Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Security. Show all posts
IT Infrastructure
AI in cybersecurity AI Security Cyber Security Data protection data security Data security software enterprise AI IT Infrastructure

Rocket Software Research Highlights Data Security and AI Infrastructure Gaps in Enterprise IT Modernization

 

Stress is rising among IT decision-makers as organizations accelerate technology upgrades and introduce AI into hybrid infrastructure. Data security now leads modernization concerns, with nearly 70 percent identifying it as their primary pressure point. As transformation speeds up, safeguarding digital assets becomes more complex, especially as risks expand across both legacy systems and cloud environments. 

Aligning security improvements with system upgrades remains difficult. Close to seven in ten technology leaders rank data protection as their biggest modernization hurdle. Many rely on AI-based monitoring, stricter access controls, and stronger data governance frameworks to manage risk. However, confidence in these safeguards is limited. Fewer than one-third feel highly certain about passing upcoming regulatory audits. While 78 percent believe they can detect insider threats, only about a quarter express complete confidence in doing so. 

Hybrid IT environments add further strain. Just over half of respondents report difficulty integrating cloud platforms with on-premises infrastructure. Poor data quality emerges as the biggest obstacle to managing workloads effectively across these mixed systems. Secure data movement challenges affect half of those surveyed, while 52 percent cite access control issues and 46 percent point to inconsistent governance. Rising storage costs also weigh on 45 percent, slowing modernization and increasing operational risk. 

Workforce shortages compound these challenges. Nearly 48 percent of organizations continue to depend on legacy systems for critical operations, yet only 35 percent of IT leaders believe their teams have the necessary expertise to manage them effectively. Additionally, 52 percent struggle to recruit professionals skilled in older technologies, underscoring the need for reskilling to prevent operational vulnerabilities. 

AI remains a strategic priority, particularly in areas such as fraud detection, process optimization, and customer experience. Still, infrastructure readiness lags behind ambition. Only one-quarter of leaders feel fully confident their systems can support AI workloads. Meanwhile, 66 percent identify data accessibility as the most significant factor shaping future modernization plans. 

Looking ahead, organizations are prioritizing stronger data protection, closing infrastructure gaps to support AI, and improving data availability. Progress increasingly depends on integrated systems that securely connect applications and databases across hybrid environments. The findings are based on a survey conducted with 276 IT directors and vice presidents from companies with more than 1,000 employees across the United States, the United Kingdom, France, and Germany during October 2025.
Read more »
IoT
AI Cloud Cyber Security Data Data Leak IoT

Two AI Data Breaches Leak Over Billion KYC Records


About the leaks

Two significant data leaks connected to two AI-related apps have been discovered by cybersecurity researchers, exposing the private information and media files of millions of users worldwide. 

The security researchers cautioned that more than a billion records might be exposed in two different studies published by Cybernews, which were initially reported by Forbes. An AI-powered Know Your Customer (KYC) technology utilized by digital identity verification company IDMerit has been blamed for the initial leak. The business offers real-time verification tools to the fintech and financial services industries as part of its AI-powered digital identity verification solutions.

Attack tactic 

When the researchers discovered the unprotected instance on November 11, 2025, they informed the company right away, and they quickly secured the database. The cybersecurity researchers said, "Automated crawlers set up by threat actors constantly prowl the web for exposed instances, downloading them almost instantly once they appear, even though there is currently no evidence of malicious misuse." 

Leaked records

One billion private documents belonging to people in 26 different nations were compromised. With almost 203 million exposed data, the United States was the most impacted, followed by Mexico (124 million) and the Philippines (72 million). Full names, residences, postcodes, dates of birth, national IDs, phone numbers, genders, email addresses, and telecom information were among the "core personal identifiers used for your financial and digital life" that were made public.

According to researchers, account takeovers, targeted phishing, credit fraud, SIM swaps, and long-term privacy losses are some of the downstream hazards associated with this data leak. The Android software "Video AI Art Generator & Maker," which has received over 500,000 downloads on Google Play and has received over 11,000 reviews with a rating of 4.3 stars, is connected to the second leak. Due to a Google Cloud Storage bucket that was improperly configured, allowing anyone to access stored files without authentication, the app was discovered to be leaking user data. According to researchers, the app exposed millions of media assets created by users utilizing AI, as well as more than 1.5 million user photos and 385,000 videos.

The app was created by Codeway Dijital Hizmetler Anonim Sirketi, a company registered in Turkey. Previously, the company's Chat & Ask AI app leaked around 300 million messages associated with over 25 million users.

Read more »
Google security
Cyber Security Google Chrome Google Chrome HTTPS warning Google Chrome security Google Quantum Google security

Google Chrome Introduces Merkle Tree Certificates to Build Quantum-Resistant HTTPS

 

A fresh move inside Google Chrome targets long-term security of HTTPS links against risks tied to quantum machines. Instead of dropping standard X.509 certificates straight into the Chrome Root Store - ones using post-quantum methods - the team leans on an alternate design path. Speed stays high, system growth remains smooth, thanks to this structural twist shaping how protection rolls out online. 

The decision comes from Chrome’s Secure Web and Networking Team: conventional post-quantum X.509 certificates won’t enter the root program right now. Rather than adopt them outright, Google works alongside others on a different path - Merkle Tree Certificates (MTCs). Progress unfolds inside the PLANTS working group, shifting how HTTPS verification could function down the line. 

One way to look at MTCs, according to Cloudflare, is as an updated framework for how online trust systems operate today. Instead of relying on long chains of verification, these models aim to cut down excess - fewer keys, fewer signatures traded when devices connect securely. A key feature involves certification authorities signing just one root structure, known as a Tree Head, which stands in for vast groups of individual certificates. During a web visit, the user's browser gets a small cryptographic note confirming the site’s credentials live inside that larger authenticated structure. Rather than pulling multiple files across networks, only minimal evidence travels each time. 

One way this setup works is by fitting new quantum-resistant codes without needing much extra data flow. Large certificates often grow bulkier when using tougher encryption methods. Instead of linking security directly to file size, these compact certificates help maintain speed during secure browsing. With less information needed at connection start, performance stays high even under upgraded protection levels. 

Testing of MTCs is now happening, using actual internet data flows, alongside a step-by-step introduction schedule that runs until 2027. Right now, the opening stage focuses on checking viability through joint work with Cloudflare, observing how things run when exposed to active TLS environments. Instead of waiting, preparations are shifting ahead - by early 2027, those running Certificate Transparency logs, provided they had at least one accepted by Chrome prior to February 1, 2026, may join efforts to kickstart broader MTC availability. Moving forward, around late 2027, rules for admitting CAs into Google's new quantum-safe root store should be set, a system built only to handle MTC certificates. 

A shift like this one sits at the core of Google's approach to future-proofing online security. Rather than wait, the team is rebuilding trust systems so they handle both emerging risks and current efficiency needs. With updated certificates in place, stronger defenses can spread faster across services. Speed does not take a back seat - performance stays aligned with how people actually use browsers now.
Read more »
Homeland Security Investigations
Brick Industry Association Cyber Security dark web child abuse Flaming Alamo brick Greg Squire Homeland Security Investigations

How a Single Brick Helped Homeland Security Rescue an Abused Child from the Dark Web

 

A years-long investigation by the US Department of Homeland Security led to the dramatic rescue of a young girl whose abuse images had been circulating on the dark web — with a crucial clue hidden in the background of a photograph.

