Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

WhatsApp
Cyberattack malware ManageEngine Endpoint Central remote access malware VBScript attack WhatsApp

WhatsApp Malware Campaign Targets Global Users Through Fake Financial Documents and Remote Access Tools

 

A widespread malware campaign is targeting WhatsApp users across several countries by sending deceptive messages containing malicious VBScript files that can ultimately grant attackers remote access to victims' systems.

According to cybersecurity researchers at Kaspersky, the threat actors behind the campaign are disguising the malicious files as legitimate business and financial documents. These files are distributed through WhatsApp accounts that have already been compromised, making the messages appear trustworthy to recipients.

Once a victim downloads and executes the attachment, a multi-stage infection process begins. The attack eventually installs ManageEngine Endpoint Central, a legitimate system management tool commonly used by IT administrators to oversee devices from a centralized platform.

Kaspersky’s telemetry data indicates that the campaign has impacted users in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

The attack starts with WhatsApp messages sent from compromised accounts. These messages typically contain only a heavily obfuscated VBScript file designed to evade detection.

To increase the likelihood of users opening the attachment, the files are named to resemble invoices, financial reports, billing records, account notifications, and other business-related documents. Researchers also observed that the filenames are adapted to different languages, highlighting the global nature of the operation.

“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky explains.

“At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”

If a Windows user opens the malicious file, the VBScript downloads two additional scripts from attacker-controlled servers. These scripts modify the Windows Registry to disable User Account Control (UAC) protections and retrieve a ZIP archive containing ManageEngine Endpoint Central.

The software is then installed silently in the background and configured to connect with servers controlled by the attackers. This setup provides cybercriminals with remote administration capabilities over the compromised machine.

Researchers noted a difference in execution behavior depending on the WhatsApp platform being used. When the file is received through WhatsApp Web, it must first be downloaded before execution. However, in the WhatsApp Desktop application, the file can be launched directly through Windows Script Host (wscript.exe).

Although Kaspersky has not attributed the campaign to a specific threat actor, investigators identified indicators suggesting the use of the Chinese language and found overlaps between the campaign’s infrastructure and IP addresses previously linked to ValleyRAT and Gh0st RAT operations.

Despite these findings, researchers emphasized that the available evidence is not sufficient to confidently identify the group responsible for the attacks.

Security experts advise WhatsApp users to exercise caution when receiving files, even from known contacts, as compromised accounts can be used to spread malware.

Users should verify unexpected attachments through an alternative communication channel before opening them. Additionally, all downloaded files should be scanned with an updated antivirus solution to help detect and block potential threats before execution.

Read more »
malware
Crypto heist Cyber Scam Malicious Campaign malware

Crypto Heist Uses Fake Reputation Campaign to Spread Malware

 

Cybercriminals are increasingly borrowing the language and tactics of public relations, and a new campaign shows how effective that can be. According to researchers, attackers promoted malicious crypto-related tools by creating a polished online presence across GitHub, YouTube, VirusTotal, and other channels. The goal was not only to spread malware, but also to build an illusion of trust that would lower suspicion among users and researchers.

At the center of the operation was a Rust-based clipboard hijacker, a type of malware that watches for cryptocurrency wallet addresses copied into a victim’s clipboard. When it detects one, it swaps the address with one controlled by the attackers, causing funds to be sent to the wrong destination. This simple trick can be highly profitable because it targets users at the exact moment they think they are making a legitimate transfer. 

What makes the campaign notable is its layered distribution strategy. Researchers found dedicated phishing pages, fake GitHub and SourceForge projects, and even a YouTube channel designed to make the software look popular and credible. The channel reportedly used AI-generated narrators, suspicious view spikes, and enthusiastic comments that were likely coordinated to reinforce the appearance of real demand. Instead of relying on one channel, the attackers created a network of signals that seemed to validate one another. 

The operation also extended into reputation manipulation on security platforms. By using large numbers of fake accounts, sometimes described as “Ghost Networks,” the attackers attempted to influence systems such as VirusTotal and make their tools appear harmless or merely falsely flagged. That tactic matters because many users and even defenders glance at reputation data before deciding whether a file is safe. If the data is polluted, the warning signs become harder to trust. 

