can't find someone else to salvage the complex it will have a big impact on a city that's already short on low-income housing
This article first appeared in The Listings Edit newsletter, a weekly digest of the most worth-it apartments in New York City. Sign up to get it first
it’s not as though getting an apartment in New York has ever been easy
But one could probably argue it has never been harder than it is right now
The most god-awful studios are regularly renting for thousands and thousands of dollars with lines of interested tenants out the door
and the surprisingly affordable-for-those-parquet-floors from all around the internet
A hastening of spring into summer means it’s time to decamp at the nearest park
you barely need an apartment as long as it’s 72 degrees and sunny
Say good-bye to those four walls until further notice
we might as well scroll through some listings
I randomly hung out around Gramercy Park (in keeping with the theme of this newsletter) and found out the going price for a one-bedroom apartment in those parts is around $7,000
$1,900, studio: Did I mention that I have a friend looking for a studio in this price range
$2,450, studio: Same goes for this one
$2,700, 1-bedroom: I have a feeling this is a sneaky gem
The people won’t flock here because of the nighttime photo shoot
$2,900, 1-bedroom: The kitchen is actually maybe the smallest I’ve ever seen on StreetEasy
$3,000, 1-bedroom: Cute and simple
with a sweet arched passageway and great light
$3,150, 2-bedroom: Unusual and charming window orientation
Another shitty kitchen — a shame when they’re so clearly an afterthought
$3,595, 2-bedroom: I don’t mind the windows (though they’re new)
and I’ll take the Astroturf in the backyard because at least it’s outdoor space
never a great sign when there are more photos of the neighborhood than the apartment
that picture of Saraghina’s sign is not gonna be the deciding factor for me
$3,650, 2-bedroom: Petition to remove all ceiling fans from New York City apartments
$12,500, 5-bedroom: It feels like the owners should not have purchased a beautiful historic brownstone
because the modernization efforts feel forced and often unnatural
They get points for trying — and for not demolishing the place
$4,900, 1-bedroom: It’s clean
There is truly nothing more to speak to here
$4,500, 1-bedroom: It’s feeling a little AI rendered
this is on the more affordable side for Gramercy Park
$3,250, 1-bedroom: I like that this place has some personality
I lied when I said the above was the most affordable
$4,025, studio: Okay
and more like the crawl space in the intestines of a boat
$7,975, 2-bedroom: I considered not listing because it’s sort of ugly and sort of expensive
At least it’s unique and the roof deck is quite nice
$2,150, studio: Okay
this one is in the running for most pathetic kitchens
but otherwise it’s got an arched passageway and is basically on the (best) park
$8,000, 2-bedroom: Why is this apartment $8,000
And is that “Kitchen Open Crazy Late” fluorescent sign detracting or jacking the price point
$9,500, 2-bedroom: I guess this is just the going rate for Fort Greene duplexes
This one has some unexpected design choices — a glass block in the stairway
which actually provides an unexpected spill of light
and some particularly uninspiring wallpaper
$4,500, 1-bedroom: I’m sorry for dragging us over to Cobble Hill
NORTH PORT – McDowell Housing Partners completed construction of the first phase of Ekos at Arbor Park, a 136-unit affordable apartment community for residents age 55 and older.
The $40 million complex at 1320 Citizens Parkway includes 76 one-bedroom and 60 two-bedroom apartments available to people making 20% to 70% of the Area Median Income
Rents are anticipated to be between $330 and $1,235 a month for one-bedroom units and $385 and $1,471 for two-bedroom units
“We are incredibly proud to celebrate the completion of the first phase of Ekos at Arbor Park
It’s an incredibly well appointed and managed community with rent levels that are far lower than anywhere else in North Port and Sarasota County,” Chris Shear
Ekos at Arbor Park Phase I is accepting applications at https://www.ekosarborpark.com
The Miami-based company first proposed the 55-and-older community in 2020 and received funding in 2021
The complex is just west of The Shoppes at Price Crossing
the Publix-anchored shopping center at the intersection of Price and Toledo Blade boulevards
Amenities include a clubhouse with a multipurpose social/community room
media center and outdoor grills on the lanai overlooking the resort-style pool
Forum Architecture and Interior Design served as the architect and MHP-Hennessy Construction
a joint venture between MHP Builders and Hennessy Construction Services was the general contractor
The apartments range in size from 700 square feet to 946 square feet
Each apartment offers kitchens incorporating energy efficient appliances
granite countertops with tile back-splashes
Residents can also participate in numerous service programs
including quarterly financial planning courses
Last winter, North Port city leaders cleared the way for construction of 66 affordable apartments and approved changes to the development master plan for Ekos at Arbor Park II on the southeast corner of Price Boulevard and Citizens Parkway.
The change allows for construction of three, three-story buildings and 7,779 square feet of commercial space on about 4.4 acres.
Shear noted that McDowell Housing Partners is close to securing the property for those homes.
“We remain dedicated to addressing the housing crisis in Sarasota County as we advance toward the closing of the land adjacent to Phase 1, where Ekos Arbor Park Phase II will be built, providing an additional 66 high-quality affordable apartments to families and individuals of all ages,” he added.
