«Миллиардные потери, киберугрозы через TikTok и атакующие соратники: неделя в кибербезопасности» Translation: Billion-Dollar Losses, Cyber Threats via TikTok, and Attacking Allies: A Week in Cybersecurity

We have compiled the most significant news from the world of cybersecurity over the past week.

In the first half of 2025, cybercrime inflicted damages of 34 billion rubles in Moscow. This was revealed in an interview with Interfax by Anton Kononenko, head of the Cyber Crime Prevention Department of the Ministry of Internal Affairs of Russia in the capital.

«Crimes are now being committed for amounts of one million rubles and higher; there are virtually no minor cases left. Compared to previous years, the total damage caused by cyber fraudsters in the capital is showing an upward trend,» Kononenko commented.

According to law enforcement, cybercriminals set a record in the spring by stealing 450 million rubles.

Kononenko noted that over the last three years, the volume of losses has been increasing. Previously, most investigations related to thefts of up to 50,000 rubles, but now about 80% of identified crimes fall into serious (losses of 250,000 rubles) and particularly serious categories.

A 64-year-old resident of Ternopil fell victim to fraud, losing around 1 million hryvnias. The Ternopil District Police Department reported this.

According to law enforcement, the victim saw an advertisement on social media for investment courses promising profits. He followed a link and contacted a person who posed as a broker-analyst.

After registering on the site, the pensioner began transferring money to the specified account from his electronic wallet. When the total amount reached $28,100, the «broker» stopped communicating, and access to the platform was blocked.

On October 17, ISC Handler analyst Xavier Mertens noted an ongoing campaign using TikTok videos for hacking attacks.

Malicious software for stealing data is disguised as free guides for activating popular programs like Windows, Spotify, and Netflix.

The authors of these videos employ ClickFix social engineering techniques, presenting the victims with seemingly legitimate «solutions» or instructions.

In reality, they trick individuals into executing malicious PowerShell commands or other scripts that infect their computers.

Each video displays a short, one-line command and suggests running it as an administrator in PowerShell.

Once initiated, the software connects to a remote site and downloads another script, which retrieves and installs two executable files from Cloudflare Pages. The first is a variant of Aura Stealer, malware that steals:

All collected data is sent to the perpetrators, granting them access to the victim’s accounts.

Mertens added that another file, source.exe, is additionally downloaded, which uses the built-in Visual C# Compiler to assemble code on the fly. This code is then run in the memory. The purpose of the second module remains unknown.

Hackers linked to China have exploited the ToolShell vulnerability in Microsoft SharePoint to attack government agencies, universities, telecommunications providers, and financial organizations. This was reported in a Symantec report.

The vulnerability affects locally hosted SharePoint servers. It became known in July following extensive attacks by Chinese hackers. The malware can be exploited remotely without authentication to execute code and gain full access to the file system.

During the campaign, the attackers used malware typically associated with the Chinese hackers known as Salt Typhoon.

According to Symantec, ToolShell has been used to compromise various organizations in the Middle East, South America, the U.S., and Africa. The attacks affected:

Interestingly, the attacks were carried out using legitimate executable files from Trend Micro and BitDefender. For the scheme in South America, the attackers utilized a file with a name similar to Symantec’s.

Researchers noted that the list of publicly available tools used in the attacks included Microsoft’s certutil, the GoGo Scanner, and the Revsocks utility, which allows for data exfiltration via a remote server.