Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data. Show all posts
Technology
AI Claude Crypto Data Malware Attack Technology

Hackers Exploit Fake Claude Code Installers and Install Malware


Developers looking into Claude Code deployment instructions could be lured into an advanced malware campaign that hides itself as a genuine AI tooling documentation. 

Fake Claude code exploit

Experts found a few fake Claude Code and developer platform websites built to steal credentials, cryptocurrency, and API keys.

According to Straiker researchers, “the attack chain runs on the same unchecked trust that makes AI developer tools so easy to adopt.  “You copy a command. You paste it in your terminal. By then, it’s already too late,” said Straiker researchers in their analysis of the campaign. 

Highlights of the fake Claude code campaign 

1. Experts found over 88 fake domains mimicking Claude Code and other developer sites. The campaign utilises SEO infection and Google ads to deploy malicious install web pages over genuine documentation.

2. Threat actors hide infected commands within genuine installation commands, without impacting the deployment process.

3. The malware particularly attacks AI-based assets such as cloud development credentials, API keys, and verification tokens.

About the credential theft campaign 

The campaign attacked users of famous AI and developer tools, such as Claude Code, JetBrains, Perplexity Comet, and Cline. 

As per the experts, the operation depends on over 88 domains hosted throughout genuine platforms and constantly shuffles infrastructure, letting malicious sites to immediately resurface after shutdowns. To trap targets, threat actors use redirect chains, SEO poisoning and paid Google ads that place scammed installations over genuine documentation in search results.

These websites closely impersonate genuine vendor resources and demonstrate installation commands that look genuine but include hidden separators, such as “&,” that launch malicious actions along with the expected software deployment.

In various incidents, the genuine command still runs effectively, helping hide the hack.

Delivery of malware and launch tactics

Experts found various delivery techniques, such as rundll32.exe loading infected DLLs, Base64-encoded commands, mshta.exe abuse, JavaScript-based payloads, and GitHub-hosted scripts. 

By such techniques, hackers improve their potential to escape convention detection tools. Contrary to infostealers, the campaign pick on AI assets like authentication tokens, API Key, and cloud development credentials from tools such as Continue[.]dev, Cline. 

After execution, the malware uses a multi-level malicious chain that features encoded C2 communications, anti-analysis capabilities, fileless execution tactics, and credential theft functions.

Experts found the primary payload as ACRStealer, a malware family that steals information and has developed to include sophisticated encryption and escape tactics. Experts also identified a cryptocurrency clipboard hacker that rediverts transactions by replacing copied wallet addresses.

Read more »
Technology
AI Cloud Data Deepfakes Phishing Technology

Cyber Security: Six Cyber Threats to Look Out for in 2026


With industries being digitized, cybercrime is also advancing. This year, besides being opportunistic, threats have also become highly targeted, intelligent, and automated. 

The data comes from UK Government’s Cyber Security Breaches Survey 2025, which hints that 43% of businesses and 30% of charities listed an attack or a cyber breach or attack in the past 12 months. That’s a surprising 61,000 charities and 612,000 businesses impacted. 

Despite the data, businesses can lower their risk of cyber threats. But it is important to understand these key risks to stay safe and prepare for the next danger.

Six rising common cyber threats

1. Deepfakes: Deepfakes have shifted from niche technology to a major threat. Hackers nowadays use AI-generated audio and media to mimic organization staff. This can be risky in procurement or finance, where hackers push staff to send funds, share personal data, or approve finances, where the hackers pose as business leaders.

2. Supply-chain attacks: Instead of targeting organizations directly, hackers are targeting third-party vendors to get access to various firms at once via supply-chain attacks. The attack tactic abuses trust and internal security sometimes may not address all the threats in the supply chain. One hacked vendor can prompt a domino effect throughout hundreds of businesses. 

3. AI-powered phishing hacks: Phishing is one of the most common attacks in the past 12 months, and the tactic has changed significantly over the years. Most of the phishing attacks today are supported by AI tools and hackers are copying internal comms.

4. Credential stuffing attack: Weak passwords are the biggest reasons for hacks these days. In such attacks, hackers use stolen login credentials from past hacks and test them automatically across distinct platforms.

5. IoT and device flaws: As IoT is increasing, the hack surface also widens. Many devices such as sensors, cameras and industrial machinery still have limitations. Hackers abuse these flaws to access larger corporate networks. Traditional cyber security methods tend to ignore these flaws, and this has resulted in a significant risk.

6. Cloud errors: A simple thing such as exposed storage bucket or false access setting can expose sensitive data publicly accessible. These cases don’t get hacked as the information is unprotected. Currently, cloud storage environments are advanced, and building robust configuration hygiene has become a top critical priority.

Read more »
Technology
AI Akira Convention Center Data Ransomware Technology

Akira Gang Claims Ransomware Attack at Convention Center, Extorts $250 Million


Akira gang extorts $250 million

Akira, the infamous ransomware gang has extorted over $250 million from businesses globally. It is now blackmailing to leak 46 GBs of data allegedly extorted from the Buffalo Convention Center. The stolen data includes financial information, contracts, employee records, and private data linked to around 1,80,000 people.

What do the experts say?

Resilience director at Gate 15, Ben Taylor has warned that ransomware gangs often boast the amount of data stolen. The alleged figure of 1,80,00 impacted people suggests data retrieved via a third-party provider, exaggerated claims to extort victims, or direct breach of venue systems. 

The dark web monitoring firm Breach Sense verified the Buffalo Convention Center data breach. The FBI has classified Akira as a ransomware-as-a-service gang that extorted over $250 million from hundreds of businesses since 2023.

Convention centres have become a lucrative target for hackers

Convention centers, which increasingly act as repository for guest registrations, exhibitor information, payment data, contracts, and operational systems, are facing an escalating cybersecurity issue as a result of the alleged incident.

Ransomware gangs claim that they have gained access to a company in order to obtain leverage for a swift and simple payment. According to Taylor, there are situations in which these assertions are true and some that are not.

Ransomware as double extortion

Additionally, the attack illustrates how contemporary ransomware operations have evolved. "Double extortion" is a common method used by organizations such as Akira. Before encrypting networks, they take confidential files and threaten to reveal the information if payment is not received.

According to Taylor, developments in AI are intensifying the problem by making it simpler to scale and customize phishing campaigns and other cybercrime tactics.

About the victims

Buffalo Convention Center was not the only enterprise to suffer a ransomware attack. 