Specialist online investigator Greg Squire had nearly exhausted all leads while trying to identify and locate a 12-year-old girl his team had named Lucy. Explicit images of her were being distributed through encrypted networks designed to conceal users’ identities. The perpetrator had taken deliberate steps to erase identifying features, carefully cropping and altering images to avoid detection.

Despite those efforts, investigators found that the answer was concealed in plain sight.

Squire, part of an elite Homeland Security Investigations unit focused on identifying children in sexual abuse material, became deeply invested in Lucy’s case early in his career. The case struck him personally — Lucy was close in age to his own daughter, and new images of her abuse continued to surface online.

Initially, the team determined only that Lucy was likely somewhere in North America, based on visible electrical outlets and fixtures in the room. Attempts to seek assistance from Facebook proved unsuccessful. Although the company had facial recognition technology, it stated it "did not have the tools" to help with the search.

Investigators then scrutinized every visible detail in Lucy’s bedroom — bedding patterns, toys, clothing, and furniture. A breakthrough came when they realized that a sofa appearing in some images had only been sold regionally rather than nationwide, reducing the potential customer base to roughly 40,000 buyers.

"At that point in the investigation, we're [still] looking at 29 states here in the US. I mean, you're talking about tens of thousands of addresses, and that's a very, very daunting task," says Squire.

Still searching for more clues, Squire turned his attention to an exposed brick wall visible in the background of several photos. He contacted the Brick Industry Association after researching brick manufacturers.

"And the woman on the phone was awesome. She was like, 'how can the brick industry help?'"

The association circulated the image among brick specialists nationwide. One expert, John Harp — a veteran in brick sales since 1981 — quickly identified the material.

"I noticed that the brick was a very pink-cast brick, and it had a little bit of a charcoal overlay on it. It was a modular eight-inch brick and it was square-edged," he says. "When I saw that, I knew exactly what the brick was," he adds.

Harp identified it as a "Flaming Alamo".

"[Our company] made that brick from the late 60s through about the middle part of the 80s, and I had sold millions of bricks from that plant."

Although sales records were not digitized and existed only as a "pile of notes", Harp shared a vital insight.

"He goes: 'Bricks are heavy.' And he said: 'So heavy bricks don't go very far.'"

That observation narrowed the search dramatically. Investigators filtered the sofa buyers list to those living within a 100-mile radius of the brick factory in the American southwest


From there, social media analysis uncovered a photograph of Lucy alongside an adult woman believed to be a relative. Tracking related addresses and household members eventually led authorities to a single residence.

Investigators discovered that Lucy lived there with her mother’s boyfriend — a convicted sex offender. Within hours, local Homeland Security agents arrested the man, who had abused Lucy for six years. He was later sentenced to more than 70 years in prison.

Harp, who has fostered over 150 children and adopted three, said the rescue resonated deeply with him.

"We've had over 150 different children in our home. We've adopted three. So, doing that over those years, we have a lot of children in our home that were [previously] abused," he said.

"What [Squire's team] do day in and day out, and what they see, is a magnification of hundreds of times of what I've seen or had to deal with."

The emotional toll of the work eventually affected Squire’s mental health. He admits that outside of work, "alcohol was a bigger part of my life than it should have been".

Reflecting on that period, he said:

"At that point my kids were a bit older… and, you know, that almost enables you to push harder. Like… 'I bet if I get up at three this morning, I can surprise [a perpetrator] online.'

"But meanwhile, personally… 'Who's Greg? I don't even know what he likes to do.' All of your friends… during the day, you know, they're criminals… All they do is talk about the most horrific things all day long."

After his marriage ended and he experienced suicidal thoughts, colleague Pete Manning urged him to seek help.

"It's hard when the thing that brings you so much energy and drive is also the thing that's slowly destroying you," Manning says.

Squire credits confronting his struggles openly as the turning point.

"I feel honoured to be part of the team that can make a difference instead of watching it on TV or hearing about it… I'd rather be right in there in the fight trying to stop it."

Years later, Squire met Lucy — now in her 20s — for the first time. She said healing and support have helped her speak openly about her past.

"I have more stability. I'm able to have the energy to talk to people [about the abuse], which I could not have done… even, like, a couple years ago."

She revealed that when authorities intervened, she had been "praying actively for it to end".

"Not to sound cliché, but it was a prayer answered."

Squire shared that he wished he could have reassured her during those years.

"You wish there was some telepathy and you could reach out and be like, 'listen, we're coming'."

When questioned about its earlier role, Facebook responded: "To protect user privacy, it's important that we follow the appropriate legal process, but we work to support law enforcement as much as we can."
Read more »
Malware Attack
AI Agent AI agent data theft Cyber Security Data Theft Infostealer Infostealer Malware Malware Attack

Infostealer Malware Targets OpenClaw AI Agent Files to Steal API Keys and Authentication Tokens

 

Now appearing in threat reports, OpenClaw — a local AI assistant that runs directly on personal devices — has rapidly gained popularity. Because it operates on users’ machines, attackers are shifting focus to its configuration files. Recent malware infections have been caught stealing setup data containing API keys, login tokens, and other sensitive credentials, exposing private access points that were meant to remain local. 

Previously known as ClawdBot or MoltBot, OpenClaw functions as a persistent assistant that reads local files, logs into email and messaging apps, and interacts with web services. Since it stores memory and configuration details on the device itself, compromising it can expose deeply personal and professional data. As adoption grows across home and workplace environments, saved credentials are becoming attractive targets. 

Cybersecurity firm Hudson Rock identified what it believes is the first confirmed case of infostealer malware extracting OpenClaw configuration data. The incident marks a shift in tactics: instead of stealing only browser passwords, attackers are now targeting AI assistant environments that store powerful authentication tokens. According to co-founder and CTO Alon Gal, the infection likely involved a Vidar infostealer variant, with stolen data traced to February 13, 2026. 

Researchers say the malware did not specifically target OpenClaw. Instead, it scanned infected systems broadly for files containing keywords like “token” or “private key.” Because OpenClaw stores data in a hidden folder with those identifiers, its files were automatically captured. Among the compromised files, openclaw.json contained a masked email, workspace path, and a high-entropy gateway authentication token that could enable unauthorized access or API impersonation. 

The device.json file stored public and private encryption keys used for pairing and signing, meaning attackers with the private key could mimic the victim’s device and bypass security checks. Additional files such as soul.md, AGENTS.md, and MEMORY.md outlined the agent’s behavior and stored contextual data including logs, messages, and calendar entries. Hudson Rock concluded that the combination of stolen tokens, keys, and memory data could potentially allow near-total digital identity compromise.

Experts expect infostealers to increasingly target AI systems as they become embedded in professional workflows. Separately, Tenable disclosed a critical flaw in Nanobot, an AI assistant inspired by OpenClaw. The vulnerability, tracked as CVE-2026-2577, allowed remote hijacking of exposed instances but was patched in version 0.13.post7. 

Security professionals warn that as AI tools gain deeper access to personal and corporate systems, protecting configuration files is now as critical as safeguarding passwords. Hidden setup files can carry risks equal to — or greater than — stolen login credentials.
Read more »
IT Rules
3-hour Takedown AI Content Cyber Security Indian Influencers Deepfake IT Rules

Influencers Alarmed as New AI Rules Enforce Three-Hour Takedowns

 

India’s new three-hour takedown rule for online content has triggered unease among influencers, agencies, and brands, who fear it could disrupt campaigns and shrink creative freedom.

