Also: BianLian Ransomware Hackers Aren’t Really Mailing You

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, the United States sanctioned an Iran-based Nemesis admin, Dark Caracal deployed Poco RAT in Latin America, Apple challenged a British order to weaken cloud backup encryption and the FBI warned against scam letters claiming to come from BianLian. Also: the United Kingdom extradited an accused Nigerian tax scammer and hacker, researchers discovered a new botnet and Cisco disclosed a Webex vulnerability.
US Sanctioned Iran-Based Admin of Darknet Drug Market
The U.S. Department of the Treasury sanctioned Behrouz Parsarad, an Iranian national accused of running Nemesis, a darknet marketplace facilitating drug sales, cybercrime and money laundering. The move comes a year after German law enforcement seized the platform’s infrastructure in a coordinated international operation.
Nemesis, founded in 2021, had more than 150,000 users and facilitated $30 million in drug sales, including fentanyl. Marketplace sellers also offered stolen data, fake documents and cybercrime services such as ransomware and distributed denial-of-service attacks.
The Treasury said Parsarad controlled all marketplace operations and cryptocurrency wallets, profiting from transaction fees and laundering funds for cybercriminals. Since Nemesis’ shutdown, he has allegedly tried to rebuild the platform.
The U.S. federal government in coordination with German law enforcement identified 49 crypto wallets linked to Parsarad.
European and U.S. enforcement agencies have been ramping up takedowns of darknet marketplaces (see: European Police Make Headway Against Darknet Drug Markets).
Dark Caracal Deploys Poco RAT in Latin America Cyberattacks
A cyberespionage group tracked as Dark Caracal, once linked to Lebanese intelligence, is behind the deployment of Poco RAT in Latin America, Russian cybersecurity firm Positive Technologies said.
First spotted by Cofense in July 2024, Poco RAT has been used in phishing attacks against sectors such as mining, manufacturing, hospitality and utilities. This recent campaign relies on finance-themed phishing emails with malicious Spanish-language attachments. Victims are redirected to cloud storage platforms such as Google Drive and Dropbox, where they unknowingly download Poco RAT hidden in .rev archives.
The attacks primarily target businesses in Venezuela, Chile, the Dominican Republic, Colombia and Ecuador. Positive Technologies attributes them to Dark Caracal due to operational similarities with its past cyberespionage efforts, including the Bandidos campaign in 2021, which used Bandook malware against Spanish-speaking countries.
Poco RAT establishes a connection to a command-and-control server, allowing remote access. Unlike some malware, it does not include a built-in persistence mechanism, suggesting that attackers issue commands to maintain access or use it as a foothold for deploying more sophisticated payloads. The use of .rev archives, originally designed to reconstruct corrupted files, helps the malware evade detection, making it a stealthy and persistent cyberthreat.
Apple Challenges UK Order to Weaken iCloud Encryption
Apple filed a legal complaint with the U.K. Investigatory Powers Tribunal against a government order demanding it weaken optional end-to-end encryption for cloud-stored Apple device backups, the Financial Times reported. This marks the first appeal of its kind before the IPT, which oversees legal challenges against British intelligence agencies.
The dispute stems from a technical capability notice reportedly issued by the Home Office, ordering Apple to create a backdoor for law enforcement access into backups for users who have enabled the “Advanced Data Protection” feature on their iCloud accounts.
Apple responded by disabling Advanced Data Protection for U.K. users in February (see: Apple Withdraws Strong Encryption Feature for All UK Users).
FBI Warns Corporate Executives to Be Wary of Email Scam
The FBI warned corporate executives Thursday to be on the lookout for snail mail letters claiming that the “BianLian Group” has stolen sensitive corporate data. The letters are stamped “Time Sensitive Read Immediately” and contain a QR code linked to a Bitcoin wallet. Letter writers demand a payment of between $250,000 and $500,000 within ten days.
Whoever is behind the letters, they’re apparently not associated with the actual Russia-based BianLian ransomware operation, the FBI said (see: Feds Warn of New BianLian Ransomware Group Attack Profile).
Security firms Guidepoint and Arctic Wolf also published warnings about these letters, which are postmarked from Boston.
To appear legitimate, some letters include actual compromised passwords. But a Guidepoint researcher said with high confidence that these extortion demands are fake and not linked to BianLian. Arctic Wolf also reports no evidence of real breaches.
Nigerian Hacker Extradited to US Over $6M Cyber Fraud Scheme
The United Kingdom extradited a Nigerian national to the United States to face charges in a cyber fraud scheme that stole over $1.3 million in fraudulent tax refunds over five years. Prosecutors say Kehinde Hassan and his co-conspirators phished tax preparation firms to deliver the Warzone RAT and steal personal information of clients in order to file fraudulent tax returns. Conspirators attempted to obtain $8.1 million in tax returns.
British authorities arrested Hassan in 2024 at Heathrow Airport. Hassan faces multiple felony charges, which could lead to decades in prison if convicted. An alleged accomplice, Kolawole Awonuga, pleaded guilty last year and is serving a five-year sentence.
Eleven11bot Malware Infects 86,000 IoT Devices
Researchers found a new botnet malware infecting over 86,000 Internet of Things devices, mainly security cameras and network video recorders, to launch large-scale DDoS attacks on telecom providers and gaming servers.
Discovered by Nokia researchers and further analyzed by GreyNoise, the Eleven11bot botnet is one of the largest observed since 2022. Initial reports estimated 30,000 infected devices, but the Shadowserver Foundation later detected 86,400, with most infections in the United States, United Kingdom, Mexico, Canada and Australia.
Eleven11bot generates attacks reaching hundreds of millions of packets per second, often lasting for days. GreyNoise and Censys identified 1,400 IPs linked to the botnet, with 96% originating from real devices, mostly in Iran. Over 300 IPs are known to be malicious.
The malware spreads by brute-forcing weak admin credentials, exploiting default IoT passwords, and scanning for exposed Telnet and SSH ports. GreyNoise recommends adding identified IPs to blocklists and monitoring for suspicious logins.
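As an added illustration of the monitoring step GreyNoise recommends (this is not code from the article, GreyNoise or Nokia), the detector below runs over constructed sshd-style log lines and flags three things a defender would want to see: a run of failed logins from one source, a success that follows such a run (the signature of a guessed weak or default credential), and any login attempt from an address on a blocklist. The log lines, the RFC 5737 documentation-range addresses and the blocklist are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real botnet traffic); the addresses are
# RFC 5737 documentation-range placeholders.
SAMPLE_LOG = """\
Mar  3 10:01:02 cam01 sshd[811]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  3 10:01:03 cam01 sshd[811]: Failed password for admin from 198.51.100.7 port 41023 ssh2
Mar  3 10:01:04 cam01 sshd[811]: Failed password for admin from 198.51.100.7 port 41024 ssh2
Mar  3 10:01:05 cam01 sshd[811]: Failed password for invalid user support from 198.51.100.7 port 41025 ssh2
Mar  3 10:01:06 cam01 sshd[811]: Accepted password for admin from 198.51.100.7 port 41026 ssh2
Mar  3 10:05:00 cam01 sshd[812]: Accepted publickey for ops from 192.0.2.10 port 50000 ssh2
Mar  3 10:06:00 cam01 sshd[813]: Failed password for root from 203.0.113.9 port 33001 ssh2
"""

# Constructed blocklist standing in for a feed of source IPs identified as botnet members.
BLOCKLIST = {"203.0.113.9"}

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def analyze(log_text, blocklist, threshold=3):
    """Return {source_ip: [finding, ...]} for every source that looks suspicious."""
    failures = defaultdict(int)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user, result = m["ip"], m["user"], m["result"]
        if ip in blocklist:
            findings[ip].append(f"blocklisted source attempted login as {user}")
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:  # report once, when the threshold is crossed
                findings[ip].append(f"brute-force pattern: {threshold}+ failures")
        elif failures[ip] > 0:
            # A success right after repeated failures usually means a weak or
            # default credential was guessed; this is the login to investigate.
            findings[ip].append(f"success for {user} after {failures[ip]} failures")
    return dict(findings)
```

Clean sources (the publickey login from 192.0.2.10 in the sample) produce no finding, so the output is only the addresses worth acting on.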
Cisco Warns of Webex Vulnerability Exposing Credentials
Cisco warned customers of a vulnerability in Webex for BroadWorks that could let unauthenticated attackers access credentials remotely if session initiation protocol communication is not securely configured.
Discovered by Cisco researchers and disclosed in a Tuesday security advisory, the flaw affects Cisco BroadWorks (on-premises) and Webex for Cisco BroadWorks (hybrid cloud/on-premises) running in Windows environments. The issue arises from sensitive data being exposed in SIP headers, potentially allowing attackers to steal credentials and impersonate users.
Cisco pushed a configuration change to fix the issue and advised users to restart their Webex app. As a temporary workaround, admins should enable secure SIP transport to encrypt data and rotate credentials in case they have already been compromised.
The Cisco Product Security Incident Response Team said it had no evidence of active exploitation or public disclosures related to this vulnerability.
With reporting from Information Security Media Group’s Prajeet Nair in Bengaluru, India, and David Perera in Washington, D.C.