This campaign shows how malware distribution is evolving beyond obvious spam and sketchy downloads. Attackers now understand that credibility itself can be weaponized, especially when users rely on social proof, star ratings, comments, and public scans to judge safety. The result is a more convincing, more scalable deception that blends technical abuse with marketing-style manipulation. 

For users, the lesson is to treat polished packaging as a warning sign rather than reassurance. Check the source of any crypto tool carefully, verify wallet addresses before sending money, and avoid downloading software because it looks popular or well reviewed. For defenders, the case is a reminder that reputation systems can be gamed, so detection must look beyond surface-level trust signals.
Read more »
technology
Anthropic Artificial Intelligence Frontier AI open ai technology

Five Eyes Agencies Say AI-Powered Cyber Threats Are Closer Than Expected

 




Intelligence and cybersecurity agencies from five allied nations have issued a warning that advanced artificial intelligence systems capable of performing meticulously executed cybersecurity tasks may become widely accessible much sooner than many organizations expect.

In a joint statement, representatives from the Five Eyes intelligence alliance, comprising the United States, Canada, the United Kingdom, Australia, and New Zealand, cautioned that frontier AI models are progressing at a pace that could reshape how cyber operations are conducted on both sides of the security landscape. According to the agencies, capabilities that are currently associated with a small number of highly advanced AI systems may reach broader availability within months rather than years.

The warning instills a sense of concern among governments, security practitioners, and AI researchers who have spent the past year examining how rapidly improving language models can influence vulnerability discovery, exploit development, system reconnaissance, and defensive security operations.

Officials stated that frontier AI systems are expected to outperform current industry assumptions regarding cybersecurity-related tasks. As these systems continue to improve, they may alter how organizations identify weaknesses, respond to incidents, and defend critical infrastructure. At the same time, the same technological advances could provide malicious actors with new opportunities to automate portions of cyberattacks that previously required substantial technical expertise.

Notably, the agencies emphasized that their concern is not based solely on future developments. Many of the building blocks needed for AI-assisted cyber operations already exist today.

Security-focused AI models can currently be accessed through a variety of channels, including older commercial systems, open-source releases, and models developed outside Western technology companies. While some frontier AI developers have restricted access to their most capable systems, cybersecurity experts have repeatedly noted that advanced capabilities often spread beyond their original environments as newer generations of models are released.

The agencies argued that one of the most immediate concerns is not the creation of entirely new attack techniques, but the ability of AI systems to exploit weaknesses that organizations have failed to address for years.

Among the issues highlighted were aging technology environments, delayed software patching, unnecessary exposure of internal systems to the public internet, weak identity verification practices, inadequate access controls, and insufficient preparation for responding to security incidents. These weaknesses have contributed to countless breaches over the past decade, and officials believe increasingly capable AI systems could allow attackers to identify and exploit such gaps more efficiently and at greater scale.

The statement suggests that organizations should reassess assumptions about how much time they have to prepare. Traditional planning cycles often operate on the expectation that technological shifts unfold gradually. However, intelligence officials warned that AI-related cyber risks may evolve quickly enough to render existing security assumptions obsolete within a matter of months.

"The rapid pace of frontier AI development means cyber risk assumptions can become outdated in months, not years," the agencies wrote, urging organizations to prepare for changing threat conditions before they become operational realities.

The warning also comes amid growing debate surrounding the release and control of advanced AI systems. The statement references frontier models such as Anthropic's Fable 5 and the cybersecurity-focused Mythos model family, which have attracted attention because of their reported performance on security-related tasks.

While companies have attempted to limit access to some of their most advanced systems, researchers have repeatedly observed that the gap between proprietary frontier models and publicly available alternatives continues to narrow. Historically, open-source models have often trailed leading commercial systems by only several months. As a result, capabilities that are initially restricted to a limited group of users can eventually become available through other channels.

This pattern has intensified concerns among policymakers who worry that highly capable cyber-oriented AI tools may become accessible to a broader range of actors, including criminal groups and nation-state operators seeking to automate parts of their operations.

Government officials and AI developers have already begun exploring ways to use these technologies defensively before they become commonplace in offensive campaigns. Programs such as Anthropic's Project Glasswing and OpenAI's Trusted Access for Cyber Program are designed to provide vetted organizations with access to advanced AI systems for security testing, vulnerability identification, and defensive research.

