Threat actors have turned to Facebook ads to unleash NodeStealer on unsuspecting victims, and they’re using scantily clad women to achieve this. 

Facebook is no stranger to finding its ad network compromised to spread malware, but what’s interesting about this latest campaign is that it primarily targets males. At the core of this attack is NodeStealer, a strain of malware which has been active for several months. However, NodeStealer has changed. At the start of its existence, it was designed in JavaScript, but it’s now being coded with the Python programming language. 

NodeStealer is part of a wider campaign, believed to have its origins in Vietnam, to steal sensitive data, and it’s more than worthy of your attention. 

How Does NodeStealer Target its Victims? 

Using marketing strategies almost as old as time, the threat actors behind NodeStealer have used the provocative lure of female flesh to entice their victims. Taking advantage of the massive reach of Facebook’s ad network, these threat actors have created adverts which contain revealing photos of young women. The objective of these adverts is to encourage people to click on them, a process which will download an archive of malicious files. 

One of these files is called Photo Album.exe but, far from containing any photos, it simply downloads a further executable file which unleashes NodeStealer. With NodeStealer running rampant on an infected system, it will begin harvesting login credentials and, in particular, it will attempt to take control of Facebook business accounts. With further business accounts compromised, NodeStealer can launch even more malicious ad campaigns and spread itself further. 

Stay Safe from the Threat of NodeStealer 

NodeStealer is a classic example of malware deceiving its victims to achieve its goal. And it’s not surprising to hear that the 18 – 65 male demographic have made up the majority of its victims. Regardless of the bait, however, NodeStealer provides us with a number of interesting lessons to learn. The most important takeaways should be: 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


A major ransomware attack on the MGM brand of casinos has led to the firm’s IT systems having to be shut down. 

The ransomware-as-a-service hacking group BlackCat has taken responsibility for the attack, and it’s an attack which has caused major issues for MGM. IT systems responsible for processing electronic payments, digital key cards, parking systems and ATMs have all been impacted by this attack. While the attack is considered major, it was executed by the simplest of means. As ever, this attack on MGM contains some important lessons for organizations to learn and enforce. 

How Were the MGM Casinos Hacked? 

The MGM attack was made possible by the use of social engineering techniques. In particular, BlackCat identified an MGM employee by scouring related profiles on LinkedIn. With this information at their disposal, the threat actors contacted the MGM help desk and used this employee’s details as their way into the system. The exact nature of the breach, for security reasons, has not been disclosed, but it’s believed that it only took 10 minutes for BlackCat’s strategy to be successful. 

BlackCat, with full access to MGM’s IT infrastructure, set about issuing demands to MGM through a secure communication channel they had put in place. However, MGM refused to pay any of the ransom fees demanded by BlackCat. Instead, on the recommendations of their security team, MGM began shutting their Okta servers – used for authorization processes – down. 

However, BlackCat were able to remain active on the network due to the administrator privileges that they had gained during the attack. And, in response, BlackCat set about compromising over 100 hypervisors – applications which are used to manage virtual machines located on a PC – and encrypting the data contained on them.  

BlackCat, again, brought their ransom demand to the table and also threatened to launch further attacks if this was not met. 

How Could MGM Have Protected Their IT Systems? 

As a thriving, world-famous organization, MGM could have done without the headlines relating to the attack by BlackCat. And, as with all social engineering attacks, this could have easily been avoided if MGM had practiced the following: 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


Malware which can be enhanced always poses a huge risk to PC users, and the rise of open source malware like SapphireStealer is magnifying this problem. 

Open source programs are those which have had their source code put online and made available not only for use, but also modification. This approach is usually chosen with the main objective being public, open collaboration between coders, and the resulting programs made available to the public for free. It’s the very definition of what the internet was created for, but this doesn’t mean these intentions are always well meaning. And the story of SapphireStealer makes for the perfect evidence. 

What is SapphireStealer? 

The name of SapphireStealer is somewhat of a giveaway in terms of what this malware does, it’s an information stealer. SapphireStealer was first published to GitHub (an online and public source code repository) towards the end of 2022. And it proved to be a hit. As well as being simple enough for basic hackers to launch attacks, SapphireStealer was open source and could be tinkered with by fellow hackers. 

SapphireStealer originally started life with a basic set of capabilities, it would grab popular files – such as Word documents and image files – before emailing them to the hacker behind the attack. However, it wasn’t perfect, and there was plenty of room for improvement. It was a fantastic opportunity for the hacking community to see how they could enhance SapphireStealer. And this was exactly what they did. 

By January 2023, new variants of SapphireStealer were detected which could steal a wider range of files, and this stolen data could now be relayed through Discord and Telegram servers. And, as it remained open source, anyone on the internet could now access these more robust and dangerous variants. SapphireStealer appears to infect victims through a variety of methods: 

Minimizing the Threat of SapphireStealer 

At present, SapphireStealer is relatively basic in terms of the threat it carries. It isn’t going to cause financial damage like, for example, ransomware will. However, it has evolved rapidly in less than a year, and its risk level is only going to rise higher. The fact that open source malware is proving so popular also indicates that more threat actors are going to enter the digital arena. Therefore, you need to make sure you IT infrastructures are heavily guarded: 

  • Use a firewall: a tried and trusted security measure, a firewall puts a digital barrier between your organization and the internet. This means that you can monitor incoming and outgoing traffic and put filters in place to mitigate attacks and allow access to trusted users.  
  • Make sure your employees are aware: SapphireStealer relies on a number of well-known infection methods, but these aren’t necessarily well-known to the average PC user. Accordingly, your employees need to understand the most basic attack methods and how to identify them e.g. the telltale signs of a phishing email.  
  • Install antivirus software: it may seem like a no-brainer, but many organizations fail to put an effective antivirus suite at the forefront of their defenses. Even free antivirus software, such as Kaspersky Free, can make a significant difference to your digital safety. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


Healthcare organizations across the United States and Europe have recently found themselves targeted by Lazarus, the North Korean hacking group. 

