#Fact Check: Old Video Shared to Fuel Netanyahu Death Rumours

Executive Summary

‍
Muslims offering prayers inside a crowded train in Japan is being widely shared on social media, amid ongoing discussions around the country’s alleged rise in anti-immigration sentiment. The clip is being presented as a recent and real incident. However, an research reveals that the video is not authentic. Experts noted that the prayer postures shown in the clip do not align with standard Islamic practices, raising doubts about its credibility. Further analysis indicates that the video has been generated using artificial intelligence (AI).

‍

Claim

‍

A user shared the viral video on YouTube, showing a group of men—mostly dressed in long tunics and skullcaps—appearing to offer prayers inside a moving subway train. Passengers can be seen seated on both sides of the carriage. In the clip, two men are kneeling on the floor and bowing their heads onto a small mat placed in front of them, with their heads coming very close to the knees of seated passengers. Another man is seen bending forward at the waist while standing, and a fourth appears to be standing upright with his eyes closed.

• Link: https://www.youtube.com/shorts/cZHMCUgbDIA

‍

,

‍

Fact Check

‍

A closer examination of the video reveals several visual inconsistencies. One passenger appears to be fused with the seat rails, creating a distorted overlap. Others seem to be seated in areas where seats do not normally exist, such as directly in front of a door. Additionally, an advertisement visible in the background appears blurred and oddly shaped—another common indicator of AI-generated content. An analysis conducted using the Hive Moderation tool found that the video is “likely to contain AI-generated or deepfake content.”

‍

‍

Conclusion

‍

The viral claim is misleading. The video does not depict a real incident in Japan. Instead, it is likely AI-generated content being circulated with a false narrative, misrepresenting both the context and religious practices shown in the clip.

‍

Introduction

The Department of Telecommunications (DoT) has launched the 'Digital Intelligence Platform (DIP)'and the 'Chakshu' facility on the Sanchar Saathi portal to combat cybercrimes and financial frauds. Union telecom, IT and railways minister Ashwini Vaishnaw announced the initiatives, stating that the government has been working to counter cyber frauds at national, organizational, and individual levels. The Sanchar Saathi portal has successfully tackled such attacks, and the two new portals will further enhance the capacity to check any kind of cyber security threat.

The Digital Intelligence Platform is a secure and integrated platform for real-time intelligence sharing, information exchange, and coordination among stakeholders, including telecom operators, law enforcement agencies, banks, financial institutions, social media platforms, and identity document issuing authorities. It also contains information regarding cases detected as misuse of telecom resources.

The 'Chakshu' facility allows citizens to report suspected fraud communication received over call, SMS, or WhatsApp with the intention of defrauding, such as KYC expiry, bank account/payment wallet/SIM/gas connection/electricity connection, sextortion, impersonations a government official/relative for sending money, and disconnection of all mobile numbers by the Department of Telecommunications.

The launch of these proactive initiatives or steps represents another significant stride by the Ministry of Communications and the Department of Telecommunications in combating cybersecurity threats to citizens' digital assets.

In this age of technology, there is a reason to be concerned about the threats posed by cybercrooks to individuals and organizations. The risk of using digital means for communication, e-commerce, and critical infrastructure has increased significantly. It is important to have proper measures in place to prevent cybercrime and destructive behavior. The Department of Telecommunication has unveiled "Chakshu," a digital intelligence portal aimed at combating cybercrimes. This platform seeks to enhance the country's cyber defense capabilities by providing enforcement agencies with effective tools and actionable intelligence for countering cybercrimes, including financial frauds.

Digital Intelligence Platform (DIP)

Digital Intelligence Platform (DIP) developed by the Department of Telecommunications is a secure and integrated platform for real-time intelligence sharing, information exchange and coordination among the stakeholders i.e. Telecom Service Providers(TSPs), law enforcement agencies (LEAs), banks and financial institutions(FIs), social media platforms, identity document issuing authorities etc. The portal also contains information regarding the cases detected as misuse of telecom resources. The shared information could be useful to the stakeholders in their respective domains. It also works as a backend repository for the citizen-initiated requests on the Sanchar Saathi portal for action by the stakeholders. The DIP is accessible to the stakeholders through secure connectivity, and the relevant information is shared based on their respective roles. However, the platform is not accessible to citizens.‍

What is Chakshu?

Chakshu, which means “eye” in Hindi, is a new feature on the Sanchar Saathi portal. This citizen-friendly platform allows you to report suspicious communication you receive via calls, SMS, or WhatsApp. “Chakshu” is a new advanced tool to safeguard against modern-day cybercriminal activities. Chakshu is a sophisticated design that uses the latest technologies for assembling and analyzing digital information and provides law enforcement agencies with useful data on what should be done next. Below are some of its attributes.

