Here are the most important cybersecurity news highlights from the past week.

  • North Korean hackers targeted blockchain developers to steal cryptocurrency.
  • The FBI dismantled the "last refuge" of ransomware operators.
  • Hackers breached single sign-on systems to attack corporations.
  • The head of CISA sparked controversy by uploading sensitive documents to ChatGPT.

North Korean Hackers Target Blockchain Developers to Steal Cryptocurrency

The North Korean hacking group Konni has used AI-generated malware to attack blockchain developers, according to Check Point analysts.

The primary goal of the attackers is to gain access to development environments, which can lead to API credentials, infrastructure, and ultimately, the companies' cryptocurrency wallets.

Experts report that the attack begins on Discord, where the victim receives a link to a ZIP archive. Inside are a PDF lure and a malicious LNK file. Running the shortcut activates a complex chain:

  1. A PowerShell loader is launched, which opens a DOCX document to distract the victim.
  2. A CAB archive containing a backdoor, batch files (BAT), and a User Account Control (UAC) bypass tool is extracted in the background.
  3. A scheduled task disguised as a OneDrive process is created to run every hour; it executes an encrypted script directly in memory and erases its traces after execution.
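As an added example (not code from the article or from Check Point's report), a PowerShell hunting function that checks a Windows host for the scheduler pattern described in step 3: tasks named after OneDrive whose action actually launches a script host with encoded or hidden-window arguments. The function name, the regex patterns and the output fields are assumptions.

```powershell
# Added example, not from the original article: hunt for scheduled tasks that borrow the
# OneDrive name but launch PowerShell (or another script host) with in-memory execution flags.
# Assumes Windows PowerShell 5.1+ with the built-in ScheduledTasks module.

function Find-SuspiciousOneDriveTasks {
    [CmdletBinding()]
    param(
        # Tasks whose name or folder mentions OneDrive are the ones the lure imitates.
        [string]$NamePattern = 'OneDrive'
    )

    Get-ScheduledTask | Where-Object {
        $_.TaskName -match $NamePattern -or $_.TaskPath -match $NamePattern
    } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $argString = [string]$action.Arguments

            # The legitimate updater runs OneDrive's own executable. Anything under this name
            # that spawns a script host, or passes encoded / hidden-window / bypass switches,
            # matches the behaviour described in the report and deserves a closer look.
            $spawnsScriptHost = $exe -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta'
            $hidesOrEncodes   = $argString -match '-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b|bypass|IEX|Invoke-Expression|FromBase64String'

            if ($spawnsScriptHost -or $hidesOrEncodes) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    RunAsUser = $task.Principal.UserId
                    # Repetition interval (e.g. PT1H for hourly) per trigger, if set.
                    Repeat    = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                    Command   = "$exe $argString".Trim()
                }
            }
        }
    }
}

# Run from an elevated prompt so tasks registered by other accounts are visible.
Find-SuspiciousOneDriveTasks | Format-List
```

A hit is a lead, not a verdict: confirm the task's XML and the spawned process tree before acting on it.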

Analysts concluded that the malicious script was created using a large language model (LLM), indicated by several factors:

  • Unusual structure. The presence of clear documentation at the beginning of the code and a modular, neat layout, which is rare in "handcrafted" malware;
  • Distinctive comments. The code contains the line `# <-- your permanent project UUID`.

Experts linked the campaign to Konni based on similarities in the formats of loaders and file names used in previous operations.

Active since 2014, the group has traditionally targeted entities in South Korea, Russia, and Europe. The new campaign focuses on three Asia-Pacific countries: India, Japan, and Australia.

The FBI Dismantles the "Last Refuge" of Ransomware Operators

The FBI, in coordination with the U.S. Department of Justice, has seized the popular ransomware forum RAMP. This was reported by BleepingComputer.

RAMP positioned itself as the "last refuge" for ransomware operators, attracting numerous groups that used the forum to recruit partners and buy and sell access to corporate networks.

According to media reports, while there has been no official statement from authorities, the DNS servers for the domain have been changed to those typically used by the FBI during seizures:

  • ns1.fbi.seized.gov;
  • ns2.fbi.seized.gov.

One of the forum's administrators, known as Stallman, confirmed the information, admitting that years of work have been destroyed.

According to the publication, the authorities have obtained a vast array of confidential data: IP addresses, personal messages, and user email accounts. For forum participants who did not maintain strict anonymity, this poses a direct threat of de-anonymization and subsequent arrest.

The platform emerged in 2021 in response to the ban on advertising ransomware programs on other hacker portals like Exploit and XSS. The resource is associated with hacker Mikhail Matveev, known as Orange.

In 2023, the U.S. Department of Justice charged Matveev with involvement in the development of malware such as Babuk, LockBit, and Hive. He was placed on the FBI's list of most wanted cybercriminals, and in November 2024, he was arrested in Kaliningrad.

Hackers Breach Single Sign-On Systems to Attack Corporations

The ShinyHunters group has initiated a large wave of phishing attacks targeting single sign-on (SSO) systems from Okta, Microsoft, and Google. The hackers announced this to BleepingComputer.

The attackers employ advanced social engineering: they call employees posing as support and convince them to enter their logins and codes on fake websites.

A report from Okta confirmed the use of advanced phishing kits. These tools include a web control panel that lets the attacker change the phishing site's content in real time while speaking with the victim on the phone:

  • If the attacker is prompted for a one-time code while replaying the stolen credentials, they instantly display a matching input field on the victim's screen;
  • If confirmation via a push notification is required, instructions for approving it appear on the phishing site.

Successful compromise of a single SSO account grants criminals access to the entire corporate ecosystem, including Google Workspace, Slack, and Microsoft 365. To prepare for attacks, ShinyHunters utilize data from their previous leaks, knowing employees' names, positions, and phone numbers, making their calls highly convincing.

The group has also relaunched its data leak site, publishing information about breaches at SoundCloud, Betterment, and Crunchbase. Representatives from the affected companies have confirmed the incidents.

CISA Head Sparks Controversy by Uploading Sensitive Documents to ChatGPT

Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA) Madhu Gottumukkala is under internal investigation after uploading sensitive agency contract documents to ChatGPT. This was reported by Politico.

Most CISA employees have been blocked from accessing the chatbot, but Gottumukkala requested special permission to use the OpenAI product instead of approved secure tools.

According to media reports, the federal network security system issued several data-leak warnings. Although the uploaded information was not classified, it was marked "for official use only." The data could now be used by the model when responding to other users, jeopardizing the confidentiality of government contracts.

Gottumukkala may face disciplinary actions ranging from an official warning to revocation of access to classified information.

Cyberattack on Poland's Energy Sector: New Details

In late December, Poland's energy infrastructure was subjected to a coordinated attack targeting distributed energy facilities across the country. The strikes affected thermal power plants and systems managing wind and solar energy, Reuters reports.

Despite the attackers breaching operational systems and damaging "critical equipment beyond recovery," they failed to disrupt the power supply. The total capacity of the attacked facilities was 1.2 GW, equivalent to 5% of Poland's energy supply.

Official reports indicate that 12 facilities were affected. However, cybersecurity experts from Dragos stated that the actual number of impacted sites reached 30.

With "medium confidence," specialists attributed the attack to the Russian hacking group Electrum. Although its activities overlap with the well-known group Sandworm (APT44), researchers have identified it as a separate cluster.

Electrum has previously been linked to attacks on Ukrainian networks using malware such as CaddyWiper and Industroyer2. In Poland, the hackers deployed a new wiper, DynoWiper.

According to Dragos, the attackers demonstrated a deep understanding of industrial equipment. They specifically targeted:

  • Vulnerable dispatch and communication systems;
  • Remote terminal units and network edge devices;
  • Windows-based monitoring and control systems.

The hackers successfully disabled communication equipment at several sites, depriving operators of remote control capabilities, although energy generation continued autonomously.

Experts believe that even disconnecting all of the targeted facilities would not have led to a blackout. However, the sudden loss of 1.2 GW of capacity could have caused a critical frequency deviation in the grid. Similar fluctuations have previously led to cascading failures in other countries, including the massive Iberian energy system collapse in 2025.

Also on ForkLog:

  • The U.S. Department of Justice seized $400 million from the Bitcoin mixer Helix.
  • Hackers stole $2.9 billion in cryptocurrency in 2025.
  • Critical vulnerabilities were found in the AI agent Clawdbot.
  • Boasting on Telegram helped uncover a $40 million theft from the U.S. government.
  • ZachXBT accused Circle of inaction following the $16.8 million SwapNet hack.

What to Read This Weekend?

Vasily Smirnov explored the essence of the UN's Hanoi Convention on Cybercrime. In a new piece, he examined possible scenarios for its application in signatory countries.