High-case hospital hacks showcase the operational effect of a ransomware attack. According to MGM Resorts, in 2023, a cyberattack leaked personal data linked to millions of guests and impacted hotel operations for days. Another famous enterprise, Caesars Entertainment was also breached and allegedly paid $15 million in ransom to hackers.

The dangers go beyond convention centers. In April, Carnival Corporation was attacked by a gang that claims to have stolen over 8.7 million records such as dates of birth, names, and other personal data. 

Read more »
US
AI Cyber Attacks Data Donald Trump MyPillow Play Gang Ransomware US

Play Gang Claims Responsibility for MyPillow Hack, Company CEO Denies the Breach


The US military has always known that threat actors could use location data to spy on troops’ devices. The military also knows the easy solutions for the problem. But the Pentagon implemented none of these security measures. 

Recently, CySecurity reported that threat actors were using digital advertising data to attack US soldiers in war zones. The US law enforcement recently warned about the “anti-tech” extremism because the AI criticism was growing in the country.

Play gang takes responsibility 

The Play ransomware hacking group claimed the data theft behind the US pillow manufacturer called MyPillow. It stole personal and private confidential data from the victim. 

About the target

MyPillow was founded by 2020 Minnesota gubernatorial candidate and 220 election conspiracy theorist Mike Lindell.

The stolen data claim first surfaced on Play’s blog recently, it threatened that it was able to steal an unknown amount of information which may be exposed soon which may leak “"private and personal confidential data, clients and etc. documents, budget, payroll, IDs, taxes, finance information."

The claim, which appeared on Play's dark web leak portal earlier this week, threatens that an undeclared amount of data will be released on Friday, potentially exposing "private and personal confidential data, clients and etc. documents,budget, payroll, IDs, taxes, finance information."

High profile case

Straight Arrow News first reported about the incident. But MyPillow’s high-profile CEO Mike Lindell has denied claims of any ransomware attack which happened at all.

MyPillow was a lucrative victim for the threat actors, as Lindell’s role in pumping the controversial claims that the 2020 US presidential campaign was rigged against the now President Donald Trump.

According to Straight Arrow News, Lindell claimed in a recent interview on his website, Lindell TV, that political attacks during the previous few years cost MyPillow $400 million in damages. 

What next?

Lindell stated that he will submit an application for reimbursement from Trump's $1.8 billion "Anti-Weaponization Fund," which was established as part of Trump's settlement of an Internal Revenue Service lawsuit. 

The settlement, according to critics, offered Trump a slush fund to compensate rioters on January 6 and other individuals who have spread election conspiracy theories.

Whether MyPillow was hacked is not confirmed at the time of writing. The company denies the claim, whereas Play gang takes responsibility.
Read more »
Technology
AI ALPR Data Spying Surveillance Technology

School Buses Could Become Surveillance Vehicles for Government in The US


In the US, school buses may soon become surveillance vehicles, according to 404 media’s report. A review of leaked documents revealed plans to deploy buses with automatic license plate readers (ALPR). 

The data will be allegedly given to government agencies. Already, privacy is a concerning issue amid rising data safety violations. Equipping buses with surveillance cameras will be unconstitutional and national-level spying of citizens in the US. 

About the incident

Bus Patrol, US’ leading provider of school bus stop-arm cameras has  over 40,000 AI-based cameras throughout 24 states. These cameras are allowed in 30 states, and are installed on school buses, and capture images of vehicles violating traffic rules when the bus is stopped. 

The footages captured  by the buses are “recorded, reviewed, and submitted to local law enforcement for review and final approval,” says BusPatrol. 

Stop-arm cameras claim to improve driver behaviour near school buses and student safety, but they have faced backlashes for failing on both ends. Stop-arm cameras also generate millions of dollars for businesses like BusPatrol. 

Currently, the firm plans to increase its data collection, revenue, and teaming with local law enforcement by changing stop-arm camera into ALPRs, as per the leaked BusPatrol documents. 

Why is ALPR system an issue?

ALPR systems are run by firms such as Flock Safety. They record the license plate number of passing vehicles but unlike traffic signals or stop-cameras, ALPR "cameras photograph every vehicle that drives by and can use artificial intelligence to create a profile with identifying information that then gets stored into a massive data base,” said the Institute for Justice (I.J), a public interest law firm. 

The data can be sent to law agencies which might use it for searching a vehicle or driver without requiring a legal warrant. The ALPR cameras fixed on moving school buses will help enforcement agencies to capture every moving vehicle they come across.

Flawed implementation

Without ethical enforcement, these cameras can be exploited. joshua Windham, a senior I.J. attorney, announced a nationwide campaign to oppose the uncontrolled and unconstitutional deployment of ALPR technology. 

Earlier ALPR systems’ data security has come under scrutiny after cases of sharing databases with immigration agencies surfaced despite company policies forbidding it. 

In Kansas, an officer used the data to trace his ex-girlfriend whereas in Texas, officers used the data to search for a woman who got an abortion. Such incidents have caused a few communities to termiate their contracts and discontinue ALPR entirely.

Read more »
Surveillance
AI Cloud Data FROST Internet Privacy Spying Surveillance

FROST Attack: Websites Can Now Spy on Users Via SSDs


Websites have always tried to spy on user activity through browsing histories, mouse clicks and keystrokes, and device fingerprints. Even Yandex and Meta were caught spying on users recently.

Hackers exploiting SSDs

These days, hackers are exploiting SSDs to spy on user activity. Known as Fingerprinting Remotely using OPFS-based SSD Timing or FROST, the technique lets hackers spy on other websites a visitor is viewing and what other applications are open on a user device.

In a research paper, the authors explained the exploit tactic. Hackers exploit a side channel, creating a type of leak that results from data caches or electromagnetic emanations. By computing the physical manifestations, hackers can decode encoded traffic and hack other confidential information.

Sites spying on user activity

The exploit that FROST used was called a contention side channel, which calculates the communication of other processes all using a given resource. By measuring input-output (I/O) time of SSD operations that a visitor uses, the experts found out websites opened in different tabs and browsers; even the applications that were opened on the user device. FROST doesn’t need any communication from the visitor but only requires opening the site hosting the exploit.

The attack tactic

According to the researchers, “Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications.” They also said that “companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser.” 

The impact

The authors also noted that, "while these features enhance the capabilities of web applications and allow completely novel use cases, they also increase the browser’s attack surface, and some have already been shown to introduce new vulnerabilities.”

