Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Illegal Gambling
Confidential Data Cyber Security Data Breach data misuse Data protection data security Google Exploit Google Search History Illegal Gambling

Google Employee Charged After Allegedly Using Confidential Search Data to Win $1.2 Million on Polymarket

 

A person working at Google stands charged with misusing private internal data to make winning predictions online - profits reportedly surpassing $1.2 million. In Manhattan, federal authorities say access to unreleased insights about what people search was leveraged improperly; outcomes linked directly to Google's own ranking movements. While performing regular job duties, the individual allegedly monitored patterns not meant for public view, then applied that knowledge elsewhere. Bets placed on future trends were informed by information obtained through employment. 

The case centers on whether insider awareness crossed into illegal territory when used outside corporate boundaries. Though common tools were involved, their application in forecasting events raised legal concerns. What began as routine work activity appears to have branched into personal financial gain. Investigators emphasize timing and access as critical elements under review. Working at Google as an information security engineer, Michele Spagnuolo reportedly gained access to user interaction logs tied to search activity. With such access came the ability - allegedly - to observe patterns others could not. 

From there, it is claimed he placed multiple wagers on Polymarket, where event-based predictions are monetized. The charges stem from a federal filing stating those trades relied on nonpublic insights. Though meant to remain confidential, the data supposedly guided his entries on the betting site. Each transaction appears linked to specific shifts in public interest tracked internally at Google. What followed was scrutiny when usage anomalies matched his market moves. It is claimed by investigators that Spagnuolo leveraged private data on Google searches to forecast movements tied to the company's yearly ranking releases. 

Because he had clearance to sensitive corporate details, prosecutors argue, he was aware of outcomes ahead of official announcements. With such insight came an edge - bets were made under conditions most market participants could not replicate. His position reportedly created opportunities far beyond what typical traders experience. Later came confirmation - Google's 2025 search data showed D4vd ranked highest by public interest. That result lined up exactly with a gamble made earlier under the alias "AlphaRaccoon." The bet had favored musician D4vd despite slim odds offered on prediction platforms. Authorities now connect Spagnuolo to that username. Before the list dropped, few expected such an outcome. Profits surged after the official release. 

Unlikely forecasts sometimes pay off, especially when timing aligns. Funds from successful trades reportedly added up to about $1..2 million, according to federal authorities. Following the influx of money, Spagnuolo began altering records - shifting details around - to mask who really controlled the accounts. Behind these actions lay an attempt, officials claim, to cover up improper use of confidential data. Prosecutors filed charges over commodities fraud, followed by wire fraud, along with money laundering accusations. 

Held in New York, Spagnuolo - an Italian national - gained release after posting a $2.25 million bond backed not only by cash but also by additional financial assurances as legal proceedings continue. When questioned about the claims, Google mentioned working alongside law enforcement. While workers may access certain internal systems normally, turning private data into gambling material crosses clear policy lines, according to the firm. 

Following review procedures, the individual involved was temporarily removed from duties until outcomes are determined. Two big court cases this year in New York target Polymarket, showing growing scrutiny. Behind the scenes, officials are digging into ways secret data might sway betting odds on forecasts. Questions grow about whether stronger rules should block insiders from exploiting these platforms. What happens next could reshape how such markets operate under watch.
Read more »
US
Ads Chrome Digital Ads Google Location Privacy Tech US

Hackers Use Phone Location Data to Attack US Military Personnel

Hackers Use Phone Location Data to Attack US Military Personnel

Threat actors are targeting U.S. military personnel deployed in active war zones, exploiting commercially available location data. 

This shows how the global surveillance economy (digital targeted advertising) affects battlefield security. 

Location data exposing military location

The US Central Command (Centcom) confirmed this attack and said, "multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater."

Details about the incident

This alarming development was shared with Reuters by Senator Ron Wyden, but no particular detail about the incident was offered. 

But Centcom’s operation area consists of the Gulf, where the US forces are at war with the Iranian military. This is the first time that US forces have confirmed it is being targeted in an active war zone with the help of digital ads that are exposing location data. 

Officials’ statements

According to Pentagon and the US lawmakers, “"commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, and for counterintelligence."

Lawmakers warned that "commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, and for counterintelligence."

The risk of digital advertising targeting in wars

Senator Wyden has warned that it is time to “"start treating the adtech industry as a national security threat." 
The problem has again exposed the underlying privacy threats concerning location data, which is the foundation of digital advertising.

The Pentagon did not return messages seeking comment, and lawmakers' efforts to obtain more information from military officials about the targeting reports.

Attack tactic

The location data is retrieved by apps through smartphones or service providers. For instance, a third-party sometimes collects the data which is sold on the web for advertising purposes.

The privacy threats of selling personal location data is not new. In 2016, a US defense contract bought commercially available location data to trace special ops forces from their domestic bases to a private staging post in Syria, according to a Wall Street Journal (WSJ) report. 

Recently, reporters from two German news outlets and the Wired used billions of coordinates from a data broker to leak detailed locations of individuals near eleven US military sites in Germany. 

The US lawmakers wrote a letter to the Pentagon which argued that military officials should act faster to protect military personnel, as their location is sometimes exposed due to the complex location data trade market.

The US lawmakers have suggested to:
  1. Disable location sharing on field smartphones
  2. Shifting military staff away from Google Chrome in favour of privacy focused browsers.
  3. Turn off digital advertising on military devices.

The impact

Advertising groups such as the Association of National Advertisers and the Interactive Advertising Bureau have not responded to any questions or comments.

North Carolina Republican and former U.S. Army Special Forces officer, representative Pat Harrigan, co-signed the letter, saying that browsers such as Google Chrome “are built from the ground up to collect and share user data. every day they remain on government-issued devices is another day we are handing our adversaries a weapon against our own troops.”

Responding to the statement, Google said that its browser has “industry-leading security" and has "long advocated for stronger rules and safeguards against data brokers."
Read more »
User Data
Carnival Cruise Data Breach Data Privacy Unauthorised Access User Data

Carnival Confirms Breach Affecting Nearly 6 Million Travelers

 

Carnival Cruise has confirmed a significant data breach that affected nearly 6 million people, exposing a wide range of personal information after attackers gained access to part of its IT systems through social engineering. The company began notifying 5,995,277 customers after investigating unauthorized activity tied to an employee account and later determined that personal data had been copied. 

The breach reportedly began on April 10, 2026, and by April 14 Carnival’s security team had identified suspicious access involving an employee account. According to the company, an attacker tricked an employee into granting access to a limited portion of its system, which allowed the intruder to move inside the network long enough to steal files before the activity was blocked. Carnival said it brought in outside security experts and started a formal investigation immediately after the incident was detected.

The data believed to have been exposed includes names, dates of birth, email addresses, genders, geographic locations, and loyalty program information linked to Carnival’s cruise brands. Reporting also suggests that some records may contain more sensitive identifiers such as government-issued ID numbers, passports, or driver’s license details, depending on the affected person. Have I Been Pwned said the leaked material appeared to relate to the Mariner Society loyalty program run by Holland America, a Carnival brand. 

