#FactCheck: Viral Video of Chandra Arya Speaking Kannada Unrelated to Canadian PM Nomination

Introduction

‍

In today’s cybersecurity landscape, ransomware has emerged as one of the most significant and rapidly growing cyber threats. What began as attacks carried out by individual hackers has evolved into a highly organised criminal enterprise, with groups operating through structured business models and global networks. The emergence of The Gentlemen ransomware group reflects this transformation, demonstrating how modern threat actors can quickly expand their operations and target organisations across multiple sectors. Their rise highlights the increasing sophistication of ransomware campaigns and the growing challenges faced by organisations in defending against them. The attribution of the group's administrator to an identified individual in Izhevsk, Russia, provides a valuable lens through which to examine three interconnected developments: the maturation of ransomware-as-a-service (RaaS) business models, the inherent operational security (OPSEC) weaknesses that emerge over the course of cybercriminal careers, and the geopolitical environments that enable such actors to operate with relative impunity. Together, these dynamics illustrate the industrialisation of modern cybercrime.

‍

The Industrialisation of Ransomware-as-a-Service

‍

The remarkable rapid rise of The Gentlemen is impossible without discussing the maturation of ransomware-as-a-service (RaaS). RaaS systems utilize network intrusion experts as affiliates who conduct networks intrusions and secure access in exchange for a cut of the total ransoms paid, while a core group builds and maintains the ransomware framework itself. Although Reveton, one of the earliest Raas providers, can be credited with bringing early iterations of RaaS to fruition in 2012, the potential scale was truly evident in the mid-2020s. By 2025 it was estimated that there were over 100 active ransomware gangs operating; this proliferation is the direct result of the franchise-like system, which has lowered the barriers to entry for cybercrime. 

The marketplace surrounding RaaS is intensely competitive, and this is clearly exemplified in the business structure of The Gentlemen: while many of the top ransomware groups provide an 80/20 profit share (with the majority of the profit going to the affiliates), The Gentlemen has an exceptionally profitable 90/10 split (affiliates keep 90% of the profit share) for affiliates, likely to draw experienced operators away from their rivals given recent decreases in victim willingness to pay and corresponding increases in the incentives RaaS platforms are required to offer. 

The operational efficiency of the group is representative of a successful enterprise. They attack vulnerable internet-facing VPNs and firewalls and generally complete the network encryption within a matter of hours, leaving defenders with very little time to respond, as confirmed by Check Point Software, a renowned cybersecurity vendor.

Additionally, PRODAFT reports that the administrator of The Gentlemen, known by the alias Zeta88 (previously known as Hastalamuerte), directly provides affiliates with SSL VPN credentials, often obtained through brutal force attacks or their own private leaked databases, indicating an unusually high level of vertical integration for RaaS groups.

‍

AI as a Force Multiplier in Ransomware Development

‍

A particularly significant aspect of the Hastalamuerte case is PRODAFT's finding that the administrator employs artificial intelligence to develop and maintain ransomware, support associated tooling, and assist post-exploitation operations. This reflects a broader trend observed across the 2025–2026 threat landscape, where AI has increasingly lowered the capability threshold for participation in organised cybercrime. Researchers have documented its role in automating stages of intrusion, accelerating malware development cycles, and simplifying the maintenance of malicious infrastructure. These capabilities have been leveraged by both nation-state actors and criminal enterprises.

The trajectory of Hastalamuerte is especially illustrative. Cybersecurity Forum posts during 2019-2020 depict a hacker who is fairly novice at fundamental penetration testing procedures. A subsequent emergence as the operator of a top-tier ransomware-as-a-service operation indicates that AI-assisted development may be responsible for dramatically reducing the skill level and time necessary to create a successful criminal enterprise in cyberspace. The evolution of these tools should make the route from novice forum user to accomplished ransomware operator more attainable for a wider array of perpetrators in the future.

‍

The OPSEC Paradox: How Cybercriminals Leave a Trail

‍

The attribution of Hastalamuerte's identity by researchers from Intel 471, Flashpoint, and Constella Intelligence demonstrates the effectiveness of modern open-source and commercial intelligence methodologies. A forum registration traceable to an IP address from Izhevsk, Russia linked a Protonmail address, which linked to an Apple account, a GitHub profile, a Telegram handle, a Russian phone number, and finally to a 36 year old marketing professional named Alexander Andreevich Yapaev who was also living in Izhevsk. Investigators did not use an advanced capability in their attribution, but rather a simple OPSEC mistake of consistently reusing credentials. Every username and email address and every phone number creates a linkage between disparate data points, eventually building into a real-world persona. 

