Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data. Show all posts
I fy
AI Cloud Cyber Crime Data espionage I fy

Infy Hackers Strike Again With New C2 Servers After Iran's Internet Shutdown Ends


Infy group's new attack tactic 

An Iranian hacking group known as Infy (aka Prince of Persia) has advanced its attack tactics to hide its operations. The group also made a new C2 infrastructure while there was a wave of internet shutdown imposed earlier this year. The gang stopped configuring its C2 servers on January 8 when experts started monitoring Infy. 

In reaction to previous protests, Iranian authorities implemented a nationwide internet shutdown on this day, which probably indicates that even government-affiliated cyber units did not have the internet. 

About the campaign 

The new activity was spotted on 26 January 2026 while the gang was setting up its new C2 servers, one day prior to the Iranian government’s internet restrictions. This suggests that the threat actor may be state-sponsored and supported by Iran. 

Infy is one of the many state-sponsored hacking gangs working out of Iran infamous for sabotage, spying, and influence campaigns coordinated with Tehran’s strategic goals. However, it also has a reputation for being the oldest and less famous gangs staying under the radar and not getting caught, working secretly since 2004 via “laser-focused” campaigns aimed at people for espionage.

The use of modified versions of Foudre and Tonnerre, the latter of which used a Telegram bot probably for data collection and command issuance, were among the new tradecraft linked to the threat actor that SafeBreach revealed in a report released in December 2025. Tornado is the codename for the most recent version of Tonnerre (version 50).

The report also revealed that threat actors replaced the C2 infrastructure for all variants of Tonnerre and Foudre and also released Tornado variant 51 that employs both Telegram and HTTP for C2.

It generates C2 domain names using two distinct techniques: a new DGA algorithm initially, followed by fixed names utilizing blockchain data de-obfuscation. We believe that this novel method offers more flexibility in C2 domain name registration without requiring an upgrade to the Tornado version.

Experts believe that Infy also abused a 1-day security bug in WinRAR to extract the Tornado payload on an infected host to increase the effectiveness of its attacks. The RAR archives were sent to the Virus Total platform from India and Germany in December 2025. This means the two countries may have been victims. 



Read more »
Technology
AI Apple Data Google Internet Microsoft Techno Technology

Experts Find Malicious Browser Extensions, Chrome, Safari, and Edge Affected


Threat actors exploit extensions

Cybersecurity experts found 17 extensions for Chrome, Edge, and Firefox browsers which track user's internet activity and install backdoors for access. The extensions were downloaded over 840,000 times. 

The campaign is not new. LayerX claimed that the campaign is part of GhostPoster, another campaign first found by Koi Security last year in December. Last year, researchers discovered 17 different extensions that were downloaded over 50,000 times and showed the same monitoring behaviour and deploying backdoors. 

Few extensions from the new batch were uploaded in 2020, exposing users to malware for years. The extensions appeared in places like the Edge store and later expanded to Firefox and Chrome. 

Few extensions stored malicious JavaScript code in the PNG logo. The code is a kind of instruction on downloading the main payload from a remote server. 

The main payload does multiple things. It can hijack affiliate links on famous e-commerce websites to steal money from content creators and influencers. “The malware watches for visits to major e-commerce platforms. When you click an affiliate link on Taobao or JD.com, the extension intercepts it. The original affiliate, whoever was supposed to earn a commission from your purchase, gets nothing. The malware operators get paid instead,” said Koi researchers. 

After that, it deploys Google Analytics tracking into every page that people open, and removes security headers from HTTP responses. 

In the end, it escapes CAPTCHA via three different ways, and deploy invisible iframes that do ad frauds, click frauds, and tracking. These iframes disappear after 15 seconds.

Besides this, all extensions were deleted from the repositories, but users shoul also remove them personally. 

This staged execution flow demonstrates a clear evolution toward longer dormancy, modularity, and resilience against both static and behavioral detection mechanisms,” said LayerX. 

The PNG steganography technique is employed by some. Some people download JavaScript directly and include it into each page you visit. Others employ bespoke ciphers to encode the C&C domains and use concealed eval() calls. The same assailant. identical servers. many methods of delivery. This appears to be testing several strategies to see which one gets the most installs, avoids detection the longest, and makes the most money.