The rule, introduced through amendments to the IT Intermediary Rules on February 11, slashes the takedown window from 36 hours to just three, with the stated goal of curbing unlawful and AI-generated deepfake content. Creators argue that while tackling deepfakes and harmful material is essential, such a compressed deadline leaves almost no room to contest wrongful flags or provide context, especially when automated moderation tools make mistakes. They warn that legitimate posts could be penalised simply because systems misread nuance, humour, or sensitive but educational topics.

Influencer Ekta Makhijani described the deadline as “incredibly tight,” noting that if a brand campaign video is misflagged, an entire launch window could be lost in hours rather than days. She highlighted how parenting content around breastfeeding or toddler behaviour has previously been misinterpreted by moderation tools, and said the shorter window magnifies the risk of such false positives. Apparel brand founder Akanksha Kommirelly added that small creators lack round-the-clock legal and compliance teams, making it unrealistic for them to respond to takedown notices at all times.

Experts also worry about a chilling effect on speech, especially satire, political commentary, and advocacy. With platforms facing tighter liability, agencies fear an “act first, verify later” culture in which companies remove anything remotely borderline to stay safe. Raj Mishra of Chtrbox warned that, in practice, the incentive becomes to take down flagged content immediately, which could hit investigative work or edgy creative pieces hardest. India’s linguistic diversity further complicates moderation, as systems trained mainly on English may misinterpret regional content.A

longside takedowns, mandatory AI labelling is reshaping creator workflows and brand strategies. Kommirelly noted that prominent AI tags on visual campaigns may weaken brand recall, while Mishra cautioned that platforms could quietly de-prioritise AI-labelled content in algorithms, reducing reach regardless of audience acceptance. This dual pressure—strict timelines and AI disclosure—forces creators to rethink how they script, edit, and publish content.

Agencies like Kofluence and Chtrbox are responding by building compliance support systems for the creator economy. These include AI content guides, pre-upload checks, documentation protocols, legal support networks, and even insurance options to cover campaign disruptions. While most stakeholders accept that tougher rules are needed against deepfakes and abuse, they are urging the government to differentiate emergency takedowns for clearly illegal content from more contested speech so that speed does not entirely override fairness.
Read more »
Cybersecurity
Blockchain Botnet Cyber risks Cyber Security Cybersecurity

Botnet Moves to Blockchain, Evades Traditional Takedowns

 

A newly identified botnet loader is challenging long standing methods used to dismantle cybercrime infrastructure. Security researchers have uncovered a tool known as Aeternum C2 that stores its command instructions on the Polygon blockchain rather than on traditional servers or domains. 

For years, investigators have disrupted major botnets by seizing command and control servers or suspending malicious domains. Operations targeting networks such as Emotet, TrickBot, and QakBot relied heavily on this approach. 

Aeternum C2 appears designed to bypass that model entirely by embedding instructions inside smart contracts on Polygon, a public blockchain replicated across thousands of nodes worldwide. 

According to researchers at Qrator Labs, the loader is written in native C++ and distributed in both 32 bit and 64 bit builds. Instead of connecting to a centralized server, infected systems retrieve commands by reading transactions recorded on the blockchain through public remote procedure call endpoints. 

The seller claims that bots receive updates within two to three minutes of publication, offering relatively fast synchronization without peer to peer infrastructure. The malware is marketed on underground forums either as a lifetime licensed build or as full source code with ongoing updates. Operating costs are minimal. 

Researchers observed that a small amount of MATIC, the Polygon network token, is sufficient to process a significant number of command transactions. With no need to rent servers or register domains, operators face fewer operational hurdles. 

Investigators also found that Aeternum includes anti virtual machine checks intended to avoid execution in sandboxed analysis environments. A bundled scanning feature reportedly measures detection rates across multiple antivirus engines, helping operators test payloads before deployment. 

Because commands are stored on chain, they cannot be altered or removed without access to the controlling wallet. Even if infected devices are cleaned, the underlying smart contracts remain active, allowing operators to resume activity without rebuilding infrastructure. 

Researchers warn that this model could complicate takedown efforts and enable persistent campaigns involving distributed denial of service attacks, credential theft, and other abuse. 

As infrastructure seizures become less effective, defenders may need to focus more heavily on endpoint monitoring, behavioral detection, and careful oversight of outbound connections to blockchain related services.
Read more »
Ledger
Crypto Wallet Crypto Wallet Theft cryptocurrency Cryptocurrency threats Cyber Phishing Cyber Security Ledger

Trezor and Ledger Impersonated in Physical QR Code Phishing Scam Targeting Crypto Wallet Users

 

Nowadays criminals push fake crypto warnings through paper mail, copying real product packaging from firms like Trezor and Ledger. These printed notes arrive at homes without digital traces, making them feel more trustworthy than email scams. Instead of online messages, fraudsters now use stamps and envelopes to mimic official communication. Because it comes in an envelope, people may believe the request is genuine. Through these letters, attackers aim to steal secret backup codes used to restore wallets. Physical delivery gives the illusion of authenticity, even though the goal remains theft. The method shifts away from screens but keeps the same deceitful intent. 

Pretending to come from company security units, these fake messages tell recipients they need to finish an urgent "Verification Step" or risk being locked out of their wallets. A countdown appears on screen, pushing people to act fast - slowing down feels risky when time runs short. Opening the link means scanning a barcode first, then moving through steps laid out by the site. Pressure builds because delays supposedly lead to immediate consequences. Following directions seems logical under such conditions, especially if trust in the sender feels justified. 

A single message pretending to come from Trezor told users about an upcoming Authentication Check required before February 15, 2026, otherwise access to Trezor Suite could be interrupted. In much the same way, another forged notice aimed at Ledger customers claimed a Transaction Check would turn mandatory, with reduced features expected after October 15, 2025, unless acted upon. Each of these deceptive messages leads people to fake sites designed to look nearly identical to real setup portals. BleepingComputer’s coverage shows the QR codes redirect to websites mimicking real company systems. 

Instead of clear guidance, these fake sites display alerts - claiming accounts may be limited, transactions could fail, or upgrades might stall without immediate action. One warning follows another, each more urgent than the last, pulling users deeper into the trap. Gradually, they reach a point where entering their crypto wallet recovery words seems like the only option left. Fake websites prompt people to type in their 12-, 20-, or 24-word recovery codes, claiming it's needed to confirm device control and turn on protection. 

Though entered privately, those words get sent straight to servers run by criminals. Because these attackers now hold the key, they rebuild the digital wallet elsewhere without delay. Money vanishes quickly after replication occurs. Fewer scammers send fake crypto offers by post, even though email tricks happen daily. Still, real-world fraud attempts using paper mail have appeared before. 

At times, crooks shipped altered hardware wallets meant to steal recovery words at first use. This latest effort shows hackers still test physical channels, especially if past leaks handed them home addresses. Even after past leaks at both Trezor and Ledger revealed user emails, there's no proof those events triggered this specific attack. However the hackers found their targets, one truth holds - your recovery phrase stays private, always. 

Though prior lapses raised alarms, they didn’t require sharing keys; just like now, safety lives in secrecy. Because access begins where trust ends, never hand over seed words. Even when pressure builds, silence protects better than any tool. Imagine a single line of words holding total power over digital money - this is what a recovery phrase does. Ownership shifts completely when someone else learns your seed phrase; control follows instantly. Companies making secure crypto devices do not ask customers to type these codes online or send them through messages. 

Scanning it, emailing it, even mailing it physically - none of this ever happens if the provider is real. Trust vanishes fast when any official brand demands such sharing. Never type a recovery phrase anywhere except the hardware wallet during setup. When messages arrive with urgent requests, skip the QR scans entirely. Official sites hold the real answers - check there first. A single mistake could expose everything. Trust only what you confirm yourself.  