It has also come out in the forum discussion that while training for a penetration testing course in 2020, Hastalamuerte displayed the kind of inexperience that a novice would display in traceable, recorded fashion to intelligence databases. It's an example of a broader rule about attribution; attacker mistakes provide the most value. With Russians the lack of apparent consequences may contribute to a lack of need to maintain tight OPSEC from the start.

‍

The Russian Safe Haven: Conditional Impunity and Its Limits

‍

Yapaev's base in Izhevsk is emblematic of the geostrategic situation that has allowed Russian cybercriminality to prosper. Security researchers routinely label Russia's policy as one of "controlled impunity," where the cybercriminality directed at foreign entities is ignored or implicitly condoned, while that directed at Russian interests will prompt a law enforcement response. This constitutes what has been called a "managed market" rather than an "unconditional sanctuary," where many of the named defendants could and likely will continue their illegal enterprise with little fear of reprisal, provided that they do not threaten the interests of the Russian state and do not attempt to move their operations outside of Russian control.

Yet this protection is neither absolute nor permanent. In May 2024, the transnational Operation Endgame campaign highlighted the growing global appetite for damaging the cybercrime ecosystem rooted in Russia. Russian authorities did indeed pursue and seize some assets and operators, but arrests seem largely confined to the lower-rung facilitators of these attacks (hosting providers and payment services), and it seems higher-end ransomware operators continue to evade scrutiny. Selective enforcement thus further bolsters the perception that protection is accorded according to strategic value, not legal standards. For operators such as Hastalamuerte, who possess no publicly documented intelligence connections, growing attribution capabilities, and sustained international pressure may gradually erode the security traditionally associated with operating from within Russia.

‍

Attribution as a Deterrence Instrument

‍

The public identification of Alexander Andreevich Yapaev as Hastalamuerte/Zeta88 shows the continued struggle with the utility of attribution in situations where immediate prosecution is not feasible. Its utility is far more extensive than simply an ability to make an arrest. Functionally, public naming forces a perpetrator into an open evidentiary space and can lead to alterations in their operational habits and effectiveness. Strategically, attribution provides future leverage for sanctions, indictments, financial restrictions, or extradition if the target can leave their safe haven country. The logic behind US rewards programs (paying up to $10 million for the capture and conviction of ransomware operators) relies on this principle. The analytical insight provided by the case cannot be understated either. Hastalamuerte's trajectory from a relative amateur forum participant on Nulled and Raidforums in 2019 to leading a significant ransomware operation by 2026 offers an invaluable look into the career progression of a cyber criminal. It confirms one of the lessons learned through deterrence and attribution: pseudonymity is not everlasting, and many years of OPSEC failures can be pieced together to establish a real-world identity.

‍

Conclusion

‍

The Gentlemen incident is emblematic of the three broad themes that currently characterise cyber warfare: ransomware-as-a-service through innovative competition, common OPSEC failures that enable attribution, and a new, conditional regime of protection for Russian cybercriminals. The obvious defense lesson: increasing attack surfaces require stronger identity, behavioural monitoring, and intelligence capacities. The policy lesson: effective attribution is still an essential tool for comprehension, deterrence, and disruption in an increasingly industrialised environment of criminals supporting each other's operations in ransomware-as-a-service.

‍

References

‍

1. https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/
2. https://www.recordedfuture.com/
3. https://www.vectra.ai/topics/ransomware-as-a-service
4. https://www.trmlabs.com/es/resources/blog/new-disruption-opportunities-in-the-evolving-ransomware-ecosystem

‍

Introduction

‍

Recently, in April 2025, security researchers at Oligo Security exposed a substantial and wide-ranging threat impacting Apple's AirPlay protocol and its use via third-party Software Development Kit (SDK). According to the research, the recently discovered set of vulnerabilities titled "AirBorne" had the potential to enable remote code execution, escape permissions, and leak private data across many different Apple and third-party AirPlay-compatible devices. With well over 2.35 billion active Apple devices globally and tens of millions of third-party products that incorporate the AirPlay SDK, the scope of the problem is enormous. Those wireless-based vulnerabilities pose not only a technical threat but also increasingly an enterprise- and consumer-level security concern.