This campaign reflects a deliberate shift toward patience and precision. By embedding malicious code in images, delaying execution, and rotating delivery techniques across identical infrastructure, the attackers test which methods evade detection longest. The strategy favors longevity and profit over speed, exposing how browser ecosystems remain vulnerable to quietly persistent threats.

Read more »
Ransomware
AI Black Basta Black Basta Ransomware Cloud Cyber Crime Data Ransomware

Federal Agencies Worldwide Hunt for Black Basta Ransomware Leader


International operation to catch Ransomware leader 

International law enforcement agencies have increased their search for individuals linked to the Black Basta ransomware campaign. Agencies confirmed that the suspected leader of the Russia-based Ransomware-as-a-service (RaaS) group has been put in the EU’s and Interpol’s Most Wanted list and Red Notice respectively. German and Ukrainian officials have found two more suspects working from Ukraine. 

As per the notice, German Federal Criminal Police (BKA) and Ukrainian National Police collaborated to find members of a global hacking group linked with Russia. 

About the operation 

The agencies found two Ukrainians who had specific roles in the criminal structure of Black Basta Ransomware. Officials named the gang’s alleged organizer as Oleg Evgenievich Nefedov from Russia. He is wanted internationally. German law enforcement agencies are after him because of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.”

According to German prosecutors, Nefedov was the ringleader and primary decision-maker of the group that created and oversaw the Black Basta ransomware. under several aliases, such as tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi. He is thought to have created and established the malware known as Black Basta. 

The Ukrainian National Police described how the German BKA collaborated with domestic cyber police officers and investigators from the Main Investigative Department, guided by the Office of the Prosecutor General's Cyber Department, to interfere with the group's operations.

The suspects

Two individuals operating in Ukraine were found to be carrying out technical tasks necessary for ransomware attacks as part of the international investigation. Investigators claim that these people were experts at creating ransomware campaigns and breaking into secured systems. They used specialized software to extract passwords from business computer systems, operating as so-called "hash crackers." 

Following the acquisition of employee credentials, the suspects allegedly increased their control over corporate environments, raised the privileges of hacked accounts, and gained unauthorized access to internal company networks.

Authorities claimed that after gaining access, malware intended to encrypt files was installed, sensitive data was stolen, and vital systems were compromised. The suspects' homes in the Ivano-Frankivsk and Lviv regions were searched with permission from the court. Digital storage devices and cryptocurrency assets were among the evidence of illicit activity that police confiscated during these operations.

Read more »
Technology
AI Apple Cloud Data Location Technology

Apple's New Feature Will Help Users Restrict Location Data


Apple has introduced a new privacy feature that allows users to restrict the accuracy of location data shared with cellular networks on a few iPad models and iPhone. 

About the feature

The “Limit Precise Location” feature will start after updating to iOS26.3 or later. It restricts the information that mobile carriers use to decide locations through cell tower connections. Once turned on, cellular networks can only detect the device’s location, like neighbourhood instead of accurate street address. 

According to Apple, “The precise location setting doesn't impact the precision of the location data that is shared with emergency responders during an emergency call.” “This setting affects only the location data available to cellular networks. It doesn't impact the location data that you share with apps through Location Services. For example, it has no impact on sharing your location with friends and family with Find My.”

Users can turn on the feature by opening “Settings,” selecting “Cellular,” “Cellular Data Options,” and clicking the “Limit Precise Location” setting. After turning on limited precise location, the device may trigger a device restart to complete activation. 

The privacy enhancement feature works only on iPhone Air, iPad Pro (M5) Wi-Fi + Cellular variants running on iOS 26.3 or later. 

Where will it work?

The availability of this feature will depend on carrier support. The mobile networks compatible are:

EE and BT in the UK

Boost Mobile in the UK

Telecom in Germany 

AIS and True in Thailand 

Apple hasn't shared the reason for introducing this feature yet.

Compatibility of networks with the new feature 

Apple's new privacy feature, which is currently only supported by a small number of networks, is a significant step towards ensuring that carriers can only collect limited data on their customers' movements and habits because cellular networks can easily track device locations via tower connections for network operations.

“Cellular networks can determine your location based on which cell towers your device connects to. The limit precise location setting enhances your location privacy by reducing the precision of location data available to cellular networks,”

Read more »
Technology
AI ai agents Corporate Data Technology

AI Agent Integration Can Become a Problem in Workplace Operations


AI agents were considered harmless sometime ago. They did what they were supposed to do: write snippets of code, answer questions, and help users in doing things faster. 

