{"id":174248,"date":"2026-01-01T03:00:00","date_gmt":"2026-01-01T08:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/01\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-1\/"},"modified":"2026-01-03T08:25:26","modified_gmt":"2026-01-03T13:25:26","slug":"the-good-the-bad-and-the-ugly-in-cybersecurity-week-1","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/01\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-1\/","title":{"rendered":"The Good, the Bad and the Ugly in Cybersecurity \u2013 Week 1"},"content":{"rendered":"<p><a href=\"https:\/\/www.sentinelone.com\/blog\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-1-7\/\">The Good, the Bad and the Ugly in Cybersecurity \u2013 Week 1<\/a><\/p>\n<p><a href=\"https:\/\/www.sentinelone.com\/blog\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-1-7\/\">https:\/\/www.sentinelone.com\/blog\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-1-7\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-01 03:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.sentinelone.com\">www.sentinelone.com<\/a><\/p>\n<p>The Good | Authorities Crack Down on BlackCat and Coinbase Malicious Insiders &#038; Malware Operators<br \/>\nTwo former employees from Sygnia and DigitalMint have pleaded guilty to participating in ransomware attacks linked to the BlackCat (ALPHV, AlphaVM) operation. Ryan Goldberg and Kevin Martin admitted to conspiring to extort U.S. organizations, abusing the same security expertise they once used to defend cyber victims. Working with a third accomplice, they breached multiple companies nationwide and shared roughly 20% of ransom proceeds in exchange for access to BlackCat\u2019s infrastructure. 
Prosecutors say they demanded between $300,000 and $10 million per victim.<br \/>\nAlongside insider risk at the highest technical levels, similar threats are emerging from much lower in the access chain. Indian authorities arrested a former customer support agent for aiding threat actors in the May data breach at Coinbase, a popular cryptocurrency exchange; more arrests are expected. The incident exposed data from roughly 69,500 users after bribed staff at outsourcing partner TaskUs enabled access. This news follows charges against Ronald Spektor, accused of stealing $16 million by impersonating Coinbase, highlighting ongoing insider and social engineering risks.<\/p>\n<p>We have zero tolerance for bad behavior and will continue to work with law enforcement to bring bad actors to justice.<br \/>\nThanks to the Hyderabad Police in India, an ex-Coinbase customer service agent was just arrested. Another one down and more still to come.<br \/>\n\u2014 Brian Armstrong (@brian_armstrong) December 26, 2025<\/p>\n<p>Beyond insider abuse, attackers are also exploiting everyday user behavior to siphon funds at massive scale. A Lithuanian national was arrested for allegedly infecting 2.8 million systems with clipboard-stealing malware disguised as KMSAuto, an illegal Windows and Office software activator. The clipper malware swapped cryptocurrency wallet addresses copied to the clipboard with attacker-controlled ones, diverting funds to the attacker. The Korean National Police Agency says the campaign ran from 2020 to 2023, with a total of KRW 1.7 billion ($1.2M) stolen across thousands of transactions. 