About the exploit

The attack is different to older contention-side channel attacks on SSDs. FROST runs only in the browser and uses JavaScript that communicated with OPFS (origing private file system), a dedicated storage space that is kept for a particular site to rune codes needed to do a given task. Sites can make one with zero communication required by the user.

“The attacker continuously measures SSD contention by performing random reads from a large OPFS file. SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model,” said the researchers. 

Read more »
Phishing
AI Bug Cloud Cyber Attacks Data KnowledgeDeliver Phishing

Hackers Exploit KnowledgeDeliver Bug to Install Web Shells


Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS to install the Godzilla. The bug is a deserialization problem tracked as CVE-2026-5426 and can be abused without verification. It originates from the use of “shared hardcoded machine key in the web portal configuration,” said Bleeping Computer, throughout all KnowledgeDeliver consumer deployments. 

Deserialization of ViewState

Hackers found the stolen machine key and used it in ViewState deserialization campaigns to sign infected ViewState payloads and launch remote code execution (RCE) at the OS level. 

In 2025, Mandiant responded to a campaign on a KnowledgeDeliver server and said that in the beginning, the bug was abused as a zero-day to deploy a compromised script into the web platform.

Attack tactic

The compromise was also possible as threat actors used “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the experts said. 

According to Mandiant, “KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.”

Experts said that the code on the platform lured users to download a malicious installer, which compromised the machine with a Cobalt Strike beacon by deploying a backdoor. 

The encrypted payload used a key “that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant report said.

Similar attacks in 2025

In August last year, experts from ASEC also disclosed that Godzilla was planted in ASP.NET environments in ViewState deserialization attacks against firms in the finance industry.

Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.

Hackers targeting unsecured machines

In recent years, threat actors are increasingly exploiting unsafe  machine keys in Viewstate deserialization attacks against web platforms for a few products.

Threat actors utilized a hardcoded machine key in March of last year to create a malicious payload that gave them access to Gladinet CenterStack's secure file-sharing servers.

After obtaining the machine key to generate signed malicious ViewState payloads, hackers gained access to 85 Microsoft SharePoint systems in July 2025.

Additionally, state-sponsored actors utilized ViewState deserialization assaults to install WeepSteel, a spying tool that revealed the ASP.NET machine key on Sitecore servers.

Read more »
YouTube
Cloud Data Instagram Meta Roblox Technology TikTok YouTube

Media Regulators Call Out Youtube, TikTok for Ignoring Child Safety

Media Regulators Call Out Youtube, TikTok for Ignoring Child Safety

According to a report by Ofcom, YouTube and TikTok have failed to implement steps to safeguard British children from harmful online content. Data suggests widespread exposure to underage kids on these platforms. 

TikTok, YouTube ignoring child safety

Ofcom media regulators said none of the company made any serious efforts to make recommendations feeds/explore pages safer, despite proof that these platforms are the main entry point through which underage kids face harm. 

Platforms not safe enough

Ofcom said the platforms are “not safe enough”. The report comes after Ofcom’s call for stricter action on children’s online safety, saying Roblox, meta, and Snap had each complied to stronger anti-grooming actions.

TikTok said it was quite disappointing that Ofcom didn’t acknowledge its safety measures, whereas Youtube said it worked with child safety researchers to give industry grade, age-appropriate experiences for children. 

About the Ofcom report

Ofcom’s latest report explains how five large social media and video platforms responded to its call for safety measures. The report said that, "Notably, TikTok and YouTube failed to commit to any significant changes to reduce harmful content being served to children, maintaining their feeds are already safe for children.” Ofcom added, "Our wealth of evidence, published today, suggests they are still not safe enough."

What did YouTube and TikTok say?

Responding to the criticism, YouTube and TikTok said that safety measures already existed. YouTube’s short-form video timer allowed parents to control scrolling time for Shorts feed, whereas TikTok stopped direct messaging (DM) for under-16 children.

Governments have taken measures to address online child safety. UK PM Keir Starmer has urged social media platforms to take greater responsibility. Britain is discussing tighter restrictions, this includes a potential ban on under-16 children that use social media, inspired from Australia's landmark decision that tackled addictive design features. 

According to social media analyst Matt Navarra, the report has shown a shift in how we perceive online harm as a “product problem.” Earlier, the debate was, “did the platform remove harmful content quickly enough?' - the new one has shifted towards, 'why did the platform show it to a child in the first place?”

What does the data say?

Ofcom reported that 73% of 11-17 year olds were exposed to malicious content for four weeks, primarily through recommendation feeds. TikTok was the most cited, followed by YouTube, Instagram and Snapchat. Experts stress that YouTube and TikTok said their existing platforms were adequate, but media regulators have found their feeds to be unsafe.

Read more »
Technology
AI Privacy Al Cyber Threats Data Security Technology

Al-Driven Attacks and Ransomware Surge Across the Americas in 01 2026

 


The cyber threat environment across the Americas experienced a sharp increase in sophisticated attacks during the first quarter of 2026, driven by the growing use of artificial intelligence, persistent ransomware activity, and heightened targeting of critical infrastructure sectors.

According to cybersecurity researchers, threat actors are increasingly integrating generative AI into their operations to streamline phishing campaigns, generate realistic deepfake content, and speed up attack execution. Simultaneously, ransomware groups, hacktivists, and nation-state-backed actors intensified their focus on organizations operating in healthcare, manufacturing, energy, utilities, and government sectors throughout North and Latin America.

To address these emerging risks, Cyble is scheduled to host a live webinar on May 28, 2026. The session will examine major cyber threats, adversary tactics, and evolving attack patterns that shaped the Americas' cybersecurity landscape during Q1 2026.

A key trend observed during the quarter was the increasing adoption of AI technologies by cybercriminals and advanced threat actors.

Generative AI is now being used to craft highly personalized phishing emails, create fake digital identities, produce convincing deepfakes, and automate large-scale social engineering campaigns. Security experts caution that these tactics are making malicious activities harder to detect while improving the effectiveness of phishing and credential theft attacks.

Researchers also found that AI is helping attackers accelerate reconnaissance efforts and exploit vulnerabilities more efficiently, allowing them to target a greater number of victims in less time. As these capabilities continue to evolve, organizations face mounting pressure to strengthen threat detection systems and enhance incident response strategies.

Critical infrastructure remained a major target throughout Q1 2026. Healthcare organizations, utility providers, energy companies, manufacturers, and government agencies continued to face sustained attacks from ransomware operators, hacktivist groups, and nation-state adversaries.

