The Good, the Bad and the Ugly in Cybersecurity – Week 35

The Good | Interpol Cracks Down on Cybercrime as U.S. Sanctions North Korean IT Scheme

Interpol announced the arrest of over 1200 suspects in Operation Serengeti 2.0, a three-month crackdown on cybercrime across Africa. Conducted between June and August, the operation dismantled 11,432 malicious infrastructures, seized $97.4 million, and disrupted attacks impacting nearly 88,000 victims worldwide. Investigators from 18 African nations and the U.K. collaborated under the African Joint Operation against Cybercrime, supported by various private sector partners. Targets included ransomware operators, online scammers, and business email compromise (BEC) groups.

Source: Group-IB

This is the latest in a series of coordinated operations across Africa, following earlier successes such as Operation Red Card and Operation Serengeti (2024). Interpol emphasized that each initiative strengthens cross-border cooperation, expanding both intelligence sharing and investigative expertise, and so produces larger, more impactful results in the fight against transnational cybercrime.

The U.S. Treasury’s OFAC has sanctioned two individuals and two entities tied to North Korea’s illicit remote IT worker scheme, which funds its weapons and missile programs. Russian national Vitaliy Sergeyevich Andreyev, North Korean official Kim Ung Sun, Shenyang Geumpungri Network Technology (China), and Korea Sinjin Trading Corporation were named for defrauding American businesses. Andreyev allegedly helped transfer nearly $600,000 in cryptocurrency-to-cash payments, while Shenyang Geumpungri generated over $1 million in profits since 2021.

The IT worker scheme, specifically, embeds North Korean IT workers in global companies using fake identities and stolen documents. Recent investigations indicate a growing reliance on AI tools to build false resumes, pass interviews, and deliver work. Authorities warn the operation also enables malware insertion, data theft, and extortion against targeted firms.

The Bad | UpCrypter Malware Loader Spreads Through Fake Voicemails to Install RAT Payloads

A new phishing campaign distributing a malware loader known as UpCrypter is using fake voicemail notifications and purchase orders as lures. Active since early August 2025, the campaign has primarily targeted organizations in manufacturing, technology, healthcare, construction, and retail/hospitality, with infections observed in Austria, Belarus, Canada, Egypt, India, Pakistan, and several others worldwide.

The attack begins with carefully crafted phishing emails containing malicious URLs to fraudulent landing pages that mimic corporate branding by embedding a victim’s domain name and logo. Victims are prompted to download what appears to be a voicemail or PDF, delivered as a ZIP archive containing an obfuscated JavaScript file. Once executed, the script checks for internet connectivity, scans for forensic tools or sandbox environments, and then retrieves the next-stage malware from an external server.

Source: Fortinet

UpCrypter serves as a dropper for multiple remote access tools (RATs), including PureHVNC RAT, DCRat, and Babylon RAT, all of which enable full control of infected systems and provide attackers with remote surveillance, credential theft, and command execution capabilities. Payloads may be delivered in plain text or concealed via steganography inside images. A parallel distribution method uses a Microsoft Intermediate Language (MSIL)-based loader that performs similar anti-analysis checks before fetching an obfuscated PowerShell script, a DLL, and the main payload.

The final execution sequence embeds data from the DLL and payload directly into memory, bypassing the file system to minimize forensic artifacts. Security researchers warn that UpCrypter’s evolving design, combining layered obfuscation, sandbox evasion, and flexible RAT deployment, points to an actively maintained delivery ecosystem capable of persisting across environments that rely only on traditional defenses.

The Ugly | Salt Typhoon Expands Global Cyber-Espionage Campaign via Router Exploits

Authorities from 13 nations, including the U.S., U.K., Canada, Germany, and Japan, have issued a joint security advisory linking three Chinese tech companies to advanced persistent threat (APT) group Salt Typhoon (also tracked as UNC2286). Supplied with intelligence services, cyber tools, and stolen data, the China-based actor has been able to intensify its global cyberespionage operations. Targeting has focused on telecommunications, government, transportation, and military infrastructure since at least 2019.

The group focuses on exploiting backbone, provider edge (PE), and customer edge (CE) routers, using flaws such as CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, CVE-2023-46805, CVE-2024-21887, and CVE-2024-3400. Compromised devices are modified for persistence through generic routing encapsulation (GRE) tunnels, altered Access Control Lists (ACLs), custom containers, and added IP-controlled ports. Attackers further exploit Terminal Access Controller Access Control System Plus (TACACS+) authentication traffic on TCP/49 to harvest highly privileged administrator credentials, enabling lateral movement across network environments.

To date, Salt Typhoon has attacked over 600 organizations across 80 countries. The advisory emphasized that intrusions into telecom and transportation networks have enabled Chinese intelligence services to track communications and movements worldwide. Experts urge defenders to watch for configuration changes, container activity, unusual tunnels, and integrity issues in firmware and logs.
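As an added example (not from the advisory or this post), the following Python audit diffs a router's running-config against a known-good baseline and tags each change that matches the indicator classes defenders are told to watch: new tunnel interfaces, GRE tunnel settings, ACL entries, and AAA/TACACS+ settings. The IOS-style configs, addresses and rule names are constructed for the example.

```python
import difflib
import re

# Constructed IOS-style configs (made up for this example): a known-good baseline
# and the same device after a GRE tunnel and an ACL exception were added.
BASELINE = """\
hostname pe-router-1
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
"""
TAMPERED = BASELINE.replace("ip access-list", """\
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
ip access-list""").replace(" deny ip any any", """\
 permit tcp host 203.0.113.77 any eq 22
 deny ip any any""")

# Indicator classes the advisory tells defenders to watch for in config changes.
RULES = [
    ("gre_tunnel", re.compile(r"^\s*tunnel (mode gre|destination)", re.I)),
    ("tunnel_interface", re.compile(r"^interface Tunnel", re.I)),
    ("acl_entry", re.compile(r"^\s*(permit|deny)\b|^(ip )?access-list", re.I)),
    ("aaa_tacacs", re.compile(r"^\s*(aaa |tacacs)", re.I)),
]

def config_delta(baseline, current):
    """Return (added, removed) config lines from a zero-context unified diff."""
    added, removed = [], []
    for line in difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                     lineterm="", n=0):
        if line[:3] in ("---", "+++") or line.startswith("@@"):
            continue  # skip file headers and hunk markers
        (added if line[0] == "+" else removed).append(line[1:])
    return added, removed

def audit(baseline, current):
    """Tag every changed line with the indicator classes it matches."""
    added, removed = config_delta(baseline, current)
    findings = []
    for prefix, lines in (("added", added), ("removed", removed)):
        for line in lines:
            for name, rx in RULES:
                if rx.search(line):
                    findings.append((f"{prefix}_{name}", line.strip()))
    return findings
```

Running `audit(BASELINE, TAMPERED)` flags the new Tunnel100 interface, its GRE settings, and the ACL entry admitting the external host; lines such as `tunnel source` that match no rule are left unreported, so the rule list should be extended with whatever your platform's syntax for containers or extra listening ports looks like.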

To counter Salt Typhoon and similar threats, the guidance calls for rapid patching, adoption of zero-trust models, disabling unused services, and strengthening authentication. Officials warn that adversaries will only grow more sophisticated, stressing the need to retire outdated systems and harden defenses.