A shift in cyber threats emerges as fake letters appear alongside rising crypto use. Not just online messages now - paper mail becomes a tool for stealing digital assets. The method adapts, reaching inboxes on paper before screens. Physical envelopes carry hidden risks once limited to spam folders. Fraud finds new paths when trust in printed words remains high.
Read more »
Passwords
Crypto Cyber Security Cybersecurity GitHub Linux Passwords

Fake Go Crypto Package Caught Stealing Passwords and Spreading Linux Backdoor

 



Cybersecurity investigators have revealed a rogue Go module engineered to capture passwords, establish long-term SSH access, and deploy a Linux backdoor known as Rekoobe.

The package, published as github[.]com/xinfeisoft/crypto, imitates the legitimate Go cryptography repository widely imported by developers. Instead of delivering standard encryption utilities, the altered version embeds hidden instructions that intercept sensitive input entered in terminal password prompts. The stolen credentials are transmitted to a remote server, which then responds by delivering a shell script that the compromised system executes.

Researchers at Socket explained that the attack relies on namespace confusion. The authentic cryptography project identifies its canonical source as go.googlesource.com/crypto, while GitHub merely hosts a mirror copy. By exploiting this distinction, the threat actor made the counterfeit repository appear routine in dependency graphs, increasing the likelihood that developers would mistake it for the genuine library.

The malicious modification is embedded inside the ssh/terminal/terminal.go file. Each time an application calls the ReadPassword() function, which is designed to securely capture hidden input from a user, the manipulated code silently records the data. What should have been a secure input mechanism becomes a covert data collection point.

Once credentials are exfiltrated, the downloaded script functions as a Linux stager. It appends the attacker’s SSH public key to the /home/ubuntu/.ssh/authorized_keys file, enabling passwordless remote logins. It also changes default iptables policies to ACCEPT, reducing firewall restrictions and increasing exposure. The script proceeds to fetch further payloads from an external server, disguising them with a misleading .mp5 file extension to avoid suspicion.

Two additional components are retrieved. The first acts as a helper utility that checks internet connectivity and attempts to communicate with the IP address 154.84.63[.]184 over TCP port 443, commonly used for encrypted web traffic. Researchers believe this tool likely serves as reconnaissance or as a loader preparing the system for subsequent stages.

The second payload has been identified as Rekoobe, a Linux trojan active in the wild since at least 2015. Rekoobe allows remote operators to receive commands from a control server, download additional malware, extract files, and open reverse shell sessions that grant interactive system control. Security reporting as recently as August 2023 has linked the malware’s use to advanced threat groups, including APT31.

While the malicious module remained listed on the Go package index at the time of analysis, the Go security team has since taken measures to block it as harmful.

Researchers caution that this operation reflects a repeatable, low-effort strategy with glaring impact. By targeting high-value functions such as ReadPassword() and hosting staged payloads through commonly trusted platforms, attackers can rotate infrastructure without republishing code. Defenders are advised to anticipate similar supply chain campaigns aimed at credential-handling libraries, including SSH utilities, command-line authentication tools, and database connectors, with increased use of layered hosting services to conceal corrupted infrastructure.


Read more »
WhatsApp Ban
Cyber Security Online Privacy Russia Max App State Surveillance WhatsApp Ban

Russia Blocks WhatsApp, Pushes State Surveillance App

 

Russia has effectively erased WhatsApp from its internet, impacting up to 100 million users in a bold move by regulator Roskomnadzor. On Wednesday, the app was removed from the national directory, severing access without prior slowdown warnings, as reported by the Financial Times and Gizmodo. WhatsApp condemned this as an attempt to force users onto a "state-owned surveillance app," highlighting the isolation of millions from secure communication. 

This crackdown escalates Russia's long-running battle against foreign messaging services amid its push for digital sovereignty. Restrictions began in August 2025 with blocks on voice and video calls, citing WhatsApp's failure to aid fraud and terrorism probes. Courts fined the Meta-owned app repeatedly for not removing banned content or opening a local office; by December, speeds dropped 70%, but full removal came after ongoing non-compliance. Telegram faced similar cuts this week, leaving Russians scrambling.

Enter Max, VK's 2025-launched "superapp" modeled on China's WeChat, now aggressively promoted as the national alternative. Preinstalled on devices and endorsed by celebrities and educators, it offers chats, video calls, file sharing up to 4GB, payments via Russia's Faster Payment System, and government services like digital IDs and e-signatures. Unlike WhatsApp's encryption, Max mandates activity sharing with authorities and lacks apparent privacy safeguards, per The Insider. 

The Kremlin justifies the ban as protecting citizens from scams and terrorism while achieving tech independence under sanctions. Spokesman Dmitry Peskov cited Meta's refusal to follow Russian law, though WhatsApp could return via compliance talks. Critics see it as unprecedented speech suppression, building on post-2022 Ukraine invasion censorship labeled "unprecedented" by Amnesty International. Yet past efforts, like the failed 2018 Telegram block, exposed regime overreach.

Users are turning to VPNs or rivals, but Max's rise could cement state surveillance in daily life. This mirrors global trends—France pushes local apps, and Meta faces U.S. spying claims—but Russia's unencrypted alternative raises alarms for privacy. As Putin eyes indefinite rule, such controls signal deepening authoritarianism, forcing 100 million into monitored chats.
Read more »
surveillance
Android Spyware Applications Cyber Security phishing Software surveillance

Is Spyware Secretly Hiding on Your Phone? How to Detect It, Remove It, and Prevent It

 



If your phone has started behaving in ways you cannot explain, such as draining power unusually fast, heating up during minimal use, crashing, or displaying unfamiliar apps, it may be more than a routine technical fault. In some cases, these irregularities signal the presence of spyware, a type of malicious software designed to quietly monitor users and extract personal information.

Spyware typically enters smartphones through deceptive mobile applications, phishing emails, malicious attachments, fraudulent text messages, manipulated social media links, or unauthorized physical access. These programs are often disguised as legitimate utilities or helpful tools. Once installed, they operate discreetly in the background, avoiding obvious detection.

Depending on the variant, spyware can log incoming and outgoing calls, capture SMS and MMS messages, monitor conversations on platforms such as Facebook and WhatsApp, and intercept Voice over IP communications. Some strains are capable of taking screenshots, activating cameras or microphones, tracking location through GPS, copying clipboard data, recording keystrokes, and harvesting login credentials or cryptocurrency wallet details. The stolen information is transmitted to external servers controlled by unknown operators.

Not all spyware functions the same way. Some applications focus on aggressive advertising tactics, overwhelming users with pop-ups, altering browser settings, and collecting browsing data for revenue generation. Broader mobile surveillance tools extract system-level data and financial credentials, often distributed through mass phishing campaigns. More intrusive software, frequently described as stalkerware, is designed to monitor specific individuals and has been widely associated with domestic abuse cases. At the highest level, intricately designed commercial surveillance platforms such as Pegasus have been deployed in targeted operations, although these tools are costly and rarely directed at the general public.

Applications marketed as parental supervision or employee productivity tools also require caution. While such software may have legitimate oversight purposes, its monitoring capabilities mirror those of spyware if misused or installed without informed consent.

Identifying spyware can be difficult because it is engineered to remain hidden. However, several warning indicators may appear. These include sudden battery drain, overheating, sluggish performance, unexplained crashes, random restarts, increased mobile data consumption, distorted calls, persistent pop-up advertisements, modified search engine settings, unfamiliar applications, difficulty shutting down the device, or unexpected subscription charges. Receiving suspicious messages that prompt downloads or permission changes may also signal targeting attempts. If a device has been out of your possession and returns with altered settings, tampering should be considered.