‍

Understanding AirBorne: What’s at Stake?

‍

AirBorne is the title given to a set of 23 vulnerabilities identified in the AirPlay communication protocol and its related SDK utilised by third-party vendors. Seventeen have been given official CVE designations. The most severe among them permit Remote Code Execution (RCE) with zero or limited user interaction. This provides hackers the ability to penetrate home networks, business environments, and even cars with CarPlay technology onboard.

‍

Types of Vulnerabilities Identified

AirBorne vulnerabilities support a range of attack types, including:

‍

• Zero-Click and One-Click RCE
• Access Control List (ACL) bypass
• User interaction bypass
• Local arbitrary file read
• Sensitive data disclosure
• Man-in-the-middle (MITM) attacks
• Denial of Service (DoS)

‍

Each vulnerability can be used individually or chained together to escalate access and broaden the attack surface.

‍

Remote Code Execution (RCE): Key Attack Scenarios

‍

‍

1. MacOS – Zero-Click RCE (CVE-2025-24252 & CVE-2025-24206) These weaknesses enable attackers to run code on a MacOS system without any user action, as long as the AirPlay receiver is enabled and configured to accept connections from anyone on the same network. The threat of wormable malware propagating via corporate or public Wi-Fi networks is especially concerning.
2. MacOS – One-Click RCE (CVE-2025-24271 & CVE-2025-24137) If AirPlay is set to "Current User," attackers can exploit these CVEs to deploy malicious code with one click by the user. This raises the level of threat in shared office or home networks.
3. AirPlay SDK Devices – Zero-Click RCE (CVE-2025-24132) Third-party speakers and receivers through the AirPlay SDK are particularly susceptible, where exploitation requires no user intervention. Upon compromise, the attackers have the potential to play unauthorised media, turn microphones on, or monitor intimate spaces.
4. CarPlay Devices – RCE Over Wi-Fi, Bluetooth, or USB CVE-2025-24132 also affects CarPlay-enabled systems. Under certain circumstances, the perpetrators around can take advantage of predictable Wi-Fi credentials, intercept Bluetooth PINs, or utilise USB connections to take over dashboard features, which may distract drivers or listen in on in-car conversations.

‍

Other Exploits Beyond RCE

‍

AirBorne also opens the door for:

‍

• Sensitive Information Disclosure: Exposing private logs or user metadata over local networks (CVE-2025-24270).
• Local Arbitrary File Access: Letting attackers read restricted files on a device (CVE-2025-24270 group).
• DoS Attacks: Exploiting NULL pointer dereferences or misformatted data to crash processes like the AirPlay receiver or WindowServer, forcing user logouts or system instability (CVE-2025-24129, CVE-2025-24177, etc.).

‍

How the Attack Works: A Technical Breakdown

‍

AirPlay sends on port 7000 via HTTP and RTSP, typically encoded in Apple's own plist (property list) form. Exploits result from incorrect treatment of these plists, especially when skipping type checking or assuming invalid data will be valid. For instance, CVE-2025-24129 illustrates how a broken plist can produce type confusion to crash or execute code based on configuration.

A hacker must be within the same Wi-Fi network as the targeted device. This connection might be through a hacked laptop, public wireless with shared access, or an insecure corporate connection. Once in proximity, the hacker has the ability to use AirBorne bugs to hijack AirPlay-enabled devices. There, bad code can be released to spy, gain long-term network access, or spread control to other devices on the network, perhaps creating a botnet or stealing critical data.

‍

The Espionage Angle

‍

Most third-party AirPlay-compatible devices, including smart speakers, contain built-in microphones. In theory, that leaves the door open for such devices to become eavesdropping tools. While Oligo did not show a functional exploit for the purposes of espionage, the risk suggests the gravity of the situation.