The objective is straightforward: allow defenders to discover and remediate weaknesses before increasingly capable AI systems can routinely identify and exploit them.

Recent research has reinforced the view that AI is becoming increasingly effective at cybersecurity tasks. Studies conducted in controlled environments have shown that advanced models can assist with vulnerability analysis, code review, system enumeration, and portions of attack-chain development. Although these systems still require human oversight and are far from replacing experienced security professionals, their capabilities continue to improve with each generation.

Despite the attention surrounding frontier AI, the recommendations issued by the Five Eyes agencies are remarkably familiar. Rather than advocating entirely new security frameworks, officials argue that organizations should focus on practices that have long formed the foundation of effective cybersecurity programs.

These include maintaining timely patch management processes, reducing unnecessary internet-facing exposure, strengthening identity and access management controls, developing incident response plans, and treating cybersecurity as a strategic business responsibility rather than a compliance exercise delegated solely to technical teams.

For business leaders, the warning serves as a reminder that advances in artificial intelligence are unlikely to eliminate longstanding cybersecurity challenges. Instead, they may increase the speed at which those challenges can be exploited.

As frontier AI design systems continue to upgrade, organizations that maintain strong operational discipline, address known weaknesses promptly, and integrate cybersecurity considerations into decision-making processes will be better positioned to withstand a rapidly changing threat environment. Those that fail to do so may find that vulnerabilities once considered manageable can be identified, analyzed, and exploited far faster than before.

Read more »
Messaging App Security
Account Hacking Cyber Attacks Data Breaches Data Safety User Data data security French Government Hijacking attacks Messaging App Security

French Government Messaging Platform Tchap Breached After Hijacked User Account Attack

 

A surprise alert came from Paris when officials revealed a security flaw in Tchap, the nation’s encrypted chat system. Through a hijacked login, intruders slipped inside without immediate detection. Only later did analysts at the country's cyber defense unit spot unusual activity. Their probe began quietly, tracing paths taken and files touched during the unauthorized visit. Questions now linger about what data could have been seen or copied in the gap before discovery. 

Starting in 2018, France's DINUM introduced Tchap alongside the country’s cybersecurity body, ANSSI. Built using the Matrix framework, this tool serves only state workers and official institutions through secure chats and teamwork functions. Since launch, usage expanded - now counting above 300,000 people logging in each month, with half a million installs just on Android. Growth picked up speed when Prime Minister François Bayrou advised staff to switch work conversations to Tchap rather than rely on non-European apps. 

Later that week, signs of intrusion appeared on the interface - ANSSI spotted irregular behavior tied to one logged-in profile. That channel got shut down fast, stopping extra breaches. From there, scrutiny turned to stored records, checking what exchanges or documents might have leaked. Though control slipped briefly, response narrowed the risk without delay. Even though no breach occurred, France's digital agency reached out to CNIL due to possible exposure of personal details via the app. 

While public discussions remain accessible to verified participants, those conversations lack encryption safeguards. Because privacy risks exist, officials emphasize handling delicate data strictly within protected one-on-one exchanges. Only secured channels offer the level of protection needed for such content. Over the weekend, someone took credit for the incident, saying they got in by manipulating people rather than exploiting code. 

Though officials haven’t shared specifics about how it happened, the claim points to deception as the entry method. Access reportedly began with an account tied to Tchap’s school-focused systems. From there, information visible within that account was gathered without permission. Among the claims made was access to fixed LDAP login details, left visible inside a PowerShell file circulated by someone working for the state. 

It followed that large volumes of data - over 13 gigabytes - were reportedly copied, spanning both documents and multimedia content. From those materials emerged close to 650,000 individual messages. Account-related records tied to over seventy-three thousand users were pulled apart, revealing emails, affiliations, scheduled call URLs, plus background system logs. 