On Android devices, reviewing whether installation from unofficial sources has been enabled is critical, as this setting allows apps outside the Google Play Store to be installed. Users should also inspect special app access and administrative permissions for unfamiliar entries. Malicious programs often disguise themselves with neutral names such as system utilities. Although iPhones are generally more resistant without jailbreaking or exploited vulnerabilities, they are not immune. Failing to install firmware updates increases exposure to known security flaws.

If spyware is suspected, measured action is necessary. Begin by installing reputable mobile security software from verified vendors and running a comprehensive scan. Manually review installed applications and remove anything unfamiliar. Examine permission settings and revoke excessive access. On Android, restarting the device in Safe Mode temporarily disables third-party apps, which may assist in removal. Updating the operating system can also disrupt malicious processes. If the issue persists, a factory reset may be required. Important data should be securely backed up before proceeding, as this step erases all stored content. In rare instances, professional technical assistance or device replacement may be needed.

Long-term protection depends on consistent preventive practices. Maintain strict physical control over your phone and secure it with a strong password or biometric authentication. Configure automatic screen locking to reduce the risk of unauthorized access. Install operating system updates promptly, as they contain critical security patches. Download applications only from official app stores and review developer credibility, ratings, and permission requests carefully before installation. Enable built-in security scanners and avoid disabling system warnings. Regularly audit app permissions, especially for access to location, camera, microphone, contacts, and messages.

Remain cautious when interacting with links or attachments received through email, SMS, or social media, as phishing remains a primary delivery method for spyware. Avoid jailbreaking or rooting devices, since doing so weakens built-in protections and increases vulnerability. Activate multi-factor authentication on essential accounts such as email, banking, and cloud storage services, and monitor login activity for irregular access. Periodically review mobile data usage and billing statements for unexplained charges. Maintain encrypted backups so decisive action, including a factory reset, can be taken without permanent data loss.

No mobile device can be guaranteed completely immune from surveillance threats. However, informed digital habits, timely updates, disciplined permission management, and layered account security significantly reduce the likelihood of covert monitoring. In an era where smartphones store personal, financial, and professional data, vigilance remains the strongest defense.

Read more »
online privacy concerns
Cyber Privacy Cyber Security global privacy tools Google Privacy Sandbox Google Updates online privacy concerns

Google Expands Privacy Tools With Automated ID Detection and Deepfake Image Removal

 

Years of relying on users to report privacy issues have shaped Google’s approach so far. Lately, automated tools began taking a bigger role in spotting private details online. One shift involves how quickly artificial visuals get flagged across search results. Instead of waiting for complaints, systems now proactively detect such content. Efficiency improves when machines assist with removals. This update adjusts how personal data flows through the platform. Recently, detection methods became sharper at finding fake imagery. People gain better control without needing to act first. Progress shows in faster response times behind the scenes. 

What stands out in this update is a more capable "Results About You" feature. Using Google's vast web index, it searches for personal details visible on public pages. Still, there is a condition - people need to share some identifying information for matches to be found. After signing up, automated scans run regularly. Alerts go out when fresh links showing that person’s data turn up in search results. 

One major upgrade helps the software spot ID codes hidden in online pages. These can be driving permit numbers, passport data, or national identity figures. Access depends on user permission set in profiles, along with self-submitted records. With permits, the entire sequence is needed; however, travel documents and tax IDs need just a partial match. After setup, the mechanism reviews stored material to flag possible leaks. 

Even though Google doesn’t control outside sites, it may take down certain links from its search listings. Since being found online often depends on search engines, removing those entries can greatly limit exposure to identity theft, unwanted personal disclosures, or abuse. Despite lacking authority over external pages, limiting access through search still offers meaningful protection.  
Now handling non-consensual intimate visuals differently, the firm includes AI-made fakes in its revised policy. Since manufactured images are spreading faster, reports may cover real photos alongside altered ones. Submitting several pictures at once is possible, which helps people facing organized abuse move through the steps quicker. 

A new option appears via three dots beside image entries - clicking lets people mark media showing them in sensitive situations. Removing such results begins there, with a choice labeled "Remove result" leading onward. That path includes confirming if pictures are authentic or made by artificial tools. Faster replies come now, Google says, especially when many visuals require attention. Streamlined steps help manage high quantities without delay piling up. 

Ahead of issues arising, the system checks for recurring content once someone submits a deletion. Following approval, ongoing scans detect related information during later indexing rounds. Whether it involves personal details or visual files, matches trigger warnings automatically. When duplicates show up, visibility stops before they appear in outcomes - no repeated forms needed. Each cycle works silently unless something flagged emerges. 

Even with improvements, the tools fall short in key ways. While they limit what shows up in searches, they leave the material live on source sites. Yet since many people rely on Google to find content, taking links out of results tends to help - sometimes significantly. 

Right now, systems can spot ID numbers automatically. Soon after, quicker image reports should appear in many regions - proactive scans following shortly afterward. Expansion to nearly every country will happen by the end of the year, though timing may differ slightly depending on location.
Read more »
remote monitoring and management
Command And Control Infrastructure Cyber Security Cyber Threats. Healthcare Cybersecurity Endpoint security Multi Factor Authentication ransomware attacks remote monitoring and management

Enterprise Monitoring Tool Misused by Ransomware Gang to Target Businesses


Increasingly, enterprise networks are characterized by tools designed to enhance visibility and oversight applications purchased in the name of enhancing productivity, compliance, and efficiency. However, the same software entrusted with safeguarding workflow transparency is currently being quietly redirected toward far more harmful purposes. 

As ransomware operators weaponize commercially available monitoring and remote management platforms, they avoid traditional red flags and embed themselves within routine administrative traffic. Nevertheless, the result is not immediate chaos, but calculated persistence. This involves silent access, continuous control, and the staging of systems for extortion, extortion, and financial coercion. Huntress has published a technical analysis that illustrates the evolution of this tactic. 

In a study, researchers found that attackers are no longer relying solely on custom malware to maintain access to systems. Instead, they are repurposing legitimate employee surveillance software as well as remote monitoring and management tools to turn passive oversight tools into active intrusion tools. In the field of ransomware tradecraft, a subtle but significant evolution has occurred, as it becomes increasingly difficult to distinguish between administrative utility and adversarial control.

As outlined in a report February 2026 report, a threat actor associated with the Crazy ransomware gang utilized Net Monitor for Employees Professional, a commercially marketed workplace monitoring product in tandem with SimpleHelp, a remote management platform. Together, these tools enabled more than discrete observation of employees. 

As a result, attackers were able to control the system interactively, transfer files, and execute commands remotely—functions reminiscent of legitimate IT administration, but quietly paved the way for the deployment of disruptive ransomware. In accordance with these findings, Huntress investigators discovered that operators consistently used Net Monitor for Employees Professional and SimpleHelp to secure low-noise, durable access to victim environments using Net Monitor for Employees Professional. 

The monitoring agent was initially sideloaded with the legitimate Windows Installer utility, msiexec.exe, during its initial deployment, resulting in a combination of malicious installation activity and routine administrative processes. The agent, once embedded, provided complete access to victim desktops, allowing for real-time screen surveillance, file transfers, and remote command execution without causing the behavioral anomalies commonly associated with customized backdoors. 

