Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Security. Show all posts
data security
AI companies Ai Data AI technology Cyber Security Data Center Data Centre Impact data security

SK hynix Launches New AI Company as Data Center Demand Drives Growth

 

A surge in demand for data center hardware has lifted SK hynix into stronger market standing, thanks to limited availability of crucial AI chips. Though rooted in memory production, the company now pushes further - launching a dedicated arm centered on tailored AI offerings. Rising revenues reflect investor confidence, fueled by sustained component shortages. Growth momentum builds quietly, shaped more by timing than redirection. Market movements align closely with output constraints rather than strategic pivots. 

Early next year, the business will launch a division known as “AI Company” (AI Co.), set to begin operations in February. This offshoot aims to play a central role within the AI data center landscape, positioning itself alongside major contributors. As demand shifts toward bundled options, clients prefer complete packages - ones blending infrastructure, programs, and support - over isolated gear. According to SK hynix, such changes open doors previously unexplored through traditional component sales alone. 

Though little is known so far, news has emerged that AI Co., according to statements given to The Register, plans industry-specific AI tools through dedicated backing of infrastructure tied to processing hubs. Starting out, attention turns toward programs meant to refine how artificial intelligence operates within machines. From there, financial commitments may stretch into broader areas linked to computing centers as months pass. Alongside funding external ventures and novel tech, reports indicate turning prototypes into market-ready offerings might shape a core piece of its evolving strategy.  

About $10 billion is being set aside by SK hynix for the fresh venture. Next month should bring news of a temporary leadership group and governing committee. Instead of staying intact, the California-focused SSD unit known as Solidigm will undergo reorganization. What was once Solidigm becomes AI Co. under the shift. Meanwhile, production tied to SSDs shifts into a separate entity named Solidigm Inc., built from the ground up.  

Now shaping up, the AI server industry leans into tailored chips instead of generic ones. By 2027, ASIC shipments for these systems could rise threefold, according to Counterpoint Research. Come 2028, annual units sold might go past fifteen million. Such growth appears set to overtake current leaders - data center GPUs - in volume shipped. While initial prices for ASICs sometimes run high, their running cost tends to stay low compared to premium graphics processors. Inference workloads commonly drive demand, favoring efficiency-focused designs. Holding roughly six out of every ten units delivered in 2027, Broadcom stands positioned near the front. 

A wider shortage of memory chips keeps lifting SK hynix forward. Demand now clearly exceeds available stock, according to IDC experts, because manufacturers are directing more output into server and graphics processing units instead of phones or laptops. As a result, prices throughout the sector have climbed - this shift directly boosting the firm's earnings. Revenue for 2025 reached ₩97.14 trillion ($67.9 billion), up 47%. During just the last quarter, income surged 66% compared to the same period the previous year, hitting ₩32.8 trillion ($22.9 billion). 

Suppliers such as ASML are seeing gains too, thanks to rising demand in semiconductor production. Though known mainly for photolithography equipment, its latest quarterly results revealed €9.7 billion in revenue - roughly $11.6 billion. Even so, forecasts suggest a sharp rise in orders for their high-end EUV tools during the current year. Despite broader market shifts, performance remains strong across key segments. 

Still, experts point out that a lack of memory chips might hurt buyers, as devices like computers and phones could become more expensive. Predictions indicate computer deliveries might drop during the current year because supplies are tight and expenses are climbing.
Read more »
online privacy concerns
AI Deepfakes AI generated Deepfake AI Privacy AI Risks Artificial Intelligence (AI) Grok Cyber Security Deepfake concerns Grok Indonesia online privacy concerns

Indonesia Temporarily Blocks Grok After AI Deepfake Misuse Sparks Outrage

 

A sudden pause in accessibility marks Indonesia’s move against Grok, Elon Musk’s AI creation, following claims of misuse involving fabricated adult imagery. News of manipulated visuals surfaced, prompting authorities to act - Reuters notes this as a world-first restriction on the tool. Growing unease about technology aiding harm now echoes across borders. Reaction spreads, not through policy papers, but real-time consequences caught online.  

A growing number of reports have linked Grok to incidents where users created explicit imagery of women - sometimes involving minors - without consent. Not long after these concerns surfaced, Indonesia’s digital affairs minister, Meutya Hafid, labeled the behavior a severe breach of online safety norms. 

As cited by Reuters, she described unauthorized sexually suggestive deepfakes as fundamentally undermining personal dignity and civil rights in digital environments. Her office emphasized that such acts fall under grave cyber offenses, demanding urgent regulatory attention Temporary restrictions appeared in Indonesia after Antara News highlighted risks tied to AI-made explicit material. 

Protection of women, kids, and communities drove the move, aimed at reducing mental and societal damage. Officials pointed out that fake but realistic intimate imagery counts as digital abuse, according to statements by Hafid. Such fabricated visuals, though synthetic, still trigger actual consequences for victims. The state insists artificial does not mean harmless - impact matters more than origin. Following concerns over Grok's functionality, officials received official notices demanding explanations on its development process and observed harms. 

Because of potential risks, Indonesian regulators required the firm to detail concrete measures aimed at reducing abuse going forward. Whether the service remains accessible locally hinges on adoption of rigorous filtering systems, according to Hafid. Compliance with national regulations and adherence to responsible artificial intelligence practices now shape the outcome. 

Only after these steps are demonstrated will operation be permitted to continue. Last week saw Musk and xAI issue a warning: improper use of the chatbot for unlawful acts might lead to legal action. On X, he stated clearly - individuals generating illicit material through Grok assume the same liability as those posting such content outright. Still, after rising backlash over the platform's inability to stop deepfake circulation, his stance appeared to shift slightly. 

A re-shared post from one follower implied fault rests more with people creating fakes than with the system hosting them. The debate spread beyond borders, reaching American lawmakers. A group of three Senate members reached out to both Google and Apple, pushing for the removal of Grok and X applications from digital marketplaces due to breaches involving explicit material. Their correspondence framed the request around existing rules prohibiting sexually charged imagery produced without consent. 

What concerned them most was an automated flood of inappropriate depictions focused on females and minors - content they labeled damaging and possibly unlawful. When tied to misuse - like deepfakes made without consent - AI tools now face sharper government reactions, Indonesia's move part of this rising trend. Though once slow to act, officials increasingly treat such technology as a risk needing strong intervention. 

A shift is visible: responses that were hesitant now carry weight, driven by public concern over digital harm. Not every nation acts alike, yet the pattern grows clearer through cases like this one. Pressure builds not just from incidents themselves, but how widely they spread before being challenged.
Read more »
messages
acronis Astaroth Banking Trojan Astaroth Trojan Cyber Security Cyberattacks Hacking WhatsApp Malicious Files messages

WhatsApp-Based Astaroth Banking Trojan Targets Brazilian Users in New Malware Campaign

 

A fresh look at digital threats shows malicious software using WhatsApp to spread the Astaroth banking trojan, mainly affecting people in Brazil. Though messaging apps are common tools for connection, they now serve attackers aiming to steal financial data. This method - named Boto Cor-de-Rosa by analysts at Acronis Threat Research - stands out because it leans on social trust within widely used platforms. Instead of relying on email or fake websites, hackers piggyback on real conversations, slipping malware through shared links. 
While such tactics aren’t entirely new, their adaptation to local habits makes them harder to spot. In areas where nearly everyone uses WhatsApp daily, blending in becomes easier for cybercriminals. Researchers stress that ordinary messages can now carry hidden risks when sent from compromised accounts. Unlike older campaigns, this one avoids flashy tricks, favoring quiet infiltration over noise. As behavior shifts online, so do attack strategies - quietly, persistently adapting. 

