CyberBakery Chronicles (02 June 2025)
Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (02 June 2025)

On May 27, 2025, the U.S. Department of Justice (DoJ), in collaboration with international law enforcement agencies, seized four domains—AvCheck[.]net, Cryptor[.]biz, Crypt[.]guru, and an unspecified fourth domain. These domains were integral to a cybercrime syndicate offering crypting services designed to help malware evade detection by antivirus software. The takedown was part of Operation Endgame, a global initiative aimed at dismantling cybercriminal infrastructures.
Crypting services obfuscate or repackage malware so that antivirus engines no longer recognise it, making the resulting samples harder to detect and remove. AvCheck[.]net, for instance, advertised itself as a “high-speed antivirus scantime checker”: a counter-antivirus service that lets customers scan a file against many engines to confirm it goes undetected, without the sample being shared back to the vendors the way a public multi-scanner would. Undercover operations confirmed that cybercriminals actively used these services to refine their malware before deployment.
This seizure follows other significant recent actions against cybercrime infrastructure, including the disruption of the Lumma Stealer network, in which roughly 2,300 domains were taken down, and the dismantling of the DanaBot infrastructure under Operation Endgame, which led to charges against 16 individuals. These coordinated efforts underscore the international commitment to combating cyber threats and protecting digital infrastructure.
A threat actor using the alias “Often9” has claimed responsibility for a significant data breach involving TikTok, asserting possession of 428 million unique user records. These records reportedly include sensitive information, such as email addresses, mobile phone numbers, user IDs, usernames, biographies, avatar URLs, profile links, and internal account flags, including verification status and seller indicators. The data is being offered for sale on a prominent cybercrime forum. 

Sample data screenshot (Image credit: Hackread.com)
Often9 alleges that the data was obtained by exploiting a vulnerability in one of TikTok’s internal APIs, which allowed access to non-public user information before the flaw was patched. This method goes beyond typical data scraping, as it involves unauthorised access to internal systems to retrieve private data. 
However, cybersecurity experts have expressed scepticism regarding the legitimacy of the breach. Analyses of sample data provided by Often9 reveal inconsistencies, such as missing or generic entries for emails and phone numbers. Additionally, the threat actor’s recent emergence and lack of established reputation in cybercrime forums raise questions about the credibility of their claims. 
TikTok has not yet confirmed the breach, and investigations are ongoing to determine the authenticity and scope of the alleged data compromise.
German federal police (BKA) have identified Vitaly Nikolaevich Kovalev, a 36-year-old Russian national, as the person behind the online alias “Stern,” believed to be the leader of the Trickbot botnet and the Conti ransomware operation. The announcement is part of Operation Endgame, a coordinated international effort aimed at dismantling major cybercrime networks.

Vitaly Nikolayevich Kovalev (U.S. Secret Service)
Kovalev, who has previously operated under aliases such as “Bentley,” “Ben,” and “Alex Konor,” is accused of orchestrating cyberattacks that targeted thousands of institutions worldwide, including hospitals, schools, and businesses. These operations reportedly generated hundreds of millions of dollars in illicit profits over several years. Despite prior sanctions and indictments, this is the first time authorities have publicly connected Kovalev to the “Stern” moniker. An Interpol Red Notice has been issued for his arrest, although he is believed to reside in Russia, which complicates potential extradition efforts.  
The identification of Kovalev was facilitated by analysing leaked internal communications from the Trickbot and Conti groups, as well as data obtained during the 2023 Qakbot malware investigation. These insights revealed that “Stern” managed the cybercrime operations with a corporate-like structure, delegating tasks to trusted associates and maintaining strict operational security. Notably, there are indications of potential links between Kovalev and Russian intelligence services, including the FSB. 
This development underscores the increasing effectiveness of international collaboration in combating cybercrime. By unmasking key figures behind these sophisticated operations, authorities aim to disrupt their activities and hold them accountable.
Australia’s Cyber Security Act 2024 has introduced a mandatory obligation, the first of its kind, for specific organisations to report ransomware payments to the government. Effective from 30 May 2025, the obligation applies to:
Businesses operating in Australia with an annual turnover exceeding AUD $3 million.
Entities responsible for critical infrastructure assets, as defined under the Security of Critical Infrastructure Act 2018.
Reporting Requirements:
Timeframe: Reports must be submitted within 72 hours of making a ransomware payment or becoming aware that such a payment has been made on their behalf.
Submission Portal: Reports are to be filed through the Australian Signals Directorate’s (ASD) online portal at cyber.gov.au.
Report Contents: Organisations must provide details, including:
Contact and business information, including the Australian Business Number (ABN).
Description of the cybersecurity incident and its impact.
Details of the ransom demand and the payment made, including method and amount.
Any communications with the threat actor.
Penalties for Non-Compliance:
Failure to report within the stipulated timeframe is a civil penalty provision carrying up to 60 penalty units, currently AUD $19,800 (at AUD $330 per penalty unit).
However, during the initial enforcement phase (until 31 December 2025), the government will adopt an “education-first” approach, focusing on guidance and support rather than immediate penalties.
Objective of the Legislation:
The primary goal is to enhance the government’s visibility into the ransomware threat landscape, which has been historically underreported. By collecting data on incidents and payments, authorities aim to gain a better understanding of cybercriminal tactics and develop more effective countermeasures.
Privacy and Legal Protections:
Information submitted in a ransomware payment report is covered by a “limited use obligation”: it cannot be used to investigate or take regulatory action against the reporting entity (other than for non-compliance with the reporting obligation itself).
This provision is designed to encourage reporting without fear of regulatory repercussions. It does not make the payment itself lawful; sanctions and anti-money-laundering obligations still apply to the decision to pay.
Broader Cybersecurity Strategy:
This mandatory reporting requirement is part of Australia’s broader 2023–2030 Cyber Security Strategy, which includes:
Establishing a Cyber Incident Review Board to analyse significant cyber incidents and share anonymised insights.
Developing a “Ransomware Playbook” to guide businesses in responding to ransomware attacks.
By implementing these measures, Australia aims to disrupt the ransomware business model and bolster national cybersecurity resilience.
Chinese state-sponsored hacking group APT41 has been identified exploiting Google Calendar as a covert command-and-control (C2) channel in a sophisticated cyber-espionage campaign. The malware used in this operation, dubbed TOUGHPROGRESS, was discovered by Google’s Threat Intelligence Group (GTIG) in October 2024. It targeted multiple government entities by leveraging a compromised government website to distribute malicious payloads.
Attack Overview
The campaign began with spear-phishing emails that directed victims to download a ZIP archive hosted on the compromised site. This archive contained:
A Windows shortcut file (.lnk) masquerading as a PDF document.
Several image files, two of which (“6.jpg” and “7.jpg”) are not images at all: “6.jpg” is the encrypted payload and “7.jpg” is the DLL loader that decrypts it in memory.

TOUGHPROGRESS campaign overview
Upon execution, the attack unfolded in three stages:
PLUSDROP: A DLL that decrypts and executes the next stage in memory.
PLUSINJECT: Performs process hollowing on a legitimate svchost.exe process to inject the final payload.
TOUGHPROGRESS: The primary malware that communicates with attacker-controlled Google Calendar events.
Google Calendar as a C2 Channel
TOUGHPROGRESS uses Google Calendar in three ways:
Data Exfiltration: It creates zero-minute calendar events on hardcoded dates (e.g., May 30, 2023), embedding encrypted data from the compromised host into the event descriptions.
Command Retrieval: The malware polls for specific calendar events on predetermined dates (e.g., July 30 and 31, 2023), decrypts the commands contained within the event descriptions, and executes them on the infected host.
Result Transmission: Execution results are encrypted and written back into new calendar events, allowing attackers to retrieve the output seamlessly.
This lets the malware hide its traffic among legitimate HTTPS requests to Google, which complicates detection: there is no malicious domain to block, so defenders have to look at which process is talking to the Calendar API (here a hollowed svchost.exe) and at the content and timing of the calendar events themselves.
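One way to hunt for this pattern in a calendar export, as an added example and not code from the GTIG report or from Google: the script reads the JSON shape returned by the Calendar API’s events.list call (here a constructed sample embedded inline) and flags events where at least two of the signals described above coincide: zero-minute duration, one of the hardcoded dates named in the report, and a description whose length and Shannon entropy look like an encrypted blob rather than human text. The entropy and length thresholds and the sample events are assumptions, to be tuned against your own tenant’s data.

```python
"""
Hunt for TOUGHPROGRESS-style C2 artefacts in a Google Calendar event export.

Added example for this newsletter, not code from Google's GTIG write-up.
Input is the JSON shape of the Calendar API events.list response (an
"items" array of events with start/end and a description).  Signals come
from the behaviour described above: zero-minute events, the hardcoded dates
the report names, and a description that reads as an opaque encrypted blob.
The thresholds and the sample events are assumptions / constructed data.
"""
from __future__ import annotations

import base64
import hashlib
import json
import math
from collections import Counter
from datetime import datetime

# Dates named in the write-up: 2023-05-30 for exfiltration events,
# 2023-07-30/31 for events carrying operator commands.
KNOWN_C2_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}

# Assumed thresholds: base64/encrypted blobs of this size score ~5.5-6 bits
# per character, English prose ~4.0-4.5.  Tune against your own tenant.
MIN_BLOB_LEN = 64
MIN_BLOB_ENTROPY = 5.0


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def _when(field: dict) -> datetime:
    """Parse a Calendar API start/end object (timed or all-day event)."""
    stamp = field.get("dateTime") or field["date"]
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def analyse_event(event: dict) -> list[str]:
    """Return the signals an event trips; an empty list means not reported."""
    start, end = _when(event["start"]), _when(event["end"])
    description = event.get("description") or ""
    day = start.date().isoformat()
    reasons = []
    if start == end:
        reasons.append("zero-minute event")
    if day in KNOWN_C2_DATES:
        reasons.append(f"hardcoded TOUGHPROGRESS date {day}")
    entropy = shannon_entropy(description)
    if len(description) >= MIN_BLOB_LEN and entropy >= MIN_BLOB_ENTROPY:
        reasons.append(f"opaque description ({len(description)} chars, "
                       f"{entropy:.2f} bits/char)")
    # A zero-minute reminder, or a meeting on one of those dates, is normal
    # on its own; report only when at least two signals coincide.
    return reasons if len(reasons) >= 2 else []


def hunt(events_json: str) -> dict[str, list[str]]:
    """Map event id -> reasons for every event in an events.list document."""
    findings = {}
    for event in json.loads(events_json).get("items", []):
        reasons = analyse_event(event)
        if reasons:
            findings[event["id"]] = reasons
    return findings


def _fake_blob(seed: bytes, nbytes: int = 192) -> str:
    """Deterministic stand-in for an encrypted payload (constructed data)."""
    out, block = b"", seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return base64.b64encode(out[:nbytes]).decode()


# Constructed sample export: two benign events and two C2-style events.
SAMPLE_EVENTS = json.dumps({"items": [
    {"id": "evt-benign-meeting", "summary": "Weekly sync",
     "description": "Q2 roadmap: hiring, budget, release planning.",
     "start": {"dateTime": "2023-05-30T09:00:00Z"},
     "end": {"dateTime": "2023-05-30T09:30:00Z"}},
    {"id": "evt-benign-reminder", "summary": "Renew passport",
     "start": {"dateTime": "2023-06-02T08:00:00Z"},
     "end": {"dateTime": "2023-06-02T08:00:00Z"}},
    {"id": "evt-exfil", "summary": "",
     "description": _fake_blob(b"host-data"),
     "start": {"dateTime": "2023-05-30T00:00:00Z"},
     "end": {"dateTime": "2023-05-30T00:00:00Z"}},
    {"id": "evt-command", "summary": "",
     "description": _fake_blob(b"operator-command"),
     "start": {"dateTime": "2023-07-30T00:00:00Z"},
     "end": {"dateTime": "2023-07-30T00:00:00Z"}},
]})

if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"{event_id}: {'; '.join(reasons)}")
```

Run as-is it reports only evt-exfil and evt-command; the meeting on 30 May and the zero-minute reminder each trip a single signal and stay quiet. Pointing hunt() at a real events.list export (or the same logic at Workspace Calendar audit events) is a cheap retrospective check once you have a tenant’s calendars in hand.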
Evasion Techniques
TOUGHPROGRESS employs several advanced techniques to avoid detection:
In-Memory Execution: Payloads are executed directly in memory, leaving minimal traces on the disk.
Process Hollowing: Injects malicious code into legitimate processes to mask its activities.
Control Flow Obfuscation: Uses register-based indirect calls and 64-bit register overflow to hinder static analysis and decompilation.
Google’s Response
In response to this campaign, Google has:
Developed custom detection signatures to identify and dismantle attacker-controlled Google Calendar instances.
Terminated associated Google Workspace projects utilised by APT41.
Updated Safe Browsing blocklists to prevent access to malicious domains and URLs.
Notified affected organisations and provided them with samples of TOUGHPROGRESS network traffic logs to aid in detection and remediation efforts.
This incident underscores the evolving tactics of threat actors in leveraging legitimate cloud services for malicious purposes, highlighting the need for vigilant cybersecurity measures.
Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.
Let’s make 2025 the year of shared knowledge and community growth.