Threat Intelligence RoundUp: August

September 02, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter, that is, what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. ‘Chairmen’ of $100 million scam operation extradited to US – Bleeping Computer

In an August 8 press release, the United States Attorney’s Office for the Southern District of New York announced the extradition of four Ghanaian nationals for participating in an international criminal organization “that stole more than $100 million from victims via romance scams and business email compromises.” The four individuals were reportedly high-ranking members of a Ghanaian criminal organization that targeted entities in the U.S. between 2016 and 2023. The defendants were extradited from Ghana and arrived in the U.S. on August 7. Read full article.

2. New EDR killer tool used by eight different ransomware groups – Bleeping Computer

According to BleepingComputer, eight different ransomware groups have been observed using a new endpoint detection and response (EDR) killer believed to be an evolution of the “EDRKillShifter” tool developed by RansomHub. EDR killers are valuable to ransomware operators because they disable security products on a compromised host before the payload runs, helping the intrusion remain undetected. As of this writing, the eight groups seen using the new tool are RansomHub, BlackSuit, Medusa, Qilin, DragonForce, Crytox, Lynx, and INC. Article here.

Researchers at CTM360 have identified a new malware campaign dubbed “FraudOnTok” that targets users through fake TikTok Shops distributing the SparkKitty spyware. According to the cybersecurity company’s report, the campaign is characterized by a dual attack strategy that combines phishing and malware to target TikTok users. The threat actors use replicas of TikTok Shop, TikTok Wholesale, and TikTok Mall to convince users they are on the genuine platforms before stealing their cryptocurrency wallets. Read more here.

Researchers at SEQRITE Labs have observed a cyberespionage campaign targeting Russia’s aerospace and defense industries. According to the company’s report, the campaign has specifically targeted employees of the Voronezh Aircraft Production Association (VASO), one of Russia’s largest aircraft manufacturers. The activity has been dubbed “Operation CargoTalon” and delivers a backdoor called EAGLET to exfiltrate data. The threat actor is currently tracked as UNG0901. Read here.

5. Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses – Bleeping Computer

Researchers at ReliaQuest have observed a shift in the tactics used by the hacking group ShinyHunters that suggests possible collaboration with the Scattered Spider group. Following a year of limited activity, ShinyHunters’ campaigns resurged this summer with a series of attacks against Salesforce customers. These recent operations have used techniques previously observed in attacks attributed to Scattered Spider, including impersonating IT support staff, using apps that masquerade as legitimate tools, VPN obfuscation, and “Okta-themed phishing pages to trick victims into entering credentials during vishing calls.” Learn more.

6. Hacker extradited to US for stealing $3.3 million from taxpayers – Bleeping Computer

In an August 5 press release, the U.S. Department of Justice announced the extradition of a Nigerian national to the U.S. from France “in connection with hacking, fraud, and identity theft offenses.” According to the statement, the subject participated in multiple fraud schemes, including one, active since at least 2019, that targeted U.S. tax preparation businesses in order to defraud the IRS. The scheme involved other Nigeria-based co-conspirators who used spear phishing emails to hack “several U.S. based businesses located in New York, Texas, and other states.” Read full article.

7. CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures – The Hacker News

In an August 4 advisory, Ukraine’s Computer Emergency Response Team (CERT-UA) warned of a series of cyber attacks carried out by the threat actor UAC-0099 against “state authorities, the Defense Forces, and enterprises of the defense-industrial complex of Ukraine.” As noted in the statement, the threat actor delivers the MATCHBOIL, MATCHWOK, and DRAGSTARE malware via phishing emails. The emails are predominantly sent from UKR.NET addresses and are presented as official “court summons.” Read full article.

8. US sanctions North Korean firm, nationals behind IT worker schemes – Bleeping Computer

In a July 24 press release, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against the North Korea-based Korea Sobaeksu Trading Company and three associated individuals for their participation in fraudulent remote IT worker schemes. As previously noted in DarkOwl’s Weekly Intelligence Summaries, the DPRK government uses these IT worker schemes to generate illicit revenue. The IT workers involved use “fraudulent documents, stolen identities, and false personas to obfuscate their identities and infiltrate legitimate companies.” Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.


Copyright © 2024 DarkOwl, LLC All rights reserved.