The community was funded through 4% tax credits purchased by Wells Fargo, a Wells Fargo construction loan, Freddie Mac permanent senior debt and subordinate loans from Florida Housing Finance Corporation.
In a presentation to the City Commission, attorney Jeff Boone, who along with his son Jackson Boone represented McDowell Housing Partners, stressed that the new units will benefit residents who earn less than the area median.
“What we're proposing here is real affordable housing,” Boone said.
The current proposal calls for 12 units to be available to households that earn up to 30% AMI, which would mean $21,150 for an individual and $31,200 for a family of four; 18 units to rent to households that earn up to 60% of AMI; and 36 units would be rented to those earning up to 70% AMI.
A person with multiple gunshot wounds was found at an apartment complex off Cliffdale Road and later died from his injuries, according to a news release by the Fayetteville Police Department.
Officers responded to a call at around 10:22 a.m. to the 600 block of Barton's Landing Place, according to the release. They found a person who had suffered "multiple gunshots to the upper torso." Medical personnel on the scene treated the person, who was transported to a local hospital where the person died, the release states.
The name of the victim is being withheld due to the nature of the investigation and until next of kin can be notified, the release states. The case is being investigated by the Police Department's Homicide Unit.
Anyone with information regarding is asked to contact Detective C. Johnson (910) 584-6703 or Crimestoppers at (910) 483-TIPS (8477). Crimestoppers information can also be submitted electronically, by visiting http://fay-nccrimestoppers.org and completing the anonymous online tip sheet, or by downloading the FREE “P3 Tips” app available for Apple devices in the Apple App Store and available for Android devices in Google Play.
Opinion Editor Myron B. Pitts can be reached at mpitts@fayobserver.com.
Federal Way community shaken after fatal shooting in apartment parking lot
by KOMO News Staff
FEDERAL WAY, Wash. — A significant police presence was established in a local parking lot following a shooting incident that left one person dead, according to the Federal Way police.
A temporary barrier has been erected, and a body, believed to be that of a minor, lies covered by a tarp, according to several neighbors.
The shooting occurred in the middle of the afternoon, a time when children and teenagers are often present in the area. Federal Way police said the call came in at 4:22 p.m. to the Uptown Square Apartments. When officers arrived, they found a man in his late teens or early 20s with a gunshot wound. Crews attempted first aid, but he died at the scene.
Authorities have not been able to identify the man or his age, however, three individuals at the scene have indicated that the victim is a minor.
"You fear for your kids to even go outside, and it’s sad because as children, they deserve to grow up and have fun and play and shouldn’t be worried about going outside from gun violence," said a concerned resident.
Authorities have deployed the Guardian One helicopter to assist in the search for the shooter or shooters, but no arrests have been reported at this time. There are no current suspects either, according to Federal Way police.
Detectives are continuing to investigate the scene, and they are expected to remain on-site throughout the evening. Anyone with information is asked to call 253-835-2121.
Text description provided by the architects. Homu Arquitectos transforms former ice warehouse into historical essence apartments in El Cabanyal. Valencia-based Homu Arquitectos has transformed a 243 m² former ice warehouse in El Cabanyal into two tourist apartments that respect the neighborhood's identity. Through this intervention, the studio recovers original materials, textures, and elements, giving them new life while highlighting the value of local architecture
Located in Valencia's historic maritime district of El Cabanyal, Los Ángeles apartments breathe new life into a former ice warehouse, transforming it into two tourist accommodations that combine history, identity, and contemporary design. The rehabilitation, carried out by Valencia-based Homu Arquitectos, stems from an exercise in architectural respect, where the original materiality and essence of the building have been carefully preserved.
The bathroom areas become the backbone of the space, functioning as a hinge between the day areas and bedrooms. Despite their structural magnitude, they have been designed to integrate subtly, without breaking the fluidity and visual language of the apartments.
this Homu Arquitectos project demonstrates that it is possible to intervene in historical architecture without stripping it of its identity
results in a harmonious proposal where past and present coexist in perfect harmony
Marketplace focuses on the latest business news both nationally and internationally
and wider events linked to the financial markets
It is noted for its accessible coverage of business
Philadelphia’s Kings Highway Apartments comprises 27 buildings along Frankford Avenue
Odin Properties bought and renovated them last year
Kings Highway Apartments on Frankford Avenue in Philadelphia (Aaron Moselle/WHYY)
The $6.3 billion plan is designed to help address Philadelphia's deepening affordable housing crisis
The class-action complaint calls on Odin Properties to make Bentley Manor safe and repay tenants who unlawfully paid rent
City and state law requires landlords to keep their properties safe and habitable
violators are barred from collecting rent until the property is compliant
Balderston pushed back on the suit’s allegations
“We care deeply about our residents and take tremendous pride in our relationships with them
so we take any allegations to the contrary very seriously
We are carefully considering the allegations of the recent complaint and plan to respond appropriately,” said Balderston
whose company owns and manages at least 1,500 apartments in Philadelphia
Tenants at other Odin properties have also targeted the company for allegedly failing to make urgent repairs
The legislation is designed to make it easier for developers to build homes in certain sections of the city
the shallow rent program has helped keep vulnerable residents housed amid an affordable housing crisis
She’s driven from Long Beach to Azusa searching for apartments, spending her days scanning listings for those that would accept her Federal Emergency Management Agency housing assistance and calling 211 for help. Most nights, she’s slept in her van. The worst came when a truck smashed into the back of her vehicle one morning as she was pulling into a fast food parking lot. Johnson got a rental car and then slept in that.