Cybersecurity analysts highlighted growing concerns surrounding operational technology (OT) environments, where attacks have the potential to disrupt essential services. In addition, supply chain weaknesses and third-party security risks continued to create significant challenges for infrastructure operators.

Experts suggest that many of these attacks are no longer motivated solely by financial gain. Increasingly, campaigns are being linked to geopolitical objectives, intelligence collection efforts, and attempts to disrupt strategically important industries and national infrastructure.

Threat intelligence gathered during the quarter revealed continued activity from nation-state groups associated with China, Russia, Iran, and North Korea.

These actors maintained cyber espionage campaigns targeting organizations across the Americas through vulnerability exploitation, malware deployment, credential theft, and intelligence-gathering operations. Government institutions, critical infrastructure operators, and large enterprises remained among their primary targets.

Security specialists note that ongoing geopolitical developments continue to shape cyber activity, underscoring the importance of proactive risk monitoring and stronger organizational resilience against advanced threats.

Ransomware and Dark Web Ecosystems Remain Active

Despite increased attention on AI-enabled threats, ransomware continued to be one of the most damaging cybersecurity challenges during Q1 2026.

Attackers persisted in using double-extortion methods, data theft, and operational disruption tactics against organizations across a wide range of industries. Researchers also reported continued activity on dark web marketplaces and underground forums, where stolen credentials, unauthorized access data, and cyberattack tools are frequently traded.

Hacktivist groups remained active as well, particularly in campaigns connected to regional and political conflicts.

As a result, many security teams are placing greater emphasis on real-time threat intelligence, attack surface management, and proactive monitoring to identify risks before they escalate.

The upcoming webinar will feature insights from Kaustubh Medhe, Head of Research & Intelligence at Cyble, Brian Osterman, Senior Solutions Engineer for the U.S. region, and moderator Mihir Bagwe.

Participants will gain insights into ransomware developments, AI-powered cyber threats, nation-state operations, and practical strategies for improving cyber resilience throughout 2026.

Registered attendees will also receive a complimentary copy of the Americas Threat Landscape Report – Q1 2026.
Read more »
WhatsApp
Bugs Cloud Data Meta Technology WhatsApp

WhatsApp Fixed Two Security Bugs via It's Bug Bounty Program

WhatsApp Fixed Two Security Bugs via It's Bug Bounty Program

Meta recently released a security advisory in May revealing two bugs in WhatsApp were found through its bug bounty program. But these bugs were patched and were not exploited in the wild by the threat actors. Both bugs are now patched.

About two bugs

The first bug is tracked as CVE-2026-23863, a Windows specific problem. This bug was maliciously crafted with hidden “NUL BYTES” hidden within the filename, to trick WhatsApp into showing it as one filetype such as an authorized PDF while pretending to be running as an executable once opened. Meta fixed this patch in April on both platforms.

The second vulnerability, tracked as CVE-2026-23866 impacted both android and iOS users. The attack tactic involved partial authorization of AI rich response texts for Instagram Reels shared within Whatsapp. A threat actor could possible launch another user’s device to access media content through an arbitrary URL, such as launching OS level custom URL scheme handles. This flaw was patched in April on both platforms.

Severity

The two bugs were given medium severity by researchers. WhatsApp has verified that no bug was abused.

Both were rated medium severity, and WhatsApp confirmed there's no evidence either was actually abused.

The impact

These kind of reporting get sidelined by glossy and infamous threat. For instance the recent SMS pumpoing attacks increasing phone bills, or phishing campaigns that used messaging apps as entry points, and lastly the attack on educational institutes that compromised Canvas and Instructure, leaking hundreds of GBs of data.

But Whatsapp did a good job in finding and fixing the flaw before cybercriminals could exploit them and cause harm. The bug bounty program of WhatsApp has been going on for fifteen yesr, and the recent patches show it it is still reliable.

What should users do?

Simple advice: always keep your phones and app updated. 

There has never been a better moment to use secure communications services like WhatsApp or Signal. The truth is that Meta does a great job of keeping the app and its users safe and secure, despite some security concerns of its own, such as the recently reported phishing attempts using the encrypted messenger as part of the exploit chain and a spyware threat targeting iOS users.

Read more »
Data Leak
AI Bug Management Cloud Cyber Security Data Data Leak

9-Year-Old Linux bug Found by Researchers, Could Leak Data


Experts have revealed details of a bug in the Linux kernel that stayed unnoticed for nine years. The flaw is tracked as CVE-2026-46333 (CVSS score: 5.5). 

Improper bug management 

The incident is improper privilege management that could have allowed threat actors to reveal sensitive data as unprivileged local users and launch arbitrary commands on default installs such as Ubuntu, Debian, and Fedora. Its alias is aka ssh-keysign-pwn.

Vulnerability existed since 2016

Cybersecurity firm Qualys found the flaw. Since November 2016, the problem has been present in mainstream Linux (v4.10-rc1). 

Distribution updates and upstream patches are already accessible. There are publicly available working exploits, thus administrators should install vendor kernel upgrades right away, Qualys said.

Privilege compromise tactic

TRU discovered a small window in which a privileged process that is dropping its credentials can still be accessed through ptrace-family operations, despite the fact that its dumpable flag should have blocked that path, during ongoing study into Linux kernel privilege boundaries.  

Qualys also added that an attacker can obtain open file descriptors and authenticated inter-process channels from a dying privileged process and utilize them under their own uid by combining this window with the pidfd_getfd() syscall (introduced in v5.6-rc1, January 2020)

What is successful exploit?

Successful bug exploit can allow a local threat actor to reveal /etc/shadow and ho'st private keys under /etc/ssh/*_key, and deploy arbitrary commands as root via four distinct hacks attacking ssh-keysign, accounts-daemon, chage, and pkexec.

PoC exploit

The bug reveal is a proof-of-concept (PoC) exploit for the bug. It was released recently, and soon after, a public kernel surfaced. CVE-2026-46333 is the latest security bug revealed in Linux after Dirty Frag, Fragnesia, and Copy Fail in recent months.

How to stay safe

Experts have advised to use the latest kernel update released by Linux distributions. If users are unable to do it immediately, temporary patchwork includes raising "kernel.yama.ptrace_scope" to 2.
Qualys added, "On hosts that have allowed untrusted local users during the exposure window, treat SSH host keys and locally cached credentials as potentially disclosed. Rotate host keys and review any administrative material that lived in the memory of set-uid processes,” Qualys said.

