Archive for CloudSEK

CloudSEK Uncovers New Epsilon Red Ransomware

Posted in Commentary with tags on July 25, 2025 by itnerd

CloudSEK’s latest threat intelligence report reveals a sophisticated ransomware campaign leveraging fake ClickFix-themed verification pages to distribute Epsilon Red malware.

Threat actors are impersonating platforms like Discord, Twitch, and OnlyFans to trick users into downloading .HTA files. These payloads silently execute ransomware via browser-based ActiveX abuse—bypassing standard security measures and putting global users at risk.

Key Highlights:

  • Active campaign observed in July 2025
  • Abuse of social engineering and brand impersonation
  • Infrastructure linked to multiple fake domains and IPs
  • Epsilon Red ransom notes bear stylistic resemblance to REvil, though the malware is distinct
  • Final-stage deployment of Epsilon Red ransomware

Full report available here:
🔗 https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware

Guest Post: Uncovering Chinese Dark Web Syndicates and Money Mule Pipeline to Indian Banks

Posted in Commentary with tags on July 16, 2025 by itnerd

CloudSEK has released a groundbreaking whitepaper uncovering a sophisticated network of Chinese-operated illegal payment gateways exploiting India’s digital banking infrastructure. 

The report, titled Chinese-Operated Illegal Payment Gateways Exploiting & Laundering in the Indian Financial Network, reveals how transnational criminal syndicates are orchestrating a multi-billion-dollar shadow economy, laundering funds through illicit gateways that facilitate illegal gambling, Ponzi schemes, predatory lending, and digital fraud.

A Parallel Financial Ecosystem Threatening India’s Economy

India’s rapid digital transformation, powered by the Unified Payments Interface (UPI), has revolutionized financial access but also created vulnerabilities. CloudSEK’s research exposes how Chinese-led syndicates are exploiting these gaps, operating illegal payment gateways that bypass Reserve Bank of India (RBI) regulations. 

These gateways serve as the financial backbone for illicit operations, facilitating the movement of tainted money through a web of “mule” bank accounts to obscure its origins before exfiltrating it via cryptocurrency or hawala networks.

Key findings include:

  • Massive Scale of Operations: A single fraudulent app analyzed by CloudSEK facilitated ₹166 crore in transactions across 398,675 transactions, involving 34,299 unique mule accounts in just 12 months. Extrapolating to an estimated 25 similar apps, the total laundered amount could reach ₹4,000–5,000 crore annually, with a daily volume of ₹10–15 crore.
  • Sophisticated Mule Recruitment: Criminals target vulnerable Indians—unemployed youth, students, and rural communities—through fraudulent apps, face-to-face agents, and “work-from-home” OTP-sharing scams to harvest bank accounts. These accounts are then integrated into advanced dashboards for large-scale money laundering.
  • Global Reach, Local Impact: 40+ countries involved in the illegal payment gateway network. The syndicates operate from Southeast Asia and the Mekong region, using mule accounts from India, Pakistan, Bangladesh, and beyond. Funds are laundered through dynamic UPI IDs, cryptocurrency (primarily USDT-Tether), and fake international trade, draining India’s economy and evading taxes.
  • Diverse Illicit Clients: The gateways serve illegal gambling platforms (e.g., Aviator crash games), Ponzi schemes, predatory lending apps, fake stock trading platforms, and digital arrest scams, charging transaction fees of 3–10% based on the risk level of the funds.
  • Tech-Enabled Deception: Over 100 Telegram channels promote these gateways, while YouTube tutorials with 37,200+ views guide fraudsters on integrating APIs. Shell companies pose as legitimate fintechs, using paid ads on Google, Facebook, and Instagram to whitewash their operations.

Three-Tier Exploitation Model Uncovered

CloudSEK’s research identified three distinct categories of illegal payment gateway clients, each charged different fees based on risk levels:

  1. Gaming & Gambling Platforms (5% deposit, 3% withdrawal fees) – Including illegal casinos and betting apps like crash games
  2. Ponzi & Investment Schemes (7-8% deposit, 4-5% withdrawal fees) – Fake investment platforms promising unrealistic returns
  3. Mixed Scam Operations (10% deposit, 10% withdrawal fees) – Multi-source fraud including loan scams and crypto doubling schemes

The syndicates employ multiple recruitment strategies to acquire Indian bank accounts, including fraudulent mobile applications that request banking credentials and intercept OTP messages, face-to-face agents who target vulnerable populations with cash payments, and “work-from-home” schemes where individuals unknowingly serve as human OTP relays.

Technical Sophistication Rivals Legitimate Services

The illegal gateways operate with remarkable technical sophistication, featuring dynamic UPI infrastructure that generates unique QR codes for each transaction, full API integration allowing automated fund collection, global wallet access enabling multi-currency transactions, and comprehensive monitoring dashboards for real-time transaction management.

Once funds are collected, they undergo a complex layering process across 7-10 different mule accounts within minutes, making detection and tracing extremely difficult. The final stage involves exfiltrating laundered funds from India through cryptocurrency purchases, traditional hawala networks, or trade-based money laundering schemes.

Real-World Consequences for India

The implications of these findings are profound:

  • Economic Drain: The shadow economy siphons billions of rupees annually, weakening the Indian Rupee and depriving the government of tax revenue.
  • Financial System Integrity: The volume of fraudulent transactions overwhelms bank fraud detection systems, eroding public trust in digital payments.
  • Social Harm: Indian citizens are doubly victimized—first as targets of scams and then as unwitting money mules facing frozen accounts or legal repercussions.
  • National Security Risks: The infrastructure could fund activities against India’s interests, while massive data collection by fraudulent apps poses espionage risks.

Law enforcement actions validate CloudSEK’s findings: 

  • Hyderabad Police (2022): Uncovered ₹700+ crore money laundering operation with Chinese nationals operating from Dubai
  • Enforcement Directorate (2022-2023): Froze hundreds of crores across multiple investigations into predatory loan and gambling apps
  • Odisha EOW (2023): Revealed over 1,000 mule accounts used to launder ₹1,000+ crore from cyber-scams

The shadow banking system poses significant threats to India’s economic sovereignty, financial system integrity, and national security while victimizing countless citizens who become unwitting money mules.

We have already reported a total of ~47,000 mule accounts to both Public and Private sector banks since we began extracting and analyzing data from illicit mobile applications. These accounts collectively represent a transaction volume of around ₹250 crore.

A Call to Action

CloudSEK urges immediate, coordinated action to dismantle these networks:

  • Banks and Fintechs: Deploy AI-powered monitoring to detect mule account patterns and strengthen KYC for corporate accounts.
  • Regulators: Enforce stricter fintech oversight and issue clear guidelines on mule account liability.
  • Law Enforcement: Build specialized cyber-financial crime units and pursue international cooperation to target syndicate leaders.
  • Tech Platforms: Enhance app vetting on Google and Apple stores to block fraudulent apps.
  • Public Awareness: Launch nationwide campaigns to educate citizens about the risks of sharing OTPs or “renting” bank accounts, emphasizing that acting as a money mule is a serious crime.

CloudSEK’s Commitment to Cybersecurity

“These illegal payment gateways are not just financial crimes; they’re a direct attack on India’s digital economy and citizen trust. Our research arms stakeholders with actionable intelligence to disrupt these networks and protect India’s financial sovereignty,” said Mayank Sahariya, Cyber Threat Analyst at CloudSEK.

“Financial institutions, regulators, and law enforcement agencies must move beyond reactive measures to proactive, intelligence-driven strategies. The window for action is narrowing as these networks continue to expand and sophisticate their operations,” Mayank Sahariya added.

CloudSEK continues to monitor these criminal networks and provide actionable intelligence to help financial institutions, regulators, and law enforcement agencies protect India’s digital economy and financial sovereignty.

CloudSEK Raises $19 Million in Series B1 Funding to Scale Predictive Cybersecurity Platform

Posted in Commentary with tags on May 20, 2025 by itnerd

CloudSEK has raised $19 million across its Series A2 and B1 funding rounds. The round included participation from a mix of India- and US-based investors, such as MassMutual Ventures, Inflexor Ventures, Prana Ventures, Tenacity Ventures, and select strategic investors, including Commvault. Notably, Meeran Family (founders of Eastern Group), StartupXSeed, Neon Fund and Exfinity Ventures are among CloudSEK’s earlier backers and continue to support the company’s long-term vision.

Founded in 2015 by cybersecurity researcher-turned-entrepreneur Rahul Sasi, CloudSEK was created with a mission to build a safer digital future by proactively predicting and mitigating cyber threats. What began as a research-driven initiative has since evolved into one of the industry’s most trusted threat intelligence platforms—serving 250+ enterprises across banking, healthcare, technology, and the public sector.

The newly raised capital will fuel CloudSEK’s continued product innovation and global expansion, with a focus on advancing its AI models and platform integrations. Unlike traditional tools that respond after an incident, CloudSEK identifies Initial Attack Vectors (IAVs)—the earliest signs of a potential breach, such as leaked credentials, exposed APIs, or compromised vendors.

CloudSEK’s differentiated approach has resonated globally, earning the company a 4.8-star rating on Gartner Peer Insights across 195 reviews, making it one of the most recommended vendors in the cybersecurity space.

With this funding and a strategic investor on board, CloudSEK is doubling down on its vision to make predictive threat intelligence a global cybersecurity standard, empowering organizations to stay ahead of increasingly sophisticated threat actors.

Guest Post: Fake PDF Converters Used to Deploy ArechClient2 Malware Warns CloudSEK

Posted in Commentary with tags on April 15, 2025 by itnerd

CloudSEK’s security researchers have uncovered a sophisticated malware campaign using fake PDF-to-DOCX conversion tools to infect unsuspecting users with a powerful information stealer. This comes just weeks after the FBI’s Denver office issued a public alert warning of malicious online file converters being leveraged to deliver malware.

The report reveals how cybercriminals have crafted deceptive websites, such as candyxpdf[.]com and candyconverterpdf[.]com, that meticulously mimic the legitimate pdfcandy.com service. 

These fraudulent platforms lure users into executing a malicious PowerShell command, initiating a complex infection chain that delivers malware capable of stealing sensitive data, including browser credentials, cryptocurrency wallets, and other personal information. 

A Sophisticated Blend of Deception and Technology

The campaign employs advanced social engineering to exploit users’ trust. Victims uploading a PDF for conversion encounter a fake processing animation, followed by an unexpected CAPTCHA prompt designed to enhance the site’s perceived legitimacy and rush users into action. This leads to instructions to run a PowerShell command, which triggers a redirection chain through domains like bind-new-connect[.]click, ultimately delivering a malicious “adobe.zip” payload. The archive contains “audiobit[.]exe,” which leverages legitimate Windows tools like MSBuild[.]exe to deploy ArechClient2.

“This campaign highlights how cybercriminals exploit everyday digital tools. By combining psychological manipulation with technical sophistication, these attackers turn routine tasks like file conversion into opportunities for data theft. Our research aims to equip individuals and organizations with the knowledge to stay safe,” said Varun Ajmera, Threat Intelligence Researcher, CloudSEK.

The scale of this threat becomes clear when considering the popularity of the legitimate PDFCandy.com, which attracts approximately 2.8 million monthly visits. Notably, India represents the largest segment of its user base, accounting for 19.07% or roughly 533,960 monthly visitors. This substantial audience provides a vast pool of potential victims for the threat actors behind this malicious campaign. While the fraudulent sites, candyxpdf[.]com and candyconverterpdf[.]com, saw approximately 2,300 and 4,100 visits respectively in March 2025, these numbers demonstrate active exploitation of the impersonated service’s popularity.

How the Attack Works

  • Spoofed Websites: Domains like candyxpdf[.]com and candyconverterpdf[.]com imitate the real PDFCandy website.
  • Deceptive Flow: Fake file conversion followed by a CAPTCHA prompt creates trust and urgency.
  • Malware Trigger: Users are prompted to run a PowerShell command, leading to the download of a malicious ZIP file masquerading as a legitimate Adobe resource.
  • Payload Execution: The ZIP contains audiobit.exe, which executes via MSBuild.exe, a legitimate Windows utility weaponized to run ArechClient2.

CloudSEK’s technical analysis traced the malware delivery chain through multiple redirections, eventually landing on a known malicious domain (bind-new-connect[.]click) to deliver the payload. The attacker’s infrastructure, command chain, and payload hashes are included in the full report.
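As an added example (not code from CloudSEK’s reports or from this post), the Python below shows how a defender might flag the two process chains described on this page over constructed Sysmon-style process-creation events: the mshta.exe hand-off behind the .HTA lure in the Epsilon Red post above, and the PowerShell, audiobit.exe, MSBuild.exe chain in this one. The trusted-path list, the shell-host list and the assumption that the pasted command runs from the Run dialog (so its parent is explorer.exe) are mine, not findings from the report.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line of the new process


# Assumption: parents that may legitimately start MSBuild.exe live under these roots.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")
# Hosts an .HTA commonly hands off to; mshta.exe spawning any of them is suspicious.
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for each event matching one of three parent/child heuristics."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        child, par, cmd = basename(e.image), basename(parent.image), e.cmdline.lower()
        # Rule 1 (.HTA stage): mshta.exe launching a shell or script host.
        if par == "mshta.exe" and child in SHELL_CHILDREN:
            hits.append(("hta_child", e.pid))
        # Rule 2 (ClickFix stage): PowerShell launched from the Run box that hides its window or handles a ZIP.
        elif child == "powershell.exe" and par == "explorer.exe" and ("hidden" in cmd or ".zip" in cmd):
            hits.append(("clickfix_powershell", e.pid))
        # Rule 3 (LOLBin stage): MSBuild.exe started by a binary outside the trusted roots.
        elif child == "msbuild.exe" and not parent.image.lower().startswith(TRUSTED_PARENT_DIRS):
            hits.append(("msbuild_untrusted_parent", e.pid))
    return hits


# Constructed sample telemetry modelled on the two chains described on this page (not real events).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "chrome.exe"),
    # Fake PDF converter: victim pastes the site's command into the Run dialog.
    ProcEvent(300, 100, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              'powershell.exe -w hidden -c "<pasted command that fetches and extracts adobe.zip>"'),
    ProcEvent(400, 300, "C:\\Users\\victim\\AppData\\Local\\Temp\\adobe\\audiobit.exe", "audiobit.exe"),
    ProcEvent(500, 400, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "MSBuild.exe proj.xml"),
    # Fake verification page: browser opens a downloaded .HTA, which spawns PowerShell.
    ProcEvent(600, 200, "C:\\Windows\\System32\\mshta.exe", "mshta.exe C:\\Users\\victim\\Downloads\\verify.hta"),
    ProcEvent(700, 600, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -w hidden <command embedded in the .HTA>"),
    # Benign control: Visual Studio starting MSBuild must not alert.
    ProcEvent(900, 100, "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "devenv.exe"),
    ProcEvent(800, 900, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "MSBuild.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid {pid}")
```

The benign devenv.exe event shows why Rule 3 keys on the parent’s location rather than on MSBuild.exe alone; on a build server the trusted roots would need widening.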

Wider Implications

This campaign demonstrates a growing trend where attackers prey on routine digital activities—like file conversion—to compromise systems. Given the increasing use of online converters in corporate and personal workflows, this type of attack has wide-ranging implications for cybersecurity hygiene.

Protecting Against the Threat

CloudSEK’s report provides actionable recommendations to safeguard individuals and organizations:

  • Stick to Trusted Tools: Use reputable file conversion services from official websites and avoid unverified “free” converters.
  • Strengthen Technical Defenses: Keep antivirus software updated, deploy endpoint detection and response (EDR) solutions, and use DNS filtering to block malicious domains.
  • Educate Users: Train employees to recognize red flags, such as suspicious URLs, unexpected CAPTCHAs, or prompts to run command-line instructions.
  • Incident Response: Isolate compromised devices, change passwords from a clean device, and report incidents to authorities promptly.
  • Offline Alternatives: Consider offline conversion tools to avoid uploading sensitive files to remote servers.

A Call to Vigilance

As online file converters remain a staple in digital workflows, this campaign underscores the need for heightened awareness. “As threat actors become more creative with their tactics, cybersecurity must evolve to prioritize behavior-based detection, user awareness, and zero-trust principles. Organizations should invest in robust endpoint security, DNS filtering, and employee training. Most importantly, we need to reduce reliance on unknown web-based tools and encourage the use of secure, offline alternatives for tasks like file conversion,” said Varun Ajmera, Threat Intelligence Researcher, CloudSEK.

About CloudSEK: CloudSEK is a contextual AI company that predicts Cyber Threats. Our Cloud SaaS platform constantly seeks security solutions for our customers’ digital risks.
To learn more about how CloudSEK can strengthen your external security posture and deliver value from Day One, visit https://cloudsek.com or drop a note to info@cloudsek.com. 

Google OAuth2 Abused To Regenerate Tokens For Persistent Session Access

Posted in Commentary with tags on January 4, 2024 by itnerd

Attackers are exploiting undocumented Google OAuth2 functionality to hijack user sessions. The approach gives them continuous access to Google services, even after a password reset.

Researcher Pavan Karthick M at CloudSEK has detailed how the threat actor called “Prisma” was the first to use a critical OAuth exploit which “allows the generation of persistent Google cookies through token manipulation.”

OAuth 2.0 is a protocol utilized by Google APIs for authentication and authorization, such as enabling “Log in with Google” across the web. It allows users to grant specific data access to applications while safeguarding sensitive information like passwords.

The exploit has two key features:

  • Session Persistence: The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures.
  • Cookie Generation: The capability to generate valid cookies in the event of a session disruption enhances the attacker’s ability to maintain unauthorized access.

2023 Adoption Timeline:

Oct 20: The exploit is first revealed on a Telegram channel.
Nov 14: Lumma announces the feature’s integration with an advanced blackboxing approach. The feature started booming after the security field posted about Lumma’s unique feature.
Nov 17: Rhadamanthys announces the feature with a similar blackboxing approach to Lumma’s.
Nov 24: Lumma updates the exploit to counteract Google’s fraud detection measures.
Dec 1: Stealc implements the Google account token restore feature.
Dec 11: Meduza implements the Google account token restore feature.
Dec 12: RisePro implements the Google account token restore feature.
Dec 26: WhiteSnake implements the Google account token restore feature.
Dec 27: Hudson Rock posts a video from the dark web in which a hacker demonstrates exploiting the generated cookies.

“This analysis… highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report,” Karthick M concludes.

Troy Batterberry, CEO and Founder, EchoMark had this to say:

   “As we navigate the evolving landscape of cybersecurity, the sophistication of threat actors is on the rise, leading to a potential surge in zero-day exploits in 2024. Lumma’s recent assault is a poignant example. The adept concealment of their proprietary attack mechanism and exploit methodologies, coupled with their ability to circumvent detection and sustain persistent access despite routine security measures, underscores the imperative for individuals and businesses alike to heed this wake-up call. Organizations operate on trust and secure data sharing and must prioritize proactive security measures and continuous monitoring to effectively combat the ever-emerging challenges posed by cyber threats.”

This proves that everyone needs to work hard to at least stay level with threat actors, because threat actors are always looking for new angles to launch new attacks, which will end badly for all of us if they succeed.