“I’m going through all this,” said Johnson, 62. “And I just came through a disaster.”
Johnson said relying on FEMA for a home would have put her on a path to recovery rather than living in an “emergency mode” where she’s just trying to make it through each day.
“It would stabilize you a lot faster,” she said.
Todd Smoyer was thrust into a desperate house hunt alongside thousands of other families
but there were plenty of obstacles along the way
Federal and state emergency officials said that they have not started the program
Their analysis of available apartments in L.A
County shows more than 5,600 listed at prices within the limits of FEMA reimbursements
“The data does not support a rental shortage,” said Monica Vargas
spokesperson for the California Governor’s Office of Emergency Services
This stance baffles national and local disaster relief advocates who contend that the public agencies are overlooking precedents across the country and realities on the ground
Brenda Sharpe drives past fire damage in Altadena
she was renting a three-bedroom house for $1,200 a month
co-founder of Altadena nonprofit My Tribe Rise
said she believes there are potentially thousands of Eaton fire survivors with insecure housing like Johnson
including those doubling up with relatives
sleeping on couches or packing into hotel rooms
“If these agencies are set up to show compassion and care
to have these people have some type of normalcy
the first part would be helping people find housing,” Hughes said
“It’s sad there has to be this much talking when they should know we need it.”
A Times analysis shows that half the homes destroyed in Pacific Palisades and Altadena were rentals
raising questions about the future of affordable housing in the communities
Direct Lease provides a necessary backstop for people suddenly in need
manager of disaster recovery at D.C.-based nonprofit National Low Income Housing Coalition
“If they can’t find a landlord that’s willing to take the money that FEMA is paying
“The idea is to have a list of eligible properties you could give to a disaster survivor and say
The public agencies’ response “paints a pretty rosy picture of the rental market absorbing a significant amount of fire survivors,” Patton said.
“Based on the things that I know, this doesn’t really make any sense,” he said.
In late January, FEMA formally solicited interest from L.A. landlords to make buildings available for the Direct Lease program. Soon after, the effort stalled.
FEMA spokesperson Brandi Richard Thompson said that while the agency understands that individual survivors are facing hardships, state and federal data show rental housing is accessible. Evidence from disaster-affected households supports that view, she said.
“The number of applicants eligible for and requesting continued FEMA rental assistance remained comparatively low, suggesting that, on a broad scale, many eligible survivors were able to find housing solutions within the available rental market,” Richard Thompson said.
Brenda Sharpe loads her car with items that she needs to store. FEMA subsidy amounts vary by neighborhood and household size. Under current rules, a family of four could rent a two-bedroom in central Pasadena for up to $3,410 a month.
The agency already has rejected a state proposal to increase these rates, and would be unlikely to approve the Direct Lease program if asked, Richard Thompson said.
She encouraged those facing difficulties to reconnect with FEMA for help.
“We remain committed to helping each survivor find the best path to recovery, even in a very challenging housing environment like Los Angeles County,” Richard Thompson said.
The Palisades and Eaton fires destroyed or damaged more than 8,500 homes in an already tight housing market
Experts said the disaster will probably put upward pressure on rents in areas close to the fires
Advocates said the state and federal position minimizes the problems fire survivors
Hughes noted that the agencies’ estimate of available rentals spans the entire county
shouldn’t be forced to move 50 miles away to the Antelope Valley
when FEMA could potentially offer closer options
Hughes said the decision also ignores the local context in Altadena
a longtime haven for Black residents where many elderly homeowners don’t meet private landlords’ income or rental history requirements
That leaves them at further disadvantage in a tough market
they know that price gouging is happening everywhere,” Hughes said
the Altadena renter who has been living in her van
landlords pressed her to show she earned twice the rent
Some places she looked at were charging upwards of $2,000 a month for a few hundred square feet or a room in a boarding house with shared kitchen and bathroom
she found a one-bedroom apartment in Azusa in a building that typically caters to low-income residents
A nonprofit covered the hotel’s $1,900 cost in April
Brenda Sharpe has to come up with the money herself
although she lost most of her neighborhood housecleaning work after the fires
For survivors still struggling to receive federal help
five generations of Brenda Sharpe’s family lived in multiple homes in Altadena
from Sharpe’s 102-year-old grandmother to her 2-year-old grandson
and her three younger children were renting a three-bedroom house owned by a friend for $1,200 a month
FEMA denied her application for rental assistance
the fire caused Sharpe to lose nearly all of her housecleaning work in the community
Sharpe and her children have bounced between six hotels and Airbnbs
In the Pasadena hotel where they’re now staying
Sharpe has lined up air mattresses between the room’s two double beds so everyone has their own place to sleep
A nonprofit covered the hotel’s $1,900 cost in April
The thought of finding something she can afford on the open market seems impossibly daunting — even harder while having to process the loss her family has experienced
whom police officers carried out of her home with flames bearing down
“Trying to find affordable housing has been the problem
Brenda Sharpe’s family lost their Altadena home in the Eaton fire
(Carlin Stiehl / Los Angeles Times) U.S
said locating long-term housing has been the most consistent concern she’s heard from her constituents
they’ve had to move multiple times and still are unable to settle
Chu said she planned to press CalOES and FEMA for more details on why the agencies believed that the Direct Lease program wasn’t needed
“I’m just stunned at the determination that there’s enough housing at the parameters given costwise,” Chu said
Brian Ferguson, a Newsom spokesperson, said that in response to The Times’ inquiries the administration is reevaluating its stance on Direct Lease.