A separate assertion pointed to how easily such scripts could expose sensitive internal structures. Still examining the reports, investigators work to measure how far the effects reach. When hackers trick users or steal logins, even coded messaging apps can fail - this case shows it once again.
Read more »
Third-Party Risk
Cloud Security CRM Data Exposure Data Breach Icarus Extortion Group Klue Breach OAuth Token Theft Salesforce Security Supply Chain Attack Third-Party Risk

Klue Breach Exposes Cybersecurity Firms to Supply Chain Risk


 

Klue, which provides competitive intelligence services, has been implicated in a supply chain compromise as an example of how trusted third-party integrations can lead to high-impact attacks on enterprise systems. As a consequence of the incident, which occurred on June 11, unauthorized access to Klue's backend infrastructure allowed threat actors to deploy malicious code designed to harvest authentication tokens related to customer integrations, resulting in the theft of customer authentication tokens.

Security firms Huntress and Recorded Future confirmed that they were among the organizations affected by the breach, which has drawn attention across the cybersecurity industry. In addition, investigations found that the attackers accessed and extracted customer data through connected business platforms by leveraging compromised integrations.

An interconnected SaaS ecosystems present significant risks, where a single compromise can rapidly extend beyond the initial target and affect multiple downstream organizations, thereby increasing the risk associated with the ecosystem. 

In addition, details indicate that the compromise went beyond Klue's internal environment and into customer-connected cloud platforms via an unlawfully accessed legacy integration credential. Threat actors accessed Salesforce instances by leveraging the credential on June 12 to synchronize customer data across linked cloud environments, leading to unauthorized access to customer information. 

Despite the fact that Klue has not revealed the exact number of individuals or organizations affected, multiple organizations, including Gong, Jamf, HackerOne, Insurity, OneTrust, Snyk, Sprout Social, Tanium, Huntress, and Recorded Future, have acknowledged exposure. As a result of the hacking, the cybercrime group Icarus has claimed responsibility for the incident. If a ransom demand is not met, the stolen data will be released publicly. 

According to preliminary assessments, the accessed records primarily contain business-related information about customers, such as names, e-mail addresses, phone numbers, job titles, and some account details. There has been an increasing trend for threat actors to target middleware and integration providers as strategic aggregation points, leading to a single compromised credential or service connection being used as a gateway into the cloud data environments of many downstream companies. 

According to Klue, CrowdStrike has been engaged as part of its response efforts, and affected integrations have been suspended while containment and forensic investigations are ongoing. As containment efforts progressed, the operation footprint of the intrusion became increasingly apparent. Upon discovering the compromise, Klue revoked all customer OAuth tokens and suspended integrations with various enterprise platforms, such as Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack, as a means to prevent further unauthorized activity from taking place. 

Upon further investigation, it was discovered that the attackers had used compromised integration access to extract extensive data through Salesforce's REST API by leveraging compromised integration access. ReliaQuest researchers observed unusually high volumes of CRM queries over a 24-hour period. These included a concentrated burst of nearly 1,000 requests within 15 minutes and sustained extraction activity that lasted over six hours. 

Salesforce mentioned that the findings caused the application Klue Battlecards to be disabled on June 17 as a result of abnormal behavior that might have exposed customer information. Huntress reported that among those organizations publicly confirming impact, accessed records contained only business-facing information like contact information, quotations, and sales communications. There was no evidence that threat intelligence, authentication credentials, payment information, or product engineering systems were exposed. 

Recorded Future stated in a similar manner that the incident affected specific customer and contractual data fields, but not its internal infrastructure and critical operational environments. According to the investigators, the activity was confined to Klue-Salesforce integration rather than the affected companies' networks, distinguishing the incident from broader enterprise compromises. 

In addition, Huntress reported receiving extortion messages from an individual whose communications referenced identifiers previously associated with the Icarus extortion group. A combination of the stolen datasets and material advertised on the Icarus-operated leak infrastructure has strengthened industry assessments linking the group to the attack, however, the intrusion appears to be distinct from other campaigns attributed to actors such as ShinyHunters or UNC6395 that were previously attributed to the group. This incident serves as another reminder that modern cybersecurity risks extend beyond an organization's own perimeter and into a wider ecosystem of trusted applications, integrations, and service providers.

A growing number of attackers are focusing on high value aggregation points within interconnected cloud environments, increasing the need for security teams to strengthen oversight of third-party access, continuously monitor privileged integrations, and swiftly revoke exposed credentials when suspicious activity occurs. 