Acronis reports that the malware targets WhatsApp contact lists, sending harmful messages automatically - spreading fast with no need for constant hacker input. Notably, even though the main Astaroth component sticks with Delphi, and the setup script remains in Visual Basic, analysts spotted a fresh worm-style feature built completely in Python. Starting off differently this time, the mix of languages shows how cyber attackers now build adaptable tools by blending code types for distinct jobs. Ending here: such variety supports stealthier, more responsive attack systems. 

Astaroth - sometimes called Guildma - has operated nonstop since 2015, focusing mostly on Brazil within Latin America. Stealing login details and enabling money scams sits at the core of its activity. By 2024, several hacking collectives, such as PINEAPPLE and Water Makara, began spreading it through deceptive email messages. This newest push moves away from that method, turning instead to WhatsApp; because so many people there rely on the app daily, fake requests feel far more believable. 

Although tactics shift, the aim stays unchanged. Not entirely new, exploiting WhatsApp to spread banking trojans has gained speed lately. Earlier, Trend Micro spotted the Water Saci group using comparable methods to push financial malware like Maverick and a version of Casbaneierio. Messaging apps now appear more appealing to attackers than classic email phishing. Later that year, Sophos disclosed details of an evolving attack series labeled STAC3150, closely tied to previous patterns. This operation focused heavily on individuals in Brazil using WhatsApp, distributing the Astaroth malware through deceptive channels. 

Nearly all infected machines - over 95 percent - were situated within Brazilian territory, though isolated instances appeared across the U.S. and Austria. Running uninterrupted from early autumn 2025, the method leaned on compressed archives paired with installer files, triggering script-based downloads meant to quietly embed the malicious software. What Acronis has uncovered fits well with past reports. Messages on WhatsApp now carry harmful ZIP files sent straight to users. Opening one reveals what seems like a safe document - but it is actually a Visual Basic Script. Once executed, the script pulls down further tools from remote servers. 

This step kicks off the full infection sequence. After activation, this malware splits its actions into two distinct functions. While one part spreads outward by pulling contact data from WhatsApp and distributing infected files without user input, the second runs hidden, observing online behavior - especially targeting visits to financial sites - to capture login details. 

It turns out the software logs performance constantly, feeding back live updates on how many messages succeed or fail, along with transmission speed. Attackers gain a constant stream of operational insight thanks to embedded reporting tools spotted by Acronis.
Read more »
Windows device encryption
BitLocker encryption keys Cyber Security Data Privacy Concerns Microsoft BitLocker Microsoft FBI case Windows device encryption

Microsoft BitLocker Encryption Raises Privacy Questions After FBI Key Disclosure Case

 


Microsoft’s BitLocker encryption, long viewed as a safeguard for Windows users’ data, is under renewed scrutiny after reports revealed the company provided law enforcement with encryption keys in a criminal investigation.

The case, detailed in a government filing [PDF], alleges that individuals in Guam illegally claimed pandemic-related unemployment benefits. According to Forbes, this marks the first publicly documented instance of Microsoft handing over BitLocker recovery keys to law enforcement.

BitLocker is a built-in Windows security feature designed to encrypt data stored on devices. It operates through two configurations: Device Encryption, which offers a simplified setup, and BitLocker Drive Encryption, a more advanced option with greater control.

In both configurations, Microsoft generally stores BitLocker recovery keys on its servers when encryption is activated using a Microsoft account. As the company explains in its documentation, "If you use a Microsoft account, the BitLocker recovery key is typically attached to it, and you can access the recovery key online."

A similar approach applies to organizational devices. Microsoft notes, "If you're using a device that's managed by your work or school, the BitLocker recovery key is typically backed up and managed by your organization's IT department."

Users are not required to rely on Microsoft for key storage. Alternatives include saving the recovery key to a USB drive, storing it as a local file, or printing it. However, many customers opt for Microsoft’s cloud-based storage because it allows easy recovery if access is lost. This convenience, though, effectively places Microsoft in control of data access and reduces the user’s exclusive ownership of encryption keys.

Apple provides a comparable encryption solution through FileVault, paired with iCloud. Apple offers two protection levels: Standard Data Protection and Advanced Data Protection for iCloud.

Under Standard Data Protection, Apple retains the encryption keys for most iCloud data, excluding certain sensitive categories such as passwords and keychain data. With Advanced Data Protection enabled, Apple holds keys only for iCloud Mail, Contacts, and Calendar. Both Apple and Microsoft comply with lawful government requests, but neither can disclose encryption keys they do not possess.

Apple explicitly addresses this in its law enforcement guidelines [PDF]: "All iCloud content data stored by Apple is additionally encrypted at the location of the server. For data Apple can decrypt, Apple retains the encryption keys in its US data centers. Apple does not receive or retain encryption keys for [a] customer's end-to-end encrypted data."

This differs from BitLocker’s default behavior, where Microsoft may retain access to a customer’s encryption keys if the user enables cloud backup during setup.

Microsoft states that it does not share its own encryption keys with governments, but it stops short of extending that guarantee to customer-managed keys. In its law enforcement guidance, the company says, "We do not provide any government with our encryption keys or the ability to break our encryption." It further adds, "In most cases, our default is for Microsoft to securely store our customers' encryption keys. Even our largest enterprise customers usually prefer we keep their keys to prevent accidental loss or theft. However, in many circumstances we also offer the option for consumers or enterprises to keep their own keys, in which case Microsoft does not maintain copies."

Microsoft’s latest Government Requests for Customer Data Report, covering July 2024 through December 2024, shows the company received 128 law enforcement requests globally, including 77 from US agencies. Only four requests during that period—three from Brazil and one from Canada—resulted in content disclosure.

After the article was published, a Microsoft spokesperson clarified, “With BitLocker, customers can choose to store their encryption keys locally, in a location inaccessible to Microsoft, or in Microsoft’s cloud. We recognize that some customers prefer Microsoft’s cloud storage so we can help recover their encryption key if needed. While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide whether to use key escrow and how to manage their keys.”

Privacy advocates argue that this design reflects Microsoft’s priorities. As Erica Portnoy, senior staff technologist at the Electronic Frontier Foundation, stated in an email to The Register, "Microsoft is making a tradeoff here between privacy and recoverability. At a guess, I'd say that's because they're more focused on the business use case, where loss of data is much worse than Microsoft or governments getting access to that data. But by making that choice, they make their product less suitable for individuals and organizations with higher privacy needs. It's a clear message to activist organizations and law firms that Microsoft is not building their products for you."
Read more »
Fortinet
Cloud Security Cloud Server Cyber Phishing Cyber Security Cyber Security Ransomware Attacks Cyberattacks FortiGuard Fortinet

Multi-Stage Phishing Campaign Deploys Amnesia RAT and Ransomware Using Cloud Services

 

One recently uncovered cyberattack is targeting individuals across Russia through a carefully staged deception campaign. Rather than exploiting software vulnerabilities, the operation relies on manipulating user behavior, according to analysis by Cara Lin of Fortinet FortiGuard Labs. The attack delivers two major threats: ransomware that encrypts files for extortion and a remote access trojan known as Amnesia RAT. Legitimate system tools and trusted services are repurposed as weapons, allowing the intrusion to unfold quietly while bypassing traditional defenses. By abusing real cloud platforms, the attackers make detection significantly more difficult, as nothing initially appears out of place. 

The attack begins with documents designed to resemble routine workplace material. On the surface, these files appear harmless, but they conceal code that runs without drawing attention. Visual elements within the documents are deliberately used to keep victims focused, giving the malware time to execute unseen. Fortinet researchers noted that these visuals are not cosmetic but strategic, helping attackers establish deeper access before suspicion arises. 