“As Los Angeles continues its rapid recovery, providing resources and support to individuals that have been displaced is our top priority,” Ferguson said. “The state remains open to all viable solutions to provide housing and aid to fire survivors.”
With state-backed threats and budget cuts squeezing cybersecurity teams
experts have urged organizations to watch over their environments more closely
The threat posed by China-backed groups to enterprises is at an unprecedented level and continues to be underappreciated
Perlroth and Mandia focused heavily on the threat posed by China-backed threat groups
“China's almost doubled their aggression in cyber because there's no agreed upon rules of engagement,” Mandia stated
adding that he’s not confident that such rules could ever be agreed upon
To illustrate how the threat China poses to Western organizations has worsened over time
Mandia recalled a cyber attack response he led in 1996 in which a number of US Air Force bases were compromised by Beijing-based attackers
the threat actors routed through a West Coast university IP address linked to a former Chinese international student
“I've had three or four cases in my life
where I had no remediation plan,” Mandia said
You didn't have a phone number to call.”
publications had failed to connect the dots between these attacks and coordinated campaigns by the Chinese government
with Mandia adding that Mandiant clients weren’t yet sold on the idea that a nation state would bother to hack them
evidence linking the group to the Chinese military
and details on its infrastructure and indicators of compromise (IOCs)
Despite this growing awareness of the threat posed by China-backed groups
Perlroth said people still don’t have a firm grasp on the extent to which China has infiltrated enterprise systems primarily for IP theft purposes
Perlroth said the aim may simply be to breach
“We haven’t seen them jump over to the OT yet
you've heard these public comments from government officials that we know they have the capability
but it's very clear that they're there waiting
“I think the most generous theory is mutually assured digital destruction – we're all holding guns to each other's heads
And it's our new form of deterrence.”
Perlroth warned that this could be used in the case of a geopolitical upset, to cause the equivalent of four or five attacks on the scale of the Colonial Pipeline breach
In her phone call with the General Manager
he questioned how the attack could possibly benefit the threat group
“That's the question we should all be reckoning with right now: Why is China compromising the little local water electric utility department in Littleton
Looking at the threat landscape more broadly
Mandia predicted a rise in cyber crime driven by geopolitical tensions and rising economic turmoil
as people looked to obtain funds using cyber attacks and nation states offered sovereign hackers safe harbor from US extradition
Stating the US has “basically a trade war going on”
Mandia warned security teams will be ordered to tighten their belts by CEOs cutting discretionary spending
be thinking ‘How can I meet the expanding threat landscape by using the same resources or even less?’”
Using AI to boost security productivity and oversight has been a running theme at RSAC Conference 2025 and Mandia agreed that the technology could be used to help security teams meet their goals amid these budget cuts
He advised attendees to leverage AI to whatever extent they could
Mandia also freely admitted that he had changed his tune on cyber hygiene
having argued for years that it was good practice to follow but largely meaningless in the face of the most sophisticated threat actors
I finally got there,” he told attendees
it always has – I just ignored it because I saw the upper echelon attacks and said ‘Great hygiene wouldn’t help much here’
Mandia also stressed there is a clear need for identity controls at an enterprise level
particularly as organizations move to use everything at their disposal to fend off automated attacks
“I advise all security professionals to constantly revisit their identity security posture and impact it
either directly because you're in charge of it
or indirectly with your government and subject matter expertise to lock it down,” he said
Without proper identity management and a controlled environment that can detect suspicious lateral movement
Mandiant warned that organizations could already be breached and not know it
overseeing all in-depth content and case studies
He can also be found co-hosting the ITPro Podcast with Jane McCallion
swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn
Cooking oil on a stove caused a fire at an apartment building in Clifton Park
Firefighters tell NewsChannel 13 that it took crews around two hours to get the fire under control
The resident was able to exit safely with her children and called 911
according to a statement from the Solomon Organization
Two neighboring buildings had smoke and water damage and were expected to be fixed as early as Wednesday
Twin Lakes staff put the residents up in a hotel
Staff is assisting displaced residents to find permanent housing.
"It's going to happen again,'' Joyce Allen said in a panicked voice as heavy rain came down Thursday afternoon outside the Kirby Avenue Apartments in Mount Airy
where she has lived for the past nine years
you got people standing in water in their apartments every time it rains,'' said Allen
who lives in unit 57 of the 116-unit complex at 5469 Kirby Ave
but my neighbor has a hole in her roof that lets the water right in
She's been trying to have it fixed for months.''
