Experts from Kaspersky Lab have studied the activity of the FunkSec group, which emerged in late 2024. The main features of the group turned out to be: the use of AI-based tools (including in the development of ransomware), a high degree of adaptability, and the large scale of cyberattacks.
According to experts, FunkSec targets organizations in the public sector, as well as IT, finance, and education industries in European and Asian countries.
Typically, FunkSec operators demand unusually small ransoms — sometimes no more than $10,000 USD. Additionally, the attackers sell the data stolen from victims at a relatively low price.
Experts believe that such an approach allows for a large number of cyberattacks and quickly builds a reputation within the criminal community. Additionally, the scale of the attacks indicates that the perpetrators are using AI to optimize and scale their operations.
The report highlights that the FunkSec ransomware is distinguished by its complex technical architecture and use of AI. The malware’s developers have included full-scale encryption and data theft capabilities in a single executable file written in Rust. It can terminate more than 50 processes on victim devices and is equipped with self-cleaning functions, making incident analysis more difficult.
It is also noted that FunkSec employs advanced methods to evade detection, which complicates the work of researchers.
The FunkSec ransomware does not come as a standalone package: it is supplemented with a password generator (used for brute force attacks and password spraying), as well as a tool for DDoS attacks.
In all cases, researchers discovered clear signs of code generation using large language models (LLMs). Many code fragments were evidently written not manually, but automatically. This is confirmed by placeholder comments (e.g., “placeholder for actual validation”), as well as technical inconsistencies. For instance, it was observed that a single program contained commands for different operating systems. Additionally, the presence of declared but unused functions reflects how LLMs combine several code fragments without trimming excess elements.
“We are increasingly seeing that attackers are using generative AI to create malicious tools. It speeds up the development process, allowing attackers to adapt their tactics more quickly, and also lowers the entry barrier into the industry. However, such generated code often contains errors, so attackers cannot fully rely on new technologies during development,” comments Tatyana Shishkova, a leading expert at Kaspersky GReAT.
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024
According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…
Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs
According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →