{
	"id": "e5146813-ef2e-48aa-8044-237e97c72919",
	"created_at": "2026-04-06T00:13:24.178294Z",
	"updated_at": "2026-04-10T03:37:51.379645Z",
	"deleted_at": null,
	"sha1_hash": "4b9f342ed274fdd0aba88c4fe381c814e25ff52c",
	"title": "Risky Biz News: Google shuts down YouTube Russian propaganda channels",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 350690,
	"plain_text": "Risky Biz News: Google shuts down YouTube Russian propaganda\r\nchannels\r\nBy Catalin Cimpanu\r\nPublished: 2023-03-08 · Archived: 2026-04-05 14:54:23 UTC\r\nThis newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary.\r\nYou can subscribe to an audio version of this newsletter as a podcast by searching for \"Risky Business News\" in\r\nyour podcatcher or subscribing via this RSS feed.\r\nIn its quarterly disinformation report for Q2 2022, Google said last week that it suspended more than 190\r\nYouTube channels and 12 Google Ads accounts linked to Russia's disinformation efforts surrounding its invasion\r\nof Ukraine. Forty-four of these accounts were linked to the Internet Research Agency (IRA), the Russian internet\r\ntroll farm based in Sankt Petersburg, an entity that has been active for years and still operates despite several US\r\nTreasury sanctions.\r\nGoogle said these accounts published content that was supportive of Russia's invasion of Ukraine and Russian\r\nPresident Vladimir Putin and critical of NATO, Ukraine, Ukrainian President Volodymyr Zelenskyy, and Russian\r\nopposition politician Alexei Navalny. 
Some accounts also tried to justify the activity of Russian private military\r\ncontractor Wagner Group in Ukraine and Africa, where they have been accused of civilian killings and\r\nother atrocities.\r\nGoogle's crackdown comes as the company also suspended in the first quarter of the year more than 715 YouTube\r\naccounts used for the same purpose and after the company also delisted multiple Russian state-media news\r\noutlets from its Google News section in March.\r\n\"The information domain is a critical theater of war for the Kremlin,\" said researchers from the Brookings\r\nInstitution think tank earlier this year in March in a report analyzing news search results for Ukraine-related terms.\r\nThe report—published before Google moved to remove Russian state media outlets from its News section—found\r\nthat sites like TASS dominated Google's search results, helping the Kremlin drive its message to huge audiences.\r\nCompanies like Google, Microsoft, Twitter, and Meta (formerly Facebook) have been trying to shut down Russia's\r\ngenocide-washing propaganda but with little results, especially on Twitter and Facebook, where copy-pasta bot\r\nnetworks and especially troll farms continue to dominate discussions.\r\nWhile Twitter and Meta have intervened to limit the reach of official Russian state news outlets, tweets about\r\nUkraine, Russia, and NATO are often flooded with bots and trolls. 
Similarly, on Facebook, bots and trolls also\r\nflood the comments sections in news stories from western media outlets, often driving the discussions toward\r\nRussian-friendly narratives.\r\nIn most cases, these disinformation and propaganda efforts often follow the same patterns, namely that Ukraine\r\nhas committed genocide against its Russian-speaking minority and Russia is only trying to save them, narratives\r\nhttps://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down\r\nPage 1 of 5\n\nthat have been thoroughly debunked by multiple sources ranging from Russian independent media to the EU\r\nitself.\r\nOptimism hack happy ending: The threat actor who intercepted a transfer of nearly $19 million (at the time)\r\nbetween the Wintermute and Optimism cryptocurrency platforms last week has decided to return the stolen funds,\r\naccording to blockchain security firm PeckShield.\r\nGerman energy suppliers: German energy suppliers Entega and Mainzer Stadtwerke were hit by a cyber-attack\r\nover the weekend. The attacks, believed to be unrelated, blocked access to companies' email servers and public\r\nwebsites, but industrial systems remained unaffected.\r\nCloud middleware: Wiz, the cloud security firm that discovered the OMIGOD vulnerability last year,\r\nhas continued its research into the types of middleware products installed by default on cloud servers. The\r\ncompany has published a GitHub repo with cloud middleware (aka cloud agents) installed and used across the\r\nmajor cloud service providers (Azure, AWS, and GCP). 
These agents—13 right now—are usually installed\r\nwithout the customers' awareness or explicit consent.\r\nFirefox reducing sandbox escape attack surface: In its quarterly security newsletter for Q1 2022, Mozilla said it\r\ndeployed a new security feature to Firefox in v96 that will reduce the attack surface for Firefox sandbox escapes\r\n(attacks from the browser to the underlying OS).\r\nMore surveillance in Russia: The Russian government has updated its SORM technical guide to specifically tell\r\nnetwork operators to intercept and store data from their customers, such as internet calls, browsing history, and\r\nuser geo-location. According to Kommersant, a new draft of legislation proposed last week corrects technical\r\nrequirements needed for data collection and storage of certain parameters, for better compatibility between\r\nSORM systems and the control panel used by the FSB to access this data. The news outlet said that certain\r\nnetwork operators will have to update SORM equipment to comply with the government's new user data\r\ncollection methodology.\r\nConfluence exploitation: Microsoft's security team said on Saturday that at least two nation-state groups—\r\ntracked as DEV-0401 and DEV-0234—are now exploiting the Atlassian Confluence RCE zero-day\r\nvulnerability CVE-2022-26134 that was disclosed last week. Microsoft researchers said that this vulnerability has\r\nbeen used for device and domain discovery, but also for the deployment of payloads like Cobalt Strike, web\r\nshells, botnets like Mirai and Kinsing, coin miners, and even ransomware.\r\nMicrosoft Security Intelligence@MsftSecIntel\r\nMultiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the\r\nAtlassian Confluence RCE vulnerability CVE-2022-26134. 
We urge customers to upgrade to the latest version or\r\napply recommended mitigations:\r\nmsft.it\r\nConfluence Security Advisory 2022-06-02 | Confluence Data Center and Server 7.18 | Atlassian Documentation\r\n12:24 AM · Jun 11, 2022\r\nSeaFlower group: Confiant said in a report last week that it detected a new threat actor—that it named SeaFlower\r\n—targeting cryptocurrency users. Since at least March this year, the group has operated websites cloned after\r\nlegitimate cryptocurrency wallets. These websites, which target Chinese-speaking audiences, host backdoored\r\nwallet apps that steal users' private wallet seeds.\r\nASyncRAT stats: Malwarebytes reported this week that its telemetry indicated that ASyncRAT had become\r\nthe most widespread malware payload delivered via email spam in the first half of 2022. ASyncRAT was ranked\r\n#3 throughout 2021, behind Dridex and TrickBot.\r\nFinland arrest: An online scammer was detained in Finland last week after defrauding local car\r\ndealerships. Investigators said they were able to identify the suspect after they took a high-quality photo of a fake\r\ncheck where one of their fingertips was also visible, allowing them to identify them based on police records.\r\n(h/t @mikko)\r\nNigerian bank robbers: Nigerian police said they detained three suspects for a daring scheme to hack into the\r\nnetworks of at least 11 Nigerian banks and steal funds. According to authorities, the group had bribed an\r\nemployee at one of the banks to leave critical network gateways open so they could gain access to the bank\r\nnetwork and steal funds. Per data recovered from seized devices, the group was planning to use the same method\r\non 10 other banks if this first intrusion went without a hitch. 