A defining feature of the campaign is its coordinated use of multiple public cloud services. Instead of relying on a single platform, different components are distributed across GitHub and Dropbox. Scripts are hosted on GitHub, while executable payloads such as ransomware and remote access tools are stored on Dropbox. This fragmented infrastructure improves resilience, as disabling one service does not interrupt the entire attack chain and complicates takedown efforts. 

Phishing emails deliver compressed archives that contain decoy documents alongside malicious Windows shortcut files labeled in Russian. These shortcuts use double file extensions to impersonate ordinary text files. When opened, they trigger a PowerShell command that retrieves additional code from a public GitHub repository, functioning as an initial installer. The process runs silently, modifies system settings to conceal later actions, and opens a legitimate-looking document to maintain the illusion of normal activity. 

After execution, the attackers receive confirmation via the Telegram Bot API. A deliberate delay follows before launching an obfuscated Visual Basic Script, which assembles later-stage payloads directly in memory. This approach minimizes forensic traces and allows attackers to update functionality without altering the broader attack flow. 

The malware then aggressively disables security protections. Microsoft Defender exclusions are configured, protection modules are shut down, and the defendnot utility is used to deceive Windows into disabling antivirus defenses entirely. Registry modifications block administrative tools, repeated prompts seek elevated privileges, and continuous surveillance is established through automated screenshots exfiltrated via Telegram. 

Once defenses are neutralized, Amnesia RAT is downloaded from Dropbox. The malware enables extensive data theft from browsers, cryptocurrency wallets, messaging apps, and system metadata, while providing full remote control of infected devices. In parallel, ransomware derived from the Hakuna Matata family encrypts files, manipulates clipboard data to redirect cryptocurrency transactions, and ultimately locks the system using WinLocker. 

Fortinet emphasized that the campaign reflects a broader shift in phishing operations, where attackers increasingly weaponize legitimate tools and psychological manipulation instead of exploiting software flaws. Microsoft advises enabling Tamper Protection and monitoring Defender changes to reduce exposure, as similar attacks are becoming more widespread across Russian organizations.
Read more »
Pop-Up Alerts
1Password Cyber Security Data Privacy Phishing Scams Pop-Up Alerts

1Password Launches Pop-Up Alerts to Block Phishing Scams

 

1Password has introduced a new phishing protection feature that displays pop-up warnings when users visit suspicious websites, aiming to reduce the risk of credential theft and account compromise. This enhancement builds on the password manager’s existing safeguards and responds to growing phishing threats fueled by increasingly sophisticated attack techniques.

Traditionally, 1Password protects users by refusing to auto-fill credentials on sites whose URLs do not exactly match those stored in the user’s vault. While this helps block many phishing attempts, it still relies on users noticing that something is wrong when their password manager does not behave as expected, which is not always the case. Some users may assume the tool malfunctioned or that their vault is locked and proceed to type passwords manually, inadvertently handing them to attackers.

The new feature addresses this gap by adding a dedicated pop-up alert that appears when 1Password detects a potential phishing URL, such as a typosquatted or lookalike domain. For example, a domain with an extra character in the name may appear convincing at a glance, especially when the phishing page closely imitates the legitimate site’s design. The pop-up is designed to prompt users to slow down, double-check the URL, and reconsider entering their credentials, effectively adding a behavioral safety net on top of technical controls.

1Password is rolling out this capability automatically for individual and family subscribers, ensuring broad coverage for consumers without requiring configuration changes. In business environments, administrators can enable the feature for employees through Authentication Policies in the 1Password admin console, integrating it into existing access control strategies. This flexibility allows organizations to align phishing protection with their security policies and training programs.

The company underscores the importance of this enhancement with survey findings from 2,000 U.S. respondents, revealing that 61% had been successfully phished and 75% do not check URLs before clicking links. The survey also shows that one-third of employees reuse passwords on work accounts, nearly half have fallen for phishing at work, and many believe protection is solely the IT department’s responsibility. With 72% admitting to clicking suspicious links and over half choosing to delete rather than report questionable messages, 1Password’s new pop-up warnings aim to counter risky user behavior and strengthen overall phishing defenses.
Read more »
online misinformation
AI Misuse AI Risks Cyber Security Election Security Fake messages Misinformation misinformation disinformation threat online misinformation

Online Misinformation and AI-Driven Fake Content Raise Concerns for Election Integrity

 

With elections drawing near, unease is spreading about how digital falsehoods might influence voter behavior. False narratives on social platforms may skew perception, according to officials and scholars alike. As artificial intelligence advances, deceptive content grows more convincing, slipping past scrutiny. Trust in core societal structures risks erosion under such pressure. Warnings come not just from academics but also from community leaders watching real-time shifts in public sentiment.  

Fake messages have recently circulated online, pretending to be from the City of York Council. Though they looked real, officials later stated these ads were entirely false. One showed a request for people willing to host asylum seekers; another asked volunteers to take down St George flags. A third offered work fixing road damage across neighborhoods. What made them convincing was their design - complete with official logos, formatting, and contact information typical of genuine notices. 

Without close inspection, someone scrolling quickly might believe them. Despite their authentic appearance, none of the programs mentioned were active or approved by local government. The resemblance to actual council material caused confusion until authorities stepped in to clarify. Blurred logos stood out immediately when BBC Verify examined the pictures. Wrong fonts appeared alongside misspelled words, often pointing toward artificial creation. 

Details like fingers looked twisted or incomplete - a frequent issue in computer-made visuals. One poster included an email tied to a real council employee, though that person had no knowledge of the material. Websites referenced in some flyers simply did not exist online. Even so, plenty of individuals passed the content along without questioning its truth. A single fabricated post managed to spread through networks totaling over 500,000 followers. False appearances held strong appeal despite clear warning signs. 

What spreads fast online isn’t always true - Clare Douglas, head of City of York Council, pointed out how today’s tech amplifies old problems in new ways. False stories once moved slowly; now they race across devices at a pace that overwhelms fact-checking efforts. Trust fades when people see conflicting claims everywhere, especially around health or voting matters. Institutions lose ground not because facts disappear, but because attention scatters too widely. When doubt sticks longer than corrections, participation dips quietly over time.  

Ahead of public meetings, tensions surfaced in various regions. Misinformation targeting asylum seekers and councils emerged online in Barnsley, according to Sir Steve Houghton, its council head. False stories spread further due to influencers who keep sharing them - profit often outweighs correction. Although government outlets issued clarifications, distorted messages continue flooding digital spaces. Their sheer number, combined with how long they linger, threatens trust between groups and raises risks for everyday security. Not everyone checks facts these days, according to Ilya Yablokov from the University of Sheffield’s Disinformation Research Cluster. Because AI makes it easier than ever, faking believable content takes little effort now. 

With just a small setup, someone can flood online spaces fast. What helps spread falsehoods is how busy people are - they skip checking details before passing things along. Instead, gut feelings or existing opinions shape what gets shared. Fabricated stories spreading locally might cost almost nothing to create, yet their impact on democracy can be deep. 

When misleading accounts reach more voters, specialists emphasize skills like questioning sources, checking facts, or understanding media messages - these help preserve confidence in public processes while supporting thoughtful engagement during voting events.
Read more »
Online Trading Scam
cryptocurrency cryptocurrency security Cryptocurrency Users Cyber Security online trading Online Trading Scam

Suspicious Polymarket Bets Spark Insider Trading Fears After Maduro’s Capture

 

A sudden, massive bet surfaced just ahead of a major political development involving Venezuela’s leader. Days prior to Donald Trump revealing that Nicolás Maduro had been seized by U.S. authorities, an individual on Polymarket placed a highly profitable position. That trade turned a substantial gain almost instantly after the news broke. Suspicion now centers on how the timing could have been so precise. Information not yet public might have influenced the decision. The incident casts doubt on who truly knows what - and when - in digital betting arenas. Profits like these do not typically emerge without some edge. 