Lazarus, who are believed to have ties to the North Korean government, are well known in the world of cybersecurity. In 2022, Lazarus were rumored to have stolen a total of $1.7 billion worth of cryptocurrency across the year. So, yes, Lazarus is a force to be reckoned with. As their latest attack targets organizations rich in sensitive data, it’s important to understand their methods and determine the lessons that can be learned. 

What Is Lazarus’ Latest Campaign? 

At the heart of this new attack by Lazarus is the ManageEngine ServiceDesk. This management suite is used to help organizations manage their entire IT infrastructure. From networks and servers through to mobile devices and applications, ManageEngine helps make life easier for IT teams. It’s a highly popular management suite, with numerous Fortune 100 businesses implementing it. For healthcare organizations, it’s a crucial service which allows them to stay productive and support their IT systems. 

However, as with all, applications, ManageEngine is not 100% secure. The CVE-2022-47966 vulnerability, which was discovered in January 2023, was first exploited by threat actors in February of the same year. This vulnerability allowed the deployment of QuiteRAT, a new and complex brand of malware. QuiteRAT let the threat actors steal data relating to the compromised device and, cleverly, allowed QuiteRAT to “sleep” in order to appear dormant and stay off the radars of security professionals. 

Another part of the attack also involves a new strain of malware dubbed CollectionRAT, which has the ability to perform typical remote access trojan tasks such as executing commands on a compromised system. As with previous campaigns, this latest strike utilizes many of the trademark Lazarus tactics and innovations. For example, by using open-source tools to create CollectionRAT, the threat actors are able to launch their attacks more quickly and without raising the alarm immediately. 

How Do You Protect Your Organization from Lazarus?

Naturally, the most obvious way to protect your IT infrastructure from Lazarus is to be prompt with installing software patches. Lazarus appears to have infiltrated these healthcare organizations due to a known vulnerability, so patching any holes within your IT systems is essential. Luckily, many updates, such as Windows, can be set to automatic and ensures that your applications are as secure as they can be. 

Hacking groups, however, don’t rely solely on vulnerabilities to launch their attacks. In fact, they will deploy almost every technique you can think of to launch an attack. The best practices to stay safe from these are: 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More



Microsoft Teams has experienced a surge in popularity among businesses since the pandemic, and this makes it a highly prized target for hackers. 

Businesses find Microsoft Teams a powerful tool as it allows employees to work remotely, communicate and be productive. And it’s all through one app. This is why it’s a fantastic business solution and used by 280 million people. Naturally, the size of this audience is going to turn a threat actor’s head. Where there are high numbers of users, there’s an opportunity for malware to be successful. And that’s why the discovery of a vulnerability in Teams has caused so much concern. 

The Vulnerability Lying Within Microsoft Teams 

One of the main uses of Teams is as a communication tool, and this means that the potential for spreading malware via file transfers and linked hard drives is high. But this newly discovered vulnerability is very different. Therefore, it’s important you understand the threat it poses. 

Now, Microsoft Teams allows you to communicate with a wide range of people within your organization. It also allows you to communicate with external parties e.g. subcontractors, clients and facility management teams. Usually, these external users are unable to transmit files to other organizations through Teams. And this is a good thing, as it lowers the risk of malware being sent between businesses. 

However, the security protocols which are in place to stop unauthorized file sending can, it turns out, be compromised. Once this vulnerability is exploited, a threat actor can start sending malware direct to the Teams inbox of staff within that business. Often, the threat actors are increasing the chances of their attack being successful by setting up similar email addresses to that of their target. All it takes is for one employee to open the malware and it can start to spread. 

While the incoming message will still be tagged as “External”, the busy nature of many employees’ days means that it’s likely this message will be ignored. Also, this method of attack is relatively new. Users are well drilled in the telltale signs of a phishing email, but a Teams instant message is very different. Accordingly, the risk of falling victim to this attack is concerning. 

Staying Safe on Microsoft Teams 


Curiously, Microsoft has advised that this vulnerability doesn’t, at present, warrant fixing. No doubt, at some point, it will be patched, but for now you should remain cautious. To help strengthen your defenses, make sure you practice the following: 

  • Always update: there’s never an excuse for not carrying out software updates once they are available. It’s the quickest and simplest way to plug weak points in your cyber defenses, so, if they are not already in place, setting up automatic updates should be your priority. 
  • Reduce your availability: it’s possible to limit your communication through Teams to specific domains only. Again, this reduces your risk by ensuring that your staff can only communicate with trusted sources and not threat actors operating from similar, yet malicious domains. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More