The investigation into the breach is ongoing, but the event underscores the necessity of making supply chain security a core part of enterprise security rather than a secondary risk, especially because a single compromised connection can create consequences across multiple organizations simultaneously.
Read more »
VPN security
CISA alert Credential Theft Cyber Security Cybersecurity firewall security FortiBleed Fortinet security VPN security

CISA Warns Organizations to Secure Fortinet Devices Amid Massive FortiBleed Credential Theft Campaign

 

 



The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised organizations to strengthen the security of internet-facing Fortinet devices following the discovery of a large-scale credential theft operation that may affect more than 86,000 firewalls and VPN systems.

The campaign, known as FortiBleed, was first brought to light earlier this week. Cybersecurity firm SOCRadar initially reported that over 30,000 Fortinet devices had been compromised, potentially putting enterprise networks at risk. The company has since revised its estimate, indicating that more than 86,000 devices may be impacted.

“Discovered in June 2026, the operation has produced a verified database of over 86,644 confirmed working credentials across 194 countries, all collected from internet-facing Fortinet infrastructure,” the company says.

According to researchers, threat actors compiled a large database of usernames and passwords and validated them using automated testing tools. Many of the exposed credentials are believed to have originated from previous security incidents and were never updated or revoked.

Security researcher Kevin Beaumont, in collaboration with Hudson Rock, worked with several affected organizations and confirmed that many of the credentials remain active and recently used.

“The data comprises roughly 50% of all Fortinet firewall devices facing the internet, based on polling from Shodan,” Beaumont says.

Further investigation by security researcher Bob Diachenko suggests that a Russian-speaking threat actor is behind the campaign. Reports indicate that at least four organizations have already experienced complete network compromise.

“They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments,” Diachenko says.

Researchers estimate that the attackers carried out approximately 1.16 billion credential-stuffing attempts against more than 320,000 FortiGate devices. Additionally, around 2.1 billion brute-force login attempts were directed at over 160,000 Microsoft SQL (MSSQL) servers.

Hudson Rock noted that thousands of organizations have been affected, “including major government entities and critical infrastructure providers”.

Cybersecurity company Huntress also highlighted the scale of the incident. “While the overall campaign is massive, Huntress has cross-referenced the listed IP addresses against their own data corpus and identified 845 partner organizations specifically impacted by this credential dump.”

In response to the growing threat, CISA released an advisory on Thursday urging Fortinet customers to take immediate action. Recommended measures include terminating active user sessions, resetting passwords, adopting the Password-Based Key Derivation Function 2 (PBKDF2) algorithm for storing administrator credentials, reviewing logs for suspicious activity, enabling phishing-resistant multi-factor authentication (MFA), and restricting management access to minimize exposure and reduce the attack surface.

Read more »
Technology
Anthropic AI Claude AI Global Outage Technology

Anthropic's Claude AI Back Online After 90-Minute Global Outage

 

Anthropic’s Claude AI platform suffered a global outage that left users and developers dealing with elevated error rates and service interruptions for nearly 90 minutes before recovery was completed. The disruption hit the Claude ecosystem at a time when many teams depend on it for chat, coding, and API-driven workflows. 

The incident began at 00:37 UTC on June 22, 2026, when Anthropic opened an investigation into errors affecting several Claude models at the same time. The outage was broad, impacting Opus 4.8, Opus 4.7, Opus 4.6, Sonnet 4.6, and Haiku 4.5, which made it one of the widest multi-model incidents reported for the service this month. 

Users felt the effects across multiple products, including Claude.ai, the Claude API, Claude Code, and Claude Cowork. That meant the problem was not limited to casual chatbot access; it also disrupted software developers, enterprise teams, and anyone depending on Claude through automated integrations. 

Anthropic identified the root cause by 01:11 UTC and then started a staged fix rather than restoring everything at once. Recovery moved model by model, with Opus 4.8 returning first, followed by Haiku 4.5 and Opus 4.7, before the company declared full resolution at 02:06 UTC. This was not an isolated event, since Claude has faced several disruptions in 2026, including outages in March and earlier in June. The repeated incidents underline a bigger issue for the AI industry: as usage grows, reliability becomes just as important as model quality.

Safety tips 

To protect users from an Anthropic Claude AI outage, the best approach is to combine monitoring, fallback options, and simple user-facing safeguards. Since Claude outages can affect the web app, API, and coding tools at the same time, protection should be built into both user workflows and product systems. 