Incident impact

The incident happened after the release of a PoC for a local privilege exploit known as PinTheft that lets local hackers get access to root privileges on Arch Linux systems. The hack requires the Reliable Datagram Sockets (RDS) module to be deployed on the victim system, readable SUID-root-binary, io_ring enabling, and x86_64 support for the given payload.

Read more »
Tech
Banks Cyber Security Data Data Leak digital scam identity Scam Tech

High Court Squashes Ban for Sim-Swap Fraud, Says Zero Customer Liability


In an important ruling amid surging digital financial fraud attacks, the Bombay HC sided with the customer protection norms. It directed Bank of Baroda to return Rs. 1.24 crore to the victim private firm that lost money in a SIM-swap case. The court stressed that if a consumer reports fraud promptly in time, “zero liability” is ruled, and the bank must reimburse the losses.                 

Private company reported the incident immediately

The order was given by a division bench of the HC, which included Justices Manjusha Deshpande and Bharati Dangre, when private company PNP Polytex (based in Mumbai) submitted a petition. Polytex alleged that Rs.1.24 crore had been stolen from its bank accounts illegally and without knowledge. 

About court proceedings

As per the submissions to the court, the firm informed the bank soon after finding malicious transactions and asked the accounts to be frozen. The bank could only save Rs. 47.8 lakh, the remaining money was already stolen by the hackers. After this, the firm moved to HC for help.

Later, enquiry revealed that the scam was done using a SIM-swap tactic, where hackers get control of the target’s registered contact number. This lets the hackers intercept OTPs and do banking transactions without the account owner's consent and knowledge. The high court found that the scam was done by third-parties, and showed no evidence of negligence on consumer’s end.

What is RBI’s zero liability rule?

During the proceedings, the court referred to the July 6, 2017 statement given by the RBI, which laid down the customer protection guidelines in incidents of illegal electronic banking transactions. According to the circular, the consumers are entitled to zero liability if they report fraud transactions within 72 hours (three days).

In the judgement, the high court stressed that if a customer informs the bank about a scam or fraud, it is the duty of the bank to return the disputed amount back to the victim’s account. The court also said that the burden of proving customer negligence is on the bank too.  

The court rejected the bank's defenses that it had followed the due process and security measures, and the bench  labelled the argument as a “lame excuse,” saying that such mechanisms become powerless when a SIM card is hacked. The court also attributed another ruling in an incident where HDFC bank was held liable under similar situations. 

Bank will return stolen amount with interest

After revising the previously frozen funds, the High Court ordered the bank to return the remaining sum plus 6% interest within eight weeks. 

Read more »
User Safety
AI ChatGPT Cloud Data GenAI Internet Tech Technology User Safety

New ChatGPT Settings Will Improve User Privacy and Data Training


Almost everyone has used ChatGPT now. Sometimes we share our personal information and files with the Chatbot. 

Do not feed your personal info to AI bots

To be safe, users should avoid feeding personal data to the AI, as it can be misused, and there are thousands of cases now. Users at the receiver end can not do much except using multifactor authentication, and creating a strong password and using two-factor authentication. But users can be happy now that a new feature is available to individual ChatGPT users.

What is Advanced Account Security

The new feature is called Advanced Account Security, it aims to provide better security to your account and protect your data. The option is aimed for security-minded users like journalists, politicians, activists, and researchers. 

With better security, Advanced Account Security provides four setting standards. The first one requires using a passkey or physical security key to log in. The second one requires better tactics to recover an account besides SMS or email authorization. In the third setting, our active session with an AI chatbot is limited to restrict its exposure. The fourth setting protects your chats from AI misuse.

About new safety settings

1. Use passkeys to avoid unauthorized access. Advanced Account Security asks for signing in with a passkey. Users can set up either one or both, but will also have to create two authentication methods.

2. Two-factor authentication for securing your account will help in recovering lost data. However, SMS and Email authentication are vulnerable to attacks. Advanced Account Security disables these two methods, so users are sometimes helpless.

3. Try to shorten your login sessions. Longer sessions are more exposed to malware or cyberattacks.

4. Turn off AI training. ChatGPT uses your conversations for AI training and learns to be human. But this capability is a risk to user privacy.

Enterprise support soon

Advanced Account Security protects users in Codex  if they use it to make and fine tune their code. Currently, this feature is only available to paid and free ChatGPT users with their personal accounts. However, OpenAI has said it is planning to expand it to the enterprise public.

Advanced Account Security also protects you in Codex if you use it to develop and fine-tune your own code. For now, the feature is available to free and paid ChatGPT users with their own accounts. But OpenAI said it expects to expand it to the enterprise crowd.

Read more »
Technology
cloud act Data Digital Sovereignty Europe Microsoft Technology

Europe Pushes to Reduce Dependence on U.S. Tech as Sovereign Digital Infrastructure Gains Momentum

 




Several European governments are trying to reduce their dependence on American software, cloud platforms, and digital infrastructure as debates around data control, political influence, and technological independence become more intense across the region.

The situation has exposed contradictions in Europe’s relationship with U.S. technology companies. Microsoft chief executive Satya Nadella has largely stayed away from the kind of political messaging often associated with Alex Karp. Despite this difference, France has started moving parts of its public systems away from Microsoft Windows while simultaneously renewing contracts linked to Palantir Technologies through its domestic intelligence agency.

This complicated approach shows how Europe is attempting to distance itself from American tech firms without fully breaking away from them. Many governments now believe that relying too heavily on foreign technology companies can also mean depending on foreign laws, political priorities, and corporate influence. Still, Europe’s response has not followed one common strategy, with many actions appearing fragmented or reactive.

Much of the debate intensified after the U.S. passed the CLOUD Act in 2018 during President Donald Trump’s first term. The law gives American authorities the ability to request data from U.S.-based technology companies even if that information is stored outside the United States. For European officials, this raised concerns that storing data inside Europe may no longer be enough to fully protect sensitive information from foreign legal access.

Healthcare data quickly became one of the strongest examples used in these discussions. Medical records are considered among the most sensitive forms of information governments hold because they contain deeply personal details tied to citizens. Even after the CLOUD Act came into force, the United Kingdom partnered with companies including Google, Microsoft, and Palantir Technologies during the COVID-19 pandemic for projects involving National Health Service data.

