#FactCheck - Debunking the AI-Generated Image of an Alleged Israeli Army Dog Attack

Overview:

A recent addition to the  list of cybercrime  is SharpRhino, a RAT (Remote Access Trojan) actively used by Hunters International ransomware group. SharpRhino is highly developed and penetrates into the network mask of IT specialists, primarily due to the belief in the tools’ legitimacy. Going under the genuine software installer, SharpRhino started functioning in mid-June 2024. However, Quorum Cyber discovered it in early August 2024 while investigating ransomware.

About Hunters International Group:

Hunters International emerged as one of the most notorious groups focused on ransomware attacks, having compromised over 134 targets worldwide in the first seven months of 2024. It is believed that the group is the rebranding of Hive ransomware group that was previously active, and there are considerable similarities in the code. Its focus on IT employees in particular demonstrates the fact that they move tactically in gaining access to the organizations’ networks.

Modus Operandi:

1. Typosquatting Technique 

SharpRhino is mainly distributed by a domain that looks like the genuine Angry IP Scanner, which is a popular network discovery tool. The malware installer, labeled as ipscan-3.9.1-setup. It is a 32-bit Nullsoft installer which embeds a password protected 7z archive in it. 

2. Installation Process 

• Execution of Installer: When the victim downloads and executes the installer and changes the windows registry in order to attain persistence. This is done by generating a registry entry that starts a harmful file, Microsoft. AnyKey. exe, are fakes originating from fake versions of true legitimate Microsoft Visual Studio tools. 

• Creation of Batch File: This drops a batch file qualified as LogUpdate at the installer.bat, that runs the PowerShell scripts on the device. These scripts are to compile C# code into memory to serve as a means of making the malware covert in its operation. 

• Directory Creation: The installer establishes two directories that allow the C2 communication – C:\ProgramData\Microsoft: WindowsUpdater24 and LogUpdateWindows. 

3. Execution and Functionality: 

• Command Execution: The malware can execute PowerShell commands on the infected system, these actions may involve privilege escalation and other extended actions such as lateral movement. 

• C2 Communication: SharpRhino interacts with command and control servers located on domains from platforms such as Cloudflare. This communication is necessary for receiving commands from the attackers and for returning any data of interest to the attackers. 

• Data Exfiltration and Ransomware Deployment: Once SharpRhino has gained control, it can steal information and then proceed to encrypt it with a .locked extension. The procedure generally concludes with a ransom message, which informs users on how to purchase the decryption key. 

4. Propagation Techniques: 

Also, SharpRhino can spread through the self-copying method, this is the virus may copy itself to other computers using the network account of the victim and pretending to be trustworthy senders such as emails or network-shared files. Moreover, the victim’s machine may then proceed to propagate the malware to other systems like sharing in the company with other employees.

Indicators of Compromise (IOCs):

• LogUpdate.bat
• Wiaphoh7um.t
• ipscan-3.9.1-setup.exe
• kautix2aeX.t
• WindowsUpdate.bat

Command and Control Servers:

• cdn-server-1.xiren77418.workers.dev
• cdn-server-2.wesoc40288.workers.dev
• Angryipo.org
• Angryipsca.com

Analysis:

‍

‍

Graph:

Precautionary measures to be taken:

To mitigate the risks posed by SharpRhino and similar malware, organizations should implement the following measures:

• Implement Security Best Practices: It is important only to download software from official sites and avoid similar sites to confuse the user by changing a few letters.

• Enhance Detection Capabilities: Use technology in detection that can detect the IOCs linked to Sharp Rhino.

• Educate Employees: Educate IT people and employees on phishing scams and the requirement to check the origin of the application.

• Regular Backups: It is also important to back up important files from systems and networks in order to minimize the effects of ransomware attacks on a business.

Conclusion:

SharpRhino could be deemed as the evolution of the strategies used by organizations like Hunters International and others involved in the distribution of ransomware. SharpRhino primarily focuses on the audience of IT professionals and employs complex delivery and execution schemes, which makes it an extremely serious threat for corporate networks. To do so it is imperative that organizations have an understanding of its inner workings in order to fortify their security measures against this relatively new threat. Through the enforcement of proper security measures and constant enlightenment of organizations on the importance of cybersecurity, firms can prevent the various risks associated with SharpRhino and related malware. Be safe, be knowledgeable, and most importantly, be secure when it comes to cyber security for your investments.