The ShinyHunters extortion group claimed responsibility for the attack and said it had obtained millions of records, along with internal corporate data. While Carnival has not publicly confirmed the group’s claim, the scale of the incident and the types of information exposed make it especially serious because the stolen details could be used for identity theft, account takeover, or highly targeted phishing. The breach also follows earlier security incidents at Carnival, adding to concerns about the company’s handling of sensitive customer data. 

For affected travelers, the most immediate risk is that criminals could use the stolen information to impersonate Carnival or other travel companies in convincing scams. Customers should be alert for messages asking them to reset passwords, confirm bookings, or share documents, because those requests may be based on real personal details from the breach. Security experts generally advise changing account passwords, enabling multi-factor authentication, and monitoring financial and travel accounts closely after incidents like this.
Read more »
Ransomware Protection
Attack Disruption Automatic Device Isolation Cyber Security Cyber Threat Detection Endpoint security Microsoft Defender Microsoft Defender XDR Ransomware Protection

Microsoft Adds Automated Endpoint Isolation to Strengthen Cyber Defense


Microsoft is advancing its automated cyber defence strategy with the release of Microsoft Defender for Endpoints, which is capable of isolating compromised devices as soon as malicious activity is detected. 


The feature was introduced as a preview and has been designed to curb the most damaging stage of an intrusion by preventing endpoints from connecting to the broader corporate network while maintaining a secure connection to Microsoft's Defender service. By integrating this capability into the automatic attack disruption framework, the company hopes to accelerate containment, reduce the attacker's operating window, and provide security teams with valuable time for investigation and remediation during the critical early moments of a breach without relying solely on manual interventions. 

In spite of Microsoft's assertion that automated response systems can be deployed quickly in the event of active intrusions, security researchers caution that they must be implemented with carefully defined safeguards. Microsoft introduced the feature earlier this month as part of ongoing enhancements to Microsoft Defender, though a timeline for general availability has not yet been provided. 

In addition, a recent SANS Institute report outlined a potential risk scenario in which threat actors could manipulate automated disruption workflows to interfere with administrator accounts, potentially resulting in difficulties during incident response. According to Johannes Ullrich, Dean of Research at SANS Institute, automated isolation and attack disruption technologies have existed in both commercial and open-source security platforms for years, yet their effectiveness relies heavily on how they are configured and tuned. 

As Ullrich points out, organizations with limited security resources will significantly benefit from automated containment, however poorly configured policies may allow attackers to delay remediation by targeting privileged accounts, leading to delayed remediation. Nonetheless, industry experts agree that automation has become increasingly important as ransomware and malware operations continue to execute at machine speed. 

According to Robert Enderle, when a human analyst detects malicious activity, adversaries might have already established persistence, expanded their foothold, or begun encryption of data by the time he identifies it. Through the introduction of the new capability, Microsoft Defender XDR addresses this gap by automatically isolating workstations that are subject to ransomware or advanced intrusion activity upon detection of high-confidence indicators. 

While the network access is severed to prevent command-and-control communications, lateral movement, and data exfiltration, the endpoint is still connected to Microsoft Defender services, which enables continuous telemetry collection, remote investigation, and forensic analysis. The functionality is currently restricted to managed devices enrolled in Microsoft Defender for Endpoint and does not yet extend to servers or unmanaged assets. 

In addition to integrating signals from endpoints, identities, email environments, and SaaS applications, Defender XDR creates a comprehensive incident view by correlating signals across these technologies to trigger containment actions when malicious activity reaches a certain level of confidence. 

With a focus on isolated devices rather than wider network segments, the platform aims to contain threats with minimal operational impact, while reducing the potential for ransomware to spread throughout an organisation. In addition to operational safeguards built into the feature, Microsoft has also implemented measures to ensure that aggressive containment measures do not disrupt business operations in an unnecessary manner.

At present, only end-user workstations that have been onboarded through Microsoft Defender for Endpoint are capable of automatic isolation, with security teams remaining in control of remediation decisions once investigations are completed and threats have been mitigated.

Defender portal administrators have immediate control over recovery actions, as they can release devices directly from the Device Inventory or through the individual device management page. This latest development is a continuation of Microsoft's ongoing commitment to endpoint containment, a strategy that has steadily grown over the past several years. 

By June 2022, Defender introduced manual containment capabilities for unmanaged Windows devices, enabling administrators to prevent inbound and outbound communication from Defender-protected endpoints that are compromised. In early 2023, support for isolating onboarded Linux devices began testing, and general availability was expected later that year. 

The Microsoft Corporation has subsequently extended its automatic attack disruption framework to include user account isolation, a measure aimed at preventing lateral movement during the exploitation of hands-on-keyboard ransomware attacks. As part of an ongoing evaluation of Defender for Endpoint enhancements, the company is currently testing automatic traffic blocking for previously undiscovered Windows devices, thereby reducing the possibility of attackers pivoting to unprotected devices within a network. 

The Microsoft company has also provided an overview of scheduled antivirus scanning for Linux-onboarded systems, in addition to these containment-focused developments. Administrators can schedule quick or full scans recurring through the Defender portal, managed JSON configurations, or command-line controls, with options for low-priority execution, idle-time scheduling, and randomised scans. 

Providing flexibility through automated recovery, administrator-driven release controls, exclusion policies for business-critical assets, and targeted containment logic that isolates only systems that are directly associated with malicious activity is a major component of the new automated isolation framework. 

Throughout the Microsoft Defender portal, all isolations, restorations, and response actions are recorded, and security teams can review detailed event timelines, trigger detections, and automated remediation activities through centralised investigation and action management interfaces. 

In a world where speed of detection is no longer sufficient without equally rapid containment, Microsoft's latest move highlights a broader shift in enterprise security. With threat actors increasingly automating intrusion, ransomware deployment, and lateral movement, organisations are increasingly relying on security platforms capable of determining the appropriate response in real time based on their high level of confidence.

However, the effectiveness of such automation ultimately relies upon its careful implementation, ongoing validation, and clearly defined operational safeguards. The challenge for defenders is not simply adopting autonomous security capabilities, but also ensuring they remain accurate, transparent, and aligned with corporate objectives. Success in cyber resilience is determined by finding the right balance between speed and control.
Read more »
SafeBreach
Android Data Breach Gemini Google notifications SafeBreach

Researchers Show How Android Notifications Could Be Used to Manipulate Google Gemini

 





Security researchers have disclosed a now-remediated flaw that could have allowed specially crafted notifications from common messaging and social networking applications to influence the behavior of Google Gemini on Android devices.

The research was conducted by SafeBreach researcher Or Yair, who found that Gemini's ability to access and process notifications could be abused to deliver hidden instructions through otherwise legitimate messages. According to the findings, the technique did not rely on malware or a rogue application being installed on a target device. Instead, any service capable of sending a notification, including WhatsApp, Slack, Signal, Instagram, Messenger, or SMS, could potentially be used to deliver malicious content.

The study builds on SafeBreach's earlier "Invitation Is All You Need" research, which demonstrated how malicious Google Calendar invitations could manipulate Gemini through indirect prompt injection. Following that disclosure, Google introduced new safeguards designed to prevent external content from influencing sensitive actions. Yair's latest work examined whether similar manipulation could still occur through a different source of user data.

At the center of the issue was Gemini's Utilities feature on Android. The functionality allows the assistant to read, manage, and respond to notifications from connected applications. Researchers found that under certain circumstances, notification text could be interpreted not only as information but also as instructions that influenced the assistant's responses and actions.