Critics have argued that such partnerships could expose public-sector information to outside influence. France later decided that its Health Data Hub would stop using Microsoft Azure infrastructure and move toward what officials described as a sovereign cloud model. The contract was awarded to Scaleway, a cloud provider owned by French telecommunications group Iliad. Scaleway has also been expanding its network of data centers across Europe.

Scaleway later became one of four companies selected in a €180 million sovereign cloud contract backed by the European Commission. The program is intended to support cloud services that operate under European legal and regulatory standards. Notably, the European Sovereign Cloud initiative launched by Amazon Web Services was not included among the selected providers, even though Amazon created the project to answer European concerns about digital sovereignty.

Questions have also emerged around whether some so-called sovereign alternatives remain partly tied to American technology companies underneath. Some observers pointed to S3NS, a joint venture involving French defense company Thales Group and Google Cloud. Critics worry that arrangements like these could still leave room for indirect U.S. access or legal exposure despite being promoted as trusted European solutions.

Europe has faced similar problems in the search engine market. French search company Qwant was previously recommended for public servants in France while relying on Microsoft Bing’s underlying search infrastructure. The relationship later deteriorated after Qwant accused Microsoft of taking advantage of its dominant position in the market. Although French regulators declined to act against Microsoft, Qwant eventually started searching for alternatives on its own.

Qwant later partnered with German nonprofit search platform Ecosia to launch Staan, a Europe-based search index designed to reduce reliance on Google and Bing technologies. The project focuses on privacy and regional control over search infrastructure. Even so, both companies remain far smaller than their American competitors. Ecosia, despite having around 20 million users, still operates on a completely different scale compared to Google’s global user base.

One of the biggest problems facing European technology firms is market dominance from American companies. U.S. providers continue to control large parts of cloud computing, enterprise software, internet search, and artificial intelligence markets because of their global infrastructure, financial resources, and established ecosystems. European officials hope that large public-sector contracts could help regional providers compete more effectively.

Besides Scaleway, the European Commission’s sovereign cloud program also selected French companies Clever Cloud and OVHcloud, along with STACKIT. STACKIT was developed by the Schwarz Group, the parent company of Lidl, originally for its own internal systems before later being turned into a commercial cloud service.

Supporters of the initiative believe government-backed contracts could encourage more European companies to invest in domestic infrastructure instead of depending on foreign cloud providers. Backers of the program have also said the project aims to encourage digital solutions that align with European laws, governance rules, and privacy standards.

Still, Europe’s strategy of distributing contracts across several companies may create another challenge. While diversification could reduce dependence on one dominant provider and improve resilience, it may also make it harder for Europe to build a single technology giant capable of competing globally with firms such as Microsoft, Amazon, or Google.

Some critics also view sovereign tech partly as an economic strategy meant to keep European spending within the region. However, Europe’s attempts to move away from U.S. technology have not always translated into direct support for startups. In several cases, governments have instead turned toward open-source software alternatives.

France has already started replacing parts of its Windows-based systems with Linux. Public institutions in Germany, Denmark, Austria, and Italy are also exploring alternatives to Microsoft’s office software products through platforms such as LibreOffice.

Several governments have also embraced a “build instead of buy” approach by creating internal software tools. That strategy has faced criticism from parts of the technology and financial sectors. France’s Court of Auditors reportedly questioned spending linked to Visio, an internally developed platform intended to act as an alternative to Zoom and Microsoft Teams.

French newspaper Les Echos also reported frustration from parts of the country’s technology sector. Some critics argued that if governments themselves do not consistently adopt domestic technology tools, it becomes difficult to convince large private companies to do the same.

Many giants of European businesses continue selecting American technology providers when they offer stronger technical or commercial advantages. German airline Lufthansa chose Starlink for onboard internet services. Air France also selected Starlink despite partial ownership ties to the French and Dutch governments. Reports have additionally suggested that France’s national railway operator SNCF may eventually adopt similar services.

The debate around European alternatives has become particularly visible in satellite communications. During a disagreement involving Poland, Elon Musk stated publicly that “there is no substitute for Starlink.” European governments are now trying to prove otherwise by investing in domestic telecommunications and space infrastructure projects.

Public sentiment has also started influencing the discussion. After President Trump threatened to take control of Greenland, applications encouraging consumers to boycott American products surged in popularity on Denmark’s App Store rankings. The reaction showed that calls to reduce dependence on U.S. companies are no longer limited to policymakers and regulators.

Pressure is also building on European governments to reconsider contracts involving controversial American firms. Palantir’s recent public messaging and political positioning have drawn criticism inside parts of the European Union and the United Kingdom. At the same time, many European officials and citizens have started distancing themselves from X, formerly Twitter, because of growing dissatisfaction around platform governance and political discourse.

American technology companies have also shown that Europe is not always their top commercial priority. When Meta delayed the European release of Threads because of regulatory concerns tied to EU laws, it reinforced the perception that large U.S. firms can afford to deprioritize the region when legal requirements become too restrictive.

At the same time, this environment is opening new opportunities for companies building products specifically designed for European markets, languages, and legal standards. Supporters of the EuroStack initiative are pushing for rules that would encourage or require public institutions to purchase locally developed technology whenever possible.

Backers of sovereign tech also hope European companies can eventually compete internationally rather than only within domestic markets. French artificial intelligence company Mistral AI has reportedly experienced strong revenue growth as some businesses search for alternatives to OpenAI. Meanwhile, the governments of Canada and Germany are supporting cooperation between Cohere and Aleph Alpha to create what supporters describe as a transatlantic AI platform for governments and businesses.

As geopolitical tensions continue reshaping the global technology industry, some companies are discovering that not being American, Chinese, or Russian is itself becoming a commercial advantage in international markets.

Read more »
Robinhood phishing scam
Cybersecurity Data Phishing Attack Robinhood email exploit Robinhood login alert Robinhood phishing scam

Robinhood Email System Exploited to Deliver Phishing Messages Through Legitimate Alerts

 

Online trading platform Robinhood recently faced a phishing campaign in which cybercriminals manipulated its account creation process to send fake security alerts through legitimate company emails. The incident caused confusion among users, as the fraudulent messages appeared to come directly from Robinhood’s official email system.

The phishing emails carried the subject line “Your recent login to Robinhood” and warned recipients about an “Unrecognized Device Linked to Your Account.” The messages included suspicious IP addresses and partially hidden phone numbers to create a sense of urgency and authenticity.

