Coinpaper 2025-05-31 15:09:15

AI Eyes Monero, Trickbot Unmasked, and More Cybersecurity News

Dark Partners hackers have been linked to a network of fake cryptocurrency wallets and trading apps. Researcher g0njxa revealed that Dark Partners is a group engaged in large-scale digital asset theft. The hackers operate multiple sites distributing stealers disguised as AI services, VPNs, and cryptocurrency software, including fake versions of TradingView, MetaTrader 5, Ledger, Exodus, Koinly, AAVE, and Unusual Whales apps. An ongoing malware campaign has been delivering "PayDay Loader" to Windows users and "Poseidon Stealer" to macOS users via fake AI and software websites. Malware analysis and threat hunting were conducted with assistance from @anyrun_app and @urlscanio.

"Read about an ongoing malware campaign delivering "PayDay Loader" to Windows users and Poseidon Stealer to macOS individuals on fake AI and software websites. A bit of malware analysis and threat hunting, thanks to @anyrun_app" - Who said what? (@g0njxa), May 26, 2025

The malware scans victims' devices for previously installed wallets such as Electrum, Coinomi, Exodus, Atomic Wallet, Wasabi, Ledger Live, MetaMask, and others. The hackers also collect host information, credentials, private keys, and cookies for resale. g0njxa suggested that Dark Partners is using acquired code signing certificates to build Windows malware.

Trickbot Leader Unmasked in Germany

The German Federal Criminal Police Office (BKA) has identified the leader of the Trickbot and Conti hacker groups, known as Stern, as 36-year-old Russian Vitaly Kovalev. He has been declared wanted on charges of forming a criminal organization and is presumed to be hiding in the Russian Federation. In February 2023, Kovalev was one of seven people sanctioned by the US for ties to Trickbot and Conti. At the time, he was named a high-ranking figure in these groups. According to the BKA, Trickbot had over 100 members and is responsible for infecting hundreds of thousands of systems worldwide, causing hundreds of millions of dollars in damage.
AI Tool Demands $50,000 in Monero

Cisco Talos experts discovered malware spreading as legitimate AI tool installers, including the CyberLock and Lucky_Gh0$t ransomware, as well as the Numero wiper. CyberLock operators intimidate victims by claiming to have gained full access to confidential business documents, personal files, and databases. They demand $50,000 in Monero for the decryption key, promising to send the money as humanitarian aid to various countries. The hackers threaten to publish the data if payment is not received within three days; however, experts found no evidence of data exfiltration functionality in the ransomware's code. Lucky_Gh0$t operates similarly. Numero, on the other hand, manipulates GUI components by rewriting the contents of windows and buttons with numeric sequences, rendering the operating system unusable.

AVCheck Admins Linked to Crypto Services in the Netherlands

Police in the Netherlands, assisted by US counterparts, blocked the AVCheck service used by cybercriminals to test their malware against commercial antivirus solutions. Investigators also linked the site's administrators to crypto services Cryptor.biz and Crypt.guru. The domain of the former has been seized, while the latter is offline. Encryption services help malware operators hide their data, making them part of the same ecosystem. Undercover agents posing as customers helped shut down these services.

New Service Claims to Locate YouTube Commenters

A new service called YouTube-Tools has appeared online, claiming it can find all comments made by a YouTube user and, with the help of AI, create a profile indicating their presumed place of residence, language skills, interests, and political views, according to 404 Media. The service was originally created to study League of Legends usernames, but with the transition to a modified LLM from Mistral, its capabilities have expanded. According to the developer, YouTube-Tools is intended for law enforcement agencies.
However, after registration and for about $20 per month, it is available to anyone. Experts warn that the tool could pose a serious privacy threat.

UK Announces Modernization of Cyber Military

British Defense Secretary John Healey has revealed government plans to create a cyber command responsible for defending the country from hacker attacks and supporting military cyber operations. The new structure will modernize the guidance and coordination systems of army units using AI technology at a cost of £1 billion ($1.3 billion). Cyber Command will also play a leading role in electronic warfare, intercepting enemy communications and jamming drones. Over the past two years, British authorities have faced an estimated 90,000 cyberattacks from foreign intelligence agencies, mostly from Russia and China.