Hours before Trump spoke on Saturday, predictions about Maduro losing control by late January jumped fast on Polymarket. A single user, active for less than a month, made four distinct moves tied to Venezuela's political situation. That player started with $32,537 and ended with over $436,000 in returns. Instead of a name, only a digital wallet marks the profile. Who actually placed those bets has not come to light. 

That Friday afternoon, market signals began shifting - quietly at first. Come late evening, chances of Maduro being ousted edged up to 11%, starting from only 6.5% earlier. Then, overnight into January 3, something sharper unfolded. Activity picked up fast, right before news broke. Word arrived via a post: Trump claimed Maduro was under U.S. arrest. Traders appear to have moved quickly, moments prior. Their actions hint at advance awareness - or sharp guesswork - as prices reacted well before confirmation surfaced. Despite repeated attempts, Polymarket offered no prompt reply regarding the odd betting patterns. 

Still, unease is growing among regulators and lawmakers. According to Dennis Kelleher - who leads Better Markets, an independent organization focused on financial oversight - the bet carries every sign of being rooted in privileged knowledge Not just one trader walked away with gains. Others on Polymarket also pulled in sizable returns - tens of thousands - in the window before news broke. That timing hints at information spreading earlier than expected. Some clues likely slipped out ahead of formal releases. One episode sparked concern among American legislators. 

On Monday, New York's Representative Ritchie Torres - affiliated with the Democratic Party - filed a bill targeting insider activity by public officials in forecast-based trading platforms. Should such individuals hold significant details not yet disclosed, involvement in these wagers would be prohibited under his plan. This move surfaces amid broader scrutiny over how loosely governed these speculative arenas remain. Prediction markets like Polymarket and Kalshi gained traction fast across the U.S., letting people bet on politics, economies, or world events. 

When the 2024 presidential race heated up, millions flowed into these sites - adding up quickly. Insider knowledge trades face strict rules on Wall Street, yet forecasting platforms often escape similar control. Under Biden, authorities turned closer attention to these markets, increasing pressure across the sector. When Trump returned to influence, conditions shifted, opening space for lighter supervision. At Kalshi and Polymarket, leadership includes Donald Trump Jr., serving behind the scenes in guiding roles. 

Though Kalshi clearly prohibits insider trading - even among government staff using classified details - the Maduro wagering debate reveals regulatory struggles. Prediction platforms increasingly complicate distinctions, merging guesswork, uneven knowledge, then outright ethical breaches without clear boundaries.
Read more »
vulnerable web applications
Cloud Security Cyber Security misconfigured cloud services penetration testing tools vulnerable web applications

Hackers Abuse Vulnerable Training Web Apps to Breach Enterprise Cloud Environments

 

Threat actors are actively taking advantage of poorly secured web applications designed for security training and internal penetration testing to infiltrate cloud infrastructures belonging to Fortune 500 firms and cybersecurity vendors. These applications include deliberately vulnerable platforms such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP.

Research conducted by automated penetration testing firm Pentera reveals that attackers are using these exposed apps as entry points to compromise cloud systems. Once inside, adversaries have been observed deploying cryptocurrency miners, installing webshells, and moving laterally toward more sensitive assets.

Because these testing applications are intentionally insecure, exposing them to the public internet—especially when they run under highly privileged cloud accounts—creates significant security risks. Pentera identified 1,926 active vulnerable applications accessible online, many tied to excessive Identity and Access Management (IAM) permissions and hosted across AWS, Google Cloud Platform (GCP), and Microsoft Azure environments.

Pentera stated that the affected deployments belonged to several Fortune 500 organizations, including Cloudflare, F5, and Palo Alto Networks. The researchers disclosed their findings to the impacted companies, which have since remediated the issues. Analysis showed that many instances leaked cloud credentials, failed to implement least-privilege access controls, and more than half still relied on default login details—making them easy targets for attackers.

The exposed credentials could allow threat actors to fully access S3 buckets, Google Cloud Storage, and Azure Blob Storage, as well as read and write secrets, interact with container registries, and obtain administrative-level control over cloud environments. Pentera emphasized that these risks were already being exploited in real-world attacks.

"During the investigation, we discovered clear evidence that attackers are actively exploiting these exact attack vectors in the wild – deploying crypto miners, webshells, and persistence mechanisms on compromised systems," the researchers said.

Signs of compromise were confirmed when analysts examined multiple misconfigured applications. In some cases, they were able to establish shell access and analyze data to identify system ownership and attacker activity.

"Out of the 616 discovered DVWA instances, around 20% were found to contain artifacts deployed by malicious actors," Pentera says in the report.

The malicious activity largely involved the use of the XMRig mining tool, which silently mined Monero (XMR) in the background. Investigators also uncovered a persistence mechanism built around a script named ‘watchdog.sh’. When removed, the script could recreate itself from a base64-encoded backup and re-download XMRig from GitHub.

Additionally, the script retrieved encrypted tools from a Dropbox account using AES-256 encryption and terminated rival miners on infected systems. Other incidents involved a PHP-based webshell called ‘filemanager.php’, capable of file manipulation and remote command execution.

This webshell contained embedded authentication credentials and was configured with the Europe/Minsk (UTC+3) timezone, potentially offering insight into the attackers’ location.

Pentera noted that these malicious components were discovered only after Cloudflare, F5, and Palo Alto Networks had been notified and had already resolved the underlying exposures.

To reduce risk, Pentera advises organizations to keep an accurate inventory of all cloud assets—including test and training applications—and ensure they are isolated from production environments. The firm also recommends enforcing least-privilege IAM permissions, removing default credentials, and setting expiration policies for temporary cloud resources.

The full Pentera report outlines the investigation process in detail and documents the techniques and tools used to locate vulnerable applications, probe compromised systems, and identify affected organizations.
Read more »
Zestix
Cloud Services Corporate Data Breach Credential Phishing Cyber Security Data Exposure Files Zestix

Cybercriminals Target Cloud File-Sharing Services to Access Corporate Data

 



Cybersecurity analysts are raising concerns about a growing trend in which corporate cloud-based file-sharing platforms are being leveraged to extract sensitive organizational data. A cybercrime actor known online as “Zestix” has recently been observed advertising stolen corporate information that allegedly originates from enterprise deployments of widely used cloud file-sharing solutions.

Findings shared by cyber threat intelligence firm Hudson Rock suggest that the initial compromise may not stem from vulnerabilities in the platforms themselves, but rather from infected employee devices. In several cases examined by researchers, login credentials linked to corporate cloud accounts were traced back to information-stealing malware operating on users’ systems.

These malware strains are typically delivered through deceptive online tactics, including malicious advertising and fake system prompts designed to trick users into interacting with harmful content. Once active, such malware can silently harvest stored browser data, saved passwords, personal details, and financial information, creating long-term access risks.

When attackers obtain valid credentials and the associated cloud service account does not enforce multi-factor authentication, unauthorized access becomes significantly easier. Without this added layer of verification, threat actors can enter corporate environments using legitimate login details without immediately triggering security alarms.

Hudson Rock also reported that some of the compromised credentials identified during its investigation had been present in criminal repositories for extended periods. This suggests lapses in routine password management practices, such as timely credential rotation or session invalidation after suspected exposure.

Researchers describe Zestix as operating in the role of an initial access broker, meaning the actor focuses on selling entry points into corporate systems rather than directly exploiting them. The access being offered reportedly involves cloud file-sharing environments used across a range of industries, including transportation, healthcare, utilities, telecommunications, legal services, and public-sector operations.