"We detected a login attempt from a device that is not recognized," reads the phishing email. "If this was not you, please review your account activity immediately to secure your account."

Recipients were directed to click a button labeled “Review Activity Now,” which redirected users to a phishing domain designed to steal login credentials. The malicious site has since been taken offline, though screenshots shared on Reddit suggested it was being used to capture Robinhood account details.

What made the attack particularly convincing was that the emails originated from Robinhood’s legitimate email address, noreply@robinhood.com
, and successfully passed SPF and DKIM authentication checks commonly used to verify email legitimacy.

According to findings by BleepingComputer, attackers exploited a weakness in Robinhood’s onboarding workflow that failed to properly sanitize HTML input during account registration.

During the signup process, Robinhood automatically sends a “Your recent login to Robinhood” notification containing information such as device details, IP address, login time, and approximate location. Threat actors reportedly manipulated the device metadata field by inserting malicious HTML code, which was later rendered inside the email.

This caused the “Device” section of the message to display a fake warning about suspicious account activity, effectively embedding a phishing alert into a legitimate email template.

Researchers believe the attackers may have used previously leaked customer email lists to target existing Robinhood users. In 2021, Robinhood experienced a breach that affected nearly 7 million customers, with stolen information later appearing for sale on hacking forums.

The attackers also reportedly took advantage of Gmail’s dot aliasing feature, which allows email addresses with added periods to still route to the same inbox. This method enabled cybercriminals to create multiple Robinhood accounts using slight variations of real customer email addresses while ensuring delivery to the intended victims.

As a result, many recipients received what looked like a genuine Robinhood login notification containing a fraudulent warning about “unrecognized activity” and instructions to review their accounts immediately.

Robinhood later addressed the incident publicly on X.

"On Sunday evening, some customers received a falsified email from noreply@robinhood.com
 with the subject line 'Your recent login to Robinhood.'," posted RobinHood.

"This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted."

The company has since resolved the vulnerability by removing the abused Device field from account creation emails. Robinhood also advised affected users to delete the suspicious email and avoid interacting with any embedded links.
Read more »
UNC1069
Axios Backdoor Cyber Crime Data North Korea UNC1069

North Korean Hackers Target Axios, Steal Cryptocurrency in a Massive Attack


Threat actors from North Korea hacked software used by organizations in the US to steal cryptocurrency to fund North Korea's nuclear and missile programs. Experts found 135 devices across 12 organizations hacked; however, the list of victims can increase. The investigation may take months to uncover full details of the campaign. 

Axios attacked

Hackers targeted Axios, a famous open-source JavaScript library that developers use to oversee HTTP requests. The North Korean gang accessed organizations' systems via malware that opens backdoor access to OS. Hackers targeted two versions of Axios that were downloaded over 183 million times each week; organizations that downloaded it during the particular time period were exposed to the attack.

About the incident 

Hackers with ties to Pyongyang gained access to the account of a software engineer who oversees the open-source program Axios on Tuesday for at least three hours. According to the report, the attackers used that access to send infected updates to any company that had downloaded the software at the time. This caused the software developer to rush to take back control of his account while cybersecurity executives nationwide attempted to determine the extent of the damage.

The impact 

While the full damage may take months to fix, experts believe that hundreds of thousands of business secrets have already leaked, which can make it one of the worst data breaches. 

About UNC1069

The North Korean group, suspicious of hacking Axios is called UNC1069. Since 2018, the gang has attacked the finance industry. Mandiant believes that the hackers will "try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises,"

Why are attacks on the rise from North Korea

Hacking has become a staple of North Korea. The revenue generated from these cyberattacks funds the country’s nuclear and missile programs to the point that these plans are half funded through hacking. In recent years, state-sponsored hackers have stolen billions of dollars from banks and cryptocurrency firms. This includes the infamous (and record-breaking) $1.5 billion crypto theft in 2025 in a single attack. 

Most deadly cyberattack in history

The recent attack was the most advanced supply chain effort to date, cleaning its tracks after installing the payload on the target device. It made detection difficult for developers who unknowingly downloaded the malicious software. Experts say that UNC1069 is not even trying to hide anymore, they just disappears before detection. 

Read more »
phishing
Banks Brazil Data JanelaRAT malware Mexico phishing

JanelaRAT Malware Attacks Banks in Brazil and Mexico, Steals Data


Banks in Latin American countries such as Mexico and Brazil have been victims of continuous malware attacks by a strain called JanelaRAT. 

An upgraded variant of BX RAT, JanelaRAT, can steal cryptocurrency and financial data from financial organizations, trace mouse inputs, log keystrokes, collect system information, and take screenshots.  

In a recent report, Kaspersky said, “One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims' browsers and perform malicious actions.” The hackers behind the JanelaRAT attacks constantly modify the malware versions by adding new features. 

Security

Telemetry data collected by a Russian cybersecurity firm suggests that around 11,695 attacks happened in Mexico and 14,739 in Brazil in 2025. We do not know how many of these led to a successful exploit. 

In June 2023, Zscaler first discovered JanelaRAT in the wild, leveraging ZIP archives containing a VBScript to download another ZIP file, which came with a genuine executable and a DLL payload. The hacker then deploys the DLL side-loading tactic to launch the malware. 

Distribution tactic

An analysis by KPMG in 2025 revealed that the malware is circulated via rogue MSI installer files impersonating as a legit software hosted on trusted sites like GitLab. 

"Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch,” KPMG said. "These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components."

The scripts are also made to recognize installed Chromium-based browsers and secretly configure their launch parameters to install the extension. The browser add-on collects system data, cookies, browsing history, tab metadata, and installed extensions. It also triggers actions depending upon URL pattern matches. 

Phishing campaign

The recent malware campaign found by Kaspersky reveals that phishing emails disguised as due invoices are used to lure recipients into downloading a PDF file by opening a link, causing the download of a ZIP archive that starts the attack chain, including DLL side-loading to deploy JanelaRAT.

Since May 2024, JanelaRAT malware has moved from VBScripts to MSI installers, which work as a dropper for the trojan via DLL side-loading and build persistence in the victim system by making a Windows Shortcut (LNK) in the Startup folder that leads to the executable. 

Victim tracking

According to Kaspersky, “The malware determines if the victim's machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input.” 

If the inactivity is over ten minutes, “the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user's presence and routine to time possible remote operations," Kaspersky said.