Because the feature is available on Android devices and not through Gemini's web version or iOS implementation, the attack scenario was limited to Android users who had granted Gemini access to notifications.

According to SafeBreach, the number of potential entry points was unusually large because notifications can originate from countless applications and online services. This meant attackers would not necessarily need direct access to a device. Delivering a crafted notification could be sufficient to introduce malicious instructions into Gemini's processing workflow.

One of the simpler demonstrations involved altering the information Gemini presented to users. Researchers showed that manipulated notifications could cause the assistant to relay fabricated messages while making them appear to originate from legitimate contacts. In some scenarios, Gemini could process real notifications first and then attribute attacker-controlled content to an actual sender already present in the notification queue.

The researchers noted that this type of deception could be particularly effective when users interact with Gemini through voice. For example, someone driving a vehicle may hear a message that appears to come from a manager, colleague, or trusted contact and have little opportunity to verify the information displayed on the screen.

The research also examined Google's post-Calendar security protections. According to Yair, Gemini included mechanisms intended to prevent sensitive actions from being triggered without proper authorization. These checks evaluated both the user's response and the assistant's preceding output to determine whether a requested action was consistent with the conversation.

During testing, direct attempts to inject hidden commands were repeatedly blocked. To overcome these restrictions, Yair developed a technique called "Fake Context Alignment," which sought to make a user's approval appear valid to Gemini's authorization system while obscuring the true request from the user.

One variation involved displaying a sensitive authorization prompt in a language unfamiliar to the victim. Researchers used an example where a request such as "Do you want to open the window?" appeared in Chinese while a harmless English-language question followed. If the user responded with "Yes," Gemini could potentially associate that response with the hidden authorization request rather than the visible conversation.

A second technique relied on differences between information displayed on-screen and information spoken aloud by Gemini's text-to-speech system. Researchers found that certain hidden content embedded within hyperlinks might not be read aloud. In a demonstration, the visible interface contained a sensitive authorization request while the spoken response presented a routine message, increasing the likelihood that a user would unknowingly approve an action.

SafeBreach reported that combining these techniques increased the chances of bypassing the authorization safeguards that Google had introduced after the earlier Calendar-based attack research.

Once authorization was obtained, the researchers demonstrated several potential outcomes. Through integrations with Google Home, Gemini could interact with connected smart-home devices, including windows, lighting systems, and boilers. Additional demonstrations involved opening websites that could expose a user's approximate location through IP address information or trigger file downloads.

The research also explored interactions with third-party applications. In one proof-of-concept scenario, Gemini followed a trusted web address that later redirected to a Zoom link, resulting in the device joining an online meeting. SafeBreach emphasized that this occurred within a controlled testing environment and stated that its own public domain was not configured to redirect users to Zoom. Instead, the redirect was performed through a local test server used during the demonstration.

Researchers additionally identified a persistence mechanism involving Gemini's memory capabilities. Unlike the earlier Calendar-based research, the notification technique enabled the assistant to store attacker-controlled information as long-term memory. In one demonstration, Gemini was persuaded to remember an incorrect name for the user. Because memory is associated with a Google account rather than a single device, inaccurate information could potentially appear wherever that account later accessed Gemini.

The study also demonstrated the creation of recurring automated tasks. Researchers showed that instructions could potentially be scheduled to execute repeatedly, including examples involving regular access to recent messages at specific times.

SafeBreach disclosed the findings to Google's Vulnerability Reward Program on August 17, 2025. Google classified the report as a high-priority issue and later confirmed that changes to its content-classification systems mitigated both the notification-based prompt injection technique and the related authorization bypass method. The company confirmed the remediation on November 14, 2025.

No CVE identifier was assigned to the issue, and SafeBreach stated that it found no evidence indicating the technique had been exploited in real-world attacks before the fixes were implemented.

Because Google's mitigation was deployed through server-side updates, users did not need to install a software update to receive protection. However, individuals seeking additional safeguards can restrict Gemini's access to notifications by disabling the Utilities feature through Connected Apps settings or by revoking the Google app's notification-reading permissions on Android.

The findings provide another example of the security challenges that emerge as AI assistants gain access to messages, notifications, calendars, and connected services. As these systems become increasingly capable of performing actions on behalf of users, researchers continue to examine how external content can influence AI-driven decision-making and whether existing safeguards are sufficient to prevent misuse.

Read more »
Ethical Hacking
AI cybersecurity AI Hacking AI Systems AI Tool AI-powered hacking Cyber Security ethical AI Ethical Hacking

AI Cybersecurity Tools Raise Questions About the Future of Ethical Hacking Competitions

 

Surprisingly, artificial intelligence is changing cybersecurity faster than expected. Some elite ethical hackers now wonder whether human-driven hacking contests will stay relevant much longer. Momentum built around this idea when someone prominent at Pwn2Own this year pointed to advanced AI systems possibly surpassing numerous expert analysts. Performance gaps might widen as these tools grow stronger. 

Among those who took part in Berlin’s yearly Pwn2own contest, Valentina Palmiotti stood out - not just by name but by result. Though many go by handles online, she competes under the tag “Chompie,” a nickname familiar across security circles. Success came her way more than others’, marking her top among solo entrants. Instead of waiting for flaws to be misused, the event encourages finding hidden bugs first. Rewards follow when researchers expose weaknesses in digital tools that were not yet public knowledge. 

This year’s competition handed out close to $1..3 million for spotting 47 previously unknown weaknesses in various software and systems. Because researchers shared the details with makers first, fixes arrived ahead of potential exploitation. Midway through the event, Chompie exposed weaknesses across several platforms - some tied to Nvidia - securing significant rewards. Her method? Endless stretches of probing flaws, something she laughed about calling "zombie hacker mode," where nights blurred into days thanks to sheer persistence and concentration. 

Though today's AI tools speed up code analysis and threat detection, Chompie sees a shift on the horizon. Her view: present systems boost efficiency, yet future versions may make several classic roles obsolete. What now requires teams might soon run on smarter algorithms alone. Nowhere has scrutiny been more intense than around Claude Mythos, a powerful AI said to detect vast quantities of software weaknesses. The creators state it has uncovered countless security issues spanning many applications. Because of risks tied to abuse, only certain government bodies and cyber defense groups are allowed to use it. Access remains tightly controlled amid ongoing debate. Some scientists see things differently. 

A top Pwn2-Owned champion, Orange Tsai of Taiwan, treats artificial intelligence as a helpful tool instead of a substitute for people's knowledge. Because it speeds up testing, new approaches get checked faster - this means more attacks can be studied quickly. Still, originality, gut instinct, and sideways leaps in logic stay within human reach only; these traits often spot flaws machines miss. Though tech advances, certain mental moves resist automation. 

Though artificial intelligence is advancing, hackers now employ automation more often to speed up tasks like scanning networks, crafting phishing messages, or building malicious software. Yet a large number of breaches continue depending on older methods - manipulating people or stealing login details - instead of exploiting cutting-edge flaws. 