Flooding is just one of the issues plaguing Allen and her neighbors in the apartment complex once owned by Vision & Beyond
an international real estate investment group based in Herzliya
The company owned more than 70 multifamily buildings in the Cincinnati area before abandoning the properties late last year after the company collapsed and laid off most of its employees.
More than 30 of the multifamily buildings once owned by Vision & Beyond and in some stage of foreclosure have been taken over by Oakley-based Prodigy Properties − a court-appointed receiver charged with collecting rents and maintaining the properties.
The city of Cincinnati recently fined Prodigy $500 and ordered the receiver to keep the property free of litter.
And Cincinnati Health Department inspectors were on site Thursday.
But Kirby residents told The Enquirer they're still dealing with backed-up toilets, plumbing leaks and other unresolved maintenance issues, and Prodigy hasn't been much help.
"When they took over in February, they (Prodigy) did some cleanup and made a few minor fixes like putting locks on some doors,'' said Lisa Green, who has lived in the Kirby apartments for the past two years.
'It's dangerous living here,' resident says
"But you still got holes in walls, plumbing leaks, toilets don't work, and mold is everywhere,'' Green said. "It's dangerous living here, and nothing's being done about it.''
Green was among dozens of former Vision & Beyond tenants who joined a petition drive by the Cincinnati Tenants Union, a volunteer group of renters and activists, demanding that Prodigy meet with them to negotiate an action plan immediately.
"Every time it rains there, it’s a mess,'' said Brad Hirn, one of the founders of the tenant union. "There are kids there, and elders. The tenant union has been seeking to negotiate immediate provisions regarding their health and safety.
“Prodigy has said publicly that conditions are getting worse,'' Hirn said. "It’s up to Prodigy to figure out a solution that doesn’t take months.''
Prodigy officials did not respond to emails and phone calls from The Enquirer seeking comment.
Hirn said he's been told by Prodigy officials that the problems at many of the properties under the receiver's control were preexisting and are too widespread and extensive to be fixed quickly.
BETHLEHEM, Pa. — A rooftop cigarette butt may have caused the massive blaze Friday that heavily damaged the Five10 Flats apartment and retail complex on Bethlehem's South Side.
Former Bethlehem Mayor John Callahan, director of business development for Peron Development, which built Five10 Flats, told LehighValleyNews.com Friday evening that officials believe they have identified the source of the blaze.
"We've got a rooftop deck on the building and we have not identified the resident yet," Callahan said in a phone interview.
"It appears a resident was smoking on the rooftop deck and put a cigarette butt in one of the plants and... on the [security] cameras... we watched it smolder.
"The first fire sensor went off in the elevator shaft that services the rooftop."
Callahan said firefighters had cleared the building, including residents and their pets.
"We're making arrangements now for hotels for the residents," he said, sharing thanks to Staybridge Suites Allentown West and WoodSpring Suites Easton Nazareth for "stepping up" to house residents.
While "it appears that only one of the sprinkler heads went off," Callahan said he expects extensive water damage throughout the building.
That includes Starbucks and the El Jefe Mexican Restaurant and Grill, though Callahan said he couldn't say how long those businesses might be closed.
"I want to praise the Bethlehem Fire Department and all the other fire departments that stepped up to assist," he said.
"It was a multiple-alarm fire and we're very fortunate that Bethlehem has a paid fire department that was available, and a very rapid response time.
"There was a lot of volunteer fire departments that stepped up, as well. We were very fortunate — super fortunate — to have the police, fire, EMS, first responders we have in our community."
Northampton County Dispatch said the initial call came in at 1:17 p.m. and it was upgraded to a fourth alarm fire nearly half an hour later.
Firefighters were on the roof of the building by about 1:30 p.m., shortly after flames broke out.
Massive plumes of black smoke shrouded the area as police and additional first responders raced to the scene.
Bethlehem Fire Department crews used a ladder hose to battle the flames as reinforcements arrived.
One woman driving through East First Street near the SteelStacks about 1:30 p.m. said the smoggy scene "looks like 9/11."
Allentown Fire Department, Easton Fire Department and Nancy Run Fire Company were some of the first to arrive to offer mutual aid.
Northampton County Dispatch said at least five fire departments assisted in battling the fire.
Firefighters were going “door to door inside the building” about 1:40 p.m., a Bethlehem police officer told a woman who lives on the fifth floor.
The American Red Cross of Greater Pennsylvania was assisting residents at the scene.
Cristina Maisel, Regional Communications Manager for the Red Cross, said the organization got the initial call about 1:30 p.m.
"Right now, the American Red Cross Pennsylvania Rivers Chapter is supporting displaced residents with comfort and care at a temporary evacuation point at the Northampton Community College Fowler Family Center," Maisel said in an email to LehighValleyNews.com early Friday evening.
Firefighters were opening up the roof of the building around 2 p.m. as smoke continued billowing into the sky.
