This week’s top cybersecurity and dark web news stories dive into the new HybridPetya ransomware strain, French authorities shutting down a dark web forum, and the VoidProxy phishing campaign targeting Microsoft and Google.
New HybridPetya Ransomware Strain
A new ransomware strain called HybridPetya has been discovered with the ability to bypass UEFI Secure Boot protections and install a malicious application directly onto the EFI System Partition.
The malware appears to take inspiration from the notorious Petya and NotPetya attacks of 2016-2017, which encrypted systems at the disk level and prevented Windows from booting, without offering recovery options.
Researchers found a sample of HybridPetya uploaded to VirusTotal. While it remains unclear if the malware is a proof-of-concept, a research project, or an early-stage cybercrime tool, its capabilities underscore a growing trend of sophisticated bootkit threats.
HybridPetya may be part of a broader wave of UEFI-based malware, joining recent examples like BlackLotus, BootKitty, and the Hyper-V Backdoor. These threats show that UEFI bootkits with Secure Boot bypass functionality are no longer theoretical but real and practical.
HybridPetya builds on the destructive techniques of its predecessors while adding modern capabilities. Notably, it installs itself into the EFI System Partition and leverages CVE-2024-7344, a vulnerability in Microsoft-signed applications discovered earlier this year, to bypass Secure Boot.
French Authorities Shut Down Dark French Anti System
French authorities have dismantled Dark French Anti System (DFAS), one of the last major French-speaking dark web platforms, following a joint investigation led by Cyberdouanes and the U.S. Office of Foreign Assets Control (OFAC).
On September 12th, authorities confirmed that the operation resulted in the arrest of two men on September 8th: the alleged creator of the site, born in 1997, and an active contributor, born in 1989. Authorities seized more than six bitcoins, worth approximately €600,000, along with technical materials documenting the platform’s operations.
DFAS has been active since 2017 and operated as a marketplace for illicit goods and services. It offered:
- Drugs.
- Stolen personal data.
- Fraud and cyberattack tools.
- Weapons.
- Anonymization guides.
Unlike most dark web platforms, which primarily operate in English, DFAS stood out as a French-speaking hub. Investigators found that it had grown to over 12,000 members with more than 110,000 messages, making it a central gathering place for French-speaking cybercriminals.
The investigation began in 2023, led by France's Customs Intelligence Unit (DNRED) and Cyberdouanes. Despite earlier takedowns of French-speaking dark web markets, DFAS continued to grow. As part of the operation, PFAC traced financial flows linked to the platform, reinforcing the cross-border nature of the investigation.
VoidProxy Phishing Campaign Targets Microsoft and Google
Researchers have published a detailed analysis of a newly discovered Phishing-as-a-Service (PhaaS) platform, which they have named VoidProxy. The service represents a mature, scalable, and evasive threat capable of targeting Microsoft and Google accounts, as well as redirecting logins protected by third-party single sign-on (SSO) providers to second-stage phishing pages.
VoidProxy uses Adversary-in-the-Middle (AitM) techniques to hijack authentication flows in real time. This allows attackers to capture:
- User credentials.
- Multi-factor authentication (MFA) codes.
- Session tokens created during the login process.
These capabilities make VoidProxy especially dangerous, as it can bypass common MFA protections such as SMS codes and one-time passcodes (OTPs) from authenticator apps.
By packaging this functionality into an accessible platform, VoidProxy lowers the technical barrier for cybercriminals, enabling a wide spectrum of threat actors to launch advanced phishing campaigns. Compromised accounts obtained through the service can then be leveraged for:
- Business Email Compromise (BEC).
- Financial fraud.
- Data theft and exfiltration.
- Lateral movement across corporate networks.
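As an added illustration of how a defender might spot the session-token theft described above (this is example code, not from the original report or from the researchers who analysed VoidProxy), the following Python runs two simple AitM checks over constructed sign-in records: an MFA login arriving from a hypothetical hosting ASN, and a session token used from a different network shortly after that login. The event fields, the ASN list and the time window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the page). An identity provider
# sitting behind an AitM proxy sees the MFA login come from the proxy's
# network, and the captured session token is then replayed from the
# attacker's own infrastructure a few minutes later.
EVENTS = [
    {"ts": "2025-09-12T09:00:00", "user": "alice", "sid": "S1",
     "event": "login_mfa", "ip": "203.0.113.10", "asn": "AS64500"},
    {"ts": "2025-09-12T09:05:00", "user": "alice", "sid": "S1",
     "event": "session_use", "ip": "203.0.113.10", "asn": "AS64500"},
    {"ts": "2025-09-12T10:00:00", "user": "bob", "sid": "S2",
     "event": "login_mfa", "ip": "198.51.100.7", "asn": "AS64510"},
    {"ts": "2025-09-12T10:02:00", "user": "bob", "sid": "S2",
     "event": "session_use", "ip": "192.0.2.44", "asn": "AS64520"},
]

# Hypothetical set of hosting-provider ASNs where a phishing proxy would
# typically live; in practice this comes from threat intel or GeoIP data.
HOSTING_ASNS = {"AS64510"}


def find_suspicious_sessions(events, window_minutes=30):
    """Return {session_id: [reasons]} for sessions showing AitM-style traits."""
    by_sid = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_sid.setdefault(e["sid"], []).append(e)
    window = timedelta(minutes=window_minutes)
    findings = {}
    for sid, evs in by_sid.items():
        logins = [e for e in evs if e["event"] == "login_mfa"]
        if not logins:
            continue
        login = logins[0]
        reasons = []
        if login["asn"] in HOSTING_ASNS:
            reasons.append("mfa login from hosting ASN %s" % login["asn"])
        t0 = datetime.fromisoformat(login["ts"])
        for use in evs:
            if use["event"] != "session_use":
                continue
            dt = datetime.fromisoformat(use["ts"]) - t0
            # Token used from another network within the window after login
            if use["asn"] != login["asn"] and timedelta(0) <= dt <= window:
                reasons.append("token used from %s (%s) %d min after login from %s"
                               % (use["ip"], use["asn"], dt.seconds // 60, login["ip"]))
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(EVENTS).items():
        print(sid, reasons)
```

Only session S2 is flagged, on both signals; alice's session uses the token from the same network as her login and is left alone.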