Even with worries over automation, some specialists think artificial intelligence might boost digital defense by spotting flaws more quickly than hackers can act. Because systems evolve fast, teams protecting networks may rely on smart tools to stay ahead - provided those resources are used carefully and shared wisely.
Read more »
Malware attacks
Cyber Attacks GTA 6 GTA 6 Scams malware Malware attacks

GTA 6 Pre-Order Hype Triggers Wave of Scams and Malware Attacks on Fans

 

The excitement around Grand Theft Auto 6 is creating a fresh opportunity for online scammers and hackers. As users search for pre-order news, fake offers are beginning to appear across websites, social platforms, and shady download pages, all designed to steal money or personal data. Mashable reports that the hype has already become a magnet for criminal activity, especially as rumors about pre-orders spread and players rush to secure a copy early. 

One of the biggest dangers is the rise of fake pre-order listings. Cybercriminals are posting bogus sales pages that promise early access, special bonuses, or limited-edition copies, even though official pre-orders have not been widely launched yet. Some of these scams try to look legitimate by copying retailer branding or using familiar game-related language, but they often ask for payment details, email addresses, or account logins before any real product exists. 

Security researchers have also found more aggressive threats tied to GTA 6 enthusiasm. According to NordVPN-related reporting, attackers are using fake beta-test invitations, malware-laced installers, cloned Android apps, and phishing pages that imitate Rockstar Social Club login screens. In some cases, these files are not games at all but tools for stealing credentials, tracking victims, or pushing adware and subscription traps. That means the risk is not just losing money; it can also involve infected devices and compromised accounts. 

Safety tips 

The clearest defense is to wait for official announcements from Rockstar and major retailers such as PlayStation, Xbox, Best Buy, Walmart, Amazon, or the Rockstar Store before paying for anything. Third-party sellers claiming to have pre-orders, beta keys, or early access are a major red flag, especially if they ask for payment before Rockstar has confirmed availability. If a page offers a price that seems random, a download that sounds too early, or a “verification” step that leads to more forms or apps, it is best to leave immediately. 

For users, the best rule is simple: excitement should not replace caution. Check the source, avoid unofficial links, and never install files or enter passwords from unverified GTA 6 pages. Until the real pre-order window opens, patience is safer than chasing a deal that could end in theft, malware, or both.
Read more »
WannaCry ransomware
cybersecurity leaks EternalBlue NotPetya attack NSA hacking tools Shadow Brokers Vulnerabilities and Exploits WannaCry ransomware

Shadow Brokers Mystery Remains One of Cybersecurity’s Biggest Unsolved Cases

 

dThe world of cybersecurity has witnessed countless data breaches and hacking incidents over the years, many of which remain unresolved despite extensive investigations. While several notorious cybercriminal groups and state-backed hacking operations have eventually been exposed, some of the most significant cyber mysteries continue to puzzle experts.

Among these unsolved cases, few are as intriguing as the story of the Shadow Brokers — a mysterious online group that shocked the cybersecurity community by releasing a cache of advanced hacking tools allegedly linked to the U.S. National Security Agency (NSA) before disappearing without a trace.

The group first emerged in the summer of 2016, a period already marked by heightened attention on cyberattacks connected to the U.S. presidential election. Shadow Brokers appeared on Twitter and directed users to a Pastebin post, tagging several media organizations in the process. However, the unusual method of communication meant many of those outlets likely never noticed the messages.

Those who followed the link encountered a document titled “Equation Group Cyber Weapons Auction — Invitation,” referring to the Equation Group, a sophisticated cyber operation widely believed to be associated with the NSA.

In the announcement, the hackers wrote, “!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies’ cyber weapons?” They claimed to have breached the Equation Group and offered access to stolen cyber tools. The post included downloadable samples along with an encrypted archive that could supposedly be unlocked by the highest bidder.

Promoting the contents, the group stated, “Auction files better than Stuxnet,” referencing the malware deployed against Iranian nuclear facilities during a joint U.S.-Israeli cyber operation in 2007. The hackers demanded bids of at least one million Bitcoin.

The leak rapidly drew global attention. As cybersecurity experts examined the released tools, many concluded that the software was exceptionally advanced and likely originated from the NSA. This belief strengthened when researchers noticed similarities between the leaked tools and programs previously revealed through disclosures by former NSA contractor Edward Snowden.

Over time, it became apparent that the auction itself may never have been intended as a genuine sale. Months later, the Shadow Brokers publicly released many of the tools without receiving the requested payment. Their behavior often appeared contradictory. The group’s unusual and frequently broken English raised questions about whether they were deliberately disguising their identity or attempting to mislead investigators.

Despite attracting widespread media coverage, the group remained remarkably elusive. They communicated with journalists only once, granting a brief interview to Joseph Cox, now of 404 Media, during his tenure at VICE Motherboard. A decade later, the true identities behind the Shadow Brokers remain unknown.

At the time, journalists and researchers consulted former NSA personnel, some of whom speculated that a current or former agency insider could have played a role. Yet no individual has ever been formally charged for carrying out one of the most damaging intelligence-related cyber leaks in U.S. history.

One frequently discussed suspect was Harold T. Martin III, an NSA contractor arrested for removing classified materials from the agency. However, investigators faced a significant challenge with that theory: Shadow Brokers continued posting online after Martin had already been taken into custody. As a result, he has never been officially linked to the leaks through criminal charges.

A more widely accepted explanation among analysts suggests that the Shadow Brokers may have been a front created by a Russian intelligence operation designed to influence public perception and advance strategic objectives.

The consequences of the leak were profound. Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems, move laterally across networks, and spread malware automatically. Because zero-day vulnerabilities are unknown to software developers, they often remain unpatched and highly dangerous until discovered.

The leaked EternalBlue exploit later became the foundation for some of the most destructive cyberattacks ever recorded. North Korean hackers used it in the WannaCry ransomware outbreak, while Russian operators incorporated it into the NotPetya malware campaign. Although initially aimed at targets in Ukraine, NotPetya spread globally and is estimated to have caused around $10 billion in economic losses.

For organizations worldwide, the incident underscored a critical cybersecurity lesson: vulnerabilities stockpiled by intelligence agencies can eventually escape into the public domain, creating enormous risks for businesses and governments alike.

Even years later, researchers continue uncovering new insights from the leaked materials. One tool contained a list of project names, including an entry called Fast16 that carried the unusual note, “NOTHING TO SEE HERE — CARRY ON.”

Last month, cybersecurity researchers announced that they had successfully located and analyzed the project. Their investigation uncovered malware dating back to 2005 that was reportedly designed to manipulate software believed to be used by Iranian nuclear scientists, demonstrating that the Shadow Brokers leak continues to reveal new chapters in cyber espionage history.


Read more »
Phishing
AI Bug Cloud Cyber Attacks Data KnowledgeDeliver Phishing

Hackers Exploit KnowledgeDeliver Bug to Install Web Shells


Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS to install the Godzilla. The bug is a deserialization problem tracked as CVE-2026-5426 and can be abused without verification. It originates from the use of “shared hardcoded machine key in the web portal configuration,” said Bleeping Computer, throughout all KnowledgeDeliver consumer deployments. 

Deserialization of ViewState

Hackers found the stolen machine key and used it in ViewState deserialization campaigns to sign infected ViewState payloads and launch remote code execution (RCE) at the OS level. 

