Threat Matrix: March 2025

Welcome to the first spring edition of Upfort’s Threat Matrix. This month we cover fraudulent file converters spreading malware, an infostealing video game demo, an intricate Google Maps scam targeting small businesses, and a wave of new ransomware threats.

Want to help keep your company safe? It only takes two minutes to complete our interactive cybersecurity checklist to see how prepared you are. Or take a free cybersecurity risk assessment, which taps Upfort’s state-of-the-art AI to surface exploitable vulnerabilities in your network.

Fake file converters spreading malware and ransomware

The FBI is alerting the public about a surge in fake online file converter tools that are being used to distribute malware and steal sensitive data. Posing as free services to convert or merge documents, audio, or video files, these websites deliver malicious downloads that can lead to ransomware infections or data breaches. In some cases, they even scrape uploaded documents for personal information, including Social Security numbers, crypto wallet keys, and banking credentials.

Cybercriminals use tactics like typo-squatting—slightly altering URLs to mimic legitimate sites—and paid search ads to appear at the top of search engine results. Recent reports confirm that sites like “docu-flex[.]com” and “pdfixers[.]com” were distributing malware-laced executables.

How to protect your business: Avoid using unknown or free file conversion sites found via search engines. Instead, rely on trusted software or cloud services. Train employees to verify links before downloading files and use endpoint protection to detect malicious downloads.
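The typo-squatting tactic described above can be checked mechanically before a link is opened. The Python script below is an added example, not part of Upfort’s newsletter or of any tool it mentions: it compares the domain of a link against a constructed allowlist of approved document services and reports near-matches (transposed letters) and brand-padded names (a brand plus extra words) as look-alikes, while anything else is reported as unknown. The allowlist, the similarity threshold and the sample links are assumptions for illustration; the two converter domains from the FBI alert appear only to show how unfamiliar sites are reported.

```python
"""Flag look-alike (typo-squatted) domains against an allowlist of approved sites.

Added example: the allowlist, the threshold and the sample URLs are constructed
for illustration and are not values from the newsletter.
"""
import difflib
from urllib.parse import urlsplit

# Constructed allowlist: document/file services this business has approved.
TRUSTED_DOMAINS = {"docusign.com", "adobe.com", "smallpdf.com"}

# Similarity (0-1) at or above which a domain label is treated as a look-alike.
LOOKALIKE_THRESHOLD = 0.8


def normalize_host(url: str) -> str:
    """Lowercase hostname from a URL or bare domain. Also accepts the defanged
    'example[.]com' / 'hxxp://' forms used in threat reports."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def second_level_label(host: str) -> str:
    """Label left of the TLD (naive last-dot split; enough for the .com names here)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify_domain(url: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, closest_trusted): 'trusted', 'lookalike' or 'unknown'."""
    host = normalize_host(url)
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted", host
    label = second_level_label(host)
    best, best_score = None, 0.0
    for t in trusted:
        t_label = second_level_label(t)
        # Edit-distance style similarity catches transpositions such as docusgin.
        score = difflib.SequenceMatcher(None, label, t_label).ratio()
        # A brand name padded with extra words (adobe-pdf-convert) is also a look-alike.
        if t_label in label and label != t_label:
            score = max(score, 0.9)
        if score > best_score:
            best, best_score = t, score
    if best_score >= LOOKALIKE_THRESHOLD:
        return "lookalike", best
    return "unknown", None


def audit_links(urls):
    """Classify every URL; anything not 'trusted' deserves a second look before use."""
    return [(u, *classify_domain(u)) for u in urls]


# Constructed sample links: an approved site, two look-alikes, and the two
# converter domains named in the FBI alert (written defanged).
SAMPLE_LINKS = [
    "https://www.adobe.com/acrobat/online/pdf-to-word.html",
    "http://adobe-pdf-convert.com/free",
    "https://docusgin.com/login",
    "docu-flex[.]com",
    "pdfixers[.]com",
]

if __name__ == "__main__":
    for url, verdict, closest in audit_links(SAMPLE_LINKS):
        note = f"  (resembles {closest})" if verdict == "lookalike" else ""
        print(f"{verdict:9} {url}{note}")
```

The same classification can be wired into a mail or proxy filter: a look-alike verdict is a strong signal to block, while an unknown verdict matches the advice above to avoid converter sites found through search results.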

Steam pulls fake game demo spreading infostealing malware

Valve has removed the game demo Sniper: Phantom’s Resolution from the Steam store after it was found to distribute information-stealing malware. The demo, published by a fake developer known as “Sierra Six Studios,” tricked users into downloading a malicious installer hosted on an external GitHub link. Once executed, the installer deployed tools to intercept cookies, steal credentials, and maintain persistence on infected systems.

The malware used deceptive filenames like Windows Defender SmartScreen.exe and quickly terminated background scripts to avoid detection. The developer’s GitHub account also hosted other suspicious tools, including crypto utilities and Telegram bot kits. Steam has taken down the game, and GitHub removed the malicious repository after user reports.

How to protect your business: Only download software and updates from official platforms. Train staff to avoid third-party links, even if they appear to come from trusted sources. Use endpoint protection to detect stealthy malware, and routinely scan systems for suspicious files.
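The malware above hid behind a filename borrowed from a Windows security component, which is a pattern that can be hunted for routinely. The Python script below is an added example, not part of the newsletter or of any Steam or GitHub tooling: it walks a process listing and flags executables whose names mimic Windows or Defender components but run from outside the directories those components are installed in, with extra weight for user-writable drop locations and display-style names containing spaces. The baseline directories, the mimicked name tokens and the sample process records are constructed for illustration.

```python
"""Flag running executables that borrow the names of Windows security components
but live outside the directories those components are installed in.

Added example: the baseline lists and the process records below are constructed
for illustration; tune them from your own endpoint inventory.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where genuine Windows / Defender binaries are expected (constructed baseline).
SYSTEM_DIRS = (
    "c:/windows/system32",
    "c:/windows/syswow64",
    "c:/program files/windows defender",
)
# Name fragments that malware commonly borrows to blend in (constructed baseline).
MIMICKED_TOKENS = ("smartscreen", "defender", "msmpeng", "mpcmdrun", "svchost")
# Path fragments that indicate a user-writable drop location.
USER_WRITABLE_HINTS = ("/appdata/", "/temp/", "/downloads/", "/users/public/")


@dataclass
class ProcessRecord:
    pid: int
    image_path: str  # full path of the running image, as Windows reports it


def normalize(path: str) -> str:
    """Forward slashes and lowercase so prefix checks are case-insensitive."""
    return path.replace("\\", "/").lower()


def mimics_system_component(stem: str) -> bool:
    """True when the file name (without extension) contains a borrowed component name."""
    s = stem.lower()
    return any(token in s for token in MIMICKED_TOKENS)


def in_system_dir(norm_path: str) -> bool:
    return any(norm_path.startswith(d + "/") for d in SYSTEM_DIRS)


def assess(record: ProcessRecord) -> list:
    """Return the reasons a process looks like a masquerading binary (empty if none)."""
    norm = normalize(record.image_path)
    stem = PureWindowsPath(record.image_path).stem
    if not mimics_system_component(stem) or in_system_dir(norm):
        return []
    reasons = ["system-component name running outside a system directory"]
    if any(h in norm for h in USER_WRITABLE_HINTS):
        reasons.append("image lives in a user-writable location")
    if " " in stem:
        # Heuristic: real binaries use short names (smartscreen.exe), not display names.
        reasons.append("display-style name with spaces")
    return reasons


def scan(records):
    """Map pid -> reasons for every record that raises at least one reason."""
    findings = {}
    for r in records:
        reasons = assess(r)
        if reasons:
            findings[r.pid] = reasons
    return findings


# Constructed process listing: one impostor among legitimate processes.
SAMPLE_PROCESSES = [
    ProcessRecord(812, r"C:\Windows\System32\smartscreen.exe"),
    ProcessRecord(2210, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessRecord(4120, r"C:\Users\alice\AppData\Local\Temp\SniperDemo\Windows Defender SmartScreen.exe"),
    ProcessRecord(5301, r"C:\Users\alice\Downloads\setup.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCESSES).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

In practice the records would come from an EDR export or a scheduled process inventory, and the same checks apply to on-disk files in download and temp folders, which is the routine scan the advice above recommends.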

Scammers post thousands of fake business listings on Google Maps

Google has filed a lawsuit against individuals running a large-scale scam that created over 10,000 fake business listings on Google Maps. These fraudulent profiles were sold or used to impersonate legitimate businesses, deceive customers, and in some cases, reroute calls to scam centers or charge inflated fees for services. The scheme came to light after a Texas locksmith discovered someone impersonating their business.

In 2023 alone, Google says it blocked or removed 12 million fake listings—an increase of over one million from the previous year. The company is also cracking down on fake reviews and manipulative engagement tactics that scammers use to boost visibility in local search results.

How to protect your business: Small businesses should routinely check their online presence for fake listings or impersonators. Claim and verify your business on platforms like Google Maps, monitor customer reviews, and report fraudulent listings immediately to protect your brand and reputation.

PA education union breach exposes data of 500k+

The Pennsylvania State Education Association (PSEA), the largest public-sector union in the state, has confirmed that a July 2024 cyberattack compromised the personal, financial, and health data of more than 500,000 people. Exposed information may include Social Security numbers, medical records, driver’s license numbers, passport data, and payment card details.

Although PSEA did not name the attackers in its disclosure, the Rhysida ransomware gang claimed responsibility and demanded a ransom of 20 BTC. The union is offering affected individuals free identity protection services and is urging them to monitor accounts for suspicious activity.

How to protect your business: Any organization storing sensitive employee or customer information should encrypt that data, limit access based on job roles, and conduct regular security audits. Have an incident response plan ready—and ensure ransomware-specific protections like offline backups and MFA are in place.

23andMe files for bankruptcy, time to delete your DNA data

Genetic testing company 23andMe has filed for Chapter 11 bankruptcy and plans to sell its assets after years of financial difficulties. Although the company claims it will continue to safeguard customer data throughout the sale process, privacy experts warn that the genetic information of over 12 million customers could be at risk if acquired by less responsible entities.

The California Attorney General’s Office has issued a consumer alert advising users to delete their data, destroy test samples, and revoke research permissions. Meanwhile, the UK’s Information Commissioner’s Office emphasized that 23andMe remains bound by strict GDPR data protection laws. The bankruptcy filing follows a massive 2023 breach that exposed sensitive data from 6.4 million users and led to multiple lawsuits and changes to the company’s Terms of Use.

How to protect your business: If your small business collects or stores customer data—especially health or personal information—have clear data retention and deletion policies in place. Make sure you only store what’s necessary, encrypt sensitive data, and provide customers with easy ways to manage or delete their information. In the event of a sale or shutdown, prioritize transparency and security to maintain trust.

Attackers spoof SEMrush ads to steal Google credentials

Cybercriminals are targeting SEO professionals and digital marketers by using spoofed Google Ads for SEMrush that redirect users to fake login pages. These phishing sites are designed to closely mimic SEMrush’s branding, but instead capture users’ Google credentials, which are often linked to sensitive company data and marketing platforms.

Researchers say this campaign is part of a “cascading fraud” model where attackers hijack ad accounts to launch new malicious campaigns, further spreading the threat. Because SEMrush accounts often integrate with Google Ads, Search Console, and Analytics, a compromised login can lead to extensive business exposure.

How to protect your business: Marketers and small businesses should be cautious when clicking on sponsored search results and always verify domain names. Use two-factor authentication (2FA) on all linked accounts, and regularly audit user access to connected platforms.

VanHelsing ransomware emerges with stealthy new campaign

A new ransomware-as-a-service (RaaS) operation called VanHelsing has emerged, targeting a wide range of platforms including Windows, Linux, BSD, ARM-based devices, and VMware ESXi servers. Promoted on underground cybercrime forums, VanHelsing appeals to experienced attackers by offering advanced features, an 80/20 revenue split, and a stealth encryption mode designed to evade detection.

The ransomware uses the ChaCha20 encryption algorithm and can selectively encrypt files while disguising its behavior as normal system activity. VanHelsing has already claimed victims in the U.S. and France, including a Texas city government and two tech companies, with ransom demands reportedly reaching $500,000. Despite some coding flaws, researchers warn the malware is rapidly evolving and poses a serious threat.

How to protect your business: Small businesses should segment their networks, secure remote access points, and regularly back up data offline. Keep all systems and third-party applications patched, and monitor for unusual file activity that could indicate ransomware behavior.

Apple patches iOS bug that exposed users to phishing attacks

Apple has patched a vulnerability in its iOS Passwords app that left users exposed to phishing attacks for three months. The issue, which was fixed in iOS 18.2, involved unencrypted network requests made by the app when fetching website icons and logos. This allowed attackers on the same Wi-Fi network—such as at cafes or airports—to redirect users to fake login pages and harvest credentials.

The flaw was originally discovered by researchers at Mysk, who demonstrated how attackers could impersonate legitimate sites using the app’s unencrypted traffic. The vulnerability also affected macOS, iPadOS, and visionOS, and has since been addressed across all platforms.

How to protect your business: Encourage employees to update devices promptly and avoid using public Wi-Fi for sensitive logins. Use VPNs on untrusted networks and educate staff on spotting phishing techniques, even when apps seem secure.

DrayTek router bug triggers reboot loops around the globe

Thousands of DrayTek routers worldwide experienced mass outages over the weekend due to a software bug that forced devices into constant reboot cycles. The issue, which affected models such as the Vigor 3910, 2962, and 1000B, caused widespread internet disruptions for businesses and consumers alike. Internet service providers (ISPs) and DrayTek quickly recommended firmware updates to resolve the issue, which appears unrelated to a cyberattack.

DrayTek released updated firmware to fix the bug and is encouraging affected users to install the latest version. Some ISPs offered temporary workarounds, including configuration changes, while customers waited for permanent patches.

How to protect your business: Small businesses relying on networking hardware should enable automatic firmware updates when possible and subscribe to vendor alerts. Maintain offline copies of router configuration settings to speed up recovery in the event of outages or failed updates.
