Myths and Realities of Cyber Threats: From Pirated Battlefield to Threatening Hacker Networks in Kyiv

We have compiled the most significant news from the world of cybersecurity over the past week.

Experts from Bitdefender Labs have uncovered extensive malicious campaigns that exploit the October release of the shooter Battlefield 6. Malware is being distributed through fake software designed to install pirated versions of the game—“repacks” from well-known groups.

Cybercriminals are employing social engineering techniques and masquerading as reputable teams like InsaneRamZes and RUNE to deliver infected installers containing stealers.

The malicious files completely lack the promised functionality and compromise the system as soon as they are executed. Experts have identified a suite of hacking tools:

Bitdefender researchers advised downloading software only from official platforms like Steam or EA App.

In Kyiv, authorities have exposed a group of scammers who swindled EU citizens out of money under the guise of investments in cryptocurrency and shares of «promising» companies, as reported by the Cyber Police of Ukraine.

Among the victims are over 30 individuals. During a special operation, police conducted 21 searches, seizing more than $1.4 million, over 5.8 million hryvnias, and 17,000 euros in cash.

According to operational data, the ringleader and two accomplices set up a call center in Kyiv with 20 workstations. «VIP client managers» created a false impression of successful trading on global exchanges for the victims. For this purpose, the criminals remotely installed specialized software on the «clients'» computers.

After obtaining cryptocurrency, the group members cashed it out through physical exchanges in Kyiv. They face up to 12 years in prison.

Specialists from Kaspersky Lab have identified a botnet named Tsundere that infiltrates Windows devices disguised as installers for popular games like Valorant, CS2, and R6x.

To carry out attacks, the malware utilizes Ethereum smart contracts, significantly enhancing the botnet’s infrastructure resilience. If one command server is blocked, the system automatically switches to backup servers that are pre-recorded on the blockchain.

To achieve this, the operators send a transaction for 0 ETH that writes a new address into a state variable of the contract. The bot queries public Ethereum RPC endpoints, inspects the contract's transactions, and reads out the current command-server address.
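As an added example (not from the article or from Kaspersky's analysis): when an analyst captures the bot's `eth_call` JSON-RPC exchange, the `result` field is an ABI-encoded value of the contract's state variable. The helper below decodes an ABI `string` return value into the command-server address pinned on-chain; the JSON-RPC response and the `c2.example.invalid` address are constructed placeholders.

```python
# Added example, not code from the article or Kaspersky. Decodes the ABI
# `string` returned by an eth_call that reads a contract state variable,
# so an incident responder can see which C2 address the contract holds.
import json


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic string (used only to build the sample below)."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode a single ABI-encoded dynamic `string` from an eth_call result."""
    raw = bytes.fromhex(result_hex.removeprefix("0x"))
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")      # where the string starts
    if offset + 32 > len(raw):
        raise ValueError("string offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("truncated string payload")
    return data.decode("utf-8", errors="replace")


def current_c2_from_rpc_response(response_text: str) -> str:
    """Pull the C2 address out of a captured JSON-RPC eth_call response."""
    msg = json.loads(response_text)
    if "error" in msg:
        raise ValueError(f"RPC error: {msg['error']}")
    return abi_decode_string(msg["result"])


# Constructed sample response; the address is a placeholder, not a real IoC.
SAMPLE_RESPONSE = json.dumps(
    {"jsonrpc": "2.0", "id": 1,
     "result": abi_encode_string("http://c2.example.invalid/gate")}
)

if __name__ == "__main__":
    print("pinned C2:", current_c2_from_rpc_response(SAMPLE_RESPONSE))
```

Because the contract's transactions are public, the same decoder can be run against the contract's earlier state writes to build a timeline of C2 changes.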

The study revealed a connection between Tsundere and a stealer distributed on hacker forums—123 Stealer. They share infrastructure and are affiliated with a user under the nickname koneko.

A new attack method called JackFix is employing fake adult websites and imitating Windows updates to spread info stealers en masse. This was reported by the Acronis Threat Research Unit.

The criminals are propagating clones of popular platforms like Pornhub, which, when interacted with, open a full-screen window demanding the installation of «critical Windows security updates.»

According to analysts, the attack is executed within the victim’s browser via HTML and JavaScript, attempting to programmatically block the exit keys from full-screen mode.

To bypass security mechanisms, hackers use arrays of commands and specialized files with the .odd extension to covertly launch malicious processes through the PowerShell interface.

Subsequently, the script continuously attacks the user using social engineering tactics until administrative rights are obtained. At this point, the code sets exceptions for antivirus software and downloads the final payload from the attackers’ servers. The fake URLs are configured in such a way that direct access redirects investigators to legitimate resources like Google or Steam.

Experts noted that a single successful injection leads to the download and execution of eight different malware families, including the latest versions of stealers and Remote Access Trojans (RATs).
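As an added example (not from the article or from Acronis): a small triage check over constructed process-creation events that flags the JackFix behaviours described above, namely PowerShell launched under a browser, a command line referencing a `.odd` file, and an antivirus exclusion being added. The page does not name the exclusion mechanism; the check assumes it is done with Defender's `Add-MpPreference` cmdlet, and the log format and paths are constructed.

```python
# Added example, not code from the article or Acronis. Flags process-creation
# events matching the JackFix chain: browser -> PowerShell, `.odd` file
# arguments, and Defender exclusion changes (Add-MpPreference is an assumption).
import re

# Constructed sample events in a flattened key=value form.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\update.odd",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe notes.txt",
    r"ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -File C:\Scripts\backup.ps1",
]

BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
# Each field runs until the next known key or end of line (paths may contain spaces).
FIELD = re.compile(r"(ParentImage|Image|CommandLine)=(.*?)(?= (?:ParentImage|Image|CommandLine)=|$)")


def parse_event(line: str) -> dict:
    return dict(FIELD.findall(line))


def flag_event(line: str) -> list:
    """Return the list of reasons this event looks like the JackFix chain."""
    ev = parse_event(line)
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    reasons = []
    if image.endswith(("powershell.exe", "pwsh.exe")):
        if parent.endswith(BROWSERS):
            reasons.append("powershell spawned by browser")
        if re.search(r"\.odd\b", cmd):
            reasons.append("powershell referencing .odd file")
        if "add-mppreference" in cmd and "-exclusion" in cmd:
            reasons.append("defender exclusion added")
    return reasons


def triage(events: list) -> dict:
    """Map event index -> reasons for every event that raised at least one flag."""
    return {i: r for i, r in ((i, flag_event(e)) for i, e in enumerate(events)) if r}


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, "; ".join(reasons))
```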

If the site enters full-screen mode and blocks the interface, the Acronis Threat Research Unit recommends using the Esc or F11 keys to exit. If the issue persists, it is necessary to forcibly close the browser using Alt+F4 or the task manager (Ctrl+Shift+Esc).

Unofficial LLM models WormGPT 4 and KawaiiGPT are enhancing the capabilities of cybercriminals, experts from Unit 42 reported.

They claim that the AI generates functional malicious code, including ransomware scripts and automation of lateral movement within corporate networks.

WormGPT 4 is a revival of the original WormGPT project, which was shut down in 2023; the new version surfaced in September 2025. The model is marketed as a ChatGPT equivalent trained specifically for illegal activities. The software is available for $50 per month or $220 for lifetime access.

In an experiment, WormGPT 4 successfully generated a ransomware payload for PDF files on Windows. The script also included an option to exfiltrate information via the Tor network for executing real attacks.

Experts believe that the model effectively crafts «convincing and intimidating» ransom notes mentioning «military-grade encryption» and doubling the ransom amount within 72 hours.

According to Unit 42, WormGPT 4 offers «reliable linguistic manipulation tools» for compromising business correspondence and phishing attacks, making complex operations accessible even to novices.

Another tool, KawaiiGPT 2.5, was discovered in July and is being distributed for free. Installing the model on Linux took researchers about five minutes. The LLM generates realistic phishing emails and ready-to-execute scripts.

Although KawaiiGPT did not create a full-fledged «ransomware» as WormGPT 4 did, experts warned that its ability to generate scripts for remote command execution makes it a dangerous tool for data theft.

According to researchers, both models have hundreds of followers on Telegram channels where users share experiences and workarounds.

State-sponsored hacker groups have shifted from classical espionage to the tactic of “cyber support for kinetic targeting” to provide direct assistance for military strikes. This was reported by cybersecurity experts from Amazon Threat Intelligence (ATI).

According to ATI, Imperial Kitten allegedly infiltrated navigation systems and cameras of unnamed vessels to gather precise coordinates of maritime targets. The data obtained allowed Houthi forces to carry out a targeted missile strike on a tracked ship on February 1, 2024, researchers claim.

They called for the implementation of enhanced threat modeling to protect physical assets against such attacks. ATI believes that operators of critical infrastructure must consider their systems as potential targeting tools.