In 2025, Mandiant responded to a campaign on a KnowledgeDeliver server and said that in the beginning, the bug was abused as a zero-day to deploy a compromised script into the web platform.

Attack tactic

The compromise was also possible as threat actors used “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the experts said. 

According to Mandiant, “KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.”

Experts said that the code on the platform lured users to download a malicious installer, which compromised the machine with a Cobalt Strike beacon by deploying a backdoor. 

The encrypted payload used a key “that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant report said.

Similar attacks in 2025

In August last year, experts from ASEC also disclosed that Godzilla was planted in ASP.NET environments in ViewState deserialization attacks against firms in the finance industry.

Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.

Hackers targeting unsecured machines

In recent years, threat actors are increasingly exploiting unsafe  machine keys in Viewstate deserialization attacks against web platforms for a few products.

Threat actors utilized a hardcoded machine key in March of last year to create a malicious payload that gave them access to Gladinet CenterStack's secure file-sharing servers.

After obtaining the machine key to generate signed malicious ViewState payloads, hackers gained access to 85 Microsoft SharePoint systems in July 2025.

Additionally, state-sponsored actors utilized ViewState deserialization assaults to install WeepSteel, a spying tool that revealed the ASP.NET machine key on Sitecore servers.

Read more »
Vulnerability Management
AI-Assisted Exploitation Attack Surface Management CERT-In Blueprint cyber resilience Cyber Security Exposure Management Security Automation Threat Detection Vulnerability Management

The Growing Threat of AI-Driven Exploitation in Vulnerability Management


 

In vulnerability management programs, it has been assumed that defenders will have adequate time to evaluate newly disclosed flaws, prioritize remediation efforts, and deploy patches prior to large-scale exploitations occurring. This assumption is rapidly becoming obsolete. Artificial intelligence is increasingly being utilized by threat actors to compress every stage of the attack lifecycle from vulnerability discovery to proof-of-concept to automated weaponizing to mass exploitation.

Organizations are finding themselves caught between escalating pressures to patch faster and the operational realities of maintaining critical systems while exploitation timelines continue to shrink. 

A security team's challenge is no longer just identifying vulnerabilities, but managing risks in an environment in which attackers can quickly progress from disclosure to exploitation within hours, often faster than traditional remediation mechanisms can respond. The scope of this challenge is becoming increasingly difficult to ignore. 

Even though patch management remains a fundamental security control, the increasing volume of vulnerabilities being discovered is forcing IT organizations to acknowledge the limitations of relying solely on remediation speed to prevent security breaches. 

When Anthropic reported, in May 2026, that Project Glasswing, in collaboration with nearly 50 industry partners, utilized Claude Mythos Preview to uncover more than 10,000 critical- and high-severity vulnerabilities in widely used and systemically important software within a single month through its use of Claude Mythos Preview, a tool developed by Claude Mythos. 

Several internal research programs are confirming similar outcomes, demonstrating how artificial intelligence is allowing security flaws to be identified and validated at a much faster rate, despite the fact that this shift is not limited to defenders and software vendors. In addition to simplifying vulnerability analysis and rapidly reproducing revealed vulnerabilities, threat actors are able to reduce the time it takes to operational exploitation by utilizing the same AI-driven capabilities. Thus, security imbalances are no longer solely determined by patching delays, but rather by the unprecedented speed with which both legitimate researchers and adversaries can utilize newly discovered weaknesses to accomplish their objectives. 

The growing concern is also beginning to shape national cybersecurity strategy. CERT-In recently released its Blueprint on Reducing Exposure and Protecting Digital Infrastructure against Artificial Intelligence-Assisted Vulnerabilities Exploitation, which recognizes that Artificial Intelligence fundamentally alters the economics and speed of cyber operations.

Specifically, the guidance discusses how artificial intelligence is facilitating adversaries' identification and weaponization of vulnerabilities, exposed internet-facing services, insecure APIs, weak identity controls, misconfigurations, and software supply chain vulnerabilities in an increasingly interconnected enterprise environment by identifying and weaponizing vulnerabilities.

As AI-assisted attacks accelerate multiple stages of the cyber kill chain, including reconnaissance and exploitation, lateral movement, and data exfiltration, CERT-In indicates, traditional security models are becoming increasingly difficult to maintain in response. 

According to the framework, continuous exposure management, adaptive defense mechanisms, and resilience-driven cybersecurity operations should be replaced by periodic assessments and reactive remediation. This blueprint advocates the implementation of AI-enabled, intelligence-led security programs that are capable of continuously validating defenses across stakeholders, endpoints, networks, applications, cloud platforms, operational technology environments, and evolving AI systems. 

As part of the strategy, the company places significant emphasis on strengthening governance, ensuring executive accountability, providing proactive threat hunting, ensuring incident response readiness, and reducing exposure by enhancing attack surface management and continuing security validation. 

Additionally, CERT-In emphasizes the importance of securing software supply chains, cloud ecosystems, artificial intelligence models, and third-party dependencies as a result of ongoing assurance activities such as audits, adversarial testing, red teaming, and independent assessments.

Further, the guidance emphasizes that effective defense against AI-based exploitation will require more than just technical measures, but also coordinated threat intelligence sharing, collaborative response efforts, and sustained cooperation between organizations, cybersecurity communities, and national cyber authorities. There are, however, practical limitations in eliminating risk at the speed modern threats require that go beyond identifying risk. 

The exploitation timeline has steadily contracted for years, but artificial intelligence adoption is increasing this trend to the point where newly disclosed vulnerabilities can attract active exploitation attempts within hours of public disclosure due to its increasing adoption. As attackers increasingly utilize automated workflows and highly scalable workflows, remediation processes continue to be hampered by business continuity requirements, testing cycles, change management procedures, regulatory requirements, and the complexity of modern enterprise environments. 

Across the industry, this disparity has become increasingly pronounced. The Verizon Data Breach Investigations Report 2026 (DBIR) indicates that the median remediation time for critical vulnerabilities increased from 32 days to 43 days over the past three years, illustrating the growing gap between organization response capability and exploitation speed. 

With regulators such as CERT-In advocating more aggressive remediation timelines for critical vulnerabilities as well as sub-day patching expectations, security leaders are faced with balancing the need for urgency with the needs of operational stability. The emerging reality is that some vulnerabilities will inevitably be targeted prior to the completion of full remediation. 

The effectiveness of cyber defense cannot be solely assessed by the pace at which patches are deployed, but also by an organization's ability to limit exposure, contain exploitation opportunities, and maintain resilience during the period between vulnerability disclosures and remediation. As a result, automation is increasingly becoming regarded as a prerequisite rather than an enhancement to modern security operations against this backdrop. 

CERT-In focuses its efforts on continuous monitoring, verification, and adaptive defense, reflecting a broader industry recognition that manual security workflows cannot cope with the scale and velocity of AI-driven threats. Ruvala commented that traditional operating models based on human analysis and response are becoming increasingly unsustainable as security teams contend with an expanding attack surface, growing number of vulnerabilities, and a constant flow of alerts and telemetry generated across distributed environments. 

It is no longer feasible for security events to be manually investigated and prioritized under such circumstances. The use of artificial intelligence-enabled security platforms is therefore being increased for the purpose of accelerating threat detection, coordinating activities between disparate systems, automating investigative processes, and determining the priority of remediation efforts based on real-time risk exposure. 