Authorities warn that pirated software is often a key component in how attackers spread malware.<br \/>\nThe Bad | China-Based Attackers Deploy Stealthy Kernel\u2011Mode \u2018ToneShell\u2019 Backdoor<br \/>\nSecurity researchers have uncovered a significantly stealthier variant of the ToneShell backdoor, a tool long associated with Chinese state-sponsored cyberespionage activity, now delivered via a kernel\u2011mode loader for the first time. New analysis links the campaign to G0129 (aka Bronze President, TEMP.Hex, Hive0154), a threat actor known for targeting government agencies, NGOs, and think tanks.<br \/>\nThe activity, observed since at least February, primarily targets government organizations across Asia, particularly in Myanmar and Thailand. Investigators have found evidence that some victims had previously been compromised by earlier ToneShell variants, PlugX malware, or the ToneDisk USB worm, indicating long\u2011term persistence across multiple intrusion waves.<br \/>\nWhat sets this campaign apart is its use of a malicious kernel\u2011mode mini\u2011filter driver, ProjectConfiguration.sys, signed with a stolen or leaked digital certificate originally issued to Guangzhou Kingteller Technology Co., Ltd and valid from 2012 to 2015. Operating deep within the Windows kernel, the driver acts as a rootkit: evading static analysis by resolving kernel APIs at runtime, blocking file deletion and registry access, protecting injected processes, and deliberately interfering with Microsoft Defender by manipulating the WdFilter driver\u2019s load order.<br \/>\nThe driver ultimately injects two user\u2011mode payloads, including the updated ToneShell backdoor, which now features enhanced stealth capabilities. Changes also include a simplified host\u2011ID scheme, network traffic obfuscation using fake TLS headers, and remote administration capabilities such as file transfer and interactive shell access. 
Communication occurs over TCP port 443 to attacker\u2011controlled infrastructure.<br \/>\nToneShell injection workflow (Source: Securelist)<br \/>\nResearchers note this marks a clear evolution in G0129\u2019s tactics, prioritizing kernel\u2011level persistence and evasion. Because the payload operates almost entirely in memory, memory forensics becomes a critical detection method, alongside monitoring for indicators of compromise tied to the malicious driver and injected shellcode.<br \/>\nThe Ugly | Hackers Steal $7M via Compromised Trust Wallet Chrome Extension<br \/>\nAfter a compromised update to the Trust Wallet Chrome extension went live over the holidays, approximately $7 million has been stolen from nearly 3,000 cryptocurrency wallets. The malicious version 2.68.0 contained a hidden JavaScript file called 4482.js that silently exfiltrated sensitive wallet data, including seed phrases, to an external server, api.metrics-trustwallet[.]com. Users immediately reported funds disappearing after simple wallet authorizations, prompting Trust Wallet to investigate and release a patched version 2.69. CEO Eowyn Chen confirmed the hack and assured users that the company would reimburse affected wallets.<br \/>\nInvestigations indicate that attackers likely exploited a leaked Chrome Web Store API key to publish the malicious extension, bypassing Trust Wallet\u2019s standard release procedures. In parallel, threat actors launched a phishing campaign using a Trust Wallet-branded site, fix-trustwallet[.]com, claiming to provide a \u201cvulnerability fix\u201d. Users who entered their seed phrases on the site immediately lost access to their wallets. 
WHOIS records suggest the phishing domain may be linked to the same actors behind the malicious extension.<br \/>\nPhishing site asking for wallet seed phrases (Source: BleepingComputer)<br \/>\nTrust Wallet, a non-custodial cryptocurrency wallet acquired by Binance in 2018, emphasized that mobile-only users and users of other browser extension versions were not affected. The company has begun reimbursing victims after verifying wallet ownership, transaction hashes, and affected addresses, while warning users not to share private keys or seed phrases.<br \/>\nSecurity researchers noted that the incident highlights significant risks in browser-based wallets and supply chain attacks, as malicious updates can gain privileged access to funds. Trust Wallet has suspended the compromised API keys, reported the malicious domains to registrars, and continues monitoring for scams. Users are strongly advised to immediately update to version 2.69, use only official channels, and verify all communications to protect their crypto assets.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Good, the Bad and the Ugly in Cybersecurity \u2013 Week 1 https:\/\/www.sentinelone.com\/blog\/the-good-the-bad-and-the-ugly-in-cybersecurity-week-1-7\/ Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":174249,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.sentinelone.com\/wp-content\/uploads\/2025\/12\/GBU_week1_2026.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,32,25,34,27],"class_list":["post-174248","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-malware","tag-phishing","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/174248"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=174248"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/174248\/revisions"}],"predecessor-version":[{"id":174250,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/174248\/revisions\/174250"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/174249"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=174248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=174248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=174248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}