A scripted PowerShell command was used by the attackers to install SimpleHelp, which was renamed frequently to mimic benign system artifacts such as VShost.exe or files related to OneDrive synchronization in order to strengthen persistence. As a result of this deliberate masquerading, cursory process reviews and endpoint inspections were less likely to be scrutinized. Attempts were also made to weaken native defenses, including the disablement of Microsoft Defender protections, by researchers. 

It was found several times that the remote management client generated alerts related to cryptocurrency wallet activity or the presence of additional remote access utilities, an indication that the intrusions were not opportunistic reconnaissance alone, but rather preparatory steps aligned with ransomware deployment and the theft of assets. 

In the absence of disparate affiliates, correlated command-and-control endpoints and recurring filename conventions suggest that a single, coordinated operator is responsible for the incidents. The broader trend indicates a growing preference for legitimate remote management and monitoring software as an access vector due to their widespread use in enterprise IT administration. As such, their presence rarely raises immediate suspicions. 

Initial compromise in the cases examined was caused by the exposure or theft of SSL VPN credentials, which enabled adversaries to authenticate into networks and then silently layer commercial management tools over that access. 

Observations such as these reinforce the need for multi-factor authentication to be enforced across all remote access services as well as continuous monitoring controls designed to detect unauthorized deployments of remote management tools. Those who lack such safeguards can exploit trusted administrative frameworks to move laterally, persist, and eventually execute ransomware. The operational model observed in these intrusions has been seen previously. 

During the year 2025, DragonForce ransomware operated on a managed service provider and leveraged SimpleHelp deployments to pivot into downstream customer environments. By utilizing the MSP's own remote monitoring and management system, the attackers were able to conduct reconnaissance at scale without installing conspicuous malware. 

In order to exfiltrate sensitive data and deploy encryption payloads across client networks, the platform was used to enumerate user accounts, system configurations, and active network connections. Upon subverting trusted administrative infrastructure, it can function as a force multiplier—extending a single breach into multiple organizations, thus demonstrating the power of trusted administrative infrastructure. 

Researchers have observed attackers configuring granular monitoring rules within SimpleHelp to track specific operational activities. The agent was configured to continuously search for cryptocurrency-related keywords in connection with wallet applications, exchanges, blockchain explorers, and payment service providers, an indication that digital assets were being discovered and potential financial targets were being targeted. 

Meanwhile, it monitored for references to remote access technologies such as RDP, AnyDesk, UltraViewer, TeamViewer, and VNC so that legitimate administrators or incident responders would be able to determine whether they were communicating with infected systems. Upon reviewing log data, investigators found that the agent repeatedly cycled through triggers and resets associated with these keyword sets, indicating automated surveillance that alerted operators to threats in near real time.

In addition to redundancy, threat actors maintained multiple remote access pathways to maintain control even when one tool was identified and removed from the deployment strategy. The layered persistence approach aligns with a wider “living off the land” strategy, which is a form of adversary exploitation that relies upon legitimate, digitally signed software that has already been trusted within an enterprise environment. 

Remote support utilities and employee monitoring platforms are commonly used as productivity monitors, troubleshooters, and distributed workforce management tools. These platforms offer built-in capabilities such as screen capture, keystroke logging, and file transfer.

In addition to complicating detection efforts and reducing the forensic footprint typically associated with custom backdoors, their behavior closely mirrors sanctioned administrative behavior when repurposed for malicious purposes. Health care and managed services sectors are particularly affected by remote management frameworks, which are often integrated into workflows supporting medical devices, telehealth systems, and electronic health record platforms.

It is possible for attackers to gain privileged access to protected health information and critical infrastructure if these tools are commandeered. A deliberate strategy was demonstrated by ransomware operators in exploiting widely used RMM software: compromising authentication, blending into legitimate management channels, and expanding laterally through the very mechanisms organizations rely on for operational resilience.

Following the successful deployment of the monitoring utility, it became a fully interactive remote access channel for organizations. This allowed operators to monitor victim computers in real time, transfer files bidirectionally, and execute arbitrary commands, effectively assuming the role of local privileged users. 

There were several instances where they used the command net user administrator /active:yes to activate the built-in Windows Administrator account, which was consistent with privilege consolidation and fallback access planning. Through scripted execution of PowerShell, the threat actors obtained and installed the SimpleHelp client, reinforcing persistence. Filenames mimicking Microsoft Visual Studio VShost.exe were frequently used to rename the binary to resemble legitimate development or system artifacts.

A number of times it was staged within directories designed to appear associated with the OneDrive services, including C:/ProgramData/OneDriveSvc/OneDriveSvc.exe, thereby reducing suspicion during routine administrative review processes. Once executed, the payload ensured continued remote connectivity, even if the original employee monitoring agent was identified and removed. Huntress researchers observed attempts to weaken host-based defenses as well. 

By stopping and deleting related services, the attackers attempted to disable Microsoft Defender, reducing real-time protection prior to any encryption attempts. As part of SimpleHelp’s monitoring policies, they were configured so that alerts were generated when cryptocurrency wallets were accessed or remote management tools were invoked behavior which suggests a preparation for reconnaissance and a desire to detect potential incident response activities. 

Based on log telemetry, it is evident that the agent repeatedly triggers based on keywords associated with wallets, cryptocurrency exchanges, blockchain explorers, and payment platforms, while simultaneously flagging references to RDP sessions, AnyDesk sessions, UltraViewer sessions, TeamViewer sessions, and VNC sessions. 

By utilizing multiple remote access mechanisms simultaneously, operational redundancy was achieved. Despite the disruption of one channel, alternative channels permitted the intruders to remain in control of the network. 

Although only one of the documented intrusions resulted in the deployment of the Crazy ransomware gang encryptor, an overlap in command and control infrastructure as well as the re-use of distinctive filenames such as vhost.exe across incidents strongly suggests the presence of one operator or coordinated group. 

Due to the widespread use of remote monitoring and support tools within enterprise environments, their network traffic and process behavior tend to align with sanctioned IT operations, reflecting a larger shift in ransomware tradecraft toward strategic abuse of legitimate administrative software. The result is that malicious activity can remain concealed within routine management processes. 

To identify unauthorized deployments, Huntress suggests that organizations implement strict oversight over the installation and execution of remote monitoring utilities. This can be accomplished through the correlation of endpoint telemetry with change management logs. Because both breaches originated from compromised SSL VPN credentials, the implementation of multi-factor authentication across all remote access services remains a foundational control to prevent adversarial persistence following initial entry. 

All of these incidents illustrate that modern enterprise security models have a structural weakness: trust in administrative tools is not generally scrutinized in the same way as unfamiliar executables or overt malware. Due to the continued operationalization of legitimate remote management frameworks by ransomware groups, defensive strategies must expand beyond signature-based detections and perimeter controls. 

A mature security program will consider unauthorized implementation of RMM as a high-severity event, enforce strict administrative utility access governance, and perform behavioral monitoring to distinguish between sanctioned IT activity and anomalous control patterns in the network.

It is also critical to harden authentication pathways, limit credential exposure, and segment high-value systems in order to reduce blast radius during compromises. It is not possible to ensure resilience in an environment where adversaries are increasingly blending into routine operations by blocking every tool, but by ensuring that every instance of trust is validated.

Read more »
UNC2814 China hacking group
Cyber Espionage Campaign Cyber Security Google Google cyber security report Google Sheets API abuse GRIDTIDE malware UNC2814 China hacking group

Google Disrupts China-Linked UNC2814 Cyber Espionage Network Targeting 70+ Countries

 

Google on Wednesday revealed that it collaborated with industry partners to dismantle the digital infrastructure of a suspected China-aligned cyber espionage group known as UNC2814, which compromised at least 53 organizations spanning 42 countries.