In light of adversaries' use of artificial intelligence to accelerate reconnaissance, vulnerability identification, and active exploitation, these capabilities are becoming increasingly important. To achieve better response effectiveness at scale, Ruvala believes the industry is shifting toward platform-centric, increasingly autonomous Security Operations Center (SOC) models with artificial intelligence, automation, and unified visibility.

Unless these levels of operational augmentation are in place, most organizations will remain challenged to meet the rapid remediation and response timeframes now expected by regulators, business leaders, and threat realities alike. Increasingly, artificial intelligence is becoming increasingly influential when it comes to vulnerability discovery and exploitation, reshaping long-held assumptions about cyber security. 

As the gap between vulnerabilities being disclosed and actively exploited narrows, organizations are being forced to acknowledge that remediation alone is no longer sufficient to protect against malicious attacks. As threats evolve rapidly, the challenge is not simply responding faster, but developing security programs that continuously identify vulnerabilities, validate controls, prioritize risks, and adapt accordingly. 

As adversaries and defenders have increasingly powerful AI capabilities available, the ability of organizations to effectively combat the next generation of cyber threats will be determined by resilience, visibility, and operational agility.
Read more »
Windows driver
API BYOVD Attack Cyber Security Lenovo Windows driver

Signed Lenovo Driver Could Be Misused to Shut Down Security Software, Researcher Warns

 


A security researcher has uncovered a weakness in a Lenovo-signed Windows driver that could allow attackers to disable antivirus and endpoint security tools, potentially weakening a system's defenses before carrying out additional malicious activity.

The finding involves BootRepair.sys, a driver linked to Lenovo PC Manager. According to research conducted by security researcher Jehad Abudagga, the driver contains functionality that can be exploited to terminate processes directly from the Windows kernel. Because the file is legitimately signed by Lenovo, it may appear trustworthy to operating systems and security products that rely on digital signatures when evaluating software.

At the time of the analysis, the driver, identified by the SHA-256 hash 5ab36c116767eaae53a466fbc2dae7cfd608ed77721f65e83312037fbd57c946, reportedly had no detections on VirusTotal. Security researchers note that attackers often favor signed and seemingly legitimate software components because they can help malicious activity blend into normal system operations.

The research surfaces the growing nature of this particular attack technique known as Bring Your Own Vulnerable Driver, or BYOVD. In these attacks, threat actors deliberately use trusted but flawed drivers to gain elevated capabilities inside a system. Rather than exploiting security software directly, attackers abuse weaknesses in legitimate drivers to bypass protections and interfere with defensive tools.

A detailed examination of BootRepair.sys revealed several security weaknesses. The driver creates a device object called "\Device\::BootRepair" without applying a secure discretionary access control list (DACL). In practical terms, this means users with limited privileges may still be able to communicate with the driver.

The driver also creates a symbolic link named "\DosDevices\BootRepair," making the functionality accessible from user-mode applications. Researchers further found that the driver does not perform access-control validation when processing IRP_MJ_CREATE requests. As a result, any user can potentially obtain a handle to the driver without undergoing meaningful permission checks.

Analysis of the driver's input and output control functionality identified a single exposed IOCTL code, 0x222014. This control code accepts a four-byte input buffer that contains a process identifier, commonly referred to as a PID. Once received, the PID is passed to an internal routine responsible for terminating the specified process.

The underlying mechanism relies on the Windows kernel function ZwTerminateProcess. Because the operation is performed in kernel mode, the driver can terminate processes that would ordinarily be protected from interference. This includes security-sensitive services and endpoint protection products that are designed to prevent unauthorized shutdown attempts.

According to the research, these weaknesses create two primary attack opportunities. If the driver is already installed on a target system, an attacker with limited privileges could interact with it directly and terminate antivirus or endpoint detection and response (EDR) processes. If the driver is not present, an attacker could deploy the signed driver as part of a BYOVD operation, load it into the kernel, disable security controls, and then proceed with post-compromise activities.

In a proof-of-concept demonstration, the researcher showed that even protected processes could be terminated once the driver had been loaded. The test used standard Windows APIs to communicate with the driver. The process involved opening a handle to "\\.\BootRepair," sending a target process identifier through IOCTL code 0x222014, and allowing the driver to terminate the selected process from kernel mode.

The simplicity of the proof-of-concept demonstrates how little effort may be required to exploit the functionality once access to the driver is available. Researchers warn that after security products are disabled, attackers may be able to run credential theft tools, information stealers, or other post-exploitation utilities with a lower likelihood of detection.

The findings also reinforce concerns surrounding BYOVD attacks, which have become increasingly common in ransomware operations and advanced intrusion campaigns. Because vulnerable drivers often carry legitimate digital signatures, they can sometimes evade security controls that place significant trust in signed software.

To reduce exposure, organizations are encouraged to implement Microsoft's vulnerable driver blocklist, monitor systems for unusual driver-loading activity, restrict the installation of unauthorized drivers, and watch for suspicious kernel-level behavior. Security teams should also ensure that endpoint protection platforms are configured to detect attempts to abuse legitimate drivers.

The research serves as another example of how trusted software components can become security liabilities when design weaknesses are present. As attackers continue searching for legitimate tools that can be repurposed for malicious activity, organizations will need stronger controls around driver management, behavioral monitoring, and endpoint visibility to prevent security products from being disabled before an attack fully unfolds.

Read more »
VISA
Cyber Fraud Data Breach sensitive information UK government VISA

UK Visa Application Service Left More Than 100,000 Identity Documents Accessible Online

 




A private visa assistance website used by travelers seeking permission to enter the United Kingdom left a large collection of customer records accessible online, exposing passport copies, identity verification photographs, and location information linked to applicants.

The website, known as UK Visa Portal, offers paid assistance for visa and travel authorization applications. The platform is not operated by the U.K. government, although reports indicate that some users may have mistaken it for an official government service and paid application-related fees through the site instead of using government channels.

The exposure came to light after an individual discovered a security issue affecting the platform and reported it to journalists. According to information shared by the source, the accessible records included more than 100,000 files uploaded by applicants during the visa application process. These files reportedly contained passport images and selfie photographs that users submitted to verify their identities.

Following inquiries from journalists, the exposed data was secured. However, details regarding how long the information remained accessible have not been publicly disclosed.

According to reporting on the incident, the exposed records were stored in an Amazon-hosted cloud storage repository used by UK Visa Portal. While the storage system did not openly display a list of documents to the public, individual files could still be accessed by anyone who possessed the correct web address. The individual who identified the issue stated that a flaw within the website's backend functionality made it possible to view references to files stored in the cloud environment.

Journalists investigating the incident reportedly verified the authenticity of the exposed records by contacting individuals whose documents appeared in the dataset. Those contacted confirmed that the information matched records they had submitted through the platform.

Beyond passport scans and identity photographs, some uploaded images reportedly contained embedded geolocation metadata. This information can be automatically recorded by smartphones and digital cameras when a photograph is taken. In certain cases, the metadata was reportedly detailed enough to reveal the location where the image was captured, including locations associated with applicants' residences.

