In Cyberspace: From a Pirated Battlefield 6 to a Crypto Scam in Kyiv

We have gathered the most important cybersecurity news from the past week.

Experts from Bitdefender Labs have uncovered large malware campaigns riding on the October release of the shooter Battlefield 6. The malware is distributed as fake installers for pirated copies of the game, presented as repacks from well-known scene groups.

The cybercriminals rely on social engineering and impersonate popular repack groups such as InsaneRamZes and RUNE to deliver trojanized installers bundled with stealers.

The malicious files have none of the advertised functionality and compromise the system as soon as they are run. The researchers identified a whole suite of malicious tools in the payloads.

Bitdefender researchers advise downloading games only from official stores such as Steam or the EA App.

In Kyiv, law enforcement uncovered a group of scammers who defrauded EU citizens under the guise of investments in cryptocurrency and shares of «promising» companies, the Cyber Police of Ukraine reported.

More than 30 victims have been identified so far. In a special operation, police carried out 21 searches and seized more than $1.4 million, over 5.8 million hryvnias, and 17,000 euros in cash.

According to investigators, the leader of the scheme and two accomplices ran a call center in Kyiv with 20 workstations. So-called «VIP client managers» gave victims the false impression of successful trading on global exchanges; to do so, the criminals installed specialized software on the «clients'» computers via remote access.

After receiving the victims' cryptocurrency, members of the group cashed it out through physical exchange offices in Kyiv. They face up to 12 years in prison.

Experts from Kaspersky Lab have discovered the Tsundere botnet, which infects Windows machines under the guise of installers for popular games such as Valorant, CS2, and R6x.

For command and control, the malware relies on an Ethereum smart contract, which makes the botnet's infrastructure much harder to take down: if one C2 server is blocked, the bots automatically switch to backup servers recorded in advance on the blockchain.

To update the C2, the operators send a 0 ETH transaction that writes a new address into the contract's state variable. The bot queries public Ethereum RPC endpoints, inspects the contract's state and transactions, and extracts the current path.
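The mechanism described above, as an added example that is not Kaspersky's or the botnet's own code: it builds the JSON-RPC `eth_getStorageAt` request a bot would send to a public node and decodes the C2 path from the returned storage word. The contract address and the slot number are placeholders, the network reply is constructed inline rather than fetched, and the decoding follows Solidity's documented layout for a `string` state variable of at most 31 bytes (bytes left-aligned, `2 * length` in the lowest byte of the slot).

```python
import json

# Placeholders (assumptions for this example, not the real Tsundere contract or node).
CONTRACT = "0x" + "11" * 20
STATE_SLOT = 0  # storage slot of the hypothetical 'string' state variable holding the C2 path


def build_storage_query(slot: int, request_id: int = 1) -> str:
    """JSON-RPC body a bot (or an analyst) would POST to a public Ethereum node
    to read one 32-byte storage word of the contract at the latest block."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_getStorageAt",
        "params": [CONTRACT, hex(slot), "latest"],
    })


def encode_short_string_slot(s: str) -> str:
    """Mirror of how Solidity stores a 'string' of at most 31 bytes in its own slot:
    bytes left-aligned, lowest byte = 2 * length (an even value marks the short form).
    This is the word that ends up in the slot after the operator's 0 ETH setter call."""
    data = s.encode("utf-8")
    if len(data) > 31:
        raise ValueError("only strings of up to 31 bytes fit in a single slot")
    word = data + b"\x00" * (31 - len(data)) + bytes([len(data) * 2])
    return "0x" + word.hex()


def decode_short_string_slot(word_hex: str) -> str:
    """Inverse of the above: recover the string from a raw 32-byte storage word."""
    raw = bytes.fromhex(word_hex[2:] if word_hex.startswith("0x") else word_hex)
    if len(raw) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    marker = raw[31]
    if marker & 1:
        # Odd marker = long form: the slot holds 2*length+1 and the bytes live at keccak256(slot).
        raise ValueError("long string (32+ bytes) stored out of line; not handled here")
    length = marker // 2
    return raw[:length].decode("utf-8")


def extract_c2_path(rpc_response_json: str) -> str:
    """Take the node's JSON-RPC reply and return the C2 path the bot would use next."""
    resp = json.loads(rpc_response_json)
    if "error" in resp:
        raise RuntimeError(f"RPC error: {resp['error']}")
    return decode_short_string_slot(resp["result"])


# Constructed sample reply, shaped like what a public node returns for the query above.
SAMPLE_C2 = "http://c2.example/g"
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1,
                              "result": encode_short_string_slot(SAMPLE_C2)})

if __name__ == "__main__":
    print(build_storage_query(STATE_SLOT))
    print("current C2 path:", extract_c2_path(SAMPLE_RESPONSE))
```

The failover described in the write-up is the same read repeated over several slots (or over an array variable); the decoding does not change. Strings of 32 bytes or more are stored out of line at `keccak256(slot)`, which is why the decoder raises on the odd marker instead of guessing. For defenders the useful observation is that any process making `eth_getStorageAt` or `eth_call` requests to public RPC nodes, outside a wallet or dev toolchain, is worth a look.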

The investigation also linked Tsundere to 123 Stealer, a stealer sold on hacker forums: the two share infrastructure and are tied to a user known as koneko.

A new attack dubbed JackFix uses fake adult websites and a fake Windows update screen to deploy info stealers at scale, the Acronis Threat Research Unit reports.

The attackers clone popular platforms such as Pornhub and, once the visitor interacts with the page, display a full-screen window demanding that «critical Windows security updates» be installed.

According to the analysts, the lure runs entirely in the victim's browser using HTML and JavaScript and tries to programmatically stop the user from leaving full-screen mode.

To evade security tooling, the attackers use chained commands and staging files with a .odd extension to quietly launch malicious processes through PowerShell.

The script then keeps pressing the user with social-engineering prompts until it obtains administrative rights. Once it has them, it adds antivirus exclusions and downloads the final payload from the attackers' servers. The download URLs are set up so that anyone opening them directly, such as a researcher, is redirected to legitimate Google or Steam pages.

The researchers note that a single successful infection leads to the download and execution of eight different malware families, including current versions of stealers and remote access trojans (RATs).
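A small triage check for the post-click part of the chain above (the PowerShell stage file, the antivirus exclusions), as an added example that is not Acronis's code and not the attackers' script. The telemetry is constructed inline, modelled on the behaviour the write-up describes; the specific cmdlet and flags are assumptions, since the page does not name them. `Add-MpPreference -ExclusionPath` is the Microsoft Defender cmdlet that adds an exclusion, and the hidden-window and execution-policy-bypass switches are the usual way a script hides a PowerShell stage.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record, in the spirit of Sysmon event ID 1 or EDR telemetry."""
    parent_image: str
    image: str
    command_line: str


# Each rule is (name, pattern). The command names are assumptions for this example:
# the write-up says the script adds antivirus exclusions and runs its stages through
# PowerShell; Add-MpPreference is the Defender cmdlet that does the former.
RULES = [
    ("odd_stage_file",     re.compile(r"\.odd\b", re.IGNORECASE)),
    ("av_exclusion_added", re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.IGNORECASE)),
    ("hidden_or_bypass",   re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass", re.IGNORECASE)),
]


def is_powershell(ev: ProcessEvent) -> bool:
    """True for Windows PowerShell and PowerShell 7 images, whatever the directory."""
    return ev.image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def match_rules(ev: ProcessEvent) -> list[str]:
    """Names of all rules that fire on one event; only PowerShell launches are scored."""
    if not is_powershell(ev):
        return []
    return [name for name, pat in RULES if pat.search(ev.command_line)]


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return only the events that tripped at least one rule, with the rules that fired."""
    hits = []
    for ev in events:
        fired = match_rules(ev)
        if fired:
            hits.append((ev, fired))
    return hits


# Constructed sample telemetry: two records modelled on the chain described above, one benign.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", PS_IMAGE,
                 r'powershell.exe -w hidden -ep bypass -c "iex (Get-Content C:\Users\Public\stage1.odd -Raw)"'),
    ProcessEvent("powershell.exe", PS_IMAGE,
                 r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\Public"'),
    ProcessEvent("explorer.exe", PS_IMAGE,
                 r'powershell.exe -c "Get-Date"'),
]

if __name__ == "__main__":
    for ev, fired in triage(SAMPLE_EVENTS):
        print(f"{ev.parent_image} -> {ev.image}: {', '.join(fired)}")
        print(f"    {ev.command_line}")
```

In a real deployment the exclusion rule is the one to alert on unconditionally: legitimate software rarely adds Defender exclusions from an interactive PowerShell session, and the write-up places that step right before the final payload download, so it is the last cheap point at which the chain can be stopped.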

If a site switches to full-screen mode and locks up the interface, the Acronis Threat Research Unit recommends pressing Esc or F11 to exit. Browsers reserve these keys for leaving full-screen, so a page can make the exit harder but not prevent it. If the overlay persists, force-close the browser with Alt+F4 or through Task Manager (Ctrl+Shift+Esc).

Underground LLMs WormGPT 4 and KawaiiGPT are expanding what cybercriminals can do, Unit 42 specialists report.

According to Unit 42, these models generate working malicious code, including ransomware scripts and scripts that automate lateral movement inside corporate networks.

WormGPT 4 is a revival of the WormGPT project shut down in 2023; it resurfaced in September 2025. The model is marketed as an alternative to ChatGPT trained specifically for illicit work and sells for $50 a month or $220 for lifetime access.

In one experiment, WormGPT 4 produced a working ransomware script that encrypts PDF files on Windows. The script also offered data exfiltration over the Tor network, making it usable in real attacks.

The researchers found the model particularly good at writing «convincing and intimidating» ransom notes, complete with references to «military-grade encryption» and a threat to double the ransom after 72 hours.

According to Unit 42, WormGPT 4 offers «reliable tools for linguistic manipulation» for business email compromise and phishing, putting complex operations within reach of beginners.

Another model, KawaiiGPT 2.5, was discovered in July and is distributed for free. Setting it up on Linux took the researchers about five minutes. The LLM produces realistic phishing emails and ready-to-run scripts.

Although KawaiiGPT, unlike WormGPT 4, did not produce complete ransomware, the researchers warn that its ability to generate scripts for remote command execution makes it a dangerous tool for data theft.

Both models have hundreds of subscribers in Telegram channels where users share experiences and workarounds.

State-aligned hacker groups have shifted from traditional espionage to «cyber support for kinetic targeting», directly assisting military strikes, according to Amazon Threat Intelligence (ATI).

According to ATI, Imperial Kitten broke into the navigation systems and cameras of unnamed vessels to collect precise coordinates for maritime targets. The researchers assess that this intelligence enabled Houthi forces to carry out a targeted missile strike on one of the tracked ships on February 1, 2024.

ATI urged operators of critical infrastructure to extend their threat models to cover physical assets and to treat their own systems as potential targeting tools in an adversary's hands.