To validate its findings, Hudson Rock analyzed malware-derived credential logs and correlated them with publicly accessible metadata and open-source intelligence. Through this process, the firm identified multiple instances where employee credentials associated with cloud file-sharing platforms appeared in confirmed malware records. However, the researchers emphasized that these findings do not constitute public confirmation of data breaches, as affected organizations have not formally disclosed incidents linked to the activity.

The data allegedly being marketed spans a wide spectrum of corporate and operational material, including technical documentation, internal business files, customer information, infrastructure layouts, and contractual records. Exposure of such data could lead to regulatory consequences, reputational harm, and increased risks related to privacy, security, and competitive intelligence.

Beyond the specific cases examined, researchers warn that this activity reflects a broader structural issue. Threat intelligence data indicates that credential-stealing infections remain widespread across corporate environments, reinforcing the need for stronger endpoint security, consistent use of multi-factor authentication, and proactive credential hygiene.

Hudson Rock stated that relevant cloud service providers have been informed of the verified exposures to enable appropriate mitigation measures.

Read more »
Threat Intelligence
Active Defense Cyber Security Cybercrime Groups Deception Security Honeypot Technology Incident response Network Intrusion Synthetic Data Threat Intelligence

Targeted Cyberattack Foiled by Resecurity Honeypot


 

There has been a targeted intrusion attempt against the internal environment of Resecurity in November 2025, which has been revealed in detail by the cyber security company. In order to expose the adversaries behind this attack, the company deliberately turned the attack into a counterintelligence operation by using advanced deception techniques.

In response to a threat actor using a low-privilege employee account in order to gain access to an enterprise network, Resecurity’s incident response team redirected the intrusion into a controlled synthetic data honeypot that resembles a realistic enterprise network within which the intrusion could be detected. 

A real-time analysis of the attackers’ infrastructure, as well as their tradecraft, was not only possible with this move, but it also triggered the involvement of law enforcement after a number of evidences linked the activity to an Egyptian-based threat actor and infrastructure associated with the ShinyHunter cybercrime group, which has subsequently been shown to have claimed responsibility for the data breach falsely. 

Resecurity demonstrated how modern deception platforms, with the help of synthetic datasets generated by artificial intelligence, combined with carefully curated artifacts gathered from previously leaked dark web material, can transform reconnaissance attempts by financially motivated cybercriminals into actionable intelligence.

The active defense strategies are becoming increasingly important in today's cybersecurity operations as they do not expose customer or proprietary data.

The Resecurity team reported that threat actors operating under the nickname "Scattered Lapsus$ Hunters" publicly claimed on Telegram that they had accessed the company's systems and stolen sensitive information, such as employee information, internal communications, threat intelligence reports, client data, and more. This claim has been strongly denied by the firm. 

In addition to the screenshots shared by the group, it was later confirmed that they came from a honeypot environment that had been built specifically for Resecurity instead of Resecurity's production infrastructure. 

On the 21st of November 2025, the company's digital forensics and incident response team observed suspicious probes of publicly available services, as well as targeted attempts to access a restricted employee account. This activity was detected by the company's digital forensics and incident response team. 

There were initial traces of reconnaissance traffic to Egyptian IP addresses, such as 156.193.212.244 and 102.41.112.148. As a result of the use of commercial VPN services, Resecurity shifted from containment to observation, rather than blocking the intrusion.

Defenders created a carefully staged honeytrap account filled with synthetic data in order to observe the attackers' tactics, techniques, and procedures, rather than blocking the intrusion. 

A total of 28,000 fake consumer profiles were created in the decoy environment, along with nearly 190,000 mock payment transactions generated from publicly available patterns that contained fake Stripe records as well as fake email addresses that were derived from credential “combo lists.” 

In order to further enhance the authenticity of the data, Resecurity reactivated a retired Mattermost collaboration platform, and seeded it with outdated 2023 logs, thereby convincing the attackers that the system was indeed genuine. 

There were approximately 188,000 automated requests routed through residential proxy networks in an attempt by the attackers to harvest the synthetic dataset between December 12 and December 24. This effort ultimately failed when repeated connection failures revealed operational security shortcomings and revealed some of the attackers' real infrastructure in the process of repeated connection failures exposing vulnerabilities in the security of the system. 

A recent press release issued by Resecurity denies the breach allegation, stating that the systems cited by the threat actors were never part of its production environment, but were rather deliberately exposed honeypot assets designed to attract and observe malicious activity from a distance.

After receiving external inquiries, the company’s digital forensics and incident response teams first detected reconnaissance activity on November 21, 2025, after a threat actor began probing publicly accessible services on November 20, 2025, in a report published on December 24 and shared with reporters. 

Telemetry gathered early in the investigation revealed a number of indications that the network had been compromised, including connections coming from Egyptian IP addresses, as well as traffic being routed through Mullvas VPN infrastructure. 

A controlled honeypot account has been deployed by Resecurity inside an isolated environment as a response to the attack instead of a move to containment immediately. As a result, the attacker was able to authenticate to and interact with systems populated completely with false employee, customer, and payment information while their actions were closely monitored by Resecurity. 

Specifically, the synthetic datasets were designed to replicate the actual enterprise data structures, including over 190,000 fictitious consumer profiles and over 28,000 dummy payment transactions that were formatted to adhere to Stripe's official API specifications, as defined in the Stripe API documentation. 

In the early months of the operation, the attacker used residential proxy networks extensively to generate more than 188,000 requests for data exfiltration, which occurred between December 12 and December 24 as an automated data exfiltration operation. 

During this period, Resecurity collected detailed telemetry on the adversary's tactics, techniques, and supporting infrastructure, resulting in several operational security failures that were caused by proxy disruptions that briefly exposed confirmed IP addresses, which led to multiple operational security failures. 

As the deception continued, investigators introduced additional synthetic datasets, which led to even more mistakes that narrowed the attribution and helped determine the servers that orchestrated the activity, leading to an increase in errors. 

In the aftermath of sharing the intelligence with law enforcement partners, a foreign agency collaborating with Resecurity issued a subpoena request, which resulted in Resecurity receiving a subpoena. 

Following this initial breach, the attackers continued to make claims on Telegram, and their data was also shared with third-party breach analysts, but these statements, along with the new claims, were found to lack any verifiable evidence of actual compromise of real client systems. Independent review found that no evidence of the breach existed. 

Upon further examination, it was determined that the Telegram channel used to distribute these claims had been suspended, as did follow-on assertions from the ShinyHunters group, which were also determined to be derived from a honeytrap environment.

The actors, unknowingly, gained access to a decoy account and infrastructure, which was enough to confirm their fall into the honeytrap. Nevertheless, the incident demonstrates both the growing sophistication of modern deception technology as well as the importance of embedding them within a broader, more resilient security framework in order to maximize their effectiveness. 

A honeypot and synthetic data environment can be a valuable tool for observing attacker behavior. However, security leaders emphasize that the most effective way to use these tools is to combine them with strong foundational controls, including continuous vulnerability management, zero trust access models, multifactor authentication, employee awareness training, and disciplined network segmentation. 

Resecurity represents an evolution in defensive strategy from a reactive and reactionary model to one where organizations are taking a proactive approach in the fight against cyberthreats by gathering intelligence, disrupting the operations of adversaries, and reducing real-world risk in the process. 

There is no doubt that the ability to observe, mislead, and anticipate hostile activity, before meaningful damage occurs, is becoming an increasingly important element of enterprise defenses in the age of cyber threats as they continue to evolve at an incredible rate.

Together, the episodes present a rare, transparent view of how modern cyber attacks unfold-and how they can be strategically neutralized in order to avoid escalation of risk to data and real systems. 

Ultimately, Resecurity's claims serve more as an illustration of how threat actors are increasingly relying on perception, publicity, and speed to shape narratives before facts are even known to have been uncovered, than they serve as evidence that a successful breach occurred. 