‍

The CarPlay Risk Factor

‍

Besides smart home appliances, vulnerabilities in AirBorne have also been found for Apple CarPlay by Oligo. Those vulnerabilities, when exploited, may enable attackers to take over an automobile's entertainment system. Fortunately, the attacks would need pairing directly through USB or Bluetooth and are much less practical. Even so, it illustrates how networks of connected components remain at risk in various situations, ranging from residences to automobiles.

‍

How to Protect Yourself and Your Organisation

‍

1. Immediate Actions:

• Update Devices: Ensure all Apple devices and third-party gadgets are upgraded to the latest software version.
• Disable AirPlay Receiver: If AirPlay is not in use, disable it in system settings.
• Restrict AirPlay Access: Use firewalls to block port 7000 from untrusted IPs.
• Set AirPlay to “Current User” to limit network-based attack.

2. Organisational Recommendations:

• Communicate the patch urgency to employees and stakeholders.
• Inventory all AirPlay-enabled hardware, including in meeting rooms and vehicles.
• Isolate vulnerable devices on segmented networks until updated.

‍

Conclusion

‍

The AirBorne vulnerabilities illustrate that even mature systems such as Apple's are not immune from foundational security weaknesses. The extensive deployment of AirPlay across devices, industries, and ecosystems makes these vulnerabilities a systemic threat. Oligo's discovery has served to catalyse immediate response from Apple, but since third-party devices remain vulnerable, responsibility falls to users and organisations to install patches, implement robust configurations, and compartmentalise possible attack surfaces. Effective proactive cybersecurity hygiene, network segmentation, and timely patches are the strongest defences to avoid these kinds of wormable, scalable attacks from becoming large-scale breaches.

‍

References

‍

• https://www.oligo.security/blog/airborne
• https://www.wired.com/story/airborne-airplay-flaws/
• https://thehackernews.com/2025/05/wormable-airplay-flaws-enable-zero.html
• https://www.securityweek.com/airplay-vulnerabilities-expose-apple-devices-to-zero-click-takeover/
• https://www.pcmag.com/news/airborne-flaw-exposes-airplay-devices-to-hacking-how-to-protect-yourself
• https://cyberguy.com/security/hackers-breaking-into-apple-devices-through-airplay/

‍

Executive Summary:

‍

A viral social media claim alleges that India’s Chief of Defence Staff (CDS), General Anil Chauhan, praised Pakistan’s Army as superior during “Operation Sindoor.” Fact-checking confirms the claim is false. The original video, available on The Hindu’s official channel, shows General Chauhan inaugurating Ran-Samwad 2025 in Mhow, Madhya Pradesh. At the 1:22:12 mark, the genuine segment appears, proving the viral clip was altered. Additionally, analysis using Hiya AI Audio identified voice manipulation, flagging the segment as a deepfake with an authenticity score of 1/100. The fabricated statement was: “never mess with Pakistan because their army appears to be far more superior.” Thus, the viral video is doctored and misleading.

Claim:

‍

A viral claim is being shared on social media (archived link) falsely claiming that India’s Chief of Defence Staff (CDS), General Anil Chauhan described Pakistan’s Army as superior and more advanced during Operation Sindoor. 

‍

‍

‍

Fact Check:

After performing a reverse image search we found a full clip on the official channel of The Hindu in which  Chief of Defence Staff Anil Chauhan inaugurated ‘Ran-Samwad’ 2025 in Mhow, Madhya Pradesh. 

‍

‍

In the clip on the time stamp of 1:22:12 we can see the actual part of the video segment which was manipulated in the viral video. 

Also, by using Hiya AI Audio tool we got to know that the voice was manipulated in the specific segment of the video. The result shows Deepfake with an authenticity score 1/100, the result also shows the statement which is deepfake which was “ was to never mess with Pakistan because their army appears to be far more superior”. 

‍

‍

Conclusion:

‍

The viral video attributing remarks to CDS General Anil Chauhan about Pakistan’s Army being “superior” is fabricated. The original footage from The Hindu confirms no such statement was made, while forensic analysis using Hiya AI Audio detected clear voice manipulation, identifying the clip as a deepfake with minimal authenticity. Hence, the claim is baseless, misleading, and an attempt to spread disinformation.

• Claim: AI Generated audio of CDS admitting that the Pakistan Army is superior to the Indian Army. 
• Claimed On: Social Media
• Fact Check: False and Misleading

‍