[Coverage in BankInfoSecurity]\r\nAdconion execs plead guilty: Three of four Adconion executives pleaded guilty last week to fraud and\r\nmisrepresentation via email. The three were charged in 2018 for hijacking IP address blocks from their inactive\r\nowners. Some of these IP addresses were later used to send email spam.\r\nFew NetWalker victims complained: Speaking at the RSA security conference last week, FBI and DOJ officials\r\nsaid that only a quarter of all victims of the NetWalker ransomware filed complaints with authorities. Law\r\nenforcement seized NetWalker's infrastructure in January 2021, and the gang ceased operations following the law\r\nenforcement crackdown.\r\nHelloXD ransomware: Palo Alto Networks has published a technical report on HelloXD, a ransomware strain\r\nthat has been active since November 2021. The security firm also managed to link the ransomware to a threat\r\nactor active on underground cybercrime forums named \"x4k.\"\r\nAndroid malware: Security firm McAfee said it found malicious functionality designed to steal Instagram\r\naccount credentials in an Android app designed to allow users to modify the default Instagram app and in several\r\napps designed to increase Instagram account followers and post likes.\r\nSandworm: CERT Ukraine said in a security alert on Friday that the Sandworm APT group was targeting\r\nUkrainian news organizations with malicious emails. Officials said that more than 500 radio stations, newspapers,\r\nand news agencies were targeted with malicious Office files that tried to weaponize the still-unpatched Office\r\nFollina zero-day.\r\nLyceum APT: Zscaler has published a report on a .NET-based backdoor used by the Lyceum APT that the group\r\nhad been using to target Middle Eastern organizations in the energy and telecommunication sectors. 
According to\r\nresearchers, the malware uses a technique called \"DNS Hijacking\" in which an attacker-controlled DNS server\r\nmanipulates the responses of DNS queries to redirect targets to malicious sites.\r\nPACMAN attack: Academics from MIT CSAIL have disclosed a novel attack against Apple M1 processors. The\r\nattack, named PACMAN, can elevate access from userland to kernel space by bypassing Pointer Authentication\r\n(PAC). The PACMAN attack can be executed via a network connection, and is the third side-channel attack\r\nagainst Apple CPUs after Augury and M1racles.\r\nK8s vulnerability: Kubernetes servers are affected by a vulnerability (CVE-2021-25748) in their Nginx\r\nintegration where \"a user that can create or update ingress objects can use a newline character to bypass the\r\nsanitization\" and \"obtain the credentials of the ingress-nginx controller.\" The Kubernetes team said that in default\r\nKubernetes configurations, this credential has access to all secrets in the cluster.\r\nTrendnet vulnerabilities: Trendnet TEW-831DR WiFi routers have been found to have multiple\r\nvulnerabilities exposing the owners of the router to potential intrusions of their local WiFi network and possible\r\ntakeover of the device.\r\nDrupal bugs: The Drupal CMS has released out-of-cycle security updates to fix bugs in third-party libraries.\r\nBackdoor account in thermal cameras: IoT security company SEC-Consult disclosed last week that IRAY\r\nA8Z3 thermal cameras contain hardcoded credentials for their web application in one of their firmware binaries,\r\nwhich can be extracted and used by attackers to modify camera settings. In addition, the same camera model also\r\ncontains several other vulnerabilities. 
After 16 months, the vendor has yet to patch any of the reported issues.\r\nBackdoor in Mitel VoIP phones: Mitel Networks has patched its 6900 IP Series VoIP phones and removed a\r\nbackdoor functionality from the firmware that would have allowed remote attackers to run malicious commands\r\non its devices[1, 2]. The vulnerability was found and reported by German pen-testing firm Syss.\r\nSource: https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://riskybiznews.substack.com/p/risky-biz-news-google-shuts-down"
	],
	"report_names": [
		"risky-biz-news-google-shuts-down"
	],
	"threat_actors": [
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "00f01865-62f9-4931-b532-510eeb5e5bc7",
			"created_at": "2024-02-02T02:00:04.043727Z",
			"updated_at": "2026-04-10T02:00:03.538157Z",
			"deleted_at": null,
			"main_name": "Lilac Typhoon",
			"aliases": [
				"DEV-0234"
			],
			"source_name": "MISPGALAXY:Lilac Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly"
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b9f342ed274fdd0aba88c4fe381c814e25ff52c.pdf",
		"text": "https://archive.orkl.eu/4b9f342ed274fdd0aba88c4fe381c814e25ff52c.txt",
		"img": "https://archive.orkl.eu/4b9f342ed274fdd0aba88c4fe381c814e25ff52c.jpg"
	}
}