Reference: 

https://cybersecuritynews.com/sharprhino-ransomware-alert/

https://cybersecsentinel.com/sharprhino-explained-key-facts-and-how-to-protect-your-data/

https://www.dataprivacyandsecurityinsider.com/2024/08/sharprhino-malware-targeting-it-professionals/

‍

Executive Summary:

A picture about the April 8 solar eclipse, which was authored by AI and was not a real picture of the astronomical event, has been spreading on social media.  Despite all the claims of the authenticity of the image, the CyberPeace’s analysis showed that the image was made using Artificial Intelligence image-creation algorithms. The total solar eclipse on April 8 was observable only in those places on the North American continent that were located in the path of totality, whereas a partial visibility in other places was possible. NASA made the eclipse live broadcast for people who were out of the totality path. The spread of false information about rare celestial occurrences, among others, necessitates relying on trustworthy sources like NASA for correct information.

Claims:

An image making the rounds through social networks, looks like the eclipse of the sun of the 8th of April, which makes it look like a real photograph.

‍

Fact Check:

After receiving the news, the first thing we did was to try with Keyword Search to find if NASA had posted any lookalike image related to the viral photo or any celestial events that might have caused this photo to be taken, on their official social media accounts or website. The total eclipse on April 8 was experienced by certain parts of North America that were located in the eclipse pathway. A part of the sky above Mazatlan, Mexico, was the first to witness it. Partial eclipse was also visible for those who were not in the path of totality. 

Next, we ran the image through the AI Image detection tool by Hive moderation, which found it to be 99.2% AI-generated.

‍

Following that, we applied another AI Image detection tool called Isitai, and it found the image to be 96.16% AI-generated.

‍

With the help of AI detection tools, we came to the conclusion that the claims made by different social media users are fake and misleading. The viral image is AI-generated and not a real photograph.

Conclusion:

Hence, it is a generated image by AI that has been circulated on the internet as a real eclipse photo on April 8. In spite of some debatable claims to the contrary, the study showed that the photo was created using an artificial intelligence algorithm. The total eclipse was not visible everywhere in North America, but rather only in a certain part along the eclipse path, with partial visibility elsewhere. Through AI detection tools, we were able to establish a definite fact that the image is fake. It is very important, when you are talking about rare celestial phenomena, to use the information that is provided by the trusted sources like NASA for the accurate reason.

• Claim:  A viral image of a solar eclipse claiming to be a real photograph of the celestial event on April 08
• Claimed on: X, Facebook, Instagram, website
• Fact Check: Fake & Misleading

‍

Executive Summary
 

A video from Prime Minister Narendra Modi’s visit to Norway is being widely shared on social media with the false claim that he avoided a question related to alleged Indian aircraft losses during the India–Pakistan conflict and “Operation Sindoor”. However, a fact-check by CyberPeace Research Wing found the claim to be false.The video shows a recent incident from 18 May in Oslo during a joint press appearance between Prime Minister Narendra Modi and Norwegian Prime Minister Jonas Gahr Støre.

The clip being circulated online shows journalist Helle Lyng asking PM Modi a question, but there is no reference to any India–Pakistan conflict or aircraft losses in her question.

‍

Claim:

‍

A post shared on X (formerly Twitter) on 19 May 2026 claims: “Fear of questions on historic defeat in Operation Sindoor and Pakistan’s great victory in Marka e Haq: Modi flees in Norway without taking journalists’ questions.”

‍

The post, along with archived links and screenshots, has been circulated to support the misleading narrative.

• https://x.com/ConnectingPak/status/2056639406216540536?s=20 
• https://archive.ph/CACMY 

‍

‍

‍

Fact Check

‍

A review of journalist Helle Lyng’s official social media account shows the original video posted by her on 18 May. In the video, she can be heard asking:

“Prime Minister Modi, why don’t you take some questions from the freest press in the world?” In her caption, she stated that she did not expect PM Modi to take her question and highlighted press freedom rankings, noting Norway’s position at the top and India’s at 157th. She also emphasized that questioning cooperating governments is part of journalistic responsibility.

• https://x.com/HelleLyngSvends/status/2056349011213181063?s=20 

‍

‍

Further verification of the full press event published on the official Government of Norway portal shows no question related to alleged downed aircraft or military losses.

• https://www.regjeringen.no/en/whats-new/indias-prime-minister-narendra-modi-to-visit-norway/id3159311/ 

‍

‍

Additional reporting by Al Jazeera also confirms that a Norwegian journalist questioned PM Modi in Oslo about why he does not engage in open media briefings.

• https://www.aljazeera.com/video/newsfeed/2026/5/19/norway-journalist-calls-out-modi-over-avoiding-media-questions

‍

‍

Conclusion:

‍

The video is being shared with a misleading claim. It is a recent clip from 18 May in Oslo, and the journalist’s question was about press freedom—not about Operation Sindoor or any India–Pakistan conflict-related aircraft losses.

‍