Defenders of the case should take this lesson to heart: visibility and control can play a key role in preventing a crisis. It has become increasingly important for organizations to be able to verify, contextualize, and counter the false claims that are made by their adversaries as they implement technical capabilities combined with psychological tactics in an attempt to breach their systems. 

The Resecurity incident exemplifies how disciplined preparation and intelligence-led defense can help turn an attempted compromise into strategic advantage in an environment where trust and reputation are often the first targets. They do this quiet, methodically, and without revealing what really matters when a compromise occurs.
Read more »
zero click
Android Apple Cyber Security Google iPhone Meta Spyware zero click

What Happens When Spyware Hits a Phone and How to Stay Safe

 



Although advanced spyware attacks do not affect most smartphone users, cybersecurity researchers stress that awareness is essential as these tools continue to spread globally. Even individuals who are not public figures are advised to remain cautious.

In December, hundreds of iPhone and Android users received official threat alerts stating that their devices had been targeted by spyware. Shortly after these notifications, Apple and Google released security patches addressing vulnerabilities that experts believe were exploited to install the malware on a small number of phones.

Spyware poses an extreme risk because it allows attackers to monitor nearly every activity on a smartphone. This includes access to calls, messages, keystrokes, screenshots, notifications, and even encrypted platforms such as WhatsApp and Signal. Despite its intrusive capabilities, spyware is usually deployed in targeted operations against journalists, political figures, activists, and business leaders in sensitive industries.

High-profile cases have demonstrated the seriousness of these attacks. Former Amazon chief executive Jeff Bezos and Hanan Elatr, the wife of murdered Saudi dissident Jamal Khashoggi, were both compromised through Pegasus spyware developed by the NSO Group. These incidents illustrate how personal data can be accessed without user awareness.

Spyware activity remains concentrated within these circles, but researchers suggest its reach may be expanding. In early December, Google issued threat notifications and disclosed findings showing that an exploit chain had been used to silently install Predator spyware. Around the same time, the U.S. Cybersecurity and Infrastructure Security Agency warned that attackers were actively exploiting mobile messaging applications using commercial surveillance tools.

One of the most dangerous techniques involved is known as a zero-click attack. In such cases, a device can be infected without the user clicking a link, opening a message, or downloading a file. According to Malwarebytes researcher Pieter Arntz, once infected, attackers can read messages, track keystrokes, capture screenshots, monitor notifications, and access banking applications. Rocky Cole of iVerify adds that spyware can also extract emails and texts, steal credentials, send messages, and access cloud accounts.

Spyware may also spread through malicious links, fake applications, infected images, browser vulnerabilities, or harmful browser extensions. Recorded Future’s Richard LaTulip notes that recent research into malicious extensions shows how tools that appear harmless can function as surveillance mechanisms. These methods, often associated with nation-state actors, are designed to remain hidden and persistent.

Governments and spyware vendors frequently claim such tools are used only for law enforcement or national security. However, Amnesty International researcher Rebecca White states that journalists, activists, and others have been unlawfully targeted worldwide, using spyware as a method of repression. Thai activist Niraphorn Onnkhaow was targeted multiple times during pro-democracy protests between 2020 and 2021, eventually withdrawing from activism due to fears her data could be misused.

Detecting spyware is challenging. Devices may show subtle signs such as overheating, performance issues, or unexpected camera or microphone activation. Official threat alerts from Apple, Google, or Meta should be treated seriously. Leaked private information can also indicate compromise.

To reduce risk, Apple offers Lockdown Mode, which limits certain functions to reduce attack surfaces. Apple security executive Ivan Krstić states that widespread iPhone malware has not been observed outside mercenary spyware campaigns. Apple has also introduced Memory Integrity Enforcement, an always-on protection designed to block memory-based exploits.

Google provides Advanced Protection for Android, enhanced in Android 16 with intrusion logging, USB safeguards, and network restrictions.

Experts recommend avoiding unknown links, limiting app installations, keeping devices updated, avoiding sideloading, and restarting phones periodically. However, confirmed infections often require replacing the device entirely. Organizations such as Amnesty International, Access Now, and Reporters Without Borders offer assistance to individuals who believe they have been targeted.

Security specialists advise staying cautious without allowing fear to disrupt normal device use.

Read more »
Grok
AI Chatbot AI Deepfakes AI Privacy AI Risks AI security risks Artificial Intelligence (AI) Grok Cyber Security Deepfake Images Grok

Grok AI Faces Global Backlash Over Nonconsensual Image Manipulation on X

 

A dispute over X's internal AI assistant, Grok, is gaining attention - questions now swirl around permission, safety measures online, yet also how synthetic media tools can be twisted. This tension surfaced when Julie Yukari, a musician aged thirty-one living in Rio de Janeiro, posted a picture of herself unwinding with her cat during New Year’s Eve celebrations. Shortly afterward, individuals on the network started instructing Grok to modify that photograph, swapping her outfit for skimpy beach attire through digital manipulation. 

What started as skepticism soon gave way to shock. Yukari had thought the system wouldn’t act on those inputs - yet it did. Images surfaced, altered, showing her with minimal clothing, spreading fast across the app. She called the episode painful, a moment that exposed quiet vulnerabilities. Consent vanished quietly, replaced by algorithms working inside familiar online spaces. 

A Reuters probe found that Yukari’s situation happens more than once. The organization uncovered multiple examples where Grok produced suggestive pictures of actual persons, some seeming underage. No reply came from X after inquiries about the report’s results. Earlier, xAI - the team developing Grok - downplayed similar claims quickly, calling traditional outlets sources of false information. 

Across the globe, unease is growing over sexually explicit images created by artificial intelligence. Officials in France have sent complaints about X to legal authorities, calling such content unlawful and deeply offensive to women. A similar move came from India’s technology ministry, which warned X it did not stop indecent material from being made or shared online. Meanwhile, agencies in the United States, like the FCC and FTC, chose silence instead of public statements. 

A sudden rise in demands for Grok to modify pictures into suggestive clothing showed up in Reuters' review. Within just ten minutes, over one00 instances appeared - mostly focused on younger females. Often, the system produced overt visual content without hesitation. At times, only part of the request was carried out. A large share vanished quickly from open access, limiting how much could be measured afterward. 

Some time ago, image-editing tools driven by artificial intelligence could already strip clothes off photos, though they mostly stayed on obscure websites or required payment. Now, because Grok is built right into a well-known social network, creating such fake visuals takes almost no work at all. Warnings had been issued earlier to X about launching these kinds of features without tight controls. 

People studying tech impacts and advocacy teams argue this situation followed clearly from those ignored alerts. From a legal standpoint, some specialists claim the event highlights deep flaws in how platforms handle harmful content and manage artificial intelligence. Rather than addressing risks early, observers note that X failed to block offensive inputs during model development while lacking strong safeguards on unauthorized image creation. 

In cases such as Yukari’s, consequences run far beyond digital space - emotions like embarrassment linger long after deletion. Although aware the depictions were fake, she still pulled away socially, weighed down by stigma. Though X hasn’t outlined specific fixes, pressure is rising for tighter rules on generative AI - especially around responsibility when companies release these tools widely. What stands out now is how little clarity exists on who answers for the outcomes.
Read more »
EU
Black Basta Black Basta Ransomware Black Basta Ransomware gang Cyber Security Cyber Security Ransomware Attacks cybercrime group EU

European Authorities Identify Black Basta Suspects as Ransomware Group Collapses

 

Two Ukrainians are now under suspicion of aiding Black Basta, a ransomware network tied to Russia, after joint work by police units in Ukraine and Germany - this step adds pressure on the hacking group’s operations. The man believed to lead the gang, Oleg Evgenievich Nefedov, aged thirty-five and holding Russian citizenship, appears on key global alerts: one issued by the EU, another by INTERPOL. Though named, he remains at large. 