They still were fighting the blaze more than an hour after it started, with charred pieces of the building falling to the ground, some drifting across the street into the parking lot of Northampton Community College's Fowler Center.
Crews left the roof around 4:30 p.m. Friday, while other firefighters worked to retrieve residents' pets, medication and other necessities from inside.
Bethlehem Mayor J. William Reynolds, speaking to LehighValleyNews.com across the street from the fire, paid tribute to the many emergency workers involved Friday.
"Our fire department, our paramedics, our police are second to none," Reynolds said. "And in situations like this, that's the difference between saving lives and saving property [and not]."
The four-alarm fire drew help from across the region.
"We cannot say thank you enough to the first responders" who showed up Friday, he said.
The five-story building on East Third Street opened in 2018 with 95 one- and two-bedroom apartments on the upper floors.
Social Still Distillery, just east of Five10 Flats, said on social media it would be closed Friday due to the fire next door.
Country Club Brewing announced on Facebook that it opened and is offering food and beverages from other local businesses for "everyone that has been affected, displaced, and all of the emergency personnel."
Standoff at Pine Bluff apartments ends with suspect in custody, one dead
by Kylon Williams | Daniela Dehaghani
officers of the Pine Bluff Police Department were dispatched to the Park View Apartments at 300 W
13th Street for a domestic disturbance call
The call was said to have been called in by a family member
officers were unable to get the occupants of the apartment to come to the door
The male inside had also barricaded himself in the apartment and was refusing to come out
and negotiators were both called to the scene to assist with the incident
A standoff between law enforcement and 54-year-old Melvin Sanders went on for almost three hours before Sanders exited his apartment around 1 p.m
Sanders was taken into custody by officers without incident and was transported to the Jefferson Regional Medical Center to be treated for an apparent self-inflicted gunshot wound in his hand
officers entered the apartment and found 43-year-old Yashika Morris
who was pronounced deceased from an apparent gunshot wound
After his release from the Jefferson Regional Medical Center
Sanders will be booked into the Jefferson County Jail for Capital Murder
If anyone has any more information about this homicide
they are asked to call the detective office tip line at 870-730-2106
Former Caltrain official convicted of embezzling for construction of apartment at train station
Jury rejects defense claim that $42,000 project at Burlingame
— A former Caltrain official has been convicted of embezzling public funds to build a secret apartment in the historic Burlingame
station used by the commuter rail operator
The San Jose Mercury News reports a jury found Joseph Navarro guilty of one felony count of misappropriation of public funds
2025) rejected defense arguments that Navarro’s supervisor had given him permission to use funds to renovate the space and reside there while working 80-hour weeks
and that the charges had not been filed within the three-year statute of limitations
Navarro will be sentenced on June 11 and could face up to four years in state prison
Navarro, formerly a deputy director at Caltrain, was charged just over a year ago [see “Former Caltrain official, contractor face felony charges …,” Trains News Wire
He was alleged to have conspired with a contractor to spend $42,000 to remodel office space inside the station opened in 1894 and added to the National Register of Historic Places in 1978
Receipts were kept under $3,000 so they did not require further approval
Prosecutors said the work resulted in an apartment with a living room
The contractor, Seth Worden, pleaded no contest to misdemeanor embezzlement by a public officer in a plea deal earlier this year
He faces up to five months in jail and was ordered to pay $8,144 in restitution
but Navarro’s apartment wasn’t detected until Caltrain received a tip in 2022
officials said when the charges were announced
San Mateo County District Attorney Stephen Wagstaffe told the Mercury News he was “pleased that the jury was able to see through the defense and recognize that he had no authorization from anybody to build this little apartment there at the train station with taxpayer money.”
If this employee was working 80 hours a week, and I am assuming he did not live close to this location
it seems reasonable to me that he have a room to stay at
instead of a motel. On the other hand if he used it like in the movie THE APARTMENT with Jack Lemmon. He personally did not gain any monetary amount
and to be charged with a felony seems overkill
I can't imagine who sent the tip off to Caltrain
“APT.” held relatively steady on the Official Singles Chart (which is widely regarded as the U.K
equivalent to Billboard’s Hot 100 in the United States)
Maritime and logistics companies in South and Southeast Asia
and Africa have become the target of an advanced persistent threat (APT) group dubbed SideWinder
Other targets of interest include nuclear power plants and nuclear energy infrastructure in South Asia and Africa
In what appears to be a wider expansion of its victimology footprint, SideWinder has also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. The targeting of India is significant as the threat actor was previously suspected to be of Indian origin
"It is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems," researchers Giampaolo Dedola and Vasily Berdnikov said
describing it as a "highly advanced and dangerous adversary."
The latest attack chains align with what has been reported before, with the spear-phishing emails acting as a conduit to deliver booby-trapped documents that leverage a known security vulnerability in Microsoft Office Equation Editor (CVE-2017-11882) in order to activate a multi-stage sequence
employs a .NET downloader named ModuleInstaller to ultimately launch StealerBot
Kaspersky said some of the lure documents are related to nuclear power plants and nuclear energy agencies
while others included content referencing maritime infrastructures and various port authorities
"They are constantly monitoring detections of their toolset by security solutions," Kaspersky said
they respond by generating a new and modified version of the malware
SideWinder tries to change the techniques used to maintain persistence and load components
they change the names and paths of their malicious files."