The first step is detection. Check Anthropic’s official status page, track incident reports, and monitor error spikes so you can confirm whether the issue is platform-wide or local. For developers, test a small API request and watch for 5xx responses such as overloaded or unavailable errors, which usually indicate a backend outage rather than a user-side problem. 

The next layer is graceful fallback. If Claude is unavailable, route urgent tasks to another AI provider or a backup model so users can keep working without a hard stop. For teams, this can mean switching prompts, disabling nonessential AI features temporarily, or offering a manual workflow until service returns. 

For API products, build retry logic carefully. Use exponential backoff, limit repeated retries, and avoid hammering the service during an incident because that can worsen delays for your users. It also helps to decouple the front end from a single AI endpoint so the app can still load, save work, or queue requests even when Claude is down.
Read more »
TeamPCP
CI CD Security Cloud Credential Theft Cyber Threats Dependency Attacks Open Source Security Shai Hulud Malware Software Supply Chain Attack Software Supply Chain Security TeamPCP

TeamPCP Exposes the Hidden Risks of Software Development’s Speed Culture


Software industry companies have emphasized development velocity as a competitive advantage for years, streamlining release cycles, automating deployments, and increasingly utilizing sprawling open-source ecosystems to accelerate innovation as a competitive advantage. However, a recent campaign orchestrated by TeamPCP has revealed the security debt underpinning that speed-first approach.

Within a short period of time, the threat actor compromised more than 1,000 software packages and weaponized trusted development channels, showing the reliance on assumptions rather than verification that modern software supply chains have in place. The most recent escalation occurred following the public release of the Shai-Hulud worm's source code, a malicious tool previously used in numerous supply chain intrusions, along with operational guidance aimed at encouraging broader misuse. 

Through open distribution of the malware and promotion of a reward-driven "supply chain challenge," TeamPCP has demonstrated its ability to shift the threat from a single adversary to a potentially broader ecosystem threat. There is a growing reality for software developers, enterprises, and security teams alike that this development emphasizes: the greatest vulnerability in modern software development is not necessarily a flaw in the code itself, but rather a trust placed in repository repositories, dependencies, and automated workflows. 

A key component of TeamPCP's campaign is the ability to weaponize vulnerabilities already embedded within modern software development practices rather than developing new malware and previously unknown exploitation techniques. With organizations accelerating release cycles through automated continuous integration/continuous delivery pipelines and increasingly integrating artificial intelligence-driven coding assistants, trust decisions are making more frequently without meaningful human verification.

The security research community notes that this environment has created a fertile ground for supply chain abuse, in which unvetted packages, compromised dependencies, and stolen publisher credentials are able to move through development workflows at unprecedented speed. TeamPCP demonstrates exactly how a single compromise within a trusted distribution channel can have an impact on thousands of downstream users through a single breach. 

In the process of conducting the attacks, the group has highlighted a long-standing industry concern: although software packages are often thoroughly tested before deployment, identities, credentials, and publishing environments that distribute those packages are usually less scrutinized. It is believed that much of TeamPCP activity may be attributed to a small group of operators following threat intelligence investigations conducted by Palo Alto Networks and Google. These investigations have identified a central figure known online as "ResoluteXBF" with connections to South African-based infrastructure. 

Even though the group was relatively new when it emerged in 2010, it has rapidly evolved from the Shai-Hulud campaign to subsequent operations that involved malware such as GlassWorm, as well as the public release of Shai-Hulud's source code, and even a high-profile GitHub breach that compromised Visual Studio Code to expose thousands of private repositories. 

The security analysts cite these incidents as evidence that attackers have shifted their approach, making developers themselves primary targets and trusted software ecosystems the preferred method of intrusion. As a result, TeamPCP's significance is greater than its volume of compromises, but it also illustrates the fragility of trust relationships that continue to underpin large portions of open-source supply chains throughout the world. 

Researchers gained a better understanding of TeamPCP's operations after digging deeper into the company's operations. Palo Alto Networks' threat intelligence assessments identified a central figure operating under the alias "ResoluteXBF," as well as associates known as "diencracked" and "Shinigami." However, numerous researchers remain of the opinion that the group is an essentially loosely connected operation with a relatively small core.

