🔴 The 39th Chaos Communication Congress (39C3) presentation videos are now available on YouTube and their media server:
- YouTube
- Media server
The conference will be held in Hamburg from December 27–30, 2025.
You can find the full event schedule here.
#39C3 #CyberSecurity #Conference
🆔 @onhex_en
🌍 ONHEXGROUP (Official Links)
🔴 Behzad Akbari, Deputy Minister of ICT, Chairman and CEO of Telecommunication Infrastructure Company, and university faculty member, reported:
Last night, the Telecommunication Infrastructure system detected and mitigated the largest DDoS attack in recent years in terms of packets per second targeting one of the country’s operators.
The attack exceeded 720 million packets per second, of which 502 pps were mitigated by the infrastructure system itself, and the rest were mitigated abroad.
The attack originated from 125,000 distributed sources worldwide, ranking it among the 12 largest DDoS attacks globally in terms of packet rate.
#Iran #DDoS #CyberAttack
🔴 Trust Wallet Confirms December 24 Hack: $7 Million Stolen from 2,596 Wallets
Trust Wallet has confirmed the December 24 hack, reporting that 2,596 wallets were compromised, resulting in approximately $7 million stolen.
Trust Wallet is a crypto wallet with over 200 million users, allowing management of Bitcoin, Ethereum, Solana, and thousands of other cryptocurrencies and tokens via its browser extension and free iOS/Android apps. Launched in 2017 and acquired by Binance in 2018, Trust Wallet continues to operate as an independent, decentralized wallet app.
Incident Details:
Malicious extension version v2.68 was not released through the internal, manual publication process.
Current findings indicate the version was likely published externally using a Chrome Web Store API key, bypassing standard release checks.
The version successfully passed Chrome Web Store review and was released on December 24, 2025, at 12:32 UTC.
Response Actions:
Trust Wallet temporarily invalidated all release-related API keys to block any new version publication for the next two weeks.
The domain used to exfiltrate wallet data was reported to NiceNIC registrar and immediately suspended.
Attacks continue through phishing and other exploitation of this vector.
Trust Wallet stated it will compensate affected users. So far, 2,596 affected wallet addresses have been identified, though around 5,000 claims have been submitted, indicating a significant number of duplicate or fraudulent claims.
Affected users can submit a compensation request here:
https://be-support.trustwallet.com
#Cryptocurrency #ThreatActors #TrustWallet #CryptoTheft #BrowserExtensionHack
🔴 29-Year-Old Lithuanian Arrested for Distributing Malware via KMSAuto
A 29-year-old man from Lithuania has been arrested for distributing malware to 2.8 million systems worldwide through the illegal Windows and Office activator KMSAuto.
Details:
- The campaign ran from April 2020 to January 2023.
- The malware acted as a clipper: it monitored the clipboard, and if it detected a cryptocurrency wallet address, it replaced it with the attacker’s wallet, redirecting crypto funds to the hacker.
- This campaign impacted users of six major cryptocurrency exchanges, resulting in 8,400 transactions and approximately $1.2 million stolen from 3,100 wallet addresses.
Investigation & Arrest:
- The South Korean police began investigating in August 2020.
- In December 2024, authorities in Lithuania seized 22 devices, including laptops and mobile phones, which provided evidence.
- The suspect was arrested in April 2025 while traveling from Lithuania to Georgia and has recently been extradited to South Korea.
Authorities warn against using illegal tools or sources to activate software, as they can be used to deliver malware.
#ThreatActors #Malware #Cryptocurrency #KMSAuto #ClipperMalware
🔴 MongoDB Vulnerability CVE-2025-14847 ("MongoBleed") Actively Exploited
As previously shared on the channel, a vulnerability identified as CVE-2025-14847 has been discovered and patched in MongoDB. This vulnerability is known as MongoBleed.
⚠️ This vulnerability is actively being exploited, and multiple threat groups are abusing it in the wild.
Exposure Statistics
According to a Censys report, more than 87,000 MongoDB instances are currently exposed to the internet, with the majority located in:
🇺🇸 United States
🇨🇳 China
🇩🇪 Germany
[Security researchers may also find this list of search engines useful.]
Technical Analysis
For in-depth technical details, refer to the following analyses:
- Ox Security – Exploitation of zlib leading to data exfiltration.
- Kevin Beaumont – Real-world MongoDB incident analysis
Proof of Concept (PoC)
A public PoC has been released by Hamid Kashfi.
#SecurityVulnerability #CVE #MongoDB #MongoBleed
🔴 Security Alert: Potential Malware in EmEditor Installer (Dec 19–20, 2025)
If you downloaded EmEditor from the official website between December 19–20, 2025, your system may have been infected with malware.
EmEditor is widely used to open large files, such as leaked datasets. Attackers compromised the EmEditor website and uploaded a malicious installer, emed64_25.4.3.msi, for download. Two infected versions were identified:
- Malicious version 1: VirusTotal
- Malicious version 2: VirusTotal
- Legitimate version: VirusTotal
Key Findings:
Both malicious files had digital signatures issued by Microsoft, but their validity was extremely short-lived. It’s suspected that the certificates were issued using a method similar to developer signing. Microsoft has since revoked both signatures, so executing the files now will produce invalid signature errors.
If you executed emed64_25.4.3.msi, Windows may have stored a copy in C:\Windows\Installer. This location is not directly accessible by default, but the file remains on the system.
Indicators of Compromise (IoCs):
- File hash verification against known malicious versions
- Presence of file: C:\ProgramData\tmp_mojo.log
- Scheduled Task: Google Drive Caching
- File: %LOCALAPPDATA%\Google Drive Caching\background.vbs
- Browser extension: Google Drive Caching in Chromium-based browsers (Chrome or Edge)
- Network traffic to fake domains: cachingdrive.com, emeditorde.com, emeditorgb.com, emeditorjp.com, emeditorsb.com
Website Backdoor:
A backdoor file named base64.php was found in the WordPress plugin folder.
A script footer.php in the WordPress theme redirected the legitimate installer URL https://support.emeditor.com/ja/downloads/latest/installer/64 to the malicious installer https://www.emeditor.com/wp-content/uploads/filebase/emeditor-core/emed64_25.4.3.msi.
Recommendations:
- Verify your installer hash before execution
- Check for the listed IoCs
- Remove malicious files, scheduled tasks, and browser extensions immediately
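The recommendations above are a host triage checklist. The PowerShell script below is an added example, not code from the OnHex post or from EmEditor: it walks a Windows host through each listed IoC (installer hash, dropped files, the scheduled task, the browser extension, and DNS cache hits for the listed domains). The hash values are placeholders to be filled from the linked VirusTotal entries, and the function name Test-EmEditorIoc is my own.

```powershell
# Added example (not from the OnHex post): defender-side check for the EmEditor
# installer IoCs listed in the post. Run in an elevated PowerShell session on the
# suspect host. Hashes are placeholders; take the real values from VirusTotal.

$KnownGoodSha256 = 'PLACEHOLDER_SHA256_OF_LEGITIMATE_INSTALLER'
$KnownBadSha256  = @('PLACEHOLDER_SHA256_MALICIOUS_1', 'PLACEHOLDER_SHA256_MALICIOUS_2')
$InstallerName   = 'emed64_25.4.3.msi'
$IocFiles        = @(
    'C:\ProgramData\tmp_mojo.log',
    (Join-Path $env:LOCALAPPDATA 'Google Drive Caching\background.vbs')
)
$IocTaskName     = 'Google Drive Caching'
$IocExtension    = 'Google Drive Caching'
$IocDomains      = @('cachingdrive.com', 'emeditorde.com', 'emeditorgb.com',
                     'emeditorjp.com', 'emeditorsb.com')

function Test-EmEditorIoc {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Installer hashes. The Windows Installer cache (C:\Windows\Installer) renames
    #    cached MSIs, so every cached MSI is hashed and compared with the known-bad list;
    #    a copy still in Downloads is also compared with the known-good hash.
    $msiFiles = @()
    $msiFiles += Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter $InstallerName -ErrorAction SilentlyContinue
    $msiFiles += Get-ChildItem -Path 'C:\Windows\Installer' -Filter '*.msi' -Force -ErrorAction SilentlyContinue
    foreach ($msi in $msiFiles) {
        $hash = (Get-FileHash -Path $msi.FullName -Algorithm SHA256).Hash
        if ($KnownBadSha256 -contains $hash) {
            $findings.Add("Known malicious installer: $($msi.FullName) SHA256=$hash")
        } elseif ($msi.Name -ieq $InstallerName -and $hash -ne $KnownGoodSha256) {
            $findings.Add("Installer hash differs from known-good value: $($msi.FullName) SHA256=$hash")
        }
    }

    # 2. Dropped files
    foreach ($path in $IocFiles) {
        if (Test-Path -LiteralPath $path) { $findings.Add("IoC file present: $path") }
    }

    # 3. Persistence via the scheduled task
    $task = Get-ScheduledTask -TaskName $IocTaskName -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task '$IocTaskName' present (state: $($task.State)); actions: $actions")
    }

    # 4. Extension in Chromium-based browsers (Chrome, Edge). Names are read from each
    #    unpacked manifest.json; localized names (__MSG_*__) are not resolved here.
    $extensionRoots = @(
        "$env:LOCALAPPDATA\Google\Chrome\User Data\*\Extensions",
        "$env:LOCALAPPDATA\Microsoft\Edge\User Data\*\Extensions"
    )
    foreach ($root in $extensionRoots) {
        Get-ChildItem -Path $root -Recurse -Filter 'manifest.json' -ErrorAction SilentlyContinue | ForEach-Object {
            try { $manifest = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json } catch { return }
            if ($manifest.name -like "*$IocExtension*") {
                $findings.Add("Browser extension '$($manifest.name)' found at $($_.DirectoryName)")
            }
        }
    }

    # 5. Recent resolution of the attacker domains. The DNS client cache only survives
    #    until a reboot or flush, so no hit does not prove the host never contacted them.
    $dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($domain in $IocDomains) {
        $hits = $dnsCache | Where-Object { $_.Entry -like "*$domain" }
        if ($hits) { $findings.Add("DNS cache entry for IoC domain: $domain") }
    }

    return $findings
}

$result = @(Test-EmEditorIoc)
if ($result.Count -eq 0) {
    Write-Host 'No EmEditor IoCs found on this host.'
} else {
    Write-Host "$($result.Count) indicator(s) found:"
    $result | ForEach-Object { Write-Host " - $_" }
}
```

A clean result only covers the indicators the post lists; a host that ran the installer should still be treated as compromised until the dropped files, task and extension have been confirmed absent and the hash check passes.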
#ThreatActors #WordPress #Malware #EmEditor #SecurityIncident #Cybersecurity
🚀 Welcome 2026 with OnHex! 🚀
The English version of OnHex is here! Get the latest cybersecurity news, vulnerabilities, and hacking stories – now in English, from around the world.
Join the community: t.iss.one/onhex_en
🔐 Hack safely, read wisely!
🔴 The hacking group Handala claims to have infiltrated the iPhone 15 Pro of Ms. Ayelet Shaked. She is a computer engineer and former Minister of Justice of Israel.
To prove their breach, the hackers released a series of videos and images under the title Queen’s Secrets.
In a part of the released statement, the hackers stated:
When you resorted to advanced cyber operations using tools like Pegasus and Paragon, it was only logical for the Resistance Front to seek innovative solutions and develop systems like Naem in order to counter your attacks and defend its own interests. The game has changed, and now you must realize that your actions no longer go unanswered.
If you are not familiar with mercenary spyware such as Pegasus and Paragon, you can read the articles linked below:
- Intellexa Leaks
- Spyware vendors use 0-days and n-days against popular platforms
- Buying Spying: How the commercial surveillance industry works and what can be done about it
#APT #Handala #MercenarySpyware
🔴 Trust Wallet has announced that the recent hack of its Chrome extension is likely influenced by the Shai-Hulud attack that occurred in November.
The Shai-Hulud threat first emerged in mid-September, compromising 187 NPM packages with a self-replicating payload, using TruffleHog to identify account tokens, inject malicious scripts into the packages, and automatically publish them.
In the second wave, this malware impacted over 800 packages (including all compromised versions).
Trust Wallet has stated that during this attack, sensitive GitHub information of developers was leaked, allowing hackers access to the extension’s source code and the Chrome Web Store (CWS) API key.
Hackers were able to bypass the standard extension release process through the CWS API and directly post the malicious version to the store.
Subsequently, the attackers registered the domain metrics-trustwallet[.]com and the subdomain api.metrics-trustwallet[.]com to utilize in the contaminated version.
As a result of this hack, over $8.5 million was stolen from 2,500 wallets. (Source)
#SupplyChainAttack #ShaiHaludAttack #TrustWallet
🔴 Dates of major cybersecurity conferences in 2026:
- DEF CON Singapore - April 28–30, 2026
- DEF CON 34 - August 6–9, 2026
- Black Hat USA - August 1–6, 2026
- Black Hat Europe - TBA, 2026
- Black Hat Asia - April 21–24, 2026
- Black Hat Middle East & Africa - December 1–3, 2026
- Recon - June 19–21, 2026
- Offensive Security Conference - May 15–16, 2026
- Orangecon - June 4, 2026
- Zer0con - April 2–3, 2026
- Districtcon - January 24–25, 2026
- RE//verse - March 5–7, 2026
- x33fcon - June 11–12, 2026
To find out the CFP deadlines, you can check cfp.hex.dance (CFP Time) or this site.
#Conference
#CyberSecurityConference #infosec
🔴 As you are aware, yesterday the President of Venezuela, Nicolás Maduro, was captured during an operation and transferred to the United States. During this operation, the Americans used a cyberattack to cut off the power in Caracas.
According to U.S. military officials, initially, Venezuela’s air defense systems were destroyed to allow U.S. special operations forces to enter the country.
As these forces approached Maduro, the U.S. cut off power to parts of Caracas. Trump also mentioned in a press conference that "with some of the expertise we have, the lights went out." Although he did not provide further details, sources involved in the operation stated that a cyberattack temporarily cut off power.
#Venezuela #USA
🔴 Yesterday, the threat actors known as Scattered Lapsus$ Hunters (SLH) claimed to have breached the cybersecurity company Resecurity and published a series of data including employee information, internal communications, and threat reports to prove their infiltration. For example, they shared communications between Resecurity employees and Pastebin personnel regarding malicious content that was shared on the platform.
The hackers stated that this retaliatory attack was conducted in response to Resecurity’s attempts at social engineering and learning about their operations.
They claimed that Resecurity employees pretended to be buyers during the sale of a financial database from Vietnam, seeking free samples and additional information.
However, a spokesperson for ShinyHunters stated that they were not involved in this hack.
Resecurity has also stated that the hackers did not breach the company’s legitimate infrastructure but instead accessed a honeypot.
A honeypot is a system or account that is deliberately exposed and monitored, designed to deceive attackers, allowing for observation and analysis of the attackers’ activities without risking real data or infrastructure.
On November 21, the DFIR team at Resecurity identified reconnaissance activities on their publicly exposed systems and logged several IP addresses associated with the actor, including those originating from Egypt and Mullvad VPN services.
They subsequently created a honeypot account in an isolated environment populated with synthetic data that closely resembled real-world data to monitor the threat actor’s activities. The threat actor’s activities increased in December, and they began attempting data exfiltration.
Due to proxy connection issues, the hackers used real IP addresses on several occasions, which have been reported to law enforcement.
As the hackers’ activity increased, Resecurity added more fake datasets, leading to further OPSEC failures on the part of the hackers.
In response to this news, the hackers stated that they would soon publish new information.
#ThreatActors #ScatteredLAPSUSHunters #Resecurity #SLH #OPSEC #Honeypot
🔴 If you're curious how secure your digital habits and the tools and platforms you use for communication and web browsing are, and where you stand against the existing risks, you can use this website.
The value of this website is actually in collecting and categorizing security tips!
https://digital-defense.io/
A German hacker named Martha Root deleted a dating website associated with white supremacist groups during the CCC conference.
She infiltrated the site and used her own AI chatbot to extract as much information as possible from the users. Then she downloaded all the profiles. Following that, she uncovered the identity of the site’s owner and ultimately published all the acquired data.
#39C3 #CyberSecurity #Conference
🔴 The penetration testing course by Georgia Weidman is available for free on YouTube.
She is the author of the book "Penetration Testing: A Hands-On Introduction to Hacking."
#course
🔴 A threat actor known as 1011 has claimed that they were able to steal more than 10 databases containing sensitive information such as Salesforce API keys and Jira tokens by performing a brute-force attack against a NordVPN development server.
NordVPN has denied these claims, stating that the data in question belongs to an isolated test environment and contains only dummy (fake) data. According to the company, this test environment was created as part of an evaluation of a potential vendor they were considering working with. However, since no contract was ever signed, all the data stored in that environment was non-production and not real. Ultimately, NordVPN did not proceed with that vendor and chose to work with a different one.
In 2019, hackers successfully breached the servers of NordVPN and TorGuard, gaining full root access and stealing sensitive information from these VPN providers. In response to that incident, NordVPN launched its bug bounty program.
Source: BleepingComputer
#NordVPN #VPN
🔴 Ledger, the manufacturer of hardware wallets, has informed some of its customers that their names and contact information were exposed in a security incident related to Global-e.
If you use a Ledger hardware wallet and made a purchase with Global-e acting as the Merchant of Record, you are affected by this incident. Otherwise, all software and hardware systems of the Ledger platform remain secure.
The Global-e platform is responsible for services such as checkout and payment processing, order fulfillment, localization, tax and duty calculations, and regulatory compliance for multiple online stores and brands, including Bang & Olufsen, adidas, Disney, Givenchy, Hugo Boss, Ralph Lauren, Michael Kors, Netflix, and M&S.
Global-e has stated that it is currently directly notifying all potentially affected individuals and relevant regulators, and has emphasized that no payment information or account credentials were compromised in this incident.
Users are advised to remain vigilant against potential phishing and social engineering attacks that may attempt to exploit this breach.
Source: BleepingComputer
#wallet #cryptocurrency
🆔 @onhex_en
🌍 ONHEXGROUP (Official Links)
🔴 I previously introduced Google’s Dark Web service, which searches for data published on the dark web and alerts you if your information is included. (Although this service is being shut down.)
This morning, I received an alert that my email and Twitter username are included in a leak titled "Cryptocurrency Twitter Follower Data." I couldn’t find any details about this data by searching on Google.
The concerning point is that if this data becomes public (which it might have), individuals can link my email to my Twitter and vice versa, opening new doors for OSINT (Open Source Intelligence).
On the other hand, the data is specifically related to cryptocurrencies, so I could also become a phishing target (email, etc.).
Furthermore, many of us, a few years ago, engaged in hamster-like activities to gain more tokens, posting about cryptocurrency on Twitter or following projects, and thus we might be on this list as well.
In summary, be careful.
#Leak #Twitter #Cryptocurrency
🆔 @onhex_en
🌍 ONHEXGROUP (Official Links)
🔴 Critical Vulnerability in n8n:
A critical vulnerability with the identifier CVE-2026-21858 and a score of 10 has been reported and fixed in n8n, also known as Ni8mare.
The vulnerability allows an attacker to access files on the underlying server by executing certain form-based workflows. A vulnerable workflow may grant access to an unauthenticated remote attacker, potentially leading to the exposure of sensitive information stored on the system and creating opportunities for further compromises depending on the deployment and usage of the workflows.
Vulnerable Versions: 1.65.0 and earlier.
Fixed Versions: 1.121.0 and later (version 1.121.0 was released in November).
Over the last two weeks, n8n has fixed a total of four critical vulnerabilities related to this issue:
- CVE-2025-68613: Allows an authenticated attacker to achieve RCE.
- CVE-2025-68668 or N8scape: Grants an authenticated user with permission to create or modify workflows the ability to execute arbitrary commands on the host system running n8n.
- CVE-2026-21877: Allows an authenticated attacker to execute untrusted code via the n8n service and gain full control of the instance.
#SecurityVulnerability #n8n #cve #Ni8mare
🆔 @onhex_en
🌍 ONHEXGROUP (Official Links)
GitHub advisory: Unauthenticated File Access via Improper Webhook Request Handling
🔴 From January 11 to 14, the first National Week of Information Technology Security will be held in Tehran under the slogan “Digital Security, the Infrastructure of National Trust.”
The specialized sessions conducted in panel format are as follows:
- January 11: Information Security in the Banking Network
- January 11: The Role of Universities in the Development of Security Technology
- January 12: New Cyber Threats in the Era of Artificial Intelligence
- January 12: Data Governance and Security Requirements
- January 13: Development of the Domestic Cybersecurity Industry
- January 13: Information Security in Industrial Networks
Workshops:
- January 11 - 9 AM - 12 PM - Workshop on Security in Industrial Networks (AFTA Center)
- January 12 - 8:30 AM - 10 AM - Asset Management, Risk Management, and Data Leakage (RejaIT Company)
- January 12 - 10:30 AM - 12 PM - Attack Simulation (BAS): Assessing the Effectiveness of Cyber Threat Detection in the Security Operations Center
On January 23 and 24, an exhibition will also take place, which is open to the public. This exhibition will feature the participation of 40 private sector companies active in producing local cybersecurity products and providing security services.
For more information, you can visit the event website.
In other news from AFTA, Dr. Noroozadeh, the head of AFTA’s Strategic Center, has stated:
- Training, attracting, retaining, and maintaining cybersecurity specialists are significant concerns for agencies, organizations, and the private sector.
- A plan has been submitted by the AFTA Development Headquarters to the Administrative and Recruitment Affairs Organization to exempt the allocation and determination of cybersecurity specialists’ salaries from the regulations of public service law. This aims to align the salaries of cybersecurity personnel in the public sector closer to those in the private sector by providing financial incentives.
- Poor configuration, human negligence, and violation of cybersecurity policies are major reasons for cyber incidents, necessitating legal action against managers who fail to act despite the regulations and directives from the AFTA Strategic Management Center.
- To free ourselves from the cyber dominance of adversaries, it is essential to increase the use of domestically produced cybersecurity products and replace foreign products.
- Establishing and launching National Threat Intelligence Centers (CTI), Threat Detection and Response (MDR), and Information Sharing and Analysis Centers (ISAC) are among the future plans and projects of the AFTA Center. / Source
#Iran #AFTA
🆔 @onhex_en
🌍 ONHEXGROUP (Official Links)