Here are some examples of what you can report:

-       Fraudulent messages claiming your KYC (Know Your Customer)details need to be updated.

-       Fraudulent requests to update your bank account, payment wallet, or SIM card details.

-       Phishing attempts impersonating government officials or relatives asking for money.

-       Fraudulent threats of disconnection of your sim connections.

How Chakshu Aims to crackdown Cybercrime and Financial Frauds

Chakshu is a new tool on the Sanchar Saathi platform that invites individuals to report suspected fraudulent communications received by phone, SMS, or WhatsApp. These fraudulent activities may include attempts to deceive individuals through schemes such as KYC expiry or update requests for bank accounts, payment wallets, SIM cards, gas connections, and electricity connections, sextortion, impersonation of government officials or relatives for financial gain, or false claims of mobile number disconnection by the Department of Telecommunications.

The tool is well-designed and equipped to help the investigators with actionable intelligence and insights, enabling LEAs to conduct targeted investigations on financial frauds and cyber-crimes; the tool helps in gathering a comprehensive data analysis and evidence collection capability by mapping out the connection between individuals, organizations and illicit activities, it, therefore, allows the law enforcement agencies in dismantling criminal activities and help the law enforcement agencies.

Chakshu’s Impact

India has launched Chakshu, a digital intelligence tool that strengthens the country's cybersecurity policy. Chakshu employs modern technology and real-time data analysis to enhance India's cyber defenses. Law enforcement can detect and neutralize possible threats by taking proactive approach to threat analysis and prevention before they become significant crises. Chakshu also improves the resilience of critical infrastructure and digital ecosystems, safeguarding them against cyber-attacks. Overall, Chakshu plays an important role in India's cybersecurity posture and the protection of national interests in the digital era.

Where can Chaksu be accessed?

Chakshu can be accessed through the government's Sanchar Saathi web portal:https://sancharsaathi.gov.in

Conclusion

The launch of the Digital Intelligence Platform and Chakshu facility is a step forward in safeguarding citizens from cybercrimes and financial fraud. These initiatives use advanced technology and stakeholder collaboration to empower law enforcement agencies. The Department of Telecommunications' proactive approach demonstrates the government's commitment to cybersecurity defenses and protecting digital assets, ensuring a safer digital environment for citizens and critical infrastructure.

References

• https://telecom.economictimes.indiatimes.com/news/policy/dot-launches-digital-intelligence-portal-chakshu-facility-to-curb-cybercrimes-financial-frauds/108220814
• https://bankingfrontiers.com/digital-intelligence-platform-launched-to-curb-cybercrime-financial-fraud/
• https://www.business-standard.com/india-news/calcutta-hc-justice-abhijit-gangopadhyay-sends-his-resignation-to-prez-cji-124030500367_1.html
• https://www.the420.in/dip-chakshu-government-launches-powerful-weapons-against-cybercrime/
• https://pib.gov.in/PressReleaseIframePage.aspx?PRID=2011383

‍

Introduction

Recently the attackers employed the CVE-2017-0199 vulnerability in Microsoft Office to deliver a fileless form of the Remcos RAT. The Remcos RAT makes the attacker have full control of the systems that have been infected by this malware. This research will give a detailed technical description of the identified vulnerability, attack vector, and tactics together with the practical steps to counter the identified risks.

The Targeted Malware: Remcos RAT

Remcos RAT (Remote Control & Surveillance) is a commercially available remote access tool designed for legitimate administrative use. However, it has been widely adopted by cybercriminals for its stealth and extensive control capabilities, enabling:

• System control and monitoring
• Keylogging
• Data exfiltration
• Execution of arbitrary commands

The fileless variant utilised in this campaign makes detection even more challenging by running entirely in system memory, leaving minimal forensic traces.

Attack Vector: Phishing with Malicious Excel Attachments

The phishing email will be sent which appears as legitimate business communication, such as a purchase order or invoice. This email contains an Excel attachment that is weaponized to exploit the CVE-2017-0199 vulnerability.

Technical Analysis: CVE-2017-0199 Exploitation

Vulnerability Assessment

• CVE-2017-0199 is a Remote Code Execution (RCE) vulnerability in Microsoft Office which uses Object Linking and Embedding (OLE) objects.
• Affected Components:some text
  • Microsoft Word
  • Microsoft Excel
  • WordPad
• CVSS Score: 7.8 (High Severity)

Mechanism of Exploitation

The vulnerability enables attackers to craft a malicious document when opened, it fetches and executes an external payload via an HTML Application (HTA) file. The execution process occurs without requiring user interaction beyond opening the document.