"This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas," Google Threat Intelligence Group (GTIG) and Mandiant said in a report published today.

UNC2814 is believed to be associated with additional breaches across more than 20 other nations. Google, which has monitored the group since 2017, observed the attackers leveraging API requests to interact with software-as-a-service (SaaS) platforms as part of their command-and-control (C2) framework. This method allowed the threat actor to blend malicious communications with normal traffic patterns.

At the core of the campaign is a previously undocumented backdoor named GRIDTIDE. The malware exploits the Google Sheets API as a covert channel for C2 operations, enabling attackers to conceal communications while transferring raw data and executing shell commands. Written in C, GRIDTIDE supports file uploads and downloads, along with arbitrary command execution.

Dan Perez, GTIG researcher, told The Hacker News via email that they cannot confirm if all the intrusions involved the use of the GRIDTIDE backdoor. "We believe many of these organizations have been compromised for years," Perez added.

Investigators are still examining how UNC2814 gains its initial foothold. However, the group has a documented track record of exploiting web servers and edge devices to infiltrate targeted networks. Once inside, the attackers reportedly used service accounts to move laterally via SSH, while relying on living-off-the-land (LotL) tools to perform reconnaissance, elevate privileges, and maintain long-term persistence.

"To achieve persistence, the threat actor created a service for the malware at /etc/systemd/system/xapt.service, and once enabled, a new instance of the malware was spawned from /usr/sbin/xapt," Google explained.

The campaign also involved the use of SoftEther VPN Bridge to establish encrypted outbound connections to external IP addresses. Security researchers have previously linked misuse of SoftEther VPN technology to several Chinese state-sponsored hacking groups.

Evidence suggests that GRIDTIDE was deployed on systems containing personally identifiable information (PII), aligning with espionage objectives aimed at monitoring individuals of strategic interest. Despite this, Google stated that it did not detect any data exfiltration during the observed operations.

The malware’s communication mechanism relies on a spreadsheet-based polling system, assigning specific functions to designated cells for two-way communication:
  • A1: Used to retrieve attacker-issued commands and update status responses (e.g., S-C-R or Server-Command-Success)
  • A2–An: Facilitates the transfer of data such as command outputs and files
  • V1: Stores system-related data from the compromised endpoint
In response, Google terminated all Google Cloud projects associated with the attackers, dismantled known UNC2814 infrastructure, and revoked access to malicious accounts and Google Sheets API operations used for C2 activity.

The company described UNC2814 as one of the "most far-reaching, impactful campaigns" encountered in recent years. It confirmed that formal notifications were issued to affected entities and that assistance is being provided to organizations with verified breaches linked to the group.

Security experts note that this activity reflects a broader strategy by Chinese state-backed actors to secure prolonged access within global networks. The findings further emphasize the vulnerability of network edge devices, which frequently become entry points due to exposed weaknesses and misconfigurations.

Such appliances are increasingly targeted because they often lack advanced endpoint detection capabilities while offering direct access or pivot opportunities into internal enterprise systems once compromised.

"The global scope of UNC2814's activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders," Google said.

"Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish its global footprint."
Read more »
semiconductor cybersecurity
Advantest ransomware attack Cyber Security Japanese tech company breach ransomware in manufacturing semiconductor cybersecurity

Advantest Confirms Ransomware Breach After Suspicious Network Activity

 

Japanese semiconductor testing equipment manufacturer Advantest has confirmed it was targeted in a ransomware attack following the discovery of suspicious activity within its IT systems on February 15, 2026. The company publicly acknowledged the incident last Thursday.

Headquartered in Tokyo, Advantest is a major producer of automatic test and measurement systems essential to semiconductor development and manufacturing. Its technologies support a wide range of applications, including computers, consumer electronics such as mobile phones, autonomous vehicles, and high-performance computing systems like artificial intelligence platforms. The company operates across the Americas, Asia, and Europe and employs more than 7,600 people worldwide.

In an official statement, the company said, “Preliminary findings appear to indicate that an unauthorized third party may have gained access to portions of the company’s network and deployed ransomware,” the company said.

The firm added, “Upon detection, Advantest immediately activated its incident response protocols, isolated affected systems, and engaged leading third-party cybersecurity experts to assist in the investigation and containment of the incident.”

The investigation remains ongoing, and it is not yet clear whether any customer or employee information was compromised. Advantest has not reported any major operational interruptions at its manufacturing facilities so far.

Reaffirming its response efforts, the company stated, “Advantest is focused on understanding the full extent of this incident while reinforcing all possible defenses,” the company added, and promised to provide regular updates about the investigation.

Manufacturing Sector Increasingly Targeted by Ransomware Groups

The incident highlights a broader cybersecurity challenge facing industrial organizations worldwide. According to industrial cybersecurity firm Dragos, ransomware actors targeted more than 3,300 industrial entities over the past year, with 119 separate ransomware groups involved. Manufacturers accounted for over two-thirds of those affected organizations.

Similarly, UK-based cybersecurity company Sophos reported a significant rise in attacks against manufacturing firms. The company stated, “[In 2025], Sophos X-Ops has observed ransomware activity across leak sites and found that 99 distinct threat groups targeted manufacturing organizations. The most prominent groups targeting manufacturing organizations based on leak site observations are [Akira, Qilin, and Play],” the UK-based cybersecurity company shared in December 2025.

Sophos further emphasized the growing use of double extortion tactics, noting, “Over half of the ransomware incidents handled by Sophos Emergency Incident Response involved both data theft and data encryption, underscoring the continued rise of double extortion tactics where stolen data is held to ransom and threatened with publication on a leak site.”

Beyond financially motivated cybercriminal groups, the semiconductor supply chain has increasingly drawn attention from state-sponsored threat actors seeking to obtain valuable intellectual property, including proprietary chip designs and specialized manufacturing processes.
Read more »
Korea
Bitcoin Bitcoin Cyber Threat Bithumb cryptocurrency Cryptocurrency news Cyber Security digital currency Financial Regulators Korea

Bithumb Error Sends 620,000 Bitcoins to Users, Triggers Regulatory Scrutiny in South Korea

 

A huge glitch at Bithumb, South Korea’s second-biggest digital currency platform, triggered chaos when users suddenly found themselves holding vast quantities of bitcoin due to a flawed promotion. Instead of issuing minor monetary rewards, a technical oversight allowed 620,000 bitcoins to be wrongly allocated. Regulators quickly stepped in, launching investigations as the scale of the incident became clear. Recovery efforts are now underway for assets exceeding $40 billion, stemming directly from the mishap. Legal pressure mounts on the firm while authorities assess compliance failures. What began as a routine marketing effort has turned into one of the largest operational blunders in crypto trading history.  

On 6 February, a mistake unfolded amid a promotion meant to give rewards to 695 qualifying users - totaling 620,000 Korean won, about $423. Instead of using local currency, one employee typed in bitcoin by accident; this shifted the reward value dramatically. What should have been small bonuses became 620,000 bitcoins, valued around $42 billion then. Among those who qualified, nearly half accessed their digital boxes before anyone noticed. These 249 people ended up with massive deposits, exceeding the entire crypto balance held by the platform. 

Bithumb said it fixed many incorrect deposits through adjustments in its internal records. Still, regulators noted approximately 13 billion won - about $9 million - was unaccounted for, lost when certain users moved or cashed out funds prior to detection. During the half-hour span before freezing actions began, 86 individuals allegedly offloaded close to 1,788 bitcoins, sparking temporary shifts in pricing across the site's trading system. 