A Ukrainian cybercrime unit identified two people who handled technical tasks for a ransomware network, focusing on breaking into secured systems. These individuals worked by uncovering encrypted passwords through dedicated tools. Their job was to unlock access codes so others could move deeper. With those login details, associates entered company servers without permission. They installed malicious encryption programs afterward. Victims then faced demands for money before files would be released. 

Finding hidden data drives inside apartments across Ivano-Frankivsk and Lviv opened a path toward tracking illegal transactions. Though police stayed silent on custody details, they emphasized digital trails now feed directly into active probes. 

Emerging in April 2022, Black Basta quickly rose as a leading ransomware force worldwide. Over 500 businesses in North America, Europe, and Australia faced its attacks, bringing in hundreds of millions through crypto ransoms. Instead of acting alone, the group used a service-based approach, pulling in partners who received profit cuts for launching assaults on their behalf. 

Early in 2025, internal chat records from Black Basta were made public, showing how the group operated and naming those involved. Nefedov emerged as the central figure behind the network; his known aliases included Tramp, Trump, GG, and AA. Evidence within the files suggested ties between him and high-level individuals in Russian politics. Links to state security bodies like the FSB and GRU appeared in some messages. 

Such affiliations might explain why legal action against him never moved forward. The disclosure offered rare insight into an otherwise hidden criminal ecosystem. A report from June 2024 noted a short detention of Nefedov in Yerevan, Armenia; authorities let him go afterward. Although listed internationally as a fugitive, where he is now has not been confirmed - evidence suggests Russia may be harboring him. 

Some researchers connect Nefedov to Conti, a well-known ransomware outfit that ended in 2022. When Conti broke apart, new groups appeared - Black Basta, BlackByte, and KaraKurt among them. Following the split, ex-Conti members moved into different ransomware efforts, though certain ones eventually stopped operating. A different analysis by Analyst1 showed Black Basta made frequent use of Media Land - an internet host blacklisted by U.S., British, and Australian governments in late 2025 due to its resistance to takedown requests. 

According to officials in Germany, Nefedov was responsible for choosing victims, bringing in new people, handling payment talks after attacks, then splitting the money taken with others involved. After the leaks, activity from Black Basta's systems stopped. Its public leak page vanished by February. 

Still, security analysts note such criminal networks frequently reappear under different names or combine forces elsewhere. Data collected by ReliaQuest together with Trend Micro points toward ex-members possibly joining CACTUS. A sharp increase in victims claimed by CACTUS emerged right when Black Basta faded.
Read more »
malicious extensions
Chrome Extensions Cookies Cyber Security cybersecurity risks Google Chrome security malicious extensions

Malicious Chrome Extensions Target Enterprise HR and ERP Platforms to Steal Credentials

 

One after another, suspicious Chrome add-ons began appearing under false pretenses - each masquerading as helpful utilities. These were pulled from public view only after Socket, a cybersecurity group, traced them back to a single pattern of abuse. Instead of boosting efficiency, they harvested data from corporate systems like Workday, NetSuite, and SAP SuccessFactors. Installation counts climbed past 2,300 across five distinct apps before takedown. Behind the scenes, threat actors leveraged legitimate-looking interfaces to gain access where it mattered most. 

One investigation found that certain browser add-ons aimed to breach corporate systems, either by capturing login details or disrupting protective measures. Though appearing under distinct titles and author profiles, these tools carried matching coding patterns, operational frameworks, and selection methods - pointing to coordination behind their release. A person using the handle databycloud1104 was linked to four of them; another version emerged through a separate label called Software Access. 

Appearing alongside standard business applications, these extensions asked for permissions typical of corporate tools. One moment they promised better control over company accounts, the next they emphasized locking down admin functions. Positioned as productivity aids, several highlighted dashboard interfaces meant to streamline operations across teams. Instead of standing out, their behavior mirrored genuine enterprise solutions. Claiming to boost efficiency or tighten security, each framed its purpose around workplace demands. Not every feature list matched actual functionality, yet on the surface everything seemed aligned with professional needs. 

Yet the investigation revealed every extension hid its actual operations. Although privacy notices were present, they omitted details about gathering user data, retrieving login information, or tracking admin actions. Without visibility, these tools carried out harmful behaviors - such as stealing authentication cookies, altering webpage elements, or taking over active sessions - all while appearing legitimate. What seemed harmless operated differently beneath the surface. 

Repeated extraction of authentication cookies called "__session" occurred across multiple extensions. Despite user logout actions, those credentials kept reaching external servers controlled by attackers. Access to corporate systems remained uninterrupted due to timed transmissions. Traditional sign-in protections failed because live session data was continuously harvested elsewhere. 

Notably, two add-ons - Tool Access 11 and Data By Cloud 2 - took more aggressive steps. Instead of merely monitoring, they interfered directly with key security areas in Workday. Through recognition of page titles, these tools erased information or rerouted admins before reaching control panels. Pages related to login rules appeared blank or led elsewhere. Controls involving active sessions faced similar disruptions. Even IP-based safeguards vanished unexpectedly. Managing passwords became problematic under their influence. Deactivating compromised accounts grew harder. Audit trails for suspicious activity disappeared without notice. As a result, teams lost vital ground when trying to spot intrusions or contain damage. 

What stood out was the Software Access extension’s ability to handle cookies in both directions. Not only did it take cookies from users, but also inserted ones provided by attackers straight into browsers. Because of this, unauthorized individuals gained access to active sessions - no login details or extra verification steps required. The outcome? Full control over corporate accounts within moments. 

Even with few users impacted, Socket highlighted how compromised business logins might enable wider intrusions - such as spreading ransomware or extracting major datasets. After the discovery, the company alerted Google; soon after, the malicious add-ons vanished from the Chrome Web Store. Those who downloaded them should inform internal security staff while resetting access codes across exposed systems to reduce exposure. Though limited in reach, the breach carries serious downstream implications if left unchecked.
Read more »
Innovation
AI Deepfakes Artificial Intelligence Cyber Security Cyber Threats Financial Data Innovation

Why Cybersecurity Threats in 2026 Will Be Harder to See, Faster to Spread, And Easier to Believe

 


The approach to cybersecurity in 2026 will be shaped not only by technological innovation but also by how deeply digital systems are embedded in everyday life. As cloud services, artificial intelligence tools, connected devices, and online communication platforms become routine, they also expand the surface area for cyber exploitation.

Cyber threats are no longer limited to technical breaches behind the scenes. They increasingly influence what people believe, how they behave online, and which systems they trust. While some risks are still emerging, others are already circulating quietly through commonly used apps, services, and platforms, often without users realizing it.

One major concern is the growing concentration of internet infrastructure. A substantial portion of websites and digital services now depend on a limited number of cloud providers, content delivery systems, and workplace tools. This level of uniformity makes the internet more efficient but also more fragile. When many platforms rely on the same backbone, a single disruption, vulnerability, or attack can trigger widespread consequences across millions of users at once. What was once a diverse digital ecosystem has gradually shifted toward standardization, making large-scale failures easier to exploit.

Another escalating risk is the spread of misleading narratives about online safety. Across social media platforms, discussion forums, and live-streaming environments, basic cybersecurity practices are increasingly mocked or dismissed. Advice related to privacy protection, secure passwords, or cautious digital behavior is often portrayed as unnecessary or exaggerated. This cultural shift creates ideal conditions for cybercrime. When users are encouraged to ignore protective habits, attackers face less resistance. In some cases, misleading content is actively promoted to weaken public awareness and normalize risky behavior.