Read more »
malware
AI Cloud Data GlassWorm Internet malware

GlassWorm Malware Campaign Attacks Developer IDEs, Steals Data


About GlassWorm campaign 

Cybersecurity experts have discovered another incident of the ongoing GlassWorm campaign, which uses a new Zig dropper that's built to secretly compromise all integrated development environments (IDEs) on a developer's system. 

The tactic was found in an Open VSX extension called "specstudio.code-wakatime-activity-tracker”, which disguised as WakaTime, a famous tool that calculates the time programmes spend with the IDE. The extension can not be downloaded now. 

Attack tactic 

In previous attacks, GlassWorm used the same native compiled code in extensions. Instead of using the binary as the payload directly, it is deployed as a covert indirection for the visible GlassWorm dropper. It can secretly compromise all other IDEs that may be present in your device. 

The recently discovered Microsoft Visual Studio Code (VS Code) extension is a replica (almost).

The extension installs a universal Mach-O binary called "mac.node," if the system is running Apple macOS, and a binary called "win.node" for Windows computers.

Execution 

These Zig-written compiled shared libraries that load straight into Node's runtime and run outside of the JavaScript sandbox with complete operating system-level access are Node.js native addons.

Finding every IDE on the system that supports VS Code extensions is the binary's main objective once it has been loaded. This includes forks like VSCodium, Positron, and other AI-powered coding tools like Cursor and Windsurf, in addition to Microsoft VS Code and VS Code Insiders.

Malicious code installation 

Once this is achieved, the binary installs an infected VS Code extension (.VSIX) from a hacker-owned GitHub account. The extension, known as “floktokbok.autoimport”, imitates “steoates.autoimport”, an authentic extension with over 5 million downloads on the office Visual Studio Marketplace.

After that, the installed .VSIX file is written to a secondary path and secretly deployed into each IDE via editor's CLI installer. 

In the second-stage, VS Code extension works as a dropper that escapes deployment on Russian devices, interacts with the Solana blockchain, gets personal data, and deploys a remote access trojan (RAT). In the final stage, RAT installs a data-stealing Google Chrome extension. 

“The campaign has expanded repeatedly since then, compromising hundreds of projects across GitHub, npm, and VS Code, and most recently delivering a persistent RAT through a fake Chrome extension that logged keystrokes and dumped session cookies. The group keeps iterating, and they just made a meaningful jump,” cybersecurity firm aikido reported. 

Read more »
Technology
Claude Cloud Copilot Data GenAI Microsoft Technology

Microsoft Releases AI Upgrades, Launches Copilot Cowork to Early Access Customers


In an effort to enhance its AI offering and increase adoption, Microsoft (MSFT.O) recently introduced new features in its Copilot research assistant that would enable users to employ various AI models concurrently within the same workflow.

Instead of relying on a single model, Copilot's Researcher agent can now pull outputs from both OpenAI's GPT and Anthropic's Claude models for each response, thanks to a new feature called "Critique."

According to Microsoft, Claude will check the quality and correctness of the response before GPT provides it to the user. In the future, the business hopes to make that workflow bidirectional so that GPT may also evaluate Claude's writings.

"Having different models from ​different vendors in Copilot is highly attractive - but we're taking this to the next level, where customers actually get the benefits of the models working together," Nicole Herskowitz, VP of Copilot and  Microsoft, said to Reuters. 

The multi-model strategy will assist in increasing productivity and quality for customers by accelerating user workflow, controlling AI hallucinations, which occur when systems give incorrect information, and producing more dependable outputs.

Additionally, Microsoft is introducing a feature called "Council" that will let users compare results from various AI models side by side. The updates coincide with Microsoft expanding access to its new Copilot Cowork agentic AI tool for members of its "Frontier" program, which gives users early access to some of its most recent AI innovations.

According to Jared Spataro, Microsoft's AI-at-Work efforts leader, “We work only in a cloud environment, and we work only on behalf of the user. So you know exactly what information it (Copilot Cowork) has access ​to.”

On Monday, the company's stock increased by almost 1%. However, as investor confidence in AI declines, the stock is poised for its worst quarter since the global financial crisis of 2008, with a nearly 25% decline.

Microsoft capitalized on the increasing demand for autonomous AI agents earlier this month by releasing Copilot Cowork, a solution based on Anthropic's popular Claude Cowork product, in testing mode.

In the face of fierce competition from rivals like Google (GOOGL.O), the new tab Gemini, and autonomous agents like Claude Cowork, the Windows manufacturer has been rushing to enhance its Copilot assistant to promote greater usage.

Read more »
South Korea
Cloud Cyber Attacks Data GitHub phishing South Korea

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea


GitHub attacked by state-sponsored hackers 

Cyber criminals possibly linked with the Democratic People's Republic of Korea (DPRK) have been found using GitHub as a C2 infrastructure in multi-stage campaigns attacking organizations in South Korea. 

The operation chain involves hidden Windows shortcut (LNK) files that work as a beginning point to deploy a fake PDF document and a PowerShell script that triggers another attack. Experts believe that these LNK files are circulated through phishing emails.

Payload execution 

Once the payloads are downloaded, the victim is shown as the PDF document, while the harmful PowerShell script operates covertly in the background. 

The PowerShell script does checks to avoid analysis by looking for running processes associated with machines, forensic tools, and debuggers. 

Successful exploit scenario 

If successful, it retrieves a Visual Basic Script (VBScript) and builds persistence through a scheduled task that activates the PowerShell payload every 30 minutes in a covert window to escape security. 

This allows the PowerShell script to deploy automatically after every system reboot. “Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” S2W reported. 

The PowerShell script then classifies the attacked host, saves the response to a log file, and extracts it to a GitHub repository made under the account “motoralis” via a hard-coded access token. Few of the GitHub accounts made as part of the campaign consist of “Pigresy80,” "pandora0009”, “brandonleeodd93-blip” and “God0808RAMA.”

After this, the script parses a particular file in the same GitHub repository to get more instructions or modules, therefore letting the threat actor to exploit the trust built with a platform such as GitHub to gain trust and build persistence over the compromised host. 

Campaign history 

According to Fortnet, LNK files were used in previous campaign iterations to propagate malware families such as Xeno RAT. Notably, last year, ENKI and Trellix demonstrated the usage of GitHub C2 to distribute Xeno RAT and its version MoonPeak. 

Kimsuky, a North Korean state-sponsored organization, was blamed for these assaults. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate,” said researcher Cara Lin. 


Read more »
Subscribe to: Posts (Atom)