There has been speculation that a successful law enforcement action against a few individuals or possibly even one key operator  could significantly disrupt the campaign based on this structure. Even so, the group's influence has surpassed its apparent size. TeamPCP has consistently been associated with underground communities and criminal affiliates linked to BreachForums, DragonForce, ShinyHunters, Vect, Lapsus$, and HasanBroker, thereby expanding its influence and reputation through these networks. 

One notable instance occurred when the group advertised 4,000 private code repositories with a reported asking price of $95,000 on a dark web forum. Despite this, researchers contend the group is not solely concerned with financial gain. Based on the group's behavior, such as public feuds, open recruitment, reward-based challenges for supply-chain attacks, and deliberate release of offensive tooling, it is apparent that the campaign is centered on notoriety, disruption, and influence within cybercrime circles.

It is clear from TeamPCP's own metrics that there is a significant disparity: even though the group has claimed more than 10,000 victims, and earned approximately $90,000 in extortion-related earnings, its reputation and operational damage have been disproportionately greater than its revenues. 

TeamsPCP has been aggressively targeting open-source repositories and developer infrastructure in order to spread credential-stealing malware designed to harvest credentials, cloud credentials, and secrets associated with Kubernetes environments, Amazon Web Services, Microsoft Azure, Google Cloud, and other enterprise platforms. This impact is visible across the software ecosystem. Those organizations affected directly or indirectly by compromised packages include Checkmarx, Bitwarden, LiteLLM, Telnyx, Mercor AI, PyTorch Lightning, AntV, SAP, GitHub, TanStack, UiPath, Mistral AI, Microsoft DurableTask, Red Hat, and Nx Console, among others. 

Researchers have estimated that malicious packages linked to TeamPCP represent nearly 500 million weekly downloads, showing how a compromise which affects only a few repositories can spread rapidly due to interconnected dependency chains. 

The success of the group has largely been attributed to its understanding of modern development workflows rather than its malware sophistication. Through compromise of CI runners, TeamPCP effectively converted trusted software distribution channels into malware delivery channels by compromising automated systems that build, test, and publish software. 

By automatically retrieving the infected updates from a repository, downstream developers were able to retrieve them using package managers, GitHub Actions, Python libraries, NPM registries, and other software components that were configured to pull the latest releases from the repository. Using the security best practices strategy, the group aims to exploit a fundamental characteristic of software development: rapid patching and continuous updates encourage rapid trust automation, resulting in an environment where trust is routinely automated on a large scale. 

Researchers note that the group's operational tempo remains unusually aggressive. New package compromises occur almost every day, with validations, credential harvestings, and follow-on activities occurring shortly after initial access. The detection speed of defenders has increased, resulting in some malware packages being exposed within minutes, rather than several hours, as whereas TeamPCP has continued to adapt its techniques. 

A variety of toolsets have been developed by it, ranging from JavaScript and Python-based payloads to Kubernetes API attacks, bundled software development kits, and custom credential theft mechanisms. Additionally, the group's objectives have grown as they have spread the use of Mini Shai-Hulud, a self-replicating malware strain that infected hundreds of open-source packages across multiple registries, and was then publicized to encourage imitations. These developments indicate that a scale-oriented operating model has taken precedence over precision as an operating model. 

As an alternative to focusing on a select number of high-value targets, TeamPCP has adopted an approach aimed at maximizing downstream exposure, exploiting interconnected software dependencies, and generating disruption across as many environments as possible in order to maximize downstream exposure a formula that has made it one of the most consequential supply-chain threats facing the open-source community in recent years. 

The TeamPCP campaign emphasizes that the most disruptive cyber threats do not always arise from sophisticated exploits or new malware. The most common causes of these attacks are vulnerabilities in trust mechanisms that maintain the rapid pace of software development. 

By exploiting interconnected repositories, automated build systems, and dependency chains repeatedly, the threat actor has demonstrated how quickly a localized compromise can ripple across the entire digital landscape. 