Artificial intelligence is further accelerating cyber threats. AI-driven tools now allow attackers to automate tasks that once required advanced expertise, including scanning for vulnerabilities and crafting convincing phishing messages. At the same time, many users store sensitive conversations and information within browsers or AI-powered tools, often unaware that this data may be accessible to malware. As automated systems evolve, cyberattacks are becoming faster, more adaptive, and more difficult to detect or interrupt.

Trust itself has become a central target. Technologies such as voice cloning, deepfake media, and synthetic digital identities enable criminals to impersonate real individuals or create believable fake personas. These identities can bypass verification systems, open accounts, and commit fraud over long periods before being detected. As a result, confidence in digital interactions, platforms, and identity checks continues to decline.

Future computing capabilities are already influencing present-day cyber strategies. Even though advanced quantum-based attacks are not yet practical, some threat actors are collecting encrypted data now with the intention of decrypting it later. This approach puts long-term personal, financial, and institutional data at risk and underlines the need for stronger, future-ready security planning.

As digital and physical systems become increasingly interconnected, cybersecurity in 2026 will extend beyond software and hardware defenses. It will require stronger digital awareness, better judgment, and a broader understanding of how technology shapes risk in everyday life.

Read more »
Malwares
Cyber Security GootLoader Malicious Codes Malicious Files Malware attacks Malwares

GootLoader Malware Uses Malformed ZIP Archives to Evade Detection

 

A fresh tactic has emerged among cybercriminals using GootLoader, a JavaScript-driven malware installer. Instead of standard compression, they now distribute broken ZIP files designed to slip past digital defenses. These flawed archives exploit differences across decompression programs - some fail to process them, others do so partially. This mismatch lets malicious code stay concealed during scans yet run normally when opened by users. Findings detailed by Expel show that inconsistent parsing logic in software plays right into attacker hands. Hidden scripts activate only when handled by specific tools found on typical machines. 

Starting with a strange structure, these harmful ZIP files combine around 500 to 1,000 smaller archives into one large package. Because of this layered setup, standard programs like WinRAR or 7-Zip cannot properly read them - tools often relied on during malware checks. Due to the confusion they create, automatic detection systems frequently skip examining what's inside. Yet, when opened through Windows’ own built-in decompression feature, the file works without issue. 

That smooth operation lets victims unknowingly unpack dangerous content. Since 2020, GootLoader has maintained a presence among cyber threats, primarily spreading via manipulated search results and deceptive online ads. People looking for official forms or corporate paperwork may unknowingly land on hacked WordPress sites offering infected files. These corrupted archives, once opened, trigger the payload delivery mechanism embedded within the software. Acting as a gateway tool, it paves the way for additional harmful programs - ransomware being one frequent outcome. 

The chain of infection begins quietly, escalating quickly under the radar. By late 2025, Expel researchers noticed subtle upgrades, showing how the attack method keeps shifting. Instead of just stacking archives, hackers shorten key metadata inside ZIP structures - especially tampering with the end of central directory entries. That tweak triggers failures in numerous analysis programs, yet files still open in Windows Explorer. 

Inside the package, unimportant sections get scrambled too, throwing off predictable reading patterns and making automated inspection harder. Researchers refer to this method as "hashbusting," delivering a distinct ZIP file to each target. Every time someone downloads it, differences in the archive's layout and data prevent standard hash checks from working. Even the JavaScript inside changes form with each instance. Detection systems relying on repeated patterns struggle as a result. 

 What makes the delivery hard to catch lies in its method. Rather than sending a typical ZIP archive, attackers transmit the malicious code as an XOR-encrypted flow of data, rebuilt only after reaching the target's browser. It grows by adding copies of itself over and over, expanding until it meets a specific volume - this skirts detection meant for compressed files. After launch, the script runs using built-in Windows tools, skipping any need to unpack completely, so the attack unfolds without drawing attention. 

Once active, it stays on the machine by placing shortcuts into the Windows Startup directory - then triggers further scripts through native utilities like cscript or PowerShell. From there, data collection begins: details about the system get pulled and sent back to distant servers that control the attack, setting up what comes next without delay. 

Although often overlooked, limiting access to built-in tools such as wscript.exe helps block common attack paths. Instead of running scripts automatically, setting systems to display code in basic viewers adds another layer of protection. As seen with GootLoader’s shifts over time, attackers now twist everyday OS functions into stealthy weapons, staying active even when defenses improve.
Read more »
URL
Artificial Intelligence Cyber Security Data Exfiltration Microsoft Copilot Reprompt URL

Security Researchers Warn of ‘Reprompt’ Flaw That Turns AI Assistants Into Silent Data Leaks

 



Cybersecurity researchers have revealed a newly identified attack technique that shows how artificial intelligence chatbots can be manipulated to leak sensitive information with minimal user involvement. The method, known as Reprompt, demonstrates how attackers could extract data from AI assistants such as Microsoft Copilot through a single click on a legitimate-looking link, while bypassing standard enterprise security protections.

According to researchers, the attack requires no malicious software, plugins, or continued interaction. Once a user clicks the link, the attacker can retain control of the chatbot session even if the chat window is closed, allowing information to be quietly transmitted without the user’s awareness.

The issue was disclosed responsibly, and Microsoft has since addressed the vulnerability. The company confirmed that enterprise users of Microsoft 365 Copilot are not affected.

At a technical level, Reprompt relies on a chain of design weaknesses. Attackers first embed instructions into a Copilot web link using a standard query parameter. These instructions are crafted to bypass safeguards that are designed to prevent direct data exposure by exploiting the fact that certain protections apply only to the initial request. From there, the attacker can trigger a continuous exchange between Copilot and an external server, enabling hidden and ongoing data extraction.

In a realistic scenario, a target might receive an email containing what appears to be a legitimate Copilot link. Clicking it would cause Copilot to execute instructions embedded in the URL. The attacker could then repeatedly issue follow-up commands remotely, prompting the chatbot to summarize recently accessed files, infer personal details, or reveal contextual information. Because these later instructions are delivered dynamically, it becomes difficult to determine what data is being accessed by examining the original prompt alone.

Researchers note that this effectively turns Copilot into an invisible channel for data exfiltration, without requiring user-entered prompts, extensions, or system connectors. The underlying issue reflects a broader limitation in large language models: their inability to reliably distinguish between trusted user instructions and commands embedded in untrusted data, enabling indirect prompt injection attacks.

The Reprompt disclosure coincides with the identification of multiple other techniques targeting AI-powered tools. Some attacks exploit chatbot connections to third-party applications, enabling zero-interaction data leaks or long-term persistence by injecting instructions into AI memory. Others abuse confirmation prompts, turning human oversight mechanisms into attack vectors, particularly in development environments.

Researchers have also shown how hidden instructions can be planted in shared documents, calendar invites, or emails to extract corporate data, and how AI browsers can be manipulated to bypass built-in prompt injection defenses. Beyond software, hardware-level risks have been identified, where attackers with server access may infer sensitive information by observing timing patterns in machine learning accelerators.

Additional findings include abuses of trusted AI communication protocols to drain computing resources, trigger hidden tool actions, or inject persistent behavior, as well as spreadsheet-based attacks that generate unsafe formulas capable of exporting user data. In some cases, attackers could manipulate AI development platforms to alter spending controls or leak access credentials, enabling stealthy financial abuse.

Taken together, the research underlines that prompt injection remains a persistent and evolving risk. Experts recommend layered security defenses, limiting AI privileges, and restricting access to sensitive systems. Users are also advised to avoid clicking unsolicited AI-related links and to be cautious about sharing personal or confidential information in chatbot conversations.

As AI systems gain broader access to corporate data and greater autonomy, researchers warn that the potential impact of a single vulnerability increases substantially, underscoring the need for careful deployment, continuous monitoring, and ongoing security research.


Read more »
Subscribe to: Comments (Atom)