Detailed Exploitation Steps

1. Phishing Email and Malicious Document some text
   • The email contains an Excel file designed to make use of CVE-2017-0199.
   • When the email gets opened, the document automatically connects to a remote server (e.g., 192.3.220[.]22) to download an HTA file (cookienetbookinetcache.hta).
2. Execution via mshta.exe some text
   • The downloaded HTA file is executed using mshta.exe, a legitimate Windows process for running HTML Applications.
   • This execution is seamless and does not prompt the user, making the attack stealthy.
3. Multi-Layer Obfuscation some text
   • The HTA file is wrapped in several layers of scripting, including: some text
     • JavaScript
     • VBScript
     • PowerShell
   • This obfuscation helps evade static analysis by traditional antivirus solutions.
4. Fileless Payload Deployment some text
   • The downloaded executable leverages process hollowing to inject malicious code into legitimate system processes.
   • The Remcos RAT payload is loaded directly into memory, avoiding the creation of files on disk.

Fileless Malware Techniques

1. Process Hollowing
The attack replaces the memory of a legitimate process (e.g., explorer.exe) with the malicious Remcos RAT payload. This allows the malware to:

• Evade detection by blending into normal system activity.
• Run with the privileges of the hijacked process.

2. Anti-Analysis Techniques

• Anti-Debugging: Detects the presence of debugging tools and terminates malicious processes if found.
• Anti-VM and Sandbox Evasion: Ensures execution only on real systems to avoid detection during security analysis.

3. In-Memory Execution

• By running entirely in system memory, the malware avoids leaving artifacts on the disk, making forensic analysis and detection more challenging.

Capabilities of Remcos RAT

Once deployed, Remcos RAT provides attackers with a comprehensive suite of functionalities, including:

• Data Exfiltration: some text
  • Stealing system information, files, and credentials.
• Remote Execution: some text
  • Running arbitrary commands, scripts, and additional payloads.
• Surveillance: some text
  • Enabling the camera and microphone.
  • Capturing screen activity and clipboard contents.
• System Manipulation: some text
  • Modifying Windows Registry entries.
  • Controlling system services and processes.
  • Disabling user input devices (keyboard and mouse).

Advanced Phishing Techniques in Parallel Campaigns

1. DocuSign Abuse
Attackers exploit legitimate DocuSign APIs to create authentic-looking phishing invoices. These invoices can trick users into authorising payments or signing malicious documents, bypassing traditional email security systems.

2. ZIP File Concatenation
By appending multiple ZIP archives into a single file, attackers exploit inconsistencies in how different tools handle these files. This allows them to embed malware that evades detection by certain archive managers.

Broader Implications of Fileless Malware

Fileless malware like Remcos RAT poses significant challenges:

• Detection Difficulties: Traditional signature-based antivirus systems struggle to detect fileless malware, as there are no static files to scan.
• Forensic Limitations: The lack of disk artifacts complicates post-incident analysis, making it harder to trace the attack's origin and scope.
• Increased Sophistication: These campaigns demonstrate the growing technical prowess of cybercriminals, leveraging legitimate tools and services for malicious purposes.

Mitigation Strategies

1. Patch Management some text
   • It is important to regularly update software to address known vulnerabilities like CVE-2017-0199. Microsoft released a patch for this vulnerability in April 2017.
2. Advanced Email Security some text
   • It is important to implement email filtering solutions that can detect phishing attempts, even those using legitimate services like DocuSign.
3. Endpoint Detection and Response (EDR)some text
   • Always use EDR solutions to monitor for suspicious behavior, such as unauthorized use of mshta.exe or process hollowing.
4. User Awareness and Training some text
   • Educate users about phishing techniques and the risks of opening unexpected attachments.
5. Behavioral Analysis some text
   • Deploy security solutions capable of detecting anomalous activity, even if no malicious files are present.

Conclusion

The attack via CVE-2017-0199 further led to the injection of a new fileless variant of Remcos RAT, proving how threats are getting more and more sophisticated. Thanks to the improved obfuscation and the lack of files, the attackers eliminate all traditional antiviral protection and gain full control over the infected computers. It is real and organisations have to make sure that they apply patches on time, that they build better technologies for detection and that the users themselves are more wary of the threats.

References

• Fortinet FortiGuard Labs: Analysis by Xiaopeng Zhang
• Perception Point: Research on ZIP File Concatenation
• Wallarm: DocuSign Phishing Analysis
• Microsoft Security Advisory: CVE-2017-0199

‍