Now may be the time for Denver’s apartment residents to ask for a break on rent
After years of landlords having the upper hand
the Denver metro has become a renter’s market
according to the Apartment Association of Metro Denver
according to the organization’s first quarter rent and vacancy report
Denver County’s median rent is down 5 percent and metro-wide rent is down 3.6 percent compared to this time last year
Many landlords are offering more amenities and lower fees to keep units full
Tenants are better positioned to negotiate lower rents or move to a more affordable place with more rooms and better appliances
The Denver metro’s median rent for two-bedroom apartments is $1,659 — lower than any time since 2023
As an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments
UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet
The threat actor will subsequently use various open-source tools for network reconnaissance to move through the compromised enterprise
UAT-5918 overlaps with the other APT groups in terms of targeted geographies and industry verticals
indicating that this threat actor’s operations align with the strategic goals of the threat actors
“The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft,” Jung soo An, Asheer Malhotra, Brandon White, and Vitor Ventura, Cisco Talos researchers wrote in a Thursday blog post
it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations
UAT-5918’s intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access
such as RDP to endpoints of significance to the threat actor.”
They added that the typical tooling used by UAT-5918 includes networking tools such as FRPC
“Credential harvesting is accomplished by dumping registry hives
and using tools such as Mimikatz and browser credential extractors
These credentials are then used to perform lateral movement via either RDP
The researchers noted, “We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors. Similar verticals and geographies have also been targeted by APT groups such as Volt Typhoon
Cisco Talos identified a significant overlap in post-compromise tooling and TTPs with Volt Typhoon
such as using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition; gathering logical drive information such as names
and free spaces; credential dumping from web browser applications; using open-source tools such as frp
and Impacket for establishing control channels; and the absence of custom-made malware
government assesses that Volt Typhoon is a PRC state-sponsored actor conducting cyberattacks against U.S
“Multiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past
along with the use of tactics such as relying on RDP and other web shells to persist in the enterprise and WMIC for gathering system information,” the researchers observed
a Chinese government-sponsored threat actor
In August 2023, Microsoft researchers detailed Flax Typhoon targeting dozens of organizations in Taiwan with the likely intention of performing espionage
Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware
relying on tools built into the operating system
along with some usually benign software to quietly remain in these networks.
Additionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as filepaths and names used by UAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper’s malware suite, specifically Crowdoor Loader and SparrowDoor, overlap with the threat actors known as Famous Sparrow and Earth Estries.
Furthermore, the researchers have also observed overlaps in tooling and tactics used in this campaign operated by UAT-5918 and in operations conducted by Earth Estries
They have discovered similar tooling between UAT-5918 and Dalbit consisting of port scanners
“It is worth noting that a sub-set of tools UAT-5918 uses such as LaZagne
have not been seen being used by the aforementioned threat actors in public reporting,” the post added
“It is highly likely that this tooling might be exclusively used by UAT-5918 or their usage by other related groups may have been omitted in publicly available disclosures.”
UAT-5918 typically gains initial access to their victims via exploitation of known vulnerabilities on unpatched servers exposed to the internet
Activity following a successful compromise consists of preliminary reconnaissance to identify users
Initial credential reconnaissance is carried out using the ‘cmdkey’ command
The threat actor then proceeds to download and place publicly available red-teaming tools on endpoints to carry out further actions
UAT-5918 also disabled Microsoft Defender’s scanning of their working directories on disk.
Cisco Talos detailed that the threat actor uses two utilities for monitoring the current connection to the compromised hosts — NirSoft’s CurrPorts utility and TCPView
Both tools are likely used to perform additional network discovery to find accessible hosts to pivot to
“The threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints already identified.”
The researchers found that credential harvesting is another key tactic in UAT-5918 intrusions, instrumented via the use of tools such as Mimikatz
They also consistently attempt to gain access to additional endpoints within the enterprise
They will perform network reconnaissance cyclically to discover new endpoints worth pivoting to and make attempts to gain access via RDP or Impacket
“UAT-5918 pivots across endpoints enumerating local and shared drives to find data of interest to the threat actor,” the Talos researchers identified
“This data may include everything that furthers the APT’s strategic and tactical goals and ranges from confidential documents
DB exports and backups to application configuration files
the threat actor used the SQLCMD[.]exe utility to create a database backup that could be exfiltrated.”