The exposure of identity documents can create opportunities for fraud and impersonation. Passports, facial images, dates of birth, addresses, and other personal identifiers are frequently used during account verification processes. If obtained by unauthorized parties, such information may be used in attempts to create fraudulent accounts, bypass identity checks, or conduct targeted social engineering operations.

The handling of the incident has also left several questions unanswered. Reports indicate that journalists attempted to notify the company about the security issue but were unable to identify a dedicated vulnerability reporting channel. The website reportedly did not provide public contact information for company executives or security personnel responsible for addressing cybersecurity matters.

After initial contact was made through customer support, a manager was identified as a potential point of contact. However, reports indicate that direct engagement with company management did not occur. Instead, communication later involved representatives from a public relations firm and attorneys from a U.S.-based law firm.

Following publication of the findings, journalists sought additional information regarding the incident, including the length of time the storage repository remained exposed, whether access logs exist, whether any files were downloaded by unauthorized parties, and who oversees cybersecurity operations within the organization. Public answers to those questions have not been released.

The company is reportedly linked to an organization called Active Leadgen LLC, which is described as having connections to the United Arab Emirates. However, independent verification of the ownership structure has not been publicly established.

The incident comes amid increasing reliance on online identity verification systems by governments, financial institutions, and digital service providers. As more organizations require users to submit passports and photographs electronically, the protection of those documents has become a critical responsibility for any company handling sensitive personal information.

Applicants seeking authorization to travel to the United Kingdom are generally advised to confirm that they are using official government services before submitting identity documents or making payments. In most cases, travelers can complete the application process directly through official U.K. government channels without relying on third-party visa assistance platforms.

Read more »
Signal Jamming
Cyber Security Defence Secretary RAF Jet Russian Border Signal Jamming

RAF Jet Carrying UK Defence Secretary John Healey Has Signal Jammed Near Russia Border

 

An RAF jet carrying UK Defence Secretary John Healey experienced signal jamming near the Russian border earlier this week, highlighting the growing security risks faced by military and government flights operating close to tense front lines. The incident took place while Healey was returning to the UK after visiting British troops stationed in Estonia. According to the BBC report, the aircraft’s GPS was affected, forcing the crew to rely on an alternative navigation system for the three-hour journey. 

The reported disruption has raised fresh concerns about electronic interference in areas bordering Russia, where GPS jamming and related forms of signal disruption have become a familiar feature of the strategic environment. The BBC said it is suspected that Russia was behind the interference, although it remains unclear whether Healey himself was deliberately targeted. The flight path was reportedly visible on aircraft-tracking platforms, which may have made the plane easier to monitor. 

Signal jamming is not only a technical nuisance; it can also carry serious operational implications. When GPS is disabled or distorted, pilots must depend on backup systems and heightened crew awareness to maintain safe navigation. The BBC noted that a similar incident occurred in 2024, when an RAF aircraft carrying then-Defence Secretary Grant Shapps also faced GPS jamming near Russian airspace. That history suggests the latest case is part of a broader pattern rather than an isolated event. 

For the UK, the episode underlines the pressures of supporting allies in Eastern Europe while deterring hostile interference. Britain has maintained a military presence in Estonia as part of its NATO commitments, and visits by senior officials send a message of solidarity and readiness. Yet incidents like this show that even routine travel in the region can be affected by electronic warfare and other forms of disruption. The incident adds another layer of caution for defence planners and transport crews working in contested airspace. 

Although the full circumstances remain under review, the incident is a reminder that modern conflict is increasingly fought in invisible ways. Jamming signals, disrupting navigation, and probing aircraft movements are part of a wider contest that extends beyond traditional battlefields. As European tensions remain high, the UK and its allies are likely to keep paying close attention to the safety of flights operating near Russia’s borders.
Read more »
Google Research
AI Generated Content Law AI manufacturing research Cyber Security Fake Data generative AI fraud Google Research

AI-Generated Fake Citations Surge Across Scientific Papers and Peer-Reviewed Journals

 

Surprising numbers of made-up sources now show up in research articles, thanks to artificial intelligence. Instead of slowing down, the problem grew fast - around 150,000 false references slipped into academic work just in 2025 alone. While some stay hidden in early drafts online, others make it through review systems and land in official journals. What once seemed rare has become common, raising concerns across universities and publishing houses alike. 

From 2020 to 2025, scholarly articles totaling 2.5 million were examined by analysts at Cornell, UCLA, and Berkeley. These documents contributed a citation count of 111 million. Data originated in prominent archives - arXiv, bioRxiv, SSRN, and PubMed Central being among them. Attention shifted toward references that lacked confirmation in standard indexing systems. Tools like Semantic Scholar, OpenAlex, and Google Scholar failed to validate certain paper titles. Scrutiny centered on these unverifiable instances. Work unfolded without reliance on assumed accuracy. 

Instead, gaps in traceability became the point of departure. Midway through 2024, a noticeable spike emerged in made-up citations. This shift came alongside broader adoption of advanced language software - systems initially built for drafting text but now able to produce full reference lists. Although such tools speed up writing tasks, they sometimes invent scholarly sources that sound real yet lead nowhere. 

A paper called "LLM Hallucinations in the Wild" traced this pattern directly to how these models operate when asked to cite materials. Because false references mimic genuine ones so closely, spotting them becomes difficult without careful checking. Surprisingly, the investigation reveals fabricated citations appear beyond clearly dishonest work. These false references turn up across credible-looking documents, implying certain authors include AI-suggested sources without checking them first. What stands out is how casually unverified material slips into accepted formats. 

Most current safety measures faced questions about how well they work. The research showed that close to 78.8% of made-up citations got through arXiv’s review process without detection. Even after some bioRxiv papers appeared in journals listed by PubMed Central, around 85.3% still kept their false references unchanged. A study appearing in The Lancet highlighted recurring issues in biomedical literature. 

Over 4,000 false references turned up in nearly three thousand reviewed articles from 2023 through early 2026. Papers drawn from that span showed a sharp climb in made-up sources. While just one in 2,828 works contained such problems at the start, the proportion jumped - by early 2026, it was one out of every 277. Growth like this signals deeper cracks forming beneath the surface. 

One concern gaining traction: false references might cycle back into AI training data once they land in shared digital archives. Because these inaccuracies can persist, journals are being pushed toward using software checks on citations prior to accepting articles. 

As artificial intelligence plays a larger role in research tasks, closer scrutiny seems less like an option and more like a necessity. Some now see automated validation not as extra effort but as basic hygiene in scholarly communication.
Read more »
Ukraine
Gamaredon GammaPhish GammaWorm malware Russia Ukraine

Russian State-sponsored Hackers Attack Ukraine, Exploit WinRAR to Install Malware


The Russian Hacking group called Gamaredon has been linked to the constant hack of a WinRar bug to install a few malware strains aiming to propagate and steal data.

According to Sekoia, the attack consists of exploiting the bug CVE-2025-8088, a path traversal bug in WinRAR, to run an HTML App payload called GammaPhish, which is later used to get a VBScript payload from the C2 server. The main goal is to fingerprint the host device and update the network settings in the registry via dead drop resolvers (DDRs), retrieve and launch arbitrary VBScript payloads from the C2 servers.

