Be aware, your files are under threat from a new variant of the Phobos ransomware. And it’s being distributed by threat actors using the SmokeLoader trojan.  

The Phobos ransomware was first detected in 2017 and, since then, has been used in numerous cyber-attacks. This new variant, however, is slightly different and more sophisticated than previous incarnations. The threat actors behind the new variant are believed to be the same team behind the 8Base ransomware syndicate, a powerful cybercrime operation.

As you know, any form of ransomware is dangerous, but one which is as clever and cunning as Phobos requires special attention. Luckily, Ophtek are here to provide you with all the advice you need. 

The SmokeLoader Campaign 

The SmokeLoader trojan is typically used to deliver the 8Base team’s variant of Phobos. A trojan is employed as the launchpad because Phobos, on its own, does not have the capability to breach a PC’s defenses. SmokeLoader is distributed within spam email campaigns and relies on social engineering techniques to get its malicious payload executed. Once SmokeLoader has been activated, it begins loading the Phobos ransomware. 

And Phobos presents a very persistent and effective threat. It starts by identifying target files and automatically ends any processes which are accessing the files. From here, Phobos’ next step is to disable the PC’s system recovery tool, which ensures the victim is unable to roll back their PC to a pre-infection stage. Finally, before encrypting any files, Phobos makes a point of deleting any backups and shadow copies. Rest assured that Phobos doesn’t want to give you any chance of retrieving your files without paying a ransom. 
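The pre-encryption chain described above (recovery disabled, backups and shadow copies removed) is visible in process-creation telemetry, which is where defenders usually catch it before the encryption starts. The following is an added example, not code from the original post or from Ophtek: it scans constructed process-creation log lines for the command-line forms commonly associated with those actions and reports hosts on which the whole chain appears. The log format, the host names and the rule patterns are assumptions for this example, not details taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation log (pipe-separated: time|host|parent|command line).
# These lines are made up for this example; they are not telemetry from the page.
SAMPLE_LOG = """\
2023-11-02T09:14:01|WS-041|explorer.exe|"C:\\Program Files\\Office\\winword.exe" quarterly.docx
2023-11-02T09:15:22|WS-041|cmd.exe|vssadmin delete shadows /all /quiet
2023-11-02T09:15:23|WS-041|cmd.exe|wmic shadowcopy delete
2023-11-02T09:15:24|WS-041|cmd.exe|bcdedit /set {default} recoveryenabled no
2023-11-02T09:15:25|WS-041|cmd.exe|wbadmin delete catalog -quiet
2023-11-02T09:16:00|WS-041|explorer.exe|notepad.exe notes.txt
2023-11-02T10:02:11|SRV-BACKUP|schedtask.exe|wbadmin start backup -backupTarget:E:
"""

# Each rule maps one behaviour named in the write-up to a command-line pattern.
# Assumption: your telemetry records full command lines (as Sysmon Event ID 1 or an EDR does).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "backup_catalog_deleted": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    time: str
    rule: str
    command: str


def scan_log(text):
    """Return one Finding per log line whose command line matches a rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, host, _parent, cmd = line.split("|", 3)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(host, time, name, cmd))
    return findings


def hosts_with_full_chain(findings):
    """Hosts on which every rule fired: the complete recovery-tampering chain, not a lone command."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return sorted(host for host, rules in seen.items() if rules == set(RULES))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.host} {f.rule}: {f.command}")
    print("full chain on:", hosts_with_full_chain(SAMPLE_LOG and scan_log(SAMPLE_LOG)))
```

A single shadow-copy deletion can be legitimate administration, which is why the host-level check asks for the whole chain; the backup server's scheduled `wbadmin start backup` on the last sample line does not match and is correctly ignored.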

What’s notable about this strain of Phobos is its encryption speed. Instead of fully encrypting every file, it fully encrypts only files under 1.5MB in size. Anything over this file size is only partially encrypted. Phobos alerts its victims to its encryption activities by issuing a ransom note on the infected system. This ransom note explains that the only way to decrypt the files is by making a payment in Bitcoin, and the size of this payment depends on how quickly contact is made. 

Staying Safe from SmokeLoader and Phobos 

The financial damages arising from ransomware continue to rise and rise, so it’s crucial that you keep one step ahead of these attacks. The best way to stay safe is by following these best practices: 

  • Understand social engineering: the Phobos attack, and many other ransomware attacks, are only able to initiate themselves due to victims falling for social engineering scams. Therefore, it’s vital your staff understand what social engineering is and how to combat it. For example, if an email sounds too good to be true, it probably is. And the best thing to do with a suspicious email is to take a deep breath and think long and hard before clicking any links. 

For more ways to secure and optimize your business technology, contact your local IT professionals.

Modern businesses are constantly looking to reduce their carbon footprint. One of the best ways to achieve this is with a greener IT environment. 

When it comes to the environment, digital data comes at a cost. Therefore, it’s important for businesses to evaluate their practices in order to reduce their impact on the environment. This is known as Green IT, a study and practice of the ways in which IT usage can be more environmentally friendly and sustainable. However, for many organizations, their adoption of eco-friendly practices tends to be focused on manufacturing and service elements. 

How Do You Develop Sustainable IT Practices? 

If you want to reduce the carbon footprint of your IT operations, you should start making changes in these areas: 

  • Cloud computing: one of the best ways to reduce your impact on the environment is by embracing the cloud. Due to superior hardware setups, cloud data centers use less energy than traditional in-house data solutions. And the savings are seriously impressive. It’s estimated that cloud computing can improve energy efficiency by up to 93% and, in the process, release 98% fewer greenhouse gases. 
     
  • Dark data: all businesses carry and store huge amounts of data, but does it all need to be kept? Data which is stored but not required is referred to as dark data. Therefore, if you’re using cloud data centers, which are responsible for 2.5% of carbon dioxide emissions, to store dark data, you’re putting an unnecessary strain on the environment. The solution here is to evaluate your data governance policies and develop strategies for disposing of dark data. 
     
  • Turn your PCs off: many employees fail to shut their PCs down at the end of the day. This is the result of wanting to get home and, of course, saving time the next day when they’re logging on. However, leaving a PC running overnight not only produces carbon emissions but also shortens the lifespan of the device. This means that you are more likely to have to replace the machine, contributing towards environmental damage. Accordingly, your employees need to be educated on the importance of shutting their PC down. 
     
  • Outsourcing: if your business experiences a surge in demand, you don’t have to buy additional equipment to cope with the increased workload. Instead, you can outsource this workload, such as to a call center, to manage the demand. After all, this surge in activity may be short lived, and outsourcing represents a sustainable and more affordable option. Remember, anything which reduces the sale of new hardware will only have a positive effect on the environment. 
     
  • Remote working: advances in IT technology mean that any employee with a high-speed internet connection can seamlessly connect with your IT infrastructure from home. This means a reduction in not just emissions from travel, but also a number of energy saving costs in your office. As a result, allowing employees to work from home will easily enhance your green credentials and reduce your carbon footprint. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Threat actors have turned to Facebook ads to unleash NodeStealer on unsuspecting victims, and they’re using scantily clad women to achieve this. 

Facebook is no stranger to having its ad network abused to spread malware, but what’s interesting about this latest campaign is that it primarily targets males. At the core of this attack is NodeStealer, a strain of malware which has been active for several months. However, NodeStealer has changed. At the start of its existence, it was written in JavaScript, but it’s now being coded in the Python programming language. 

NodeStealer is part of a wider campaign, believed to have its origins in Vietnam, to steal sensitive data, and it’s more than worthy of your attention. 

How Does NodeStealer Target its Victims? 

Using marketing strategies almost as old as time, the threat actors behind NodeStealer have used the provocative lure of female flesh to entice their victims. Taking advantage of the massive reach of Facebook’s ad network, these threat actors have created adverts which contain revealing photos of young women. The objective of these adverts is to encourage people to click on them, a process which will download an archive of malicious files. 

One of these files is called Photo Album.exe but, far from containing any photos, it simply downloads a further executable file which unleashes NodeStealer. With NodeStealer running rampant on an infected system, it will begin harvesting login credentials and, in particular, it will attempt to take control of Facebook business accounts. With further business accounts compromised, NodeStealer can launch even more malicious ad campaigns and spread itself further. 
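The lure here is an executable named like a photo collection inside a downloaded archive. The following is an added example, not code from the original post or from Ophtek, showing a check a mail gateway or download filter could run: it opens a constructed archive in memory and flags members that are executables by extension, that carry a PE (MZ) header regardless of extension, or that combine either with a media-themed name. It goes slightly beyond the page by also catching an executable renamed to a .jpg; the archive contents, apart from the Photo Album.exe name, are constructed for this example.

```python
import io
import zipfile

# Extensions Windows will run directly from a double-click (assumption: a typical policy list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
MEDIA_WORDS = ("photo", "album", "pic", "image", "video", "img")


def build_sample_archive():
    """Constructed sample archive: member names and bytes are made up for this example,
    apart from the 'Photo Album.exe' name the write-up mentions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo Album.exe", b"MZ" + b"\x00" * 62 + b"fake PE body")
        zf.writestr("photos/beach.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # real JPEG magic
        zf.writestr("photos/party.jpg", b"MZ" + b"\x00" * 40)  # executable hiding behind a .jpg name
        zf.writestr("readme.txt", b"enjoy the pictures")
    return buf.getvalue()


def inspect_archive(zip_bytes):
    """Return {member_name: [reasons]} for members that look like disguised executables."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if head == b"MZ":
                reasons.append("PE (MZ) header")
                if ext not in EXECUTABLE_EXTENSIONS:
                    reasons.append("extension does not match content")
            if reasons and any(word in base for word in MEDIA_WORDS):
                reasons.append("media-themed name")
            if reasons:
                findings[name] = reasons
    return findings


if __name__ == "__main__":
    for member, reasons in inspect_archive(build_sample_archive()).items():
        print(f"{member}: {', '.join(reasons)}")
```

Checking the magic bytes rather than trusting the name is the point: the benign beach.jpg passes, while both the openly executable Photo Album.exe and the renamed party.jpg are reported.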

Stay Safe from the Threat of NodeStealer 

NodeStealer is a classic example of malware deceiving its victims to achieve its goal. And it’s not surprising to hear that the 18 – 65 male demographic has made up the majority of its victims. Regardless of the bait, however, NodeStealer provides us with a number of interesting lessons to learn. The most important takeaways should be: 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Malware and flies share one thing in common: they’re pesky. However, while flies help the ecosystem, the Striped Fly malware is nothing but trouble. 

Striped Fly has recently hit the headlines, but Kaspersky has revealed they’ve found evidence of its malicious activity dating back to 2017. Unfortunately, no one had been aware of its true identity until now. This means Striped Fly has enjoyed a five-year campaign during which not a single security researcher knew of its existence. And Kaspersky estimate that this invisibility has allowed it to infect over one million Windows and Linux hosts. 

In 2017, Striped Fly was mistakenly labelled as a cryptocurrency miner, falling under the Monero trojan family. Subsequent findings, however, have revealed that Striped Fly is much more sophisticated. 

What is Striped Fly?

Striped Fly’s exact mechanism is not fully understood at present, but researchers believe they know how it operates. It’s suspected that the threat actors used the EternalBlue SMBv1 exploit to gain a foothold on internet-facing PCs. After discovering evidence of Striped Fly within the WININIT.exe process – used to help load subsystems within Windows – Kaspersky determined that it then downloads further files. 

These files typically come from online code repositories such as GitHub and Bitbucket. These are used to build the final Striped Fly payload. Cleverly, Striped Fly comes with Tor network capabilities to encrypt its communications. Tor, of course, is an anonymity network that encrypts traffic and routes it through multiple relays, hiding who is talking to whom. And this is part of the reason why Striped Fly remained hidden for so long. 

The main talking point about Striped Fly is its sophistication and wide range of functions. Striped Fly is capable of harvesting login credentials, taking unauthorized screenshots of infected devices, stealing Wi-Fi network configuration details, transferring files to remote sources, and recording microphone output. Clearly, it poses a significant threat to all PC users. 

Swatting Striped Fly Away 

Striped Fly’s half-decade long campaign has proved to be highly successful. Accordingly, your organization needs to be on its guard against Striped Fly and any similar threats. Kaspersky hasn’t revealed a specific fix for Striped Fly but, as ever, vigilance and good security practices are key. So, make sure the following is part of your established cybersecurity strategy: 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

The threat of malware strikes the business world again, and this time it’s using LinkedIn to trick users into downloading the DarkGate malware. 

LinkedIn is designed to help professionals connect with each other and build professional relationships. It’s proven to be wildly popular, with 950 million members currently registered on the platform. 

But where there are huge numbers of users, there will also be large amounts of data. And this data is like catnip to threat actors. This is why fake LinkedIn posts have started appearing on the platform. These posts, as well as a campaign of direct messages, are far from informative for the users of LinkedIn. Instead, they are being used to trick LinkedIn users, primarily those who hold positions within the social media niche, to download malware. 

Unveiling the Essentials of DarkGate on LinkedIn 

Security experts have been aware of DarkGate since 2017, but it was considered a low-level threat due to its limited activity in the wild. However, this changed in June 2023, when its creator began selling it as a Malware-as-a-Service package. Since then, a campaign using DarkGate has been launched by threat actors, believed to be working in Vietnam, which targets LinkedIn users. 

Mostly, these users have been social media managers operating in the US, the UK, and India. Using LinkedIn posts, or sending direct messages to targets, the threat actors propose that a job offer at Corsair is on the table. LinkedIn is a highly popular recruitment tool, so there’s nothing out of the ordinary about these initial contacts. However, the targets are then encouraged to download malicious documents, such as a Word document containing a job description and a text file discussing salary details. 

Within these documents are malicious links. Once clicked, these links lead to a series of scripts being launched which are used to build DarkGate. The malware’s first move is to start uninstalling security tools located on the infected system. DarkGate’s next step is to begin harvesting data from the compromised system. In particular, DarkGate appears to be targeting login credentials for Facebook business accounts, hence the focus on social media managers. 

Protecting Your Credentials from DarkGate 

If you’re a social media manager and regularly log on to LinkedIn, the advice is simple: stay away from any links relating to job offers for Corsair. Unfortunately, the threat actors are likely to change the details of their attack now that it’s started generating headlines. Nonetheless, you can still do the following to protect your credentials: 

For more ways to secure and optimize your business technology, contact your local IT professionals.