Last month, Cisco Talos researchers disclosed that having tracked reports of extensive intrusion activities targeting several U.S. telecommunications firms
they have investigated to date initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials
The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods
maintaining access in one instance for over three years
We can't get Six13's take on the K-Pop hit featuring Bruno Mars out of our head
Six13 is back with an infectious Passover K-Pop (Korean pop) — or rather J-Pop (Jewish-pop) — parody that makes us want to recline and bop our heads all Passover long
(The holiday starts on the evening of April 12
The new parody from the veteran a cappella group is a Passoverized version of the smash Rosé (a member of the iconic K-pop group Blackpink who released her first solo album last year) and Bruno Mars hit “APT,” based on a Korean drinking game — so truly perfect for a holiday in which we have to drink four cups of wine
The song itself incorporated elements from the wonderfully nostalgic song “Mickey” by Toni Basil (co-written by Jewish British songwriter Nicky Chinn) and was also co-written and co-produced by Israeli songwriter and record producer Omer Fedi (who
Six13 incorporates some of the fun elements of the Bruno Mars and Rosé video
turning its pink hues to blues but featuring the same dancing
They also add so many fun Passover flourishes
from crumbled matzah to stuffed frogs to bopping Stars of David and bottles of Manischewitz
Instead of “APT,” the song is called “PSVR,” and the group starts by reciting the order of the seder then turns the chorus of “APT
Passover.” At the end they also incorporate the title of iconic seder songs like “Chad Gadya” and “Ma Nishtana.” It’s a delightful parody and it’s hard to choose my favorite part
though I will say it might have my favorite micro-retelling of the Passover story of any parody in the bridge of the song:
yeah / There were ten plagues / Dough flat
Lior Zaltzman is the deputy managing editor of Kveller
Firefighters were battling a second-alarm building fire near Aspers in Menallen Township on Wednesday afternoon
Emergency crews had been called to a report of a house on fire on the 200 block of Opossum Hill Road in Menallen Township around 2:34 p.m
The second alarm was then requested after units arrived on scene
Bendersville Community Fire Company, the main agency for the fire, shared that the department was working at the scene of the fire along with multiple other fire companies
In one of the images provided by the department
a large column of black smoke is visible over the horizon
In a release
the Fayetteville Volunteer Fire Department of Franklin County shared that they were assisting on the scene of the fire
which they said involved an apartment building
was not immediately available as of Wednesday afternoon
This is a developing story, check back for updates.
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024
Jean-Ian Boutin
ESET APT Activity Report Q2 2024–Q3 2024 summarizes notable activities of selected advanced persistent threat (APT) groups that were documented by ESET researchers from April 2024 until the end of September 2024
The highlighted operations are representative of the broader landscape of threats we investigated during this period
illustrating the key trends and developments
and contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports
we observed a notable expansion in targeting by China-aligned MirrorFace
it extended its operations to include a diplomatic organization in the European Union (EU) for the first time while continuing to prioritize its Japanese targets
China-aligned APT groups have been relying increasingly on the open-source and multiplatform SoftEther VPN to maintain access to victims’ networks
We detected extensive use of SoftEther VPN by Flax Typhoon
observed Webworm switching from its full-featured backdoor to using the SoftEther VPN Bridge on machines of governmental organizations in the EU
and noticed GALLIUM deploying SoftEther VPN servers at telecommunications operators in Africa
We also observed indications that Iran-aligned groups might be leveraging their cybercapabilities to support diplomatic espionage and
These groups compromised several financial services firms in Africa – a continent geopolitically important to Iran; conducted cyberespionage against Iraq and Azerbaijan
neighboring countries with which Iran has complex relationships; and increased their interest in the transportation sector in Israel
Despite this seemingly narrow geographical targeting
Iran-aligned groups maintained a global focus
also pursuing diplomatic envoys in France and educational organizations in the United States
North Korea-aligned threat actors persisted in advancing the goals of their regime
which has been accused by the United Nations and South Korea of stealing funds – both traditional currencies and cryptocurrencies – to support its weapons of mass destruction programs
These groups continued their attacks on defense and aerospace companies in Europe and the US
as well as targeting cryptocurrency developers
began abusing Microsoft Management Console files
which are typically used by system administrators but can execute any Windows command
several North Korea-aligned groups frequently misused popular cloud-based services
we saw an APT group – specifically ScarCruft – abusing Zoho cloud services
We detected Russia-aligned cyberespionage groups frequently targeting webmail servers such as Roundcube and Zimbra
usually with spearphishing emails that trigger known XSS vulnerabilities
we identified another Russia-aligned group
stealing email messages via XSS vulnerabilities in Roundcube
Other Russia-aligned groups continued to focus on Ukraine
with Gamaredon deploying large spearphishing campaigns while reworking its tools using and abusing the Telegram and Signal messaging apps
Sandworm utilized its new Windows backdoor
and its advanced Linux malware: LOADGRIP and BIASBOAT
a disinformation and psychological operation primarily aimed at demoralizing Ukrainians
We also analyzed the public hack-and-leak of the Polish Anti-Doping Agency
which we believe was compromised by an initial access broker who then shared access with the Belarus-aligned FrostyNeighbor APT group
the entity behind cyber-enabled disinformation campaigns critical of the North Atlantic Alliance
from analyzing an exploit found in the wild
we discovered a remote code execution vulnerability in WPS Office for Windows
We attribute the attack leveraging the exploit to the South Korea-aligned APT-C-60 group
Malicious activities described in ESET APT Activity Report Q2 2024–Q3 2024 are detected by ESET products; shared intelligence is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers
ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided in ESET APT Reports PREMIUM. For more information, visit the ESET Threat Intelligence website