About the malware

“Gamaredon’s arsenal has undergone a significant transformation over the last decade, transitioning from Pteranodon custom-built framework into a fragmented and modular malware. Based on our observation, today’s Gamaredon capacities are characterised by a proliferation and a highly active development cycle of new malware variants,” said Sekoia

Payloads attacking VBS

One payload is a VBScript worm called GammaWorm that builds persistence through scheduled tasks and is built to hide authentic directories in network shares and USB drives and replace with infected Windows Shortcut (LNK) files. This causes the launch of arbitrary code gotten from a C2 server.

To fix C2,  GammaWorm starts a GET request to the public Telegram channel. Via genuine platforms such as Telegram, hackers blend with regular traffic, escape getting caught, and launch long-term spying campaigns. GammaWorm also depends on NTFS Alternate Data Streams (ADS) tactics to hide its core modules.

Other malware strains

A different malware family deployed through GammaLoad is a modular information stealer called GammaSteel that stores files matching particular extensions and retrieves the stolen files on AWS S3 bucket or a threat-actor regulated server as a backup option. According to Sekoia, the infection chain could be used to launch different malware strains like GammaWipe or GamaWiper, this depends on the hacker’s targets. 

"The exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive," it noted. "In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first,” Sekoia said.

State-sponsored hackers involved

Russian state-sponsored actor Gamaredon associated with the official Federal Security Service (FSB) has a long history of targeting Ukraine and its government, critical infrastructures, military via spear-phishing emails that consist infected attachments in “booby-trapped RAR archives”, according to the Hacker News.

Gamaredon, a Russian state-sponsored intrusion-set officially linked to the Federal Security Service (FSB), has a history of targeting Ukraine, particularly government, military, and critical infrastructure entities, using spear-phishing emails containing malicious attachments, in this booby-trapped RAR archives.

Read more »
RTGS Fraud Scheme
Cyber Crime Investigation Cyber Fraud Cyber Frauds Digital Arrest Scam Karnataka Cyber Command Money Laundering Scam Mule Bank Accounts Online Financial Fraud RTGS Fraud Scheme

Fake Digital Arrest Racket Cheats Bengaluru Woman of Rs 24 Crore


 

Using cyber technology, an impersonation racket for high-net-worth individuals in India has been exposed as a sophisticated scam in the form of a so-called "digital arrest." A network of fraudsters posing as officials from central investigation agencies has allegedly coerced Bengaluru resident Lakshmi Ramamurthy into transferring large sums of money over a period of several months, involving 74-year-old Bengaluru resident Lakshmi Ramamurthy. 

The Karnataka State Cyber Command has uncovered a Rs 24 crore fraud involving her. Authorities allege that the accused exploited sensitive financial information related to recent property transactions, fabricated false allegations of money laundering, continuously monitored, and psychologically manipulated to create a false sense of legal threat. 

After Ramamurthy approached the ICICI Bank Cantonment Branch to mortgage 1.3 kilograms of gold jewellery in an effort to obtain additional funds, the scheme was undetected until he approached the bank officials. Bank officials alerted law enforcement officials, triggering an investigation that led to the arrest of six suspects from a variety of states, including Tamil Nadu, Maharashtra, Gujarat, Delhi, and Bihar. 

The victim, Ramamurthy, a former teacher who lived in Dubai and is currently residing alone in Bengaluru's Shivajinagar neighbourhood, has been deemed to be a lucrative target because she owns properties in Bengaluru and Mumbai, and she is actively seeking to liquidate certain assets for the benefit of her children in the United States. 

Police claim that the fraudulent engagement began in February when individuals claiming to be officers from the Central Bureau of Investigation (CBI) and Enforcement Directorate (ED) started calling her. She was falsely accused of involvement in a money laundering network and repeatedly threatened arrest and legal action by the callers, who repeatedly threatened her arrest. 

In the process of clarifying her position, the perpetrators escalated the deception through WhatsApp video calls, employing impersonation techniques that were designed to simulate official proceedings as well as reinforce the credibility of the false accusations. Also during the course of the investigation, police were able to seize six mobile phones thought to have been used for coordinating and executing the fraud, providing vital data regarding the network's communication infrastructure. This was followed by an extended campaign of coercive social engineering in which the victim was alleged to have been isolated from external intervention and to have been kept under constant psychological pressure through repeated calls and virtual interactions. 

During their conversation, the fraudsters falsely informed Ramamurthy that her bank accounts were connected to a money laundering investigation. The fraudsters claimed that Ramamurthy had been placed under a confidential "digital arrest" and instructed her not to discuss the matter. A number of factors were employed by the accused to convince her that large financial transfers were necessary for account verification, regulatory scrutiny, and fund clearance, including fear, authority impersonation, and fabricated legal consequences. 

A total of Rs 24 crore was allegedly transferred from the victim's ICICI Bank account between February 10 and April 24 through 26 RTGS transactions involving 23 mule accounts maintained at ten different banks nationwide. Police said the funds were distributed through a layered network of beneficiary accounts designed to obscure the money trail and complicate recovery efforts. 

On April 24, the victim reportedly attempted to secure a gold loan worth Rs 3 crore to satisfy additional demands from the scammers that were still underway when the fraud operation was still active. In response to suspicious activity detected by ICICI Bank Cantonment Branch officials, the Karnataka State Cyber Command was immediately alerted, and officers at the Karnataka State Cyber Command intervened, counselled the victim, and prevented further financial losses. 

Following the initial investigation, a large-scale interstate cybercrime investigation focused on tracking the flow of funds via the fraud network's laundering infrastructure was initiated in order to investigate the fraud. Investigators tracked first-layer mule accounts that received the proceeds of the crime by using financial intelligence, transaction analysis, and data available through the National Cybercrime Reporting Portal (NCRP) and initiated account freeze procedures across a number of banking channels.

The operation resulted in the freezing of over Rs 4 crore, while a further Rs 1.46 crore was recovered through court-directed proceedings. Approximately six individuals have been arrested as a result of the investigation - N Sivagnanam of Erode, Tamil Nadu; Akkach Mallick of Mumbai, Maharashtra; Palak Bhai Patel and Amit Narendra Patel of Ahmedabad, Gujarat; Om Prakash Rajput of New Delhi; and Gaurav Kumar of Bihar.

Furthermore, authorities seized six mobile phones suspected of being used to coordinate fraudulent activities. According to the Karnataka State Cyber Command Unit, the investigation continues as efforts continue to identify additional operatives, uncover the larger financial network, and trace the masterminds suspected of orchestrating the nationwide digital arrest fraud scheme. 

A significant aspect of the case is the fact that modern cybercrime has evolved beyond technical exploitation into highly orchestrated psychological manipulation, in which trust, fear, and perceived authority are weaponised so that rational decision-making is overridden. 

The incident underscores the fact that no legitimate law enforcement agency or government agency conducts investigations through secret video calls, requires financial transfers for verification, or instructs individuals to isolate themselves from family members or legal counsel as digital arrest scams continue to surface across the country. 

In addition to independent verification of such claims through official channels, cybersecurity experts advise citizens to be cautious when receiving unsolicited communications expressing legal threats, as well as to report suspicious activity immediately to the National Cyber Crime Reporting Portal or local cyber police authorities. One of the most effective measures against fraud schemes designed to exploit both technology and human vulnerability remains awareness in an increasingly connected world.
Read more »
Subscribe to: Posts (Atom)