Then business started expecting more.

Slowly, companies started using organizational agents over personal copilots- agents integrated into customer support, HR, IT, engineering, and operations. These agents didn't just suggest, but started acting- touching real systems, changing configurations, and moving real data:

  • A support agent that gets customer data from CRM, triggers backend fixes, updates tickets, and checks bills.
  • An HR agent who overlooks access throughout VPNs, IAM, SaaS apps.
  • A change management agent that processes requests, logs actions in ServiceNow, updates production configurations and Confluence.
  • These AI agents automate oversight and control, and have become core of companies’ operational infrastructure

Work of AI agents

Organizational agents are made to work across many resources, supporting various roles, multiple users, and workflows via a single implement. Instead of getting linked with an individual user, these business agents work as shared resources that cater to requests, and automate work of across systems for many users. 

To work effectively, the AI agents depend on shared accounts, OAuth grants, and API keys to verify with the systems for interaction. The credentials are long-term and managed centrally, enabling the agent to work continuously. 

Threat of AI agents in workplace 

While this approach maximizes convenience and coverage, these design choices can unintentionally create powerful access intermediaries that bypass traditional permission boundaries.

Although this strategy optimizes coverage and convenience, these design decisions may inadvertently provide strong access intermediaries that go beyond conventional permission constraints. The next actions may seem legitimate and harmless when agents inadvertently grant access outside the specific user's authority. 

Reliable detection and attribution are eliminated when the execution is attributed to the agent identity, losing the user context. Conventional security controls are not well suited for agent-mediated workflows because they are based on direct system access and human users. Permissions are enforced by IAM systems according to the user's identity, but when an AI agent performs an activity, authorization is assessed based on the agent's identity rather than the requester's.

The impact 

Therefore, user-level limitations are no longer in effect. By assigning behavior to the agent's identity and concealing who started the action and why, logging and audit trails exacerbate the issue. Security teams are unable to enforce least privilege, identify misuse, or accurately assign intent when using agents, which makes it possible for permission bypasses to happen without setting off conventional safeguards. Additionally, the absence of attribution slows incident response, complicates investigations, and makes it challenging to ascertain the scope or aim of a security occurrence.

Read more »
malware
AI Cloud Data Google Ads Internet malware

n8n Supply Chain Attack Exploits Community Nodes In Google Ads Integration to Steal Tokens


Hackers were found uploading a set of eight packages on the npm registry that pretended as integrations attacking the n8n workflow automation platform to steal developers’ OAuth credentials. 

About the exploit 

The package is called “n8n-nodes-hfgjf-irtuinvcm-lasdqewriit”, it copies Google Ads integration and asks users to connect their ad account in a fake form and steal OAuth credentials from servers under the threat actors’ control. 

Endor Labs released a report on the incident. "The attack represents a new escalation in supply chain threats,” it said. Adding that “unlike traditional npm malware, which often targets developer credentials, this campaign exploited workflow automation platforms that act as centralized credential vaults – holding OAuth tokens, API keys, and sensitive credentials for dozens of integrated services like Google Ads, Stripe, and Salesforce in a single location," according to the report. 

Attack tactic 

Experts are not sure if the packages share similar malicious functions. But Reversing labs Spectra Assure analysed a few packages and found no security issues. In one package called “n8n-nodes-zl-vietts,” it found a malicious component with malware history. 

The campaign might still be running as another updated version of the package “n8n-nodes-gg-udhasudsh-hgjkhg-official” was posted to npm recently.

Once installed as a community node, the malicious package works as a typical n8n integration, showing configuration screens. Once the workflow is started, it launches a code to decode the stored tokens via n8n’s master key and send the stolen data to a remote server. 

This is the first time a supply chain attack has specially targeted the n8n ecosystem, with hackers exploiting the trust in community integrations. 

New risks in ad integration 

The report exposed the security gaps due to untrusted workflows integration, which increases the attack surface. Experts have advised developers to audit packages before installing them, check package metadata for any malicious component, and use genuine n8n integrations. 

The findings highlight the security issues that come with integrating untrusted workflows, which can expand the attack surface. Developers are recommended to audit packages before installing them, scrutinize package metadata for any anomalies, and use official n8n integrations.

