Coordinated Microsoft Actions and Court-Authorized Domain Seizures Disrupt LummaC2 Malware Infrastructure Used to Target Millions
The Justice Department announced today the unsealing of two warrants authorizing the seizure of five internet domains used by malicious cyber actors to operate the LummaC2 information-stealing malware service.
“The Department will continue to use its unique tools, authorities, and partnerships to disrupt malicious cyber operations and criminal networks,” said Sue J. Bai, head of the Justice Department’s National Security Division. “Today’s disruption is another instance where our prosecutors, agents, and private sector partners came together to protect us from the persistent cybersecurity threats targeting our country. We are grateful for their work and dedication.”
“Malware like LummaC2 is deployed to steal sensitive information such as user login credentials from millions of victims in order to facilitate a host of crimes, including fraudulent bank transfers and cryptocurrency theft,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “Today’s announcement demonstrates that the Justice Department is resolved to use court-ordered disruptions like this one to protect the public from the theft of their personal information and their assets. The Department is also committed to working with and appreciates the efforts of the private sector to safeguard the public from cybercrime.”
“The FBI is committed to disrupting the key services that cyber criminals rely on,” said Assistant Director Bryan Vorndran of FBI’s Cyber Division. “That’s why, with our partners, we took action against the most popular infostealer service available in online criminal markets, which is responsible for millions of attacks against victims. Thanks to partnerships with the private sector, we were able to disrupt the LummaC2 infrastructure and seize user panels. Together, we are making it harder, and more painful, for cyber criminals to operate.”
As alleged in the affidavits filed in support of the government’s seizure warrants, the administrators of LummaC2 used the seized websites to distribute LummaC2, an information-stealing malware, to their affiliates and other cyber criminals. According to court documents, common targets for cybercriminals using malware like LummaC2 include browser data, autofill information, login credentials for accessing email and banking services, as well as cryptocurrency seed phrases, which permit access to virtual currency wallets. As alleged in the affidavits, the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.
The government’s affidavit further alleges that the seized domains, also referred to as user panels, served as login pages for the LummaC2 malware, allowing credentialed users and administrators to access and deploy LummaC2. On May 19, 2025, the government seized two domains. On May 20, 2025, as detailed in court documents, the LummaC2 administrators informed their users of three new domains that they had set up to host the user panel. The next day, the government then seized those three domains.
The seizure of these domains by the government will prevent the owners and cybercriminals from using the websites to access LummaC2 to compromise computers and steal victim information. Individuals who now visit the websites will see a message indicating that the site has been seized by the Justice Department, including the FBI.
Concurrent with today’s actions and consistent with the Department’s approach to public-private operational coordination, Microsoft announced an independent civil action to take down 2,300 internet domains also claimed to be used by the LummaC2 actors or their proxies.
FBI’s Dallas Field Office is investigating the case.
The U.S. Attorney’s Office for the Northern District of Texas, the National Security Division’s National Security Cyber Section, and the Criminal Division’s Computer Crime and Intellectual Property Section are handling the case.
The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, offers a reward of up to $10 million for information on foreign government-linked individuals participating in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.
Anyone with information on any other foreign government-linked malicious cyber actors or activity targeting U.S. critical infrastructure should contact Rewards for Justice via the RFJ Tor-based tip line at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required). Learn more about Rewards for Justice and their reward offers at RewardsforJustice.net.
If you believe you have a compromised computer or device, please visit the FBI’s Internet Crime Complaint Center (IC3). You may also contact your local FBI field office directly.
One major consequence of the UK government’s resistance to rejoining the European single market is that it is forced to go around the world seeking trade deals and investment.
Recently, the government has boasted of successful arrangements with India, the US, and some new agreements with the EU. But it has also found itself courting one highly dubious suitor.
Since the chancellor of the exchequer, Rachel Reeves, went to Beijing in January 2025, the government has been focusing much of its attention on China. And while investment from the world’s second-largest economy is fairly unproblematic in a few sectors (some services and domestic real estate, for example), other areas are a cause for concern.
Relying on Chinese money to support key sectors such as steel, telecommunications, advanced electronics, power and transport – all vital for Britain’s economic and geopolitical security – is potentially dangerous.
Yet it has been going on for years. Efforts to secure funding by a previous Conservative government even allowed state-owned Chinese companies to invest in the UK’s nuclear future, despite considerable criticism from the likes of MI5 and the British military.
Then there was the 2017 acquisition by a Chinese state-backed private equity firm of cutting-edge semi-conductor company, Imagination Technologies. Subsequent concerns over the leaking of its intellectual property prompted a parliamentary enquiry into foreign corporate asset-stripping.
British Steel was also a target. Sold in 2019, it is now owned by a private company, Jingye, which in April 2025 moved to shut down operations at its Scunthorpe site by not supplying the raw materials required for its blast furnaces.
In response, the UK government took emergency control of production in a scramble to stop the furnaces from going cold.
That incident should have served as an urgent reminder to the government that it needs to be wary of the effect Chinese companies can have on the UK.
Early signs, however, are not reassuring. Business secretary Jonathan Reynolds commented that Jingye was not acting in the “rational way” he would expect of a company in a market economy.
But the government should know that when it comes to strategic decision-making, Chinese companies do not operate in ways that others consider rational. Put simply, they are not comparable to their equivalents in Britain or other liberal-market economies – because they are effectively controlled by the Chinese Communist Party (CCP).
According to the CCP’s data, by 2017 it had established a formal presence inside 92% of larger private companies and 73% of all private companies in China. Those figures will certainly be higher now. And, as with the digital-technology firm Huawei, senior CCP members are often on a company’s boards of directors.
So, while Jingye almost eliminated British Steel as a viable company, it can be reasonably assumed that a decision of such strategic and geopolitical importance would not have been taken by Jingye’s executives alone. They would have been “guided” by the CCP.
Influence and infrastructure
And of course, it’s not just steel production the UK should be concerned about. Chinese ownership now extends across many vital sectors.
There’s the Chinese state-owned company, Beijing Construction Engineering, helping to build a new science and innovation park next to Manchester airport. And the private Hong Kong company, CK Infrastructure, which owns water companies serving north-east England, Essex and Suffolk.
China Investment Corporation (state-owned) owns part of Heathrow, while China Huaneng (state-owned) operates Europe’s largest battery storage facility in Wiltshire. Meanwhile, wind turbine producer Mingyang (privately owned and reputedly linked to the Chinese military) is the preferred bidder for a new Scottish wind farm, despite being barred from a similar Norwegian development.
All of these companies, irrespective of formal ownership, are likely to be subject to varying degrees of CCP influence and control (comment on the issue from Chinese companies is rare). And successive UK governments have either failed to appreciate the implications of this, or have accepted it as the price of gaining greater access to the Chinese market – especially for London’s financial sector.
This was almost certainly a factor behind China’s involvement in the building of Hinkley Point’s new nuclear power station, and was at the forefront in Rachel Reeves’s discussions with the Chinese government earlier this year.
Separately, Chinese investment in non-strategic sectors is much less controversial. One private conglomerate (Fosun) owns the Premier League side Wolverhampton Wanderers and formerly owned Thomas Cook.
But the lesson from the British Steel fiasco is clear. We are now in a world where the political interests of major states trump the economic interests of their business corporations. Geopolitics takes precedence over geoeconomics.
Consequently, Chinese firms – regardless of ownership status – should be barred from industries vital to the UK’s economic and political security. Anything less risks subordinating British interests to those of the Chinese Communist Party.
Funding from European Cooperation in Science and Technology (COST), for the China in Europe Research Network, contributed to the research on which this article is based.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.
The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.
Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.
Overview
LummaC2 malware first appeared for sale on multiple Russian-language speaking cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload by clicking a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA). The CAPTCHA contains instructions for users to then open the Windows Run window (Windows Button + R) and paste clipboard contents (“CTRL + V”). After users press “enter” a subsequent Base64-encoded PowerShell process is executed.
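A detection sketch for the fake-CAPTCHA chain described above, added here as an example and not taken from the advisory: it scans process-creation events for PowerShell started with an encoded command, decodes the payload for the analyst, and marks launches whose parent is explorer.exe, which is the parent of anything started from the Run window. The event field names follow Sysmon Event ID 1; the hosts, users, paths and the encoded script are constructed sample data.

```python
import base64
import binascii
import re

SHELLS = {"powershell.exe", "pwsh.exe"}
# A parameter name followed by a long Base64-looking argument.
PARAM = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/]{16,}={0,2})")


def is_encoded_switch(name):
    """PowerShell accepts -EncodedCommand, its prefixes (-e, -enc, ...) and -ec."""
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_command(command_line):
    """Return the decoded script text, or None if there is no decodable payload."""
    for name, blob in PARAM.findall(command_line):
        if not is_encoded_switch(name):
            continue
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            return raw.decode("utf-16-le")  # -EncodedCommand carries UTF-16LE text
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def triage(events):
    """List encoded PowerShell launches; from_explorer marks Run-window style starts."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) not in SHELLS:
            continue
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is None:
            continue
        findings.append({
            "host": ev["Computer"],
            "user": ev["User"],
            "from_explorer": basename(ev["ParentImage"]) == "explorer.exe",
            "decoded": decoded,
        })
    return findings


def encode_sample(script):
    """Build a constructed -EncodedCommand argument from harmless text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BENIGN = "Write-Output 'constructed sample'"

# Constructed events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"Computer": "WS-0142", "User": "CORP\\alice", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -enc " + encode_sample(BENIGN)},
    {"Computer": "SRV-0007", "User": "CORP\\svc-mgmt", "Image": PS,
     "ParentImage": r"C:\Program Files\ExampleAgent\agent.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + encode_sample(BENIGN)},
    {"Computer": "WS-0142", "User": "CORP\\alice", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"Computer": "WS-0099", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Encoded PowerShell started by a management agent is common, so the explorer.exe parent is the field to prioritise on; the decoded text is what the analyst reviews.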
To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake popular software (i.e., multimedia player or utility software) [T1036]. The malware’s obfuscation methods allow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, designed to flag common phishing attempts or drive-by downloads [T1027].
Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.
File Execution
Upon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure 1).
Figure 1. LummaC2 Main Routine
The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).
Figure 2. Message Box
If the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section.
After each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).
Figure 3. POST Request
If the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine used to retrieve JSON formatted commands (see Figure 4).
Figure 4. Code Saving Successful Callback Request
Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user’s name and computer name utilizing the Application Programming Interfaces (APIs) GetUserNameW and GetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).
Figure 5. User and Computer Name Check
The hashing routine was not identified as a standard algorithm; however, it is a simple routine that converts a Unicode string to a 32-bit hexadecimal value.
If the username hash is equal to the value 0x56CF7626, then the computer name is queried. If the computer name queried is seven characters long, then the name is hashed and checked against the hard-coded value of 0xB09406C7. If both values match, a final subroutine will be called with a static value of the computer name hash as an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the malware from running on the attacker’s system, as its algorithms are one-way only and will not reveal information on the details of the attacker’s own hostname and username.
If the username and hostname check function returns zero (does not match the hard-coded values), the malware will enter its main callback routine. The LummaC2 malware will contact the saved hostname from the previous check and send the following POST request (see Figure 6).
Figure 6. Second POST Request
The data returned from the C2 server is encrypted. Once decoded, the C2 data is in a JSON format and is parsed by the LummaC2 malware. The C2 uses the JSON configuration to parse its browser extensions and target lists using the ex key, which contains an array of objects (see Figure 7).
Figure 7. Parsing of ex JSON Value
The c key, once parsed, contains an array of objects that give the implant its C2 (see Figure 8).
Figure 8. Parsing of c JSON Value
C2 Instructions
Each array object that contains the JSON key value of t will be evaluated as a command opcode, resulting in the C2 instructions in the subsections below.
1. Opcode 0 – Steal Data Generic
This command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode 0 command option allows LummaC2 affiliates to add their custom information gathering details (see Table 1).
Table 1. Opcode 0 Options
| Key | Value |
| --- | --- |
| p | Path to steal from |
| m | File extensions to read |
| z | Output directory to store stolen data |
| d | Depth of recursiveness |
| fs | Maximum file size |
2. Opcode 1 – Steal Browser Data
This command only allows for two options: a path and the name of the output directory. This command, based on sample configuration downloads, is used for browser data theft for everything except Mozilla [T1217] (see Table 2).
Table 2. Opcode 1 Options
| Key | Value |
| --- | --- |
| p | Path to steal from |
| z | Name of Browser – Output |
3. Opcode 2 – Steal Browser Data (Mozilla)
This command is identical to Opcode 1; however, this option seems to be utilized solely for Mozilla browser data (see Table 3).
Table 3. Opcode 2 Options
| Key | Value |
| --- | --- |
| p | Path to steal from |
| z | Name of Browser – Output |
4. Opcode 3 – Download a File
This command contains three options: a URL, file extension, and execution type. The configuration can specify a remote file with u to download and create the extension specified in the ft key [T1105] (see Table 4).
Table 4. Opcode 3 Options
| Key | Value |
| --- | --- |
| u | URL for Download |
| ft | File Extension |
| e | Execution Type |
The e value can take two values: 0 or 1. This specifies how to execute the downloaded file either with the LoadLibrary API or via the command line with rundll32.exe [T1106] (see Table 5).
Table 5. Execution Types
| Key | Value |
| --- | --- |
| e=0 | Execute with LoadLibraryW() |
| e=1 | Execute with rundll32.exe |
5. Take Screenshot
If the configuration JSON file has a key of “se” and its value is “true,” the malware will take a screenshot in BMP format and upload it to the C2 server.
6. Delete Self
If the configuration JSON file has a key of “ad” and its value is “true,” the malware will enter a routine to delete itself.
The command shown in Figure 9 will be decoded and executed for self-deletion.
Figure 9. Self-Deletion Command Line
Figure 10 depicts the above command line during execution.
Figure 10. Decoded Command Line in Memory
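For incident response, a recovered and already-decoded configuration can be turned into a scoping report using only the keys documented above (c, t, the per-opcode options, ex, se, ad). The following is an added example, not code from the advisory; the sample configuration is constructed, and the value types (integers for t and e, booleans or strings for se and ad) and the contents of the ex objects are assumptions, since the advisory does not specify them.

```python
import json

# Opcode -> (action, documented option keys), from Tables 1 through 4.
OPCODES = {
    0: ("steal data (generic)", ("p", "m", "z", "d", "fs")),
    1: ("steal browser data", ("p", "z")),
    2: ("steal browser data (Mozilla)", ("p", "z")),
    3: ("download a file", ("u", "ft", "e")),
}
EXEC_TYPES = {0: "LoadLibraryW()", 1: "rundll32.exe"}  # Table 5


def to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def is_true(value):
    """Accept a JSON boolean or the string "true" (value type is an assumption)."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def defang(url):
    """Make a URL non-clickable before it goes into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def summarize_config(decoded_json):
    """Group the instructions in a decoded config by what the responder must do."""
    cfg = json.loads(decoded_json)
    report = {
        "collection": [],   # paths whose contents should be treated as exposed
        "downloads": [],    # follow-on files to hunt for on the host
        "unknown": [],      # entries with an undocumented opcode, kept verbatim
        "extension_targets": len(cfg.get("ex", [])),
        "screenshot": is_true(cfg.get("se")),
        "self_delete": is_true(cfg.get("ad")),
    }
    for entry in cfg.get("c", []):
        opcode = to_int(entry.get("t")) if isinstance(entry, dict) else None
        if opcode not in OPCODES:
            report["unknown"].append(entry)
            continue
        action, keys = OPCODES[opcode]
        item = {
            "opcode": opcode,
            "action": action,
            "fields": {k: entry[k] for k in keys if k in entry},
            "missing": [k for k in keys if k not in entry],
        }
        if opcode == 3:
            if "u" in item["fields"]:
                item["fields"]["u"] = defang(str(item["fields"]["u"]))
            item["execution"] = EXEC_TYPES.get(to_int(entry.get("e")), "unknown")
            report["downloads"].append(item)
        else:
            report["collection"].append(item)
    return report


# Constructed sample; paths, names and the URL are placeholders.
SAMPLE_CONFIG = json.dumps({
    "ex": [{"placeholder": "extension entry, layout not described in the advisory"}],
    "c": [
        {"t": 0, "p": "%userprofile%\\Documents", "m": ["*.txt"], "z": "Docs", "d": 2},
        {"t": 1, "p": "%localappdata%\\ExampleBrowser\\User Data", "z": "ExampleBrowser"},
        {"t": 2, "p": "%appdata%\\ExampleFox\\Profiles", "z": "ExampleFox"},
        {"t": 3, "u": "https://files.example.invalid/module", "ft": "dll", "e": 1},
        {"t": 9, "p": "x"},
    ],
    "se": True,
    "ad": "true",
})

if __name__ == "__main__":
    print(json.dumps(summarize_config(SAMPLE_CONFIG), indent=2))
```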
Host Modifications
Without any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. The commands returned from the C2 server could indicate that it drops additional files and/or saves data to files on the local hard drive. This is variable, as these commands come from the C2 server and are mutable.
Decrypted Strings
Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).
Figure 11. Decoded Strings
Indicators of Compromise
See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.
Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.
Table 6. LummaC2 Executable Hashes
The following are domains observed deploying LummaC2 malware.
Disclaimer: The domains below are historical in nature and may not currently be malicious.
MITRE ATT&CK Tactics and Techniques
See Table 8 through Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Threat actors used LummaC2 malware to exfiltrate sensitive user information, including traditional credentials, cryptocurrency wallets, browser extensions, and MFA details without immediate detection.
Threat actors used LummaC2 malware to download files with native OS APIs.
Mitigations
The FBI and CISA recommend organizations implement the mitigations below to reduce the risk of compromise by LummaC2 malware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.
Separate User and Privileged Accounts: Allow only necessary users and applications access to the registry [CPG 2.E].
Monitor and detect suspicious behavior during exploitation [CPG 3.A].
Monitor and detect suspicious behavior, creation and termination events, and unusual and unexpected processes running.
Monitor API calls that may attempt to retrieve system information.
Analyze behavior patterns from process activities to identify anomalies.
Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
Log Collection: Regularly monitoring and reviewing registry changes and access logs can support detection of LummaC2 malware [CPG 2.T].
Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform and review logs of user actions to detect unauthorized use and abuse. Apply principles of least privilege to user accounts and groups, allowing only the performance of authorized actions.
Audit user accounts and revoke credentials for departing employees, removing those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.
Keep systems up to date with regular updates, patches, hot fixes, and service packs that may minimize vulnerabilities. Learn more by visiting CISA’s webpage: Secure our World Update Software.
Secure network devices to restrict command line access.
Use segmentation to prevent access to sensitive systems and information, possibly with the use of Demilitarized Zone (DMZ) or virtual private cloud (VPC) instances to isolate systems [CPG 2.F].
Monitor and detect API usage, looking for unusual or malicious behavior.
Validate Security Controls
In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess performance against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 8 through Table 13).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Reporting
Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.
The FBI is interested in any information that can be shared, to include the status and scope of infection, estimated loss, date of infection, date detected, initial attack vector, and host- and network-based indicators.
To report information, please contact the FBI’s Internet Crime Complaint Center (IC3), your local FBI field office, or CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI and CISA.
Source: Federal Bureau of Investigation FBI Crime News (b)
ST. LOUIS – U.S. District Judge Henry E. Autrey on Tuesday sentenced a man who admitted transporting a minor across state lines for sex to 230 months in prison.
Scott M. Arnold-Micke, 48, of Rolla, Missouri met the 17-year-old victim in 2021 and took him to Chicago, where they used drugs and engaged in sexual acts. Arnold-Micke engaged in drug use with the victim on an almost daily basis after Arnold-Micke moved from Sullivan, Missouri to Rolla.
Arnold-Micke, 48, pleaded guilty in January to one count of transportation of a minor to engage in a criminal sex act.
The case was investigated by the FBI and the Rolla Police Department with assistance from the Phelps County Sheriff’s Department. Assistant U.S. Attorney Dianna Edwards prosecuted the case.
“The FBI is unrelenting when it comes to protecting children,” said Special Agent in Charge Chris Crocker of the FBI St. Louis Division. “I commend those who brought this crime to light in order to get this child predator off the streets and in prison where he belongs.”
This case was brought as part of Project Safe Childhood, a nationwide initiative to combat the growing epidemic of child sexual exploitation and abuse launched in May 2006 by the Department of Justice. Led by U.S. Attorneys’ Offices and the Department of Justice Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state and local resources to better locate, apprehend and prosecute individuals who exploit children via the Internet, as well as to identify and rescue victims. For more information about Project Safe Childhood, please visit www.justice.gov/psc.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
KANSAS CITY, Mo. – A member of the Pagan’s Motorcycle Club pleaded guilty today before U.S. District Judge Greg Kays for his involvement in an armed assault and an attempted armed assault against members of rival motorcycle clubs.
Jeremiah Z. Hahn, also known as “Pass Out,” 42, of Cameron, Mo., pleaded guilty today to one count of assault with a dangerous weapon in aid of racketeering, one count of attempting to commit assault with a dangerous weapon in aid of racketeering, and one count of felon in possession of a firearm.
On May 30, 2022, Hahn and other members of the Pagan’s and their support club, assaulted a lone rival motorcycle gang member at a business in Grain Valley, Mo. In addition to fists, Hahn used an axe handle during the assault, causing physical injury to the victim.
On Sep. 3, 2022, Hahn and other members of the Pagan’s and their support club, travelled to Topeka, Ks., to carry out a revenge attack against another rival motorcycle gang. The plan was to “catch a stray” and “smash on sight” any rival member they saw. The Pagan’s were aware that the rival motorcycle gang were having an event in Topeka that day, and the plan was to use either an axe handle or a gun on one of the rival gang members. After arriving in Topeka, a rival member was spotted in a hotel parking lot. As Hahn, who was armed with a gun, prepared to shoot the rival, a disagreement occurred among members, and the group returned to the Kansas City area.
Following both events, Hahn and others present were awarded patches for their participation.
On May 3, 2023, Hahn was stopped by a Missouri State Highway Patrol Trooper on eastbound Highway 36 in Dekalb County, Mo., for speeding. Hahn, who was riding a black, 2012 Harley Davidson motorcycle, had passed the trooper, traveling 98 mph in a 65-mph zone. Initially, Hahn attempted to flee the trooper and reached speeds ranging from 100-102 mph before stopping. Following Hahn’s arrest, the trooper discovered a Smith and Wesson, model M&P Shield, .40 caliber semi-automatic handgun, in Hahn’s front pants’ pocket. Hahn, who had felony convictions out of Oklahoma, Kansas, and Missouri, stated that he had stolen the gun approximately a week and a half earlier from a member of a rival motorcycle club in St. Joseph, Mo.
Under federal statutes, Hahn is subject to a sentence of up to twenty years in prison without parole. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.
This case is being prosecuted by Assistant U.S. Attorneys Bradley K. Kavanaugh and Robert Smith. It was investigated by the FBI, the Independence, Mo., Police Department, the Blue Springs, Mo., Police Department, Homeland Security Investigations, and the Kansas City, Mo., Police Department.
Organized Crime and Drug Enforcement Task Force
This case is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
KANSAS CITY, Mo. – A Kansas City, Mo., man was indicted by a federal grand jury today for robbing fourteen convenience stores at gunpoint. He also faces charges for attempting to rob another convenience store and illegally possessing a firearm.
Marquise L. North, 31, of Kansas City, Mo., was charged in a thirty-one count indictment returned by a federal grand jury in Kansas City, Mo.
Today’s indictment charges North with fourteen counts of Hobbs Act robbery, one count of attempted Hobbs Act robbery, fourteen counts of brandishing a firearm in furtherance of a crime of violence, and one count of being a felon in possession of a firearm.
The federal indictment alleges North committed the robberies between July 26, 2024, and Sep. 21, 2024. North is alleged to have brandished a firearm during each of the robberies.
Under federal law, it is illegal for anyone who has been convicted of a felony to be in possession of any firearm or ammunition. North has a prior felony conviction for unlawful possession of a firearm.
The charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.
Under federal statutes, North is subject to a sentence of up to life in federal prison without parole. Brandishing a firearm during a crime of violence carries a mandatory minimum sentence of seven years in federal prison without parole. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.
This case is being prosecuted by Special Assistant U.S. Attorney Jessica L. Jennings. It was investigated by the FBI, Kansas City, Missouri Police Department, Raytown, Missouri Police Department, and Independence, Missouri Police Department.
Project Safe Neighborhoods
This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
SPRINGFIELD, Mo. – Two men from Springfield, Mo., were sentenced in federal court for their roles in a conspiracy to distribute large quantities of methamphetamine in the Springfield area.
Erik C. Foster, 43, was sentenced by U.S. District Judge Brian C. Wimes, to 215 months in federal prison without parole, to be followed by 5 years of supervised release. Foster pleaded guilty on Dec. 16, 2024.
Tilton Chase Tate, 41, was sentenced by U.S. District Judge Brian C. Wimes, to 146 months in federal prison without parole, to be followed by 5 years of supervised release. Tate pleaded guilty on October 15, 2024.
Foster and Tate were charged, along with other individuals, in a 24-count superseding indictment on July 25, 2023, for their roles in a drug conspiracy that lasted from Dec. 2020 to Oct. 2022.
Foster admitted to purchasing and delivering methamphetamine for other conspirators to distribute in Southwest Missouri. During the course of the conspiracy, law enforcement seized well over 50 grams of methamphetamine from members of the conspiracy.
According to court records, on Sep. 10, 2022, officers with the Republic, Mo. Police Department located two plastic bags containing at least 844 grams of methamphetamine from inside a speaker during a traffic stop where Foster was the passenger. Foster told officers that he had picked up the methamphetamine in Joplin and was taking it to Springfield to deliver it to a co-conspirator for distribution.
On Oct. 12, 2022, deputies with the Greene County, Mo., Sheriff’s Office seized a small plastic bag of what appeared to be black tar heroin, a backpack containing 70 grams of methamphetamine, and over $11,960 in cash from Foster during a traffic stop. During a post-Miranda interview, Foster told officers that he was taking the backpack to a co-conspirator for distribution and that he had made six or seven similar trips to deliver methamphetamine.
Tate admitted to possessing and distributing methamphetamine to others as part of the conspiracy.
On Oct. 19, 2021, during a traffic stop, a Springfield, Mo. Police Department (SPD) detective seized over 440 grams of methamphetamine from Tate.
On April 14, 2022, while executing a search warrant for Tate’s residence, SPD officers located a Ruger LCP 380 handgun and a Stoeger Arms, STR 9C 9mm handgun, as well as miscellaneous pills and suspected methamphetamine.
Later in April, during a post-Miranda interview, Tate admitted to purchasing the methamphetamine seized during the Oct. traffic stop from a co-conspirator. He estimated that he was selling a pound of methamphetamine each week.
This case is being prosecuted by Assistant U.S. Attorney Stephanie L. Wan. It was investigated by the Bureau of Alcohol, Tobacco, Firearms, and Explosives, the Federal Bureau of Investigation, the Greene County, Mo., Sheriff’s Office, the Missouri State Highway Patrol, the Republic, Mo., Police Department, and the Springfield, Mo., Police Department.
Organized Crime and Drug Enforcement Task Force
This case is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)
KANSAS CITY, Mo. – A Kansas City, Mo., man was sentenced in federal court today for his role in a conspiracy to distribute fentanyl, methamphetamine, and heroin and for possession of firearms in furtherance of that conspiracy.
Codi J. Monteer, 38, was sentenced by U.S. District Judge D. Greg Kays to 30 years in federal prison without parole.
On Oct. 8, 2024, Monteer pleaded guilty to one count of conspiracy to distribute fentanyl, methamphetamine, heroin, and marijuana; one count of maintaining a drug involved premises; one count of possession of firearms in furtherance of the drug conspiracy; and one count of being a felon in possession of firearms.
Monteer’s participation in the drug trafficking conspiracy lasted approximately one year and he was responsible for conspiring with others to distribute at least 124 kilograms of methamphetamine; 700 grams of fentanyl (powder and pills); and 1.58 kilograms of heroin. He was also in possession of several firearms used in furtherance of his drug trafficking.
On one occasion, in March 2021, Monteer led members of the Kansas Highway Patrol on a high-speed pursuit that reached speeds of approximately 145 miles per hour. The pursuit did not conclude until two of the tires came off Monteer’s vehicle. During the pursuit, drugs were thrown from the vehicle.
Monteer was an associate of Autumn Dicks, Ian Hazel, They Kelley, Marc Downs, and Jamison Hopson-Stephens. Those individuals have already been sentenced for their roles within the conspiracy. Monteer was also an associate of Davion Williams, Curtis Lewis, Daniel Anderson, and Aaron Dorsey in this conspiracy. Those individuals have all pleaded guilty and are awaiting sentencing.
This case is being prosecuted by Assistant U.S. Attorney Ashleigh A. Ragner. It was investigated by the Kansas City, Mo. Police Department, FBI, United States Postal Inspection Service, and the Kansas State Highway Patrol.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (c)
ALBUQUERQUE – A Shiprock man has been charged with assault with a dangerous weapon after he allegedly stabbed a man multiple times during an altercation near Shiprock.
According to court documents, on the night of April 19, 2025, Navajo Police Department officers responded to a 911 call reporting a stabbing in Shiprock, New Mexico. Officers located the victim who had sustained three stab wounds to his upper and lower back. The victim was transported to the hospital for emergency treatment.
An investigation led by the FBI and Navajo Nation Criminal Investigators revealed that Matthew Charley, 29, an enrolled member of the Navajo Nation, approached the victim and two witnesses. After a brief verbal exchange, the witnesses left the area, leaving Charley and the victim alone. When the witnesses returned a short time later, they found the victim had been stabbed. The victim identified Charley as his assailant.
Law enforcement collected witness statements, obtained video evidence, and reviewed surveillance footage that corroborated the description and movements of the suspect.
Screenshot of video showing Charley
Charley is charged with assault with a dangerous weapon and will remain in custody pending trial, which has not yet been scheduled. If convicted of the current charges, Charley faces 10 years in prison.
U.S. Attorney Ryan Ellison and Philip Russell, Acting Special Agent in Charge of the Federal Bureau of Investigation’s Albuquerque Field Office made the announcement today.
The Farmington Resident Agency of the Federal Bureau of Investigation’s Albuquerque Field Office investigated this case with assistance from the Navajo Nation Police Department and Navajo Department of Criminal Investigations. Assistant U.S. Attorney Amy Mondragon is prosecuting the case.
A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
Source: Federal Bureau of Investigation (FBI) State Crime Alerts (c)
BUFFALO, N.Y. – U.S. Attorney Michael DiGiacomo announced today that Waleed Abughanem, 33, of Lackawanna, NY, who was convicted of misprision of felony, was sentenced to serve 36 months in prison by U.S. District Judge John L. Sinatra, Jr.
Assistant U.S. Attorneys Charles M. Kruly and Maeve E. Huggins, who handled the case, stated that Abughanem is the son of Khaled Abughanem and the brother of Adham Abughanem. On September 8, 2021, Khaled and Adham Abughanem flew from Buffalo, NY, to Guadalajara, Mexico to kidnap Victim 1, who is the daughter of Khaled and the sister of Adham and Waleed. Between September 10, 2021, and April 6, 2023, Waleed, Khaled and Adham Abughanem conspired to transport Victim 1 from the Western District of New York to Cairo, Egypt, and then to Sanaa, Yemen, where they confined Victim 1 for approximately 16 months with the purpose of marrying her to a man not of her choosing.
Waleed Abughanem knew Victim 1 was being held involuntarily, and during some of this period, he was present in Yemen. When he was not present in Yemen, Waleed Abughanem instructed his wife to monitor and supervise Victim 1. In December 2022, Waleed Abughanem traveled from Yemen to the United States. When questioned by U.S. Customs and Border Protection as to the whereabouts of his siblings, Waleed Abughanem told the CBP Officer that the Victim was in the United States. By making a false statement, Waleed Abughanem concealed that Victim 1 had been kidnapped and was being involuntarily held in Yemen.
Khaled and Adham Abughanem were previously convicted by a federal jury at trial and are awaiting sentencing.
Waleed Abughanem’s sentencing is the result of an investigation by the Federal Bureau of Investigation, under the direction of Special Agent-in-Charge Matthew Miraglia, and the U.S. Department of State’s Diplomatic Security Service, under the direction of Diplomatic Security Director Carlos Matus and Deputy Assistant Secretary Paul Houston. Additional assistance was provided by the Lackawanna Police Department, under the direction of Chief Mark Packard, Customs and Border Protection, under the direction of Director of Field Operations Rose Brophy, and CBP in Boston, Massachusetts.
Greenbelt, Maryland – Chase William Mulligan, 28, of Silver Spring, Maryland, pled guilty to two counts of producing child sexual abuse material in federal court. The charges are in connection with a scheme in which he met young girls through social media and internet chat rooms and eventually “sextorted” them.
Specifically, through the scheme, Mulligan coerced at least 108 girls — ranging from ages 5-17 — to send him sexually explicit photographs and videos of themselves. When the girls told him they no longer wanted to send him sexually graphic images, Mulligan threatened to post the images online or come to their house.
Kelly O. Hayes, U.S. Attorney for the District of Maryland, announced the guilty plea with Special Agent in Charge William J. DelBagno of the Federal Bureau of Investigation (FBI) – Baltimore Field Office.
“Mulligan used manipulation, fear, and intimidation to exploit over 100 young victims. Now we must ensure that we send a clear message to Mulligan, and others, that those who abuse the most vulnerable members of our communities will pay a steep price,” Hayes said. “We’re committed to working with our law-enforcement partners to relentlessly pursue, prosecute, and bring to justice those who engage in these deplorable acts.”
“Chase Mulligan is a depraved and dangerous predator. He used social media to target, viciously threaten, and horribly abuse more than 100 minor victims – one as young as five years old,” DelBagno said. “His abhorrent behavior is not diminished by the fact he was thousands of miles away and never met his victims, rather, it’s the opposite. Despite his distance, he presents a serious threat to any child he can access through the internet. The FBI works diligently every day to find and arrest predators like Mulligan so they can no longer prey on innocent children.”
As detailed in the plea agreement, between at least 2019 and December 2023, Mulligan used numerous Snapchat, Discord, Roblox, Skype, Omegle, and Instagram accounts to target young girls. He convinced minors living in the United States, Canada, Denmark, Spain, Philippines, Australia, and United Kingdom to produce and send him sexually explicit images.
Mulligan also directed minors to expose their genital areas and engage in sexual conduct. Additionally, Mulligan coerced multiple girls to urinate on camera, insert objects into their genitalia, and participate in sexual acts with dogs.
After some victims informed Mulligan that they no longer wished to send him sexually explicit images, he threatened to publicly post the images or come to their homes. Mulligan wanted the victims to send more images depicting increasingly graphic sexual conduct.
As part of his plea agreement, Mulligan must register as a sex offender in places where he resides, is an employee, and is a student, under the Sex Offender Registration and Notification Act.
Mulligan is facing a mandatory minimum of 15 years and a statutory maximum of 60 years in federal prison. U.S. District Judge Theodore C. Chuang scheduled sentencing for Wednesday, August 27, at 2:30 p.m.
This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorney’s Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, visit www.justice.gov/psc. Click the “Resources” tab on the left side of the page to learn about Internet safety education.
U.S. Attorney Hayes commended the FBI for its work in the investigation. Ms. Hayes also thanked Assistant U.S. Attorneys Megan S. McKoy and Elizabeth Wright who are prosecuting the case.
NEW YORK, May 21, 2025 (GLOBE NEWSWIRE) — Monteverde & Associates PC (the “M&A Class Action Firm”), has recovered millions of dollars for shareholders and is recognized as a Top 50 Firm in the 2024 ISS Securities Class Action Services Report. We are headquartered at the Empire State Building in New York City and are investigating SigmaTron International, Inc. (NASDAQ:SGMA), relating to the proposed merger with Transom Capital Group, LLC. Under the terms of the agreement, an affiliate of Transom will commence a tender offer to acquire all outstanding shares of the Company’s common stock for $3.02 per share in cash.
NOT ALL LAW FIRMS ARE THE SAME. Before you hire a law firm, you should talk to a lawyer and ask:
Do you file class actions and go to Court?
When was the last time you recovered money for shareholders?
What cases did you recover money in and how much?
About Monteverde & Associates PC
Our firm litigates and has recovered money for shareholders…and we do it from our offices in the Empire State Building. We are a national class action securities firm with a successful track record in trial and appellate courts, including the U.S. Supreme Court.
No company, director or officer is above the law. If you own common stock in the above listed company and have concerns or wish to obtain additional information free of charge, please visit our website or contact Juan Monteverde, Esq. either via e-mail at jmonteverde@monteverdelaw.com or by telephone at (212) 971-1341.
Contact: Juan Monteverde, Esq. MONTEVERDE & ASSOCIATES PC The Empire State Building 350 Fifth Ave. Suite 4740 New York, NY 10118 United States of America jmonteverde@monteverdelaw.com Tel: (212) 971-1341
Attorney Advertising. (C) 2025 Monteverde & Associates PC. The law firm responsible for this advertisement is Monteverde & Associates PC (www.monteverdelaw.com). Prior results do not guarantee a similar outcome with respect to any future matter.
NEW YORK, May 21, 2025 (GLOBE NEWSWIRE) — Monteverde & Associates PC (the “M&A Class Action Firm”), has recovered millions of dollars for shareholders and is recognized as a Top 50 Firm in the 2024 ISS Securities Class Action Services Report. We are headquartered at the Empire State Building in New York City and are investigating CFSB Bancorp, Inc. (NASDAQ:CFSB), relating to the proposed merger with Hometown Financial Group, Inc. Under the terms of the agreement, CFSB shareholders will receive $14.25 in cash for each share of CFSB common stock.
NATO Secretary General Mark Rutte welcomed Czech President Petr Pavel to NATO Headquarters on Wednesday (21 May 2025) to discuss preparations for the upcoming NATO Summit in The Hague.
The Secretary General praised Czechia as a strong and reliable Ally, highlighting its defence investment and support to Ukraine. “You spend more than 2% of GDP on defence, and I welcome the commitment you’ve already made to increase defence spending to 3% in the coming years,” said Mr Rutte.
Czechia plays an important role in NATO’s deterrence and defence, contributing to Forward Land Forces in Slovakia, Latvia and Lithuania. This year, Czechia will also deploy combat aircraft to Iceland in support of NATO’s air policing mission.
The Secretary General commended Czechia’s substantial support to Ukraine, including over 1.3 billion euros in military assistance. He welcomed the success of the Czech-led ammunition initiative, which has helped deliver over 3 million rounds of large-calibre ammunition to Ukraine, including 1.5 million in 2024 alone. Mr Rutte also underlined Czechia’s growing role in NATO’s long-term support to Ukraine, including contributions to NATO’s Security Assistance and Training command (NSATU) in Wiesbaden and the deployment of 20 personnel to NSATU’s Logistics Enabling Nodes this July.
Looking ahead to the NATO Summit in The Hague, Secretary General Rutte stressed the importance of strengthening NATO’s deterrence and defence even further, increasing defence spending, and building a stronger and more innovative transatlantic defence industry. “We will need to do much more, and this will remain our focus as we prepare for The Hague Summit,” he said. “We have a lot of work to do. And I know I can count on Czechia’s continued commitment and leadership.”
Source: Federal Bureau of Investigation FBI Crime News (b)
KANSAS CITY, Mo. – A Kansas City, Mo., man was indicted by a federal grand jury on charges related to child pornography.
According to an indictment returned this week, Jeffrey Lynn Petrie, 40, of Kansas City, Mo., was charged with one count of distributing child pornography over the internet in May 2024, and one count of receiving child pornography from Dec. 9, 2024, to Dec. 10, 2024.
The indictment replaces a complaint originally filed on Friday, April 25, 2025. According to an affidavit filed in support of the criminal complaint, law enforcement officers received a Cybertip reporting that a user, “kinkypopper69,” was uploading video files depicting child sexual abuse materials. Petrie was later identified as the user “kinkypopper69.”
On April 24, 2025, the FBI conducted a search at Petrie’s residence and seized a cell phone and other electronic devices.
Petrie is a registered sex offender in Missouri based on prior convictions for child molestation in the 2nd degree.
The charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.
Under federal statutes, if convicted of distribution and receipt of child pornography, a prison sentence of not less than 15 years and not more than 40 years and a fine of up to $250,000 is authorized on each count. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.
This case is being prosecuted by Assistant U.S. Attorney Teresa A. Moore. This case was investigated by the Federal Bureau of Investigation, and the Franklin County, Missouri Sheriff’s Office.
Project Safe Childhood
This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorneys’ Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, please visit www.usdoj.gov/psc. For more information about Internet safety education, please visit www.usdoj.gov/psc and click on the tab “resources.”
Source: Federal Bureau of Investigation FBI Crime News (b)
ALBUQUERQUE – A Shiprock man has been charged with assault with a dangerous weapon following a shooting incident outside a restaurant.
According to court documents, Navajo Nation Police responded to a 911 call reporting that an individual was shot in the hand in front of the Little Caesars Restaurant in Shiprock. Officers located the suspect, identified as Terrold Tyler, 35, an enrolled member of the Navajo Nation, near the scene carrying a black backpack that contained a homemade firearm and five live shotgun shells. Tyler was detained without incident.
Investigators determined that Tyler and the victim were involved in an argument behind the restaurant prior to the shooting. Tyler allegedly produced the homemade shotgun and shot the victim in the left hand. Paramedics responded to the scene, but the victim declined medical treatment. A social media video depicting Tyler with the firearm was also recovered as evidence.
Tyler is charged with assault with a dangerous weapon and will remain in custody pending trial, which has not yet been scheduled. If convicted of the current charges, Tyler faces up to 10 years in prison.
U.S. Attorney Ryan Ellison and Philip Russell, Acting Special Agent in Charge of the Federal Bureau of Investigation’s Albuquerque Field Office made the announcement today.
The Farmington Resident Agency of the Federal Bureau of Investigation’s Albuquerque Field Office investigated this case with assistance from the Navajo Nation Police Department and Navajo Department of Criminal Investigations. Assistant U.S. Attorney Amy Mondragon is prosecuting the case.
A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.
The following authors and co-sealers are releasing this CSA:
United States National Security Agency (NSA)
United States Federal Bureau of Investigation (FBI)
United Kingdom National Cyber Security Centre (NCSC-UK)
Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Department of Defense Cyber Crime Center (DC3)
United States Cyber Command (USCYBERCOM)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (CCCS)
Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
Estonian Foreign Intelligence Service (EFIS) Välisluureamet
Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.
Description of Targets
The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:
Defense Industry
Transportation and Transportation Hubs (ports, airports, etc.)
Maritime
Air Traffic Management
IT Services
In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].
The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].
The countries with targeted entities include the following, as illustrated in Figure 1:
Bulgaria
Czech Republic
France
Germany
Greece
Italy
Moldova
Netherlands
Poland
Romania
Slovakia
Ukraine
United States
Figure 1: Countries with Targeted Entities
Initial Access TTPs
Unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):
The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]
Credential Guessing/Brute Force
Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].
Spearphishing
GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient.
Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:
Webhook[.]site
FrgeIO
InfinityFree
Dynu
Mocky
Pipedream
Mockbin[.]org
The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].
CVE Usage
Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].
Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.
Post-Compromise TTPs
After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].
The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:
C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
Figure 2: Example Active Directory Domain Services command
Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].
Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]
After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including:
sender,
recipient,
train/plane/ship numbers,
point of departure,
destination,
container registration numbers,
travel route, and
cargo contents.
In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.
Malware
Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:
While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.
Persistence
In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence.
Exfiltration
GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure.
The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected.
Connections to Targeting of IP Cameras
In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams.
The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.
Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration.
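A defender-side way to inspect captured RTSP requests for the behaviour described above, as an added example that is not part of the advisory: it decodes Basic credentials carried in DESCRIBE requests, compares them with a default-credential list, looks for the Hikvision string listed among the indicators, and counts distinct credentials per source. The capture format, the placeholder default list, the finding names, the threshold and every sample request are constructed assumptions.

```python
import base64
import binascii
from collections import defaultdict

HIKVISION_STRING = "YWRtaW46MTEK"  # indicator string listed in this advisory

# Placeholder defaults (assumption): replace with the documented defaults
# of the camera models in your own inventory.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root")}

# Constructed captures: (source IP, raw request). Addresses are documentation
# ranges. Where the Hikvision string is placed is also constructed; the
# advisory lists only the string itself.
SAMPLE_CAPTURES = [
    ("203.0.113.7", "DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\n"
                    "CSeq: 1\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
    ("203.0.113.7", "DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\n"
                    "CSeq: 2\r\nAuthorization: Basic cm9vdDpyb290\r\n\r\n"),
    ("203.0.113.7", "DESCRIBE rtsp://192.0.2.11:554/stream1 RTSP/1.0\r\n"
                    "CSeq: 3\r\nAuthorization: Basic dXNlcjp1c2Vy\r\n\r\n"),
    ("198.51.100.20", "DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\n"
                      "CSeq: 1\r\n\r\n"),
    ("203.0.113.9", "DESCRIBE rtsp://192.0.2.12:554/stream1 RTSP/1.0\r\n"
                    "CSeq: 1\r\nAuthorization: Basic YWRtaW46MTEK\r\n\r\n"),
    ("198.51.100.20", "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
]


def parse_rtsp_request(raw):
    """Return (method, uri, headers) or None if this is not an RTSP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def inspect_request(raw):
    """Decode any Basic credential and list findings for one request."""
    findings = []
    if HIKVISION_STRING in raw:
        findings.append("hikvision_string")
    parsed = parse_rtsp_request(raw)
    if parsed is None:
        return {"method": None, "uri": None, "credential": None,
                "findings": findings}
    method, uri, headers = parsed
    credential = None
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
            user, sep, password = decoded.decode("utf-8", "replace").partition(":")
            if sep:
                credential = (user, password)
        except (binascii.Error, ValueError):
            findings.append("malformed_basic_token")
    if credential and method == "DESCRIBE":
        findings.append("basic_auth_describe")
    if credential in DEFAULT_CREDENTIALS:
        findings.append("default_credential")
    return {"method": method, "uri": uri, "credential": credential,
            "findings": findings}


def summarise_sources(captures, guess_threshold=3):
    """Map each source IP with findings to a sorted list of finding names."""
    credentials = defaultdict(set)
    findings = defaultdict(set)
    for source, raw in captures:
        result = inspect_request(raw)
        findings[source].update(result["findings"])
        if result["credential"]:
            credentials[source].add(result["credential"])
    # Several distinct credentials from one source suggests guessing.
    for source, seen in credentials.items():
        if len(seen) >= guess_threshold:
            findings[source].add("credential_guessing")
    return {src: sorted(names) for src, names in findings.items() if names}


if __name__ == "__main__":
    for src, names in summarise_sources(SAMPLE_CAPTURES).items():
        print(src, names)
```
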
From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:
Table 1: Geographic distribution of targeted IP cameras

| Country | Percentage of Total Attempts |
| --- | --- |
| Ukraine | 81.0% |
| Romania | 9.9% |
| Poland | 4.0% |
| Hungary | 2.8% |
| Slovakia | 1.7% |
| Others | 0.6% |
Mitigation Actions
General Security Mitigations
Architecture and Configuration
Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.
Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].
Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
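One way to implement the new-subdomain heuristic described above, as an added example (not code from the advisory or its authoring agencies): it reads resolver log lines and reports the first sighting of each subdomain under a watched provider suffix, with the clients that queried it. The log format, the baseline set and the sample records are constructed assumptions; the suffixes are a sample of the services this advisory names.

```python
from collections import defaultdict
from datetime import datetime, timezone

# A sample of the hosting / API-mocking suffixes this advisory names
# (defanged on the page; written normally here for matching).
WATCHED_SUFFIXES = (
    "webhook.site", "mockbin.org", "mocky.io",
    "pipedream.net", "frge.io", "infinityfreeapp.com",
)

# Constructed resolver log: "<UTC timestamp> <client IP> <queried name>".
SAMPLE_DNS_LOG = """\
2024-07-01T08:00:12Z 10.0.5.21 intranet.example.com
2024-07-01T08:01:40Z 10.0.5.21 a1b2c3.webhook.site
2024-07-01T08:03:05Z 10.0.7.9 docs-team.mocky.io
2024-07-01T09:15:44Z 10.0.5.33 A1B2C3.webhook.site.
2024-07-01T09:20:00Z 10.0.5.33 notwebhook.site
truncated-line 10.0.5.33
2024-07-01T10:02:31Z 10.0.8.4 Portal-Login.InfinityFreeApp.com
"""

# Constructed baseline: subdomains already reviewed and accepted.
SAMPLE_BASELINE = frozenset({"docs-team.mocky.io"})


def parse_line(line):
    """Return (timestamp, client, normalised qname) or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    stamp, client, qname = parts
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    # DNS names are case-insensitive and may carry a trailing root dot.
    return when.replace(tzinfo=timezone.utc), client, qname.rstrip(".").lower()


def watched_suffix(qname):
    """Return the provider suffix if qname is a subdomain of one, else None."""
    for suffix in WATCHED_SUFFIXES:
        # Require a label boundary so "notwebhook.site" does not match.
        if qname.endswith("." + suffix):
            return suffix
    return None


def find_new_subdomains(log_text, baseline=frozenset()):
    """List subdomains of watched providers that are not in the baseline."""
    first_seen = {}
    clients = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        when, client, qname = record
        suffix = watched_suffix(qname)
        if suffix is None or qname in baseline:
            continue
        if qname not in first_seen or when < first_seen[qname][0]:
            first_seen[qname] = (when, suffix)
        clients[qname].add(client)
    ordered = sorted(first_seen, key=lambda name: first_seen[name][0])
    return [
        {
            "qname": name,
            "provider": first_seen[name][1],
            "first_seen": first_seen[name][0].isoformat(),
            "clients": sorted(clients[name]),
        }
        for name in ordered
    ]


if __name__ == "__main__":
    for hit in find_new_subdomains(SAMPLE_DNS_LOG, SAMPLE_BASELINE):
        print(hit)
```

Feeding each day's findings back into the baseline after review keeps the output limited to names nobody has looked at yet.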
Identity and Access Management
Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques:
Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
Use account throttling or account lockout [D3-ANET]:
Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
IP Camera Mitigations
The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:
Ensure IP cameras are currently supported. Replace devices that are out of support.
Apply security patches and firmware updates to all IP cameras [D3-SU].
Disable remote access to the IP camera, if unnecessary [D3-ITF].
Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
If supported, enable authenticated RTSP access only [D3-AA].
Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
Configure, tune, and monitor logging—if available—on the IP camera.
Indicators of Compromise (IOCs)
Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.
Utilities and scripts
Legitimate utilities
Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:
ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
wevtutil – A legitimate Windows executable used by threat actors to delete event logs
vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
ADexplorer – A legitimate Windows executable to view, edit, and back up Active Directory Certificate Services
OpenSSH – The Windows version of a legitimate open source SSH client
schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
whoami – A legitimate Windows executable used to retrieve the name of the current user
tasklist – A legitimate Windows executable used to retrieve the list of running processes
hostname – A legitimate Windows executable used to retrieve the device name
arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
net – A legitimate Windows executable used to retrieve detailed user information
wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
cacls – A legitimate Windows executable used to modify permissions on files
icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
ssh – A legitimate Windows executable used to establish network shell connections
reg – A legitimate Windows executable used to add to or modify the system registry
Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.
Malicious scripts
Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
Hikvision backdoor string: “YWRtaW46MTEK”
Suspicious command lines
While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:
edge.exe “-headless-new -disable-gpu”
ntdsutil.exe “activate instance ntds” ifm “create full C:\temp\[a-z]{3}” quit quit
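The command lines above turned into hunting logic over process-creation events, as an added example that is not part of the advisory. The event fields, rule names, severity labels, expected-activity allowlist and sample events are assumptions made for illustration; the allowlist is one simple form of the additional context that hunting for these legitimate utilities needs.

```python
import re

# Patterns built from the command lines and utilities this advisory lists.
NTDS_IFM = re.compile(r'ntdsutil(?:\.exe)?\b.*\bifm\b.*create full ([^"\s]+)')
STAGING_PATH = re.compile(r'c:\\temp\\[a-z]{3}')  # C:\temp\[a-z]{3} from the page
LOG_CLEAR = re.compile(r'wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+"?([^"\s]+)')
HEADLESS = re.compile(r'-headless[-=]new\b')      # also matches --headless=new
NO_GPU = re.compile(r'-disable-gpu\b')

# Assumption: (host, user, rule) triples that change records say are expected.
EXPECTED = {("DC02", "svc_adbackup", "ntdsutil_ifm")}

# Constructed process-creation events (hypothetical hosts and accounts).
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "jdoe", "command_line":
        r'C:\Windows\system32\ntdsutil.exe "activate instance ntds" '
        r'ifm "create full C:\temp\qzx" quit quit'},
    {"host": "DC02", "user": "svc_adbackup", "command_line":
        r'ntdsutil.exe "activate instance ntds" '
        r'ifm "create full D:\Backups\AD" quit quit'},
    {"host": "DC02", "user": "asmith", "command_line":
        r'ntdsutil.exe "activate instance ntds" '
        r'ifm "create full D:\Backups\AD" quit quit'},
    {"host": "WS14", "user": "jdoe", "command_line": "wevtutil.exe cl Security"},
    {"host": "WS14", "user": "jdoe", "command_line":
        "edge.exe \u201c-headless-new -disable-gpu\u201d"},
    {"host": "WS20", "user": "asmith",
     "command_line": "wevtutil.exe qe System /c:5"},
]


def normalise(command_line):
    """Lower-case, straighten typographic quotes and collapse whitespace."""
    text = command_line.replace("\u201c", '"').replace("\u201d", '"')
    return re.sub(r"\s+", " ", text).strip().lower()


def classify(command_line):
    """Return (rule, severity, detail) tuples for one command line."""
    cmd = normalise(command_line)
    hits = []
    match = NTDS_IFM.search(cmd)
    if match:
        path = match.group(1)  # truncated at the first space, if any
        # The advisory's example stages the copy in C:\temp\<three letters>.
        severity = "high" if STAGING_PATH.fullmatch(path) else "medium"
        hits.append(("ntdsutil_ifm", severity, path))
    match = LOG_CLEAR.search(cmd)
    if match:
        hits.append(("event_log_clear", "high", match.group(1)))
    if "edge.exe" in cmd and HEADLESS.search(cmd) and NO_GPU.search(cmd):
        hits.append(("edge_headless", "medium", ""))
    return hits


def hunt(events, expected=EXPECTED):
    """Alert on matches, suppressing expected activity unless it is high."""
    alerts = []
    for event in events:
        for rule, severity, detail in classify(event["command_line"]):
            routine = (event["host"], event["user"], rule) in expected
            if routine and severity != "high":
                continue
            alerts.append((event["host"], event["user"], rule, severity, detail))
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```
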
Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
Detections
Customized NTLM listener
rule APT28_NTLM_LISTENER {
meta:
description = "Detects NTLM listeners including APT28's custom one"
( any of ($sysinternals_*) and any of ($psexec_*) )
or
( 2 of ($network_*) and 2 of ($psexec_*))
)
}
The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community:
Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.
Further Reference
To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc.
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact
United States organizations
National Security Agency (NSA)
Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Department of Defense Cyber Crime Center (DC3)
United Kingdom organizations
Germany organizations
Czech Republic organizations
Poland organizations
Australian organizations
Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations
Estonia organizations
French organizations
French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18.
See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.
Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.
Appendix C: MITRE D3FEND Countermeasures
Table 16: MITRE D3FEND countermeasures
Countermeasure Title
ID
Details
Network Isolation
Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
Access Mediation
Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
Inbound Traffic Filtering
Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
Resource Access Pattern Analysis
Use automated tools to audit access logs for security concerns and identify anomalous access requests.
Outbound Traffic Filtering
Block NTLM/SMB requests to external infrastructure.
Platform Monitoring
Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
System File Analysis
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
Application Hardening
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
Application-based Process Isolation
Enable attack surface reduction rules to prevent executable content from email.
Executable Allowlisting
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
Execution Isolation
Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
Application Configuration Hardening
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
Process Spawn Analysis
Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
URL Reputation Analysis
Use services that provide enhanced browsing services and safe link checking.
Network Access Mediation
Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
Domain Name Reputation Analysis
Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
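The first-seen heuristic described above can be run over DNS query logs as follows. This is an added example, not code from the advisory; the log format (`timestamp client qname qtype`), the small suffix table, the `ignore_parents` parameter and all sample lines are constructed assumptions.

```python
"""First-seen subdomain heuristic over DNS query logs (added example)."""
from dataclasses import dataclass, field
from datetime import datetime

# Assumption: a tiny stand-in for the Public Suffix List. Production code
# should use the full list to find the registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(fqdn):
    """Return the parent (registrable) domain of a fully qualified name."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse 'ISO-timestamp client qname qtype'; return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].rstrip(".").lower()


@dataclass
class Finding:
    fqdn: str
    parent: str
    first_seen: datetime
    parent_known: bool      # was the parent domain already in the baseline?
    clients: set = field(default_factory=set)


def find_new_subdomains(baseline_lines, new_lines, ignore_parents=frozenset()):
    """Report subdomains absent from the baseline, with every requesting client."""
    seen, known_parents = set(), set()
    for line in baseline_lines:
        rec = parse_line(line)
        if rec:
            seen.add(rec[2])
            known_parents.add(registrable_domain(rec[2]))

    findings = {}
    for line in new_lines:
        rec = parse_line(line)
        if rec is None:
            continue        # skip malformed lines instead of failing the run
        ts, client, qname = rec
        parent = registrable_domain(qname)
        # Apex names, names already in the baseline, and reviewed parents
        # (for example the organization's own zones) are not findings.
        if qname == parent or qname in seen or parent in ignore_parents:
            continue
        f = findings.setdefault(
            qname, Finding(qname, parent, ts, parent in known_parents))
        f.first_seen = min(f.first_seen, ts)
        f.clients.add(client)   # each client is a potentially targeted user
    return sorted(findings.values(), key=lambda f: f.first_seen)


# Constructed sample logs; names use reserved example domains.
BASELINE_LOG = [
    "2025-05-01T09:00:00 10.0.0.5 www.example.com A",
    "2025-05-01T09:01:00 10.0.0.6 mail.example.com A",
    "2025-05-02T10:00:00 10.0.0.5 portal.example.org. A",
]
NEW_LOG = [
    "2025-05-20T08:00:00 10.0.0.5 www.example.com A",
    "2025-05-20T08:05:00 10.0.0.7 login-portal.example.com A",
    "2025-05-20T08:06:00 10.0.0.9 LOGIN-PORTAL.example.com. AAAA",
    "2025-05-20T08:10:00 10.0.0.7 a1b2.hooks.example.net A",
    "2025-05-20T08:11:00 10.0.0.8 example.net A",
    "malformed line here",
    "2025-05-20T08:12:00 10.0.0.8 updates.example.co.uk A",
]


def run_demo():
    return find_new_subdomains(BASELINE_LOG, NEW_LOG,
                               ignore_parents={"example.co.uk"})


if __name__ == "__main__":
    for f in run_demo():
        print(f.first_seen.isoformat(), f.fqdn,
              "known-parent" if f.parent_known else "new-parent",
              sorted(f.clients))
```

The `clients` set on each finding gives the list of users to check when a new subdomain turns out to be a phishing host.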
Multi-factor Authentication
Use MFA with strong factors and require regular re-authentication, especially for management accounts.
Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.
User Account Permissions
Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
Token-based Authentication
Reduce reliance on passwords; instead, consider using services like single sign-on.
Credential Hardening
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
Authentication Event Thresholding
Use account throttling or account lockout. Throttling progressively increases the time delay between successive login attempts. If using account lockout, allow between 5 and 10 attempts before lockout.
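A per-account throttle that doubles the delay after each failed login and locks the account once a threshold in the 5 to 10 range is reached can look like this. It is an added example, not code from the advisory; the class, the delay values, the caller-supplied clock and the sample credential store are assumptions made for illustration.

```python
"""Per-account login throttling with lockout (added example)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time the next attempt is evaluated
    locked: bool = False


class LoginThrottle:
    def __init__(self, verify, base_delay=1.0, max_delay=300.0, lockout_after=10):
        if not 5 <= lockout_after <= 10:
            raise ValueError("lockout_after must be between 5 and 10 attempts")
        self.verify = verify
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        # State is kept for unknown usernames too, so responses do not reveal
        # which accounts exist; bound or expire this map in production.
        self.accounts = {}

    def attempt(self, user, password, now):
        """Return 'ok', 'denied', 'throttled' or 'locked' for one attempt."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            # Rejected before the credential is checked, so guessing faster
            # than the delay gains nothing, even with the right password.
            return "throttled"
        if self.verify(user, password):
            del self.accounts[user]     # success resets the failure count
            return "ok"
        st.failures += 1
        if st.failures >= self.lockout_after:
            st.locked = True            # stays locked until unlock()
            return "locked"
        # Delay doubles with each failure: base, 2*base, 4*base, up to max.
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.next_allowed = now + delay
        return "denied"

    def retry_after(self, user, now):
        """Seconds until the next attempt for this account is evaluated."""
        st = self.accounts.get(user)
        if st is None or st.locked:
            return 0.0
        return max(0.0, st.next_allowed - now)

    def unlock(self, user):
        """Administrative reset after the lockout has been reviewed."""
        self.accounts.pop(user, None)


# Constructed credential store for the demo; the iteration count is kept
# low so the example runs quickly and is not a recommended setting.
DEMO_SALT = b"constructed-salt"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_USERS = {"alice": hashlib.pbkdf2_hmac(
    "sha256", DEMO_PASSWORD.encode(), DEMO_SALT, 10_000)}


def demo_verify(user, password):
    # Hash the candidate even for unknown users so timing stays uniform.
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), DEMO_SALT, 10_000)
    stored = DEMO_USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)


def run_demo():
    """Replay a guessing run against one account with a simulated clock."""
    throttle = LoginThrottle(demo_verify, base_delay=1.0, lockout_after=5)
    results = []
    for now, pw in [(0.0, "guess1"), (0.5, DEMO_PASSWORD), (1.0, "guess2"),
                    (3.0, "guess3"), (7.0, "guess4"), (15.0, "guess5"),
                    (1000.0, DEMO_PASSWORD)]:
        results.append(throttle.attempt("alice", pw, now))
    throttle.unlock("alice")
    results.append(throttle.attempt("alice", DEMO_PASSWORD, 1000.0))
    return results


if __name__ == "__main__":
    print(run_demo())
```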
Strong Password Policy
Use a service to check for compromised passwords before using them.
Credential Rotation
Change all default credentials.
Encrypted Tunnels
Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
Software Update
Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
Agent Authentication
Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
User Behavior Analysis
Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
WASHINGTON, May 21, 2025 (GLOBE NEWSWIRE) — Rhizome, the leading climate resilience planning platform for the power grid, today announced the close of a $6.5 million oversubscribed Seed funding round led by Base10 Partners. The company will use the funding to scale their AI platform and team as they continue to help utilities protect their grid and customers from the impacts of extreme weather events. Rhizome will focus on building out its existing platform, new product research and development, and expanding its geographic footprint domestically and internationally.
Rhizome, launched in 2023, supports utilities by helping them model the impacts of increasingly severe extreme weather events against their systems. By leveraging AI against climate risk data and digital representations of the physical grid, Rhizome’s platform identifies vulnerabilities and prioritizes resilience investments and upgrades. This fundraise will further fuel Rhizome’s mission to integrate climate intelligence into utility planning workflows at a time when grid resilience has never been more crucial.
Extreme weather events are rapidly increasing in frequency, intensity, and cost. In 2024 alone, the U.S. faced 27 billion-dollar climate and weather disasters, totaling over $182 billion in damages. For electric utilities, the stakes are particularly high. A McKinsey analysis found that major storms have cost individual utilities an average of $1.4 billion over a 20-year period, underscoring the urgent need for smarter, more resilient infrastructure planning in the face of growing climate volatility.
At the same time, electric utility capital expenditures hit a record $179 billion, with projections rising to $194 billion in 2025. In an environment where every dollar counts, utilities need advanced planning tools that can simulate a range of climate scenarios — removing the guesswork from resilience planning and helping every dollar go further.
“We set out to partner with investors who deeply understand the power sector and share our commitment to solving pressing climate resilience challenges,” said Mishal Thadani, Co-founder and CEO of Rhizome. “This funding allows us to scale our work and continue refining a suite of products that help utilities prepare the grid for an increasingly uncertain future.”
“Resilience is unquestionably one of the most important factors in ensuring a safe, reliable power grid,” said Rexhi Dollaku, General Partner at Base10 Partners. “Mish, Rahul, and the team bring the right mix of vision, urgency, and technical depth to solve this challenge, and we’re proud to support them.”
In just under two years, Rhizome has developed and commercialized a suite of mission-specific products used by electric utilities in diverse geographical regions. Its flagship product, gridADAPT, supports long-term infrastructure planning by helping utilities prioritize investments that improve reliability and resilience. This was followed by the launch of gridFIRM, a first-of-its-kind platform for wildfire risk mitigation, and most recently, gridCAVA –– an affordable climate vulnerability assessment tool designed specifically for municipal and cooperative utilities. Built on Rhizome’s scalable, cloud-based Aspen platform, these tools round out a powerful portfolio of climate resilience planning tools designed to model current and future climate risk against utility infrastructure, available to utilities across Rhizome’s expanding geographical footprint.
Rhizome is expanding its platform, growing its team, and partnering with more utilities to strengthen resilience in the face of climate-driven threats. Contact Rhizome or visit here to learn more about the company’s expanding portfolio of climate risk solutions.
About Rhizome Rhizome is an AI-powered software platform that helps utilities identify vulnerabilities from climate threats, quantify risk at high resolutions, and measure the economic and social benefits of grid-enhancing investments. Rhizome provides the highest standard of equitable climate risk mitigation to ensure that communities and businesses are protected against intensifying extreme weather events.
About Base10 Partners Founded by Adeyemi Ajao and TJ Nahigian, Base10 is a San Francisco-based venture capital fund investing in founders who believe purpose is key to profits and companies that are automating sectors of the Real Economy, including transportation, retail, logistics, and construction. Through its program, The Advancement Initiative, Base10 aims to donate 50% of profits to underfunded colleges and universities to support financial aid and other key initiatives. Portfolio companies include Notion, Figma, Nubank, Stripe, Motive, Chili Piper, and Popmenu. Connect via base10.vc.
SINGAPORE, May 21, 2025 (GLOBE NEWSWIRE) — Bitcoin has officially shattered the long-anticipated $100,000 barrier, marking a historic milestone for the crypto market. As shown in the latest TradingView chart, BTC continues to push higher, riding the upper edge of the Bollinger Bands with no signs of slowing down.
While the bull run creates exciting opportunities, traders are now facing a critical question: Which platform is best positioned to help them capitalize on this volatility?
Introducing BexBack — A Streamlined Futures Trading Platform Built for This Moment
In a sea of exchanges that are often overloaded, overcomplicated, or overregulated, BexBack stands out with its fast, frictionless, and fully non-KYC approach to crypto derivatives trading.
Whether you’re a seasoned leverage trader or just getting started, BexBack delivers a powerful yet simple experience, offering:
No KYC Required — Trade anonymously with just an email
100% Deposit Bonus+ $100 Trading Bonus — Double your capital and get a head start
Up to 100x Leverage — Maximize your position in times of volatility
Free Demo Account — Practice with 10 BTC and 1,000,000 USDT risk-free
50+ Perpetual Contracts — Including BTC, ETH, XRP, ADA, SOL and more
Zero Spread, No Slippage — What you see is what you get
Security and Speed in One Package
BexBack isn’t just fast — it’s secure. With cold wallet fund storage, multi-signature withdrawal approvals, and real-time risk monitoring, the platform ensures your assets and trades are well protected.
Global Access, Real Freedom
BexBack proudly serves a global user base. With no mandatory KYC, even traders from regions with limited access to traditional exchanges can participate freely and instantly.
About BexBack?
BexBack is a leading cryptocurrency derivatives platform offering up to 100x leverage on futures contracts for BTC, ETH, ADA, SOL, XRP, and over 50 other digital assets. Headquartered in Singapore, the platform also operates offices in Hong Kong, Japan, the United States, the United Kingdom, and Argentina. Like many top-tier exchanges, BexBack holds a U.S. MSB (Money Services Business) license and is trusted by more than 500,000 traders worldwide. The platform accepts users from the United States, Canada, and Europe, with zero deposit fees and 24/7 multilingual customer support, delivering a secure, efficient, and user-friendly trading experience.
As Bitcoin Enters Price Discovery, Don’t Get Left Behind
Markets like this don’t come around often. Whether you’re aiming to ride short-term price swings or position for long-term growth, BexBack provides the tools, leverage, and freedom you need to trade your way.
Create your account, claim your bonuses, and trade with confidence — all on BexBack.
WATERTOWN, Mass., May 21, 2025 (GLOBE NEWSWIRE) — Cangrade today announced the launch of its newly patented Resume Ranker (U.S. Patent No. 12,287,833), an AI feature that enables recruiters to quickly and effectively narrow down high-fit candidates from just a job description. With the ability to assess hundreds of resumes in minutes, Resume Ranker significantly expedites the process of finding top candidates and screening out those who may not meet the specific job requirements for a given role.
Born out of customer need, Resume Ranker goes a step beyond resume scanning tools and parsers, applying generative AI-powered technology to uncover the most relevant job requisites and subsequently screen for them. Using existing or new job descriptions, the AI then compares them to current candidate pools to uncover the highest fits for a role, based on rankings for both required and desired skills for the job.
With the ability to identify and edit required skills, users can create and adjust the parameters to find the best candidates. For example, a person applying for a data analyst role without SQL experience would be eliminated. More mundane skills like “record keeping” or “basic computer skills” can be removed or deprioritized. This ensures anyone in the hiring process is aligned based on the scope of the actual job.
Benefits of Resume Ranker Include:
Time Savings: Quickly sort through a large volume of resumes, enabling users to focus on uniquely human parts of the recruiting process, such as interviewing and building rapport with candidates.
Ease of Use: Simply access existing job descriptions or copy/paste new ones, with the ability to identify and edit required and desired skills tailored to the role.
Improved Accuracy and Insights: View resume rankings in an intuitive dashboard, and based on the results, narrow down candidates or fine-tune job descriptions to uncover the most pertinent skills, and thus candidates, for the role.
“With the uncertain state of the economy and job market, it’s likely that we’ll see a shift to an employers’ market this year, with more professionals competing for fewer jobs,” said Gershon Goren, founder and CEO, Cangrade. “With less internal resources and a higher number of applicants, recruiters need processes that empower them to make quick and accurate hiring decisions to stay competitive. Resume Ranker is an effective, intuitive tool giving recruiters a leg up.”
All Cangrade solutions are created through the lens of responsible AI. As such, Resume Ranker doesn’t include any demographic information, like names, in the resume screening process—the biggest driver of bias when using large language models (LLMs). Recruiters select only job-relevant skills and experiences, so the results are solely based on candidates’ competency and ability to perform the skills most important for the job.
Resume Ranker is now available to subscribers of Cangrade’s AI Copilot, Jules. For more information about Cangrade’s AI-powered, bias-free hiring and talent management solutions, visit www.cangrade.com.
About Cangrade For HR leaders, Cangrade is the bias-free, AI-powered talent intelligence platform. By integrating data into talent acquisition and management processes, Cangrade enables businesses to make strategic and efficient decisions from initial screening through the entire employee lifecycle. Delivering 10x more accurate predictions of talent success and retention than traditional methods, the company’s Pre-Hire Assessment has helped organizations like Wayfair, FDNY, Lamar Advertising, and Applied Industrial Technologies make the right hiring decisions for over 10 million candidates and counting. For more information, visit www.cangrade.com.
JACKSONVILLE, Fla., May 21, 2025 (GLOBE NEWSWIRE) — Duos Technologies Group, Inc. (“Duos” or the “Company”) (Nasdaq: DUOT), through its operating subsidiary Duos Edge AI, Inc. (“Duos Edge AI”), a provider of adaptive, versatile and streamlined Edge Data Center (“EDC”) solutions tailored to meet evolving needs in any environment, today announced a strategic partnership with Region 3 Education Service Center (ESC) to deploy a new EDC in Victoria, Texas. This marks the latest execution in Duos Edge AI’s national rollout strategy, reflecting continued traction in rural markets and reinforcing the Company’s presence in the education sector.
The Victoria-based EDC will serve as a highly secure, scalable, local computing hub supporting 37 school districts in the Region 3 footprint. Built on Duos Edge AI’s modular architecture—engineered to SOC 2 Type II compliance and backed by N+1 power redundancy and dual generators—the facility will enable low-latency access to mission-critical workloads including AI-based learning platforms, telemedicine, and EHR systems. This project exemplifies Duos Edge AI’s ability to rapidly deploy infrastructure that meets both community needs and commercial growth objectives.
Dr. Morris Lyon, Executive Director of Region 3 ESC, commented: “We are proud to partner with Duos Edge AI, Inc. to bring secure, innovative data solutions to the greater Victoria area. The commitment to community-based technology aligns with our mission to support the 37 districts we serve across Region 3. Together, we’re creating a safer, smarter foundation that helps schools and the community focus on what matters most—educating students.”
Doug Recker, President and Founder of Duos Edge AI, added: “This installation strengthens our position in the education vertical while demonstrating our ability to deliver digital infrastructure in underserved regions. Our partnership with Region 3 ESC accelerates digital equity, expands our market footprint, and contributes to sustainable long-term revenue. We’re also proud to bring new job opportunities to the area and look forward to collaborating with local businesses as we continue investing in the economic and technological future of the Victoria region.”
This deployment is part of Duos Edge AI’s 2025 roadmap, which targets 15 contracted EDCs by year-end. With nine sites commercially identified and additional real estate and contractual negotiations underway, the Company is on track to deliver scalable edge solutions across Texas, the Southeast, and Midwest, meeting the increasing demand for localized, low-latency compute infrastructure.
Duos Edge AI, Inc. is a subsidiary of Duos Technologies Group, Inc. (Nasdaq: DUOT). Duos Edge AI’s mission is to bring advanced technology to underserved communities, particularly in education, healthcare and rural industries, by deploying high-powered edge computing solutions that minimize latency and optimize performance. Duos Edge AI specializes in high-function Edge Data Center (“EDC”) solutions tailored to meet evolving needs in any environment. By focusing on providing scalable IT resources that seamlessly integrate with existing infrastructure, its solutions expand capabilities at the network edge, ensuring data uptime onsite services. With the ability to provide 100 kW+ per cabinet, rapid 90-day deployment, and continuous 24/7 data services, Duos Edge AI aims to position its edge data centers within 12 miles of end users or devices, significantly closer than traditional data centers. This approach enables timely processing of massive amounts of data for applications requiring real-time response and supporting current and future technologies without large capital investments. For more information, visit www.duosedge.ai.
About Region 3 Education Service Center (ESC) The Region 3 Education Service Center is proud to support our 37 public school districts, 52,000+ students, and hundreds of campuses across 11 counties: Calhoun, Colorado, DeWitt, Goliad, Jackson, Karnes, Lavaca, Matagorda, Refugio, Victoria, and Wharton. Spanning over 10,800 square miles, Region 3 ESC is more than a service provider — we’re a committed partner in delivering excellence to every classroom, every educator, and every child we serve. From across our region, our mission remains clear: to improve the performance of all learners. With programs that strengthen instruction, build leadership capacity, support student needs, and fuel innovation, Region 3 is here to help schools thrive — because when our schools succeed, our communities do too. For more information, visit https://www.esc3.net/.
About Duos Technologies Group, Inc. Duos Technologies Group, Inc. (Nasdaq: DUOT), based in Jacksonville, Florida, through its wholly owned subsidiaries, Duos Technologies, Inc., Duos Edge AI, Inc., and Duos Energy Corporation, designs, develops, deploys and operates intelligent technology solutions for Machine Vision and Artificial Intelligence (“AI”) applications including real-time analysis of fast-moving vehicles, Edge Data Centers and power consulting. For more information, visit www.duostech.com, www.duosedge.ai and www.duosenergycorp.com.
Forward-Looking Statements This news release includes forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, regarding, among other things, our plans, strategies and prospects — both business and financial. Although we believe that our plans, intentions and expectations reflected in or suggested by these forward-looking statements are reasonable, we cannot assure you that we will achieve or realize these plans, intentions or expectations. Forward-looking statements are inherently subject to risks, uncertainties and assumptions. Many of the forward-looking statements contained in this news release may be identified by the use of forward-looking words such as “believe,” “expect,” “anticipate,” “should,” “planned,” “will,” “may,” “intend,” “estimated” and “potential,” among others. Important factors that could cause actual results to differ materially from the forward-looking statements we make in this news release include market conditions and those set forth in reports or documents that we file from time to time with the United States Securities and Exchange Commission. We do not undertake or accept any obligation or undertaking to release publicly any updates or revisions to any forward-looking statements to reflect any change in our expectations or any change in events, conditions or circumstances on which any such statement is based, except as required by law. All forward-looking statements attributable to Duos Technologies Group, Inc. or a person acting on its behalf are expressly qualified in their entirety by this cautionary language.
NEW YORK, May 21, 2025 (GLOBE NEWSWIRE) — StepStone Group (Nasdaq: STEP), a global private markets solutions provider, today announced the opening of the new Ireland office at One Haddington Buildings, Dublin 4, of its subsidiary StepStone Group Europe Alternative Investment Limited (“SGEAIL”), an alternative investment fund manager regulated by the Central Bank of Ireland.
Having operated in Dublin since 2005 through a predecessor firm, SGEAIL enables EU-based clients to access private market investment solutions in private debt, private equity, real estate, and infrastructure and real assets. SGEAIL oversees €29.1 billion in AUM as of December 31, 2024, a significant increase from €20.6 billion in December 2022.
“Our growth in Ireland reflects the increasing demand for private market solutions globally, and especially among EU-based institutional and private wealth clients,” said David Allen, Partner and CEO of SGEAIL. “Our expanded space demonstrates our commitment to investing in the local economy and talent pool to meet this demand.”
Since 2021, the number of people working in StepStone’s Dublin office has doubled and now numbers 110 employees, approximately 10% of the firm’s global workforce. The new 12,000 square foot office allows the firm to continue to invest in talent to support the global client footprint, while providing the team with a modern workspace that was designed with teamwork, brand pride, wellness and sustainability in mind.
“StepStone Group’s expansion in Dublin is a welcome development for our financial services sector, and highlights Ireland’s position as a leading destination for global investment firms seeking to access the European market. I would like to congratulate the team at StepStone Group and wish them luck in this exciting new phase of their journey,” said Peter Burke, Minister for Enterprise, Tourism and Employment.
Michael Lohan, CEO of IDA Ireland, the agency responsible for attracting and retaining foreign direct investment into Ireland, said “StepStone’s announcement further underscores Ireland’s position as a leading location for global firms in the financial services sector. The combination of deep industry expertise, a strong pipeline of talent, and a stable, pro-business environment continues to attract companies looking for a strategic entry point to the EU and access to wider global markets. I want to wish StepStone every success and to assure them of our continued support and partnership as they expand their footprint in Ireland.”
In addition to managing EU-domiciled commingled funds and separate accounts for institutional clients, SGEAIL has in recent years served as a hub for StepStone’s expansion into the European private wealth market. Earlier this year, StepStone launched its first ELTIF focused on the private debt market and converted its existing RAIF funds into UCI Part II vehicles.
Savills Dublin served as StepStone’s tenant representative for the new office, and Calibro Workspace completed the space’s interior design and fitout.
About StepStone
StepStone Group Inc. (Nasdaq: STEP) is a global private markets investment firm focused on providing customized investment solutions and advisory and data services to its clients. As of December 31, 2024, StepStone was responsible for approximately $698 billion of total capital, including $179 billion of assets under management. StepStone’s clients include some of the world’s largest public and private defined benefit and defined contribution pension funds, sovereign wealth funds and insurance companies, as well as prominent endowments, foundations, family offices and private wealth clients, which include high-net-worth and mass affluent individuals. StepStone partners with its clients to develop and build private markets portfolios designed to meet their specific objectives across the private equity, infrastructure, private debt and real estate asset classes.
About IDA Ireland
IDA Ireland is the country’s inward investment promotion agency, responsible for attracting and developing foreign investment in Ireland. With a proven track record of facilitating international companies, IDA Ireland offers a range of services to support businesses in establishing and expanding operations on the island. Our expert team works closely with companies across various industries, including technology, pharmaceuticals, financial services, and more, providing tailor-made solutions to meet their needs.
As a gateway to Europe, Ireland offers a competitive corporate tax rate, a young and highly skilled workforce, and a robust business environment, making it an ideal location for global companies looking to innovate and grow. Headquartered in Dublin, with a network of offices worldwide, IDA Ireland is committed to driving economic growth and job creation by fostering a vibrant and sustainable business ecosystem. For more information, visit www.idaireland.com or follow us on Twitter @IDAIRELAND.
The information contained in the private placement memorandum (the “PPM”) for the VanEck PurposeBuilt Fund, L.P. is not complete and may be changed. Van Eck may not solicit subscriptions until the limited partnership’s interests are available for purchase. The private placement memorandum is not an offer or a solicitation for subscriptions referenced therein and is not a solicitation for an offer or solicitation for subscriptions in any state where the offer is not permitted. Please view the PPM here: VanEck PurposeBuilt Fund Private Placement Memorandum.
NEW YORK, May 21, 2025 (GLOBE NEWSWIRE) — VanEck, a leading asset manager, is today announcing the upcoming launch of the VanEck PurposeBuilt Fund, a private digital assets fund that will invest in businesses building on Avalanche and launching tokens designed to create long-term value and utility. The Fund is expected to launch in June 2025.
The Fund will invest in liquid tokens and venture-backed projects—spanning industries that include gaming, financial services, payments and AI—typically around or after a Token Generation Event, with a fundamentals-first strategy focused on long-term outcomes. Idle capital will be deployed onchain through Avalanche-native real-world asset (RWA) products, including tokenized money market funds, to maintain liquidity while reinforcing the broader onchain economy.
The Fund will be managed by the team behind the VanEck Digital Assets Alpha Fund (DAAF), one of the strongest-performing directional liquid token funds in the market, with over $100 million in assets under management. Since launching in 2022, DAAF has focused on investing in liquid tokens tied to scalable products, economic alignment and real adoption. This same approach is being applied to the PurposeBuilt Fund, with a focus on the Avalanche ecosystem, currently valued at nearly $50 billion. The team sees a growing concentration of serious builders leveraging the Avalanche network to pioneer new markets, while generating onchain economic activity. The PurposeBuilt Fund reflects VanEck’s conviction in the “GDP onchain” thesis: that blockchain technology will eventually be core to global economic and financial systems and that the projects that align with this vision will be the most durable.
“The next wave of value in crypto will come from real businesses, not more infrastructure,” said Pranav Kanade, Portfolio Manager of VanEck Digital Assets Alpha Fund. “Avalanche has become a magnet for thoughtful builders, and with the VanEck PurposeBuilt Fund, we’re bringing capital and conviction to the founders creating lasting value, not chasing momentum.”
The Fund is designed to address a persistent challenge in today’s crypto market. Founders launching legitimate blockchain-enabled businesses often struggle to stand out in an environment dominated by short-term speculation. This distorts incentives, undermines token credibility and slows real adoption. The Fund offers strategic, differentiated capital and long-term alignment, empowering mission-driven founders to stay focused, remain long-term oriented and scale effectively.
“VanEck’s launch of the PurposeBuilt Fund marks a pivotal moment for the Avalanche ecosystem,” commented John Nahas, Chief Business Officer at Ava Labs. “We’re seeing a shift away from speculative hype toward real utility and sustainable token economies, and the VanEck PurposeBuilt Fund aims to bring the kind of long-term capital and strategic conviction that builders need to lead that shift. This fund reinforces the strength of Avalanche as the home for serious founders who are scaling real businesses and driving meaningful onchain adoption.”
Avalanche continues to attract teams creating real-world applications across sectors, including DeFi, RWAs, AI, gaming, payments and FinTech. These builders are delivering enterprise-grade products already being adopted by web2 platforms and traditional institutions. The VanEck PurposeBuilt Fund ensures they have the capital, support and signal they need to succeed.
About VanEck
VanEck has a history of looking beyond the financial markets to identify trends that are likely to create impactful investment opportunities. We were one of the first U.S. asset managers to offer investors access to international markets. This set the tone for the firm’s drive to identify asset classes and trends — including gold investing in 1968, emerging markets in 1993, and exchange traded funds in 2006 — that subsequently shaped the investment management industry.
Today, VanEck offers active and passive strategies with compelling exposures supported by well-designed investment processes. As of 4/30/2025, VanEck managed approximately $116.6 billion in assets, including mutual funds, ETFs and institutional accounts. The firm’s capabilities range from core investment opportunities to more specialized exposures to enhance portfolio diversification. Our actively managed strategies are fueled by in-depth, bottom-up research and security selection from portfolio managers with direct experience in the sectors and regions in which they invest. Investability, liquidity, diversity, and transparency are key to the experienced decision-making around market and index selection underlying VanEck’s passive strategies.
Since our founding in 1955, putting our clients’ interests first, in all market environments, has been at the heart of the firm’s mission.
About Avalanche
Avalanche is an ultra-fast, low-latency blockchain platform designed for builders who need high performance at scale. The network’s architecture allows for the creation of sovereign, efficient and fully interoperable public and private layer 1 (L1) blockchains which leverage the Avalanche Consensus Mechanism to achieve high throughput and near-instant transaction finality. The ease and speed of launching an L1, and the breadth of architectural customization choices, make Avalanche the perfect environment for a composable multi-chain future.
Supported by a global community of developers and validators, Avalanche offers a fast, low-cost environment for building decentralized applications (dApps). With its combination of speed, flexibility, and scalability, Avalanche is the platform of choice for innovators pushing the boundaries of blockchain technology.
General Disclosures
This is not an offer to buy or sell, or a recommendation to buy or sell any of the securities, financial instruments or digital assets mentioned herein. The information presented does not involve the rendering of personalized investment, financial, legal, tax advice, or any call to action. Certain statements contained herein may constitute projections, forecasts and other forward-looking statements, which do not reflect actual results, are for illustrative purposes only, are valid as of the date of this communication, and are subject to change without notice. Actual future performance of any assets or industries mentioned are unknown. Information provided by third party sources are believed to be reliable and have not been independently verified for accuracy or completeness and cannot be guaranteed. VanEck does not guarantee the accuracy of third party data. The information herein represents the opinion of the author(s), but not necessarily those of VanEck or its other employees.
Important Disclosures – VanEck PurposeBuilt Fund and VanEck Digital Assets Alpha Fund
The VanEck PurposeBuilt Fund and the VanEck Digital Assets Alpha Fund (together, the “Funds”) are not registered investment companies under the Investment Company Act of 1940 and are therefore not subject to the same regulatory requirements as mutual funds or ETFs. Both Funds rely on an exemption from registration as Commodity Pool Operators under CFTC Rule 4.13(a)(3) and are subject to related trading limitations, investor suitability requirements, and offering and marketing restrictions.
VAN ECK ABSOLUTE RETURN ADVISERS CORPORATION (“VEARA”), THE INVESTMENT MANAGER OF THE FUNDS, IS A MEMBER OF NFA AND IS SUBJECT TO NFA’S REGULATORY OVERSIGHT AND EXAMINATIONS. VEARA HAS ENGAGED OR MAY ENGAGE IN UNDERLYING OR SPOT VIRTUAL CURRENCY TRANSACTIONS IN THE FUNDS. ALTHOUGH NFA HAS JURISDICTION OVER VEARA, YOU SHOULD BE AWARE THAT NFA DOES NOT HAVE REGULATORY OVERSIGHT AUTHORITY FOR UNDERLYING OR SPOT MARKET VIRTUAL CURRENCY PRODUCTS OR TRANSACTIONS OR VIRTUAL CURRENCY EXCHANGES, CUSTODIANS OR MARKETS. YOU SHOULD ALSO BE AWARE THAT GIVEN CERTAIN MATERIAL CHARACTERISTICS OF THESE PRODUCTS, INCLUDING LACK OF A CENTRALIZED PRICING SOURCE AND THE OPAQUE NATURE OF THE VIRTUAL CURRENCY MARKET, THERE CURRENTLY IS NO SOUND OR ACCEPTABLE PRACTICE FOR NFA TO ADEQUATELY VERIFY THE OWNERSHIP AND CONTROL OF A VIRTUAL CURRENCY OR THE VALUATION ATTRIBUTED TO A VIRTUAL CURRENCY BY VEARA.
Each Fund is available to Qualified Purchasers Only. Prospective investors should carefully review the respective Private Placement Memorandum (“PPM”) before investing. There is no guarantee either Fund will achieve its investment objectives, and investors may lose all or a substantial portion of their investment. Past performance is not indicative of future results.
Both Funds pursue speculative investment strategies and involve significant risks. Individual investor performance may vary materially due to factors such as investment timing, new issue participation, expense structures, and the impact of loss carryforwards. Investor performance will be reflected in monthly statements provided by the Administrator.
The VanEck PurposeBuilt Fund seeks capital appreciation through investments in Digital Assets, tokenized real world assets (“RWAs”), Digital Asset projects, and companies associated with the Avalanche ecosystem. Investments include equity, equity-like, and debt instruments of early-stage blockchain and Digital Asset companies. The Fund may employ staking, yield-farming, and investments across centralized and decentralized platforms.
The VanEck Digital Assets Alpha Fund seeks capital appreciation by investing in 5 to 30 Digital Assets with high perceived upside relative to current valuations and generally with market capitalizations above $100 million. It also invests in public and private securities of Digital Asset companies. The Fund intends to generate yield through staking and DeFi-based lending, maintaining a general allocation of 70–90% in Digital Assets with the remainder focused on yield-generating strategies.
VanEck PurposeBuilt Fund and VanEck Digital Assets Alpha Fund: Investments may include a wide variety of digital instruments and structures, including cryptocurrencies, stablecoins, NFTs, tokens, RWAs, DeFi protocols, DAOs, ICOs, SAFTs, SAFEs, token warrants, and synthetic assets. These technologies are new, may be untested, and are subject to competitive pressures, adoption challenges, and technological obsolescence.
General Digital Asset Risk Disclosures
Cryptocurrencies and digital assets are not suitable for all investors. Investments in digital assets and Web3 companies are highly speculative and involve a high degree of risk. These risks include, but are not limited to: the technology is new and many of its uses may be untested; intense competition; slow adoption rates and the potential for product obsolescence; volatility and limited liquidity, including but not limited to, inability to liquidate a position; loss or destruction of key(s) to access accounts or the blockchain; reliance on digital wallets; reliance on unregulated markets and exchanges; reliance on the internet; cybersecurity risks; and the lack of regulation and the potential for new laws and regulation that may be difficult to predict. Moreover, the extent to which Web3 companies or digital assets utilize blockchain technology may vary, and it is possible that even widespread adoption of blockchain technology may not result in a material increase in the value of such companies or digital assets.
Digital asset prices are highly volatile, and the value of digital assets, and Web3 companies, can rise or fall dramatically and quickly. If their value goes down, there’s no guarantee that it will rise again. As a result, there is a significant risk of loss of your entire principal investment.
Digital assets are not generally backed or supported by any government or central bank and are not covered by FDIC or SIPC insurance. Accounts at digital asset custodians and exchanges are not protected by SIPC and are not FDIC insured. Furthermore, markets and exchanges for digital assets are not regulated with the same controls or customer protections available in traditional equity, option, futures, or foreign exchange investing.
Digital assets include, but are not limited to, cryptocurrencies, tokens, NFTs, assets stored or created using blockchain technology, and other Web3 products.
Web3 companies include but are not limited to, companies that involve the development, innovation, and/or utilization of blockchain, digital assets, or crypto technologies.
This communication is for informational purposes only and does not constitute financial, tax, or legal advice, nor a recommendation to buy or sell any cryptocurrency or fund interest.
Zug, Switzerland, May 21, 2025 (GLOBE NEWSWIRE) – Panther Protocol has officially released its codebase as open-source software, following a successful security audit conducted by Veridise, a leader in blockchain auditing. This launch offers access to Panther’s industry-leading Zero-Knowledge technology to build DeFi solutions that meet customizable regulatory requirements and users’ on-chain data privacy needs.
The open-source code will enable developers, financial market participants, and blockchain innovators to integrate, utilize, and build upon Panther’s privacy-enhancing technology. Panther’s move to greater accessibility for development reflects its organizational shift towards more community-led development, as Panther’s IP has transitioned to the Panther Protocol Foundation.
Moving forward, the Foundation will oversee the protocol’s ongoing development and strategic growth, setting the stage for increased community engagement and a decentralized governance model through the Panther DAO.
Before being made publicly available, Panther’s code underwent a detailed review by Veridise. The audit included an analysis of Panther’s Zero-Knowledge circuits and smart contracts. With the audit now complete, Panther’s codebase has been made publicly available under the LGPL3.0 and MIT License.
Dr. Anish Mohammed, Co-Founder of Panther Protocol, commented: “Open-sourcing Panther’s audited code represents a significant milestone in our journey toward transparency and decentralization. By making our technology accessible, we invite the broader decentralized finance and Web3 community to contribute, innovate, and verify our security, ensuring Panther’s continued growth as a trusted, privacy-preserving DeFi protocol. The goal of the project was always to build an infrastructure where compliance and confidentiality can coexist, and we would like to invite everyone to try out the solutions that have been built.”
A Platform for Builders
Panther’s open-source release supports the broader Web3 community. Web3 builders, licensed Zone Managers, and developers will be able to take advantage of Panther’s privacy-focused infrastructure and tooling to build DeFi applications that provide greater privacy and confidentiality to users. With Panther’s codebase now open-source, developers can adapt and build upon existing tools to create their own infrastructure that benefits from Panther.
With governance remaining in the hands of the Panther DAO, the protocol will continue to evolve in line with community values. This release furthers Panther’s mission of enabling confidential, compliant access to DeFi.
Panther’s codebase can be found on the Panther Protocol Foundation’s GitHub and GitLab. The licensing chosen supports the open-source ethos of the Web3 ecosystem, fostering a community-driven approach to Panther’s evolution.
ENDS
About Panther Protocol Foundation
The Panther Protocol Foundation is dedicated to supporting the adoption and sustainability of the Panther Protocol across the decentralized Web. The Foundation works to anchor the Panther Protocol for DeFi and blockchain ecosystems, thus empowering users, builders, and licensed operators to participate in tomorrow’s internet while remaining confidential. The Foundation also focuses on open-source code, research, and awareness of the Panther Protocol’s core technologies.
OMA SAVINGS BANK PLC, STOCK EXCHANGE RELEASE 21 MAY 2025 AT 11.40. A.M. EET, MANAGERS’ TRANSACTIONS
Oma Savings Bank Plc – Managers’ transactions – Rissanen
Person subject to the notification requirement
Name: Rissanen, Ville
Position: Other senior manager
Issuer: Oma Savings Bank Plc
LEI: 743700LE1ECAPXC5UT18
Transaction date: 2025-05-21
Venue not applicable
Instrument type: SHARE
ISIN: FI4000306733
Nature of the transaction: RECEIPT OF A SHARE-BASED INCENTIVE
Transaction details (1): Volume: 545 Unit price: 0.00 EUR
DISTRIBUTION: Nasdaq Helsinki Ltd Major media www.omasp.fi
OmaSp is a solvent and profitable Finnish bank. About 500 professionals provide nationwide services through OmaSp’s 48 branch offices and digital service channels to over 200,000 private and corporate customers. OmaSp focuses primarily on retail banking operations and provides its clients with a broad range of banking services both through its own balance sheet as well as by acting as an intermediary for its partners’ products. The intermediated products include credit, investment and loan insurance products. OmaSp is also engaged in mortgage banking operations.
OmaSp’s core idea is to provide personal service and to be local and close to its customers, both in digital and traditional channels. OmaSp strives to offer premium level customer experience through personal service and easy accessibility. In addition, the development of the operations and services is customer-oriented. The personnel is committed and OmaSp seeks to support their career development with versatile tasks and continuous development. A substantial part of the personnel also own shares in OmaSp.
OMA SAVINGS BANK PLC, STOCK EXCHANGE RELEASE 21 MAY 2025 AT 11.45. A.M. EET, MANAGERS’ TRANSACTIONS
Oma Savings Bank Plc – Managers’ transactions – Souru
Person subject to the notification requirement
Name: Souru, Markus
Position: Other senior manager
Issuer: Oma Savings Bank Plc
LEI: 743700LE1ECAPXC5UT18
Transaction date: 2025-05-21
Venue not applicable
Instrument type: SHARE
ISIN: FI4000306733
Nature of the transaction: RECEIPT OF A SHARE-BASED INCENTIVE
Transaction details (1): Volume: 370 Unit price: 0.00 EUR
DISTRIBUTION: Nasdaq Helsinki Ltd Major media www.omasp.fi
OMA SAVINGS BANK PLC, STOCK EXCHANGE RELEASE 21 MAY 2025 AT 11.50. A.M. EET, MANAGERS’ TRANSACTIONS
Oma Savings Bank Plc – Managers’ transactions – Sirkiä
Person subject to the notification requirement
Name: Sirkiä, Hanna
Position: Other senior manager
Issuer: Oma Savings Bank Plc
LEI: 743700LE1ECAPXC5UT18
Transaction date: 2025-05-21
Venue not applicable
Instrument type: SHARE
ISIN: FI4000306733
Nature of the transaction: RECEIPT OF A SHARE-BASED INCENTIVE
Transaction details (1): Volume: 120 Unit price: 0.00 EUR
DISTRIBUTION: Nasdaq Helsinki Ltd Major media www.omasp.fi
OMA SAVINGS BANK PLC, STOCK EXCHANGE RELEASE 21 MAY 2025 AT 11.35. A.M. EET, MANAGERS’ TRANSACTIONS
Oma Savings Bank Plc – Managers’ transactions – Liiri
Person subject to the notification requirement
Name: Liiri, Sarianna
Position: Chief Financial Officer
Issuer: Oma Savings Bank Plc
LEI: 743700LE1ECAPXC5UT18
Transaction date: 2025-05-21
Venue not applicable
Instrument type: SHARE
ISIN: FI4000306733
Nature of the transaction: RECEIPT OF A SHARE-BASED INCENTIVE
Transaction details (1): Volume: 1047 Unit price: 0.00 EUR
DISTRIBUTION: Nasdaq Helsinki Ltd Major media www.omasp.fi
ER Report: Here is a summary of significant articles published on EveningReport.nz on May 21, 2025.
Australian para sport has issues everywhere – here’s what must be fixed ahead of the Brisbane Paralympics Source: The Conversation (Au and NZ) – By Katherine Raw, Lecturer, Sport Management, Swinburne University of Technology Australia’s underwhelming performance at the 2024 Paris Paralympics has raised serious questions about how well our adaptive sport system is working. The Paris games returned our lowest medal tally since 1988, from our smallest team since
What’s the difference between skim milk and light milk? Source: The Conversation (Au and NZ) – By Margaret Murray, Senior Lecturer, Nutrition, Swinburne University of Technology If you’re browsing the supermarket fridge for reduced-fat milk, it’s easy to be confused by the many different types. You can find options labelled skim, skimmed, skinny, no fat, extra light, lite, light, low fat, reduced fat,
AI is now used for audio description. But it should be accurate and actually useful for people with low vision Source: The Conversation (Au and NZ) – By Kathryn Locke, Associate Researcher in Digital Disability, Centre for Culture and Technology, Curtin University Since the recent explosion of widely available generative artificial intelligence (AI), it now seems that a new AI tool emerges every week. With varying success, AI offers solutions for productivity, creativity,
NZ Budget 2025: science investment must increase as a proportion of GDP for NZ to innovate and compete Source: The Conversation (Au and NZ) – By Nicola Gaston, Director of the MacDiarmid Institute for Advanced Materials and Nanotechnology, University of Auckland, Waipapa Taumata Rau A lack of strategy and research funding – by both the current and previous governments – has been well documented, most comprehensively in the first report
Starvation of Gaza – a distressing continuation of a decades-old plan SPECIAL REPORT: By Jeremy Rose Reading an NBC News report a couple of days ago about a Trump administration plan to relocate 1 million Gazans to Libya reminded me of a conversation between the legendary Warsaw Ghetto leader Marek Edelman and fellow fighter and survivor Simcha Rotem that took place more than quarter of a
Spotify continues to change music. What’s next – will AI musicians replace music made by humans? Source: The Conversation (Au and NZ) – By John Hawkins, Senior Lecturer, Canberra School of Politics, Economics and Society, University of Canberra Spotify was started, according to its official claims, because its founders “love music and piracy was killing it”. In Mood Machine, music journalist Liz Pelly argues this is rewriting history. In fact, she
Feats of the human body behind Tom Cruise’s stunts in Mission: Impossible movies Source: The Conversation (Au and NZ) – By Dan Baumgardt, Senior Lecturer, School of Physiology, Pharmacology and Neuroscience, University of Bristol He’s leapt from cliffs, clung to planes mid-takeoff and held his breath underwater for as long as professional freedivers. Now, at 62, Tom Cruise returns as Ethan Hunt for one final mission – and
After another call with Putin, it looks like Trump has abandoned efforts to mediate peace in Ukraine Source: The Conversation (Au and NZ) – By Stefan Wolff, Professor of International Security, University of Birmingham After a two-hour phone call with Russian leader Vladimir Putin on May 19, US president Donald Trump took to social media to declare that Russia and Ukraine will “immediately start negotiations” towards a ceasefire and an end to
The public service has a much smaller gender pay gap than the private sector. It’s a big achievement Source: The Conversation (Au and NZ) – By Leonora Risse, Associate Professor in Economics, University of Canberra After two years of publishing the gender pay gaps of Australia’s private-sector companies, the Workplace Gender Equality Agency has released public-sector employer data for the first time. The report shows a stark contrast between the private
For making stars, it’s not just how much gas a galaxy has that matters – it’s where it’s hiding Source: The Conversation (Au and NZ) – By Barbara Catinella, Professor and Senior Principal Research Fellow, International Centre for Radio Astronomy Research (ICRAR), The University of Western Australia One of the galaxies mapped by WALLABY: the red shade shows the atomic hydrogen gas content of the galaxy, overlaid on an optical image showing the stars.
The Queensland melioidosis outbreak is still growing. What’s keeping this deadly mud bug active? Source: The Conversation (Au and NZ) – By Thomas Jeffries, Senior Lecturer in Microbiology, Western Sydney University The outbreak of the deadly “mud bug” melioidosis in north Queensland has not yet abated since it began at the start of this year. So far there have been 221 cases and 31 deaths from the disease
‘Outdated and irrelevant’: what do young Australians think of their schooling? Source: The Conversation (Au and NZ) – By Jun Eric Fu, Senior Research Fellow, Youth Research Collective, The University of Melbourne Australia’s school system – and whether it is doing its job – is often under the microscope from politicians, experts and parents. The most recent NAPLAN results in 2024 triggered a wave of
Culture at the core: examining journalism values in the Pacific ANALYSIS: By Birte Leonhardt, Folker Hanusch and Shailendra B. Singh The role of journalism in society is shaped not only by professional norms but also by deeply held cultural values. This is particularly evident in the Pacific Islands region, where journalists operate in media environments that are often small, tight-knit and embedded within traditional communities.
The band is breaking up: has the Coalition stopped making sense? Source: The Conversation (Au and NZ) – By Joshua Black, Visitor, School of History, Australian National University I remember seeing footage, several years ago, of a jubilant Malcolm Turnbull, then prime minister and Liberal leader, speaking in Tamworth to loyal members of the National Party. These were the rank and file who had spent weeks
Health chief ‘conductor of an orchestra who’s never played an instrument’ ANALYSIS: By Ian Powell In February 2025, Dr Diana Sarfati resigned, not unexpectedly, as Director-General of Health after only two years into her five-year term. As a medical specialist, and in her role as developing the successful cancer control agency, she had extensive experience in New Zealand’s health system. However, she did not conform to
RBA cuts interest rates, ready to respond again if the economy weakens further Source: The Conversation (Au and NZ) – By John Hawkins, Senior Lecturer, Canberra School of Politics, Economics and Society, University of Canberra The Reserve Bank of Australia cut the official interest rate for the
The Coalition is on a break, but the Nationals risk finding their former partner doesn’t want them back Source: The Conversation (Au and NZ) – By Linda Botterill, Visiting Fellow, Crawford School of Public Policy, Australian National University In the weeks since the federal election, there’s been much speculation about the future of the Coalition agreement. In their soul-searching, it seemed possible the Liberals might pull the pin, given the degree of their
Israel slammed over ‘cynical’ sidestep of global rulings on Gazan humanitarian aid Asia Pacific Report Israel has been accused of “manipulation” and “cynical” circumvention of global decisions calling for unrestricted humanitarian aid access to the besieged Gaza enclave. “In a clear act of defiance against international humanitarian obligations, the occupying state has permitted only nine aid trucks to enter the Gaza Strip — covering both the devastated
Keith Rankin Analysis – The Aratere and the New Zealand Main Trunk Line Analysis by Keith Rankin. Government-owned Kiwirail is supposed to be presiding over the New Zealand Main Trunk (Railway) Line, from Auckland to Invercargill. As such it runs a ferry service (The Interislander) between New Zealand’s North and South Islands. We are being told by Kiwirail (and see today’s report on Radio NZ) that the only
A foreign national was sentenced today to 30 months in prison for his role in a scheme to defraud Medicare of more than $3.2 million through a sham durable medical equipment company.
According to court documents, Julian Lopez, 55, a citizen of Cuba who resides in Miami-Dade County, Florida, obtained Medicare beneficiary identification cards and sold Medicare beneficiaries’ personal information to a durable medical equipment company, One Medical Services. Lopez knew the Medicare identification cards he obtained would be used to submit fraudulent claims to Medicare. One Medical Services used the information from Lopez to bill Medicare for orthotic braces that were never provided to the Medicare beneficiaries. In connection with the scheme, One Medical Services submitted and caused the submission of over $3.2 million in false and fraudulent claims to Medicare for medically unnecessary DME.
Lopez pleaded guilty to two counts of health care fraud in February 2025. At sentencing, he was also ordered to pay $1,496,412 in restitution.
Matthew R. Galeotti, Head of the Justice Department’s Criminal Division; Acting Special Agent in Charge Jesus Barranco at the U.S. Department of Health and Human Services, Office of Inspector General (HHS-OIG) Miami Regional Office; and Acting Special Agent in Charge Brett Skiles of the FBI Miami Field Office made the announcement.
The FBI and HHS-OIG investigated the case.
Assistant Chief Emily Gurskis and Trial Attorney Owen Dunn of the Criminal Division’s Fraud Section prosecuted the case.
The Fraud Section leads the Criminal Division’s efforts to combat health care fraud through the Health Care Fraud Strike Force Program. Since March 2007, this program, currently comprised of nine strike forces operating in 27 federal districts, has charged more than 5,800 defendants who collectively have billed federal health care programs and private insurers more than $30 billion. In addition, the Centers for Medicare & Medicaid Services, working in conjunction with HHS-OIG, are taking steps to hold providers accountable for their involvement in health care fraud schemes. More information can be found at www.justice.gov/criminal-fraud/health-care-fraud-unit.