Criticism came fast once news broke. "Catastrophic" was the word used by Lee Chan-jin - head of South Korea’s Financial Supervisory Service - to describe what happened to those who offloaded their bitcoin. With prices climbing afterward, people forced to give back holdings might now owe money instead. Not just a one-off error, according to Lee; it revealed deeper flaws in how crypto platforms handle internal ledgers and transaction safeguards. 

Disagreement persists among legal professionals regarding possible criminal consequences for users who withdrew accidentally deposited bitcoin. Though crypto assets were central to a 2021 South Korean high court decision, their exclusion from the definition of "property" in penal statutes muddies enforcement paths. Instead of pursuing drawn-out lawsuits, Bithumb initiated private talks with around eighty individuals who converted the digital value into local currency, asking repayment in won amounts. 

Now probing deeper, the Financial Supervisory Service has opened a comprehensive review; meanwhile, lawmakers in Seoul will hold an urgent session on 11 February to press officials and platform leaders for answers. Speaking publicly, Bithumb admitted changes are underway - its payout systems being rebuilt, oversight tightened - even though they insist no cyberattack occurred nor did outside actors gain access.
Read more »
Global Economy
ai strategy AI Training CISO Cyber Security ec Council Global Economy

EC-Council Introduces AI Training Programs as Demand for Skilled Professionals Grows

 



As artificial intelligence becomes embedded in daily business functions, concerns are growing over whether the workforce is adequately prepared to manage its risks and responsibilities. EC-Council has announced the launch of four new AI-focused certifications along with an updated Certified CISO v4 program, marking the largest single expansion in the organization’s 25-year history.

The rollout comes amid projections that unmanaged AI-related vulnerabilities could expose the global economy to as much as $5.5 trillion in risk, according to industry estimates attributed to IDC. At the same time, analysis from Bain & Company suggests that approximately 700,000 workers in the United States will require reskilling in AI and cybersecurity disciplines to meet rising demand.

Global institutions including the International Monetary Fund and the World Economic Forum have identified workforce capability as a primary constraint on AI-driven productivity, arguing that the barrier is no longer access to technology but access to trained professionals.

Security threats are escalating in parallel with adoption. Reports indicate that 87 percent of organizations have encountered AI-enabled cyberattacks. Additionally, generative AI-related network traffic has increased by 890 percent, significantly expanding potential attack surfaces. Emerging risks include prompt injection attacks, data poisoning, manipulation of machine learning models, and compromise of AI supply chains.

The new Enterprise AI Credential Suite is structured around EC-Council’s operational framework described as Adopt, Defend, and Govern. The “Adopt” pillar emphasizes structured and safeguarded AI deployment. “Defend” focuses on protecting AI systems from evolving threats. “Govern” integrates oversight, accountability, and risk management mechanisms into AI systems from the design stage.

Artificial Intelligence Essentials serves as the foundational certification, aimed at building practical literacy and responsible AI usage across professional roles. The Certified AI Program Manager credential prepares professionals to convert AI strategy into coordinated implementation, ensuring governance alignment and measurable return on investment.

The Certified Offensive AI Security Professional program trains specialists to identify vulnerabilities in large language models, simulate adversarial techniques, and strengthen AI infrastructure. The Certified Responsible AI Governance and Ethics certification centers on enterprise-scale oversight and compliance, referencing established standards such as those developed by NIST and ISO.

Certified CISO v4 has also been updated to prepare executive leaders for AI-integrated risk environments, where intelligent systems influence operational and strategic decisions. According to EC-Council leadership, security executives must now manage adaptive systems that evolve rapidly and require clear governance accountability.

The initiative aligns with U.S. federal priorities outlined in Executive Order 14179, the July 2025 AI Action Plan’s workforce development pillar, and Executive Orders 14277 and 14278, all of which emphasize expanding AI education pathways and strengthening job-ready skills across professional and skilled trade sectors.

AI expertise remains geographically concentrated, with 67 percent of U.S. AI talent located in just 15 cities, while women account for 28 percent of the workforce, underlining ongoing participation disparities.

Founded in 2001, EC-Council is known for its Certified Ethical Hacker credential. The organization holds ISO/IEC 17024 accreditation and reports certifying more than 350,000 professionals globally, including personnel within government agencies, the Department of Defense under DoD 8140 baseline recognition, and Fortune 100 companies.

As AI transitions from experimentation to infrastructure, workforce readiness and governance capability are increasingly central to secure and sustainable deployment.

Read more »
Dragos cybersecurity
Critical Infrastructure critical infrastructure cybersecurity Cyber Security Cyber Threats Dragos Dragos cybersecurity

Dragos Warns of New State-Backed Threat Groups Targeting Critical Infrastructure

 

A fresh wave of state-backed hacking targeted vital systems more aggressively over the past twelve months, as newer collectives appeared while long-known teams kept their campaigns running, per Dragos’ latest yearly analysis. Operating underground until now, three distinct gangs specializing in industrial equipment surfaced in 2025, highlighting an ongoing rise in size and complexity among nation-supported digital intrusions. That count lifts worldwide monitoring efforts to cover 26 such organizations focused on physical machinery networks, eleven of which demonstrated live activity throughout the period. 

One key issue raised in the report involves ongoing operations by Voltzite, which Dragos links directly to Volt Typhoon. Instead of brief cyber intrusions, this group aimed at staying hidden inside U.S. essential systems - especially power, oil, and natural gas networks - for extended periods. Deep infiltration into industrial control setups allowed access beyond standard IT zones, reaching process controls tied to real-world machinery. Evidence shows their goal was less about data theft, more about setting conditions for later interference. Long-term positioning suggests preparation mattered more than immediate gain. 

Starting with compromised Sierra Wireless AirLink devices, hackers gained entry to pipeline operational technology environments during one operation. From there, sensor readings, system setups, and alert mechanisms were pulled - details that might later disrupt functioning processes. Elsewhere, actions tied to Voltzite relied on a network of infected machines scanning exposed energy, defense, and manufacturing systems along with virtual private network hardware. Analysts view such probing as groundwork aimed at eventual breaches. 

One finding highlighted three emerging threat actors. Notably, Sylvanite operates as an access provider - exploiting recently revealed flaws in common business and network-edge systems before passing entry points to Voltzite for further penetration. Following close behind, Azurite displays patterns tied to Chinese-affiliated campaigns, primarily targeting operational technology setups where engineers manage industrial processes; it gathers design schematics, system alerts, and procedural records within heavy industry, power infrastructure, and military-related production environments. 

Meanwhile, a different cluster named Pyroxene surfaced in connection with Iran's digital offensives, using compromised suppliers to breach networks while deploying disruptive actions when global political strain peaks. These developments emerged clearly through recent investigative analysis. Still, Dragos pointed out dangers extending beyond China and Iran. Operations tied to Russia kept challenging systems in power and water sectors. Across various areas, probing efforts focused on industrial equipment left visible online. Even when scans did not lead to verified breaches, their accuracy and reach signaled growing skill. 

The report treated such patterns as signs of advancing tactics. Finding after finding points to an ongoing trend: silent infiltration of vital system networks over extended periods. Instead of causing instant chaos, operations seem built around stealthy placement within core service frameworks, building up danger across nations and sectors alike. Not sudden blows - but slow seepage - defines the growing threat.
Read more »
Subscribe to: Comments (Atom)