According to researchers Kiran Raj and Henrik Plate, "Community nodes run with the same level of access as n8n itself. They can read environment variables, access the file system, make outbound network requests, and, most critically, receive decrypted API keys and OAuth tokens during workflow execution.”

Read more »
Trust Wallet
AI Binance cryptocurrency Data Data Breach Finance Google Trust Wallet

Trust Wallet Browser Extension Hacked, $7 Million Stolen


Users of the Binance-owned Trust wallet lost more than $7 million after the release of an updated chrome extension. Changpenng Zhao, company co-founder said that the company will cover the stolen money of all the affected users. Crypto investigator ZachXBT believes hundreds of Trust Wallet users suffered losses due to the extension flaw. 

Trust Wallets in a post on X said, “We’ve identified a security incident affecting Trust Wallet Browser Extension version 2.68 only. Users with Browser Extension 2.68 should disable and upgrade to 2.69.”

CZ has assured that the company is investigating how threat actors were able to compromise the new version. 

Affected users

Mobile-only users and browser extension versions are not impacted. User funds are SAFE,” Zhao wrote in a post on X.

The compromise happened because of a flaw in a version of the Trust Wallet Google Chrome browser extension. 

What to do if you are a victim?

If you suffered the compromise of Browser Extension v2.68, follow these steps on Trust Wallet X site:

  • To safeguard your wallet's security and prevent any problems, do not open the Trust Wallet Browser Extension v2.68 on your desktop computer. 
  • Copy this URL into the address bar of your Chrome browser to open the Chrome Extensions panel: chrome://extensions/?id=egjidjbpglichdcondbcbdnbeeppgdph
  • If the toggle is still "On," change it to "Off" beneath the Trust Wallet. 
  • Select "Developer mode" from the menu in the top right corner. 
  • Click the "Update" button in the upper left corner. 
  • Verify the 2.69 version number. The most recent and safe version is this one. 

Please wait to open the Browser Extension until you have updated to Extension version 2.69. This helps safeguard the security of your wallet and avoids possible problems.

How did the public react?

Social media users expressed their views. One said, “The problem has been going on for several hours,” while another user complained that the company ”must explain what happened and compensate all users affected. Otherwise reputation is tarnished.” A user also asked, “How did the vulnerability in version 2.68 get past testing, and what changes are being made to prevent similar issues?”

Read more »
Pirate of Payroll
AI Cloud Corporate Cyber Attacks Data Okta Pirate of Payroll

Okta Report: Pirates of Payrolls Attacks Plague Corporate Industry


IT helps desks be ready for an evolving threat that sounds like a Hollywood movie title. In December 2025, Okta Threat Intelligent published a report that explained how hackers can gain unauthorized access to payroll software. These threats are infamous as payroll pirate attacks. 

Pirates of the payroll

These attacks start with threat actors calling an organization’s help desk, pretending to be a user and requesting a password reset. 

“Typically, what the adversary will do is then come back to the help desk, probably to someone else on the phone, and say, ‘Well, I have my password, but I need my MFA factor reset,’” according to VP of Okta Threat Intelligence Brett Winterford. “And then they enroll their own MFA factor, and from there, gain access to those payroll applications for the purposes of committing fraud.”

Attack tactic 

The threat actors are working at a massive scale and leveraging various services and devices to assist their malicious activities. According to Okta report, cyber thieves employed social engineering, calling help desk personnel on the phone and attempting to trick them into resetting the password for a user account. These attacks have impacted multiple industries,

“They’re certainly some kind of cybercrime organization or fraud organization that is doing this at scale,” Winterford said. Okta believes the hackers gang is based out of West Africa. 

Recently, the US industry has been plagued with payroll pirates in the education sector. The latest Okta research mentions that these schemes are now happening across different industries like retail sector and manufacturing. “It’s not often you’ll see a huge number of targets in two distinct industries. I can’t tell you why, but education [and] manufacturing were massively targeted,” Winterford said. 

How to mitigate pirates of payroll attacks?

Okta advises companies to establish a standard process to check the real identity of users who contact the help desk for aid. Winterford advised businesses that depend on outsourced IT help should limit their help desks’ ability to reset user passwords without robust measures. “In some organizations, they’re relying on nothing but passwords to get access to payroll systems, which is madness,” he said.



Read more »
Subscribe to: Comments (Atom)