Software supply chains are becoming increasingly complex, and AI-driven development is accelerating code adoption, so organizations are under increasing pressure to strengthen publisher security, validate dependencies, protect development environments, and continuously monitor build pipelines. As a consequence of TeamPCP, the resilience of the software ecosystem will be dependent not only on securing code, but on verifying every link in the delivery chain.
Read more »
Malware Campaigns
Botnet Botnet attack Cyber Attacks Cyber Hijack Cyber Networks Internet Routers Malware attacks Malware Campaigns

AryStinger Malware Botnet Hijacks Over 4,000 Outdated Routers for Cyberattacks

 

AryStinger, a fresh malware botnet, has breached over four thousand aging routers across the globe. Devices caught in its grip now serve as launchpads for online attacks, quietly repurposed without user knowledge. Detected by analysts at Qianxin's XLab division, the threat operates under external direction. Once inside, these systems scan networks - acting as hidden pathways through which data flows undetected. Remote operators exploit them to reroute traffic, build concealed links, or run unauthorized code.

Warnings stress continued expansion if neglected. Activity spans continents, tied together by weak firmware defenses. One way hackers advance their goals is by turning weak routers into tools they call “executors,” say experts. Tasks flow from a main control point to these hijacked machines, which then act without owners knowing. 

Instead of running scans from one location, criminals spread the work across many devices at once. This method breaks big jobs into tiny pieces, handled quietly by each node in the network. Speed increases because searching happens all over rather than in sequence. Spotting targets becomes smoother when effort scales through scattered access points. 

What makes AryStinger especially dangerous isn’t just its role in launching further attacks - it directly threatens device owners too. Because it alters DNS configurations, victims might unknowingly land on harmful sites instead of the ones they intended. Traffic moving through infected routers could be watched or captured at any moment, even when everything seems normal. Personal data, login details, financial records - none are safe once the system is compromised. 

Most of the time, it takes advantage of outdated security gaps still present on aging hardware no longer supported by updates. Vulnerabilities like CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837 appear frequently within its attack pattern. Older routers bear the brunt - especially models such as the D-Link DIR-850L and DIR-818LW. Previously, those exact units fell victim to AVrecon, a botnet dismantled by Lumen during 2023. 
Among affected devices, nearly half belong to users in South Korea - data from XLab indicates 48.5%. Following behind is China, where more than three out of ten infections occur. Smaller shares show up in Sweden, Malaysia, and Singapore. These nations report fewer cases within the overall pattern. One variant of AryStinger was found coded in C, aiming mostly at older router models. 

Though less widespread, the second form - built in Go - shifts attention toward network-attached storage systems. This newer edition brings extra functions: it scans IPs and DNS entries, runs commands remotely, drops payloads, explores local networks. Open-source pentesting utilities support these inside-network probes. Each version differs not just in codebase but also in reach and complexity. Despite no evidence yet, experts suggest AryStinger's DNS-scanning setup might enable massive DNS assaults later. 

Following infection, the NAS variant allows command execution through Shell, along with support for Go, Java, and Python scripts - opening multiple paths for attacker control. Even after figuring out what the malware can do, XLab scientists mention no connection between AryStinger and recognized hacking groups. Unresolved issues still linger around the botnet - its operators, along with their future aims, stay unclear. Older routers without support draw attention from specialists concerned about safety online. 

When devices miss updates, they open doors hackers might walk through. A fresh model often closes those paths by staying current behind the scenes. Firmware kept up to date plays a quiet but vital role in blocking intrusions. Default logins invite trouble - switching them strengthens access control. Remote management, though convenient, widens exposure; turning it off tightens defenses. Each step reduces how easily systems can be taken over.
Read more »
Microsoft
Credential Theft CryptoBandits cryptocurrency malware Microsoft

CryptoBandits Malware Combines Crypto Theft and Backdoor Access

 



Microsoft has disclosed details of a newly identified Windows malware campaign that combines cryptocurrency theft, covert command-and-control communications, and remote access capabilities, creating a threat that extends well beyond traditional crypto-stealing malware.

Tracked as CryptoBandits, the malware has been active since at least February 2026 and is designed to compromise Windows systems through malicious shortcut (LNK) files. While its primary objective is to steal cryptocurrency-related information, Microsoft researchers found that the malware also functions as a lightweight backdoor, allowing attackers to maintain ongoing access to infected devices and issue remote commands.

According to Microsoft's analysis, the threat relies heavily on built-in Windows scripting technologies, including Windows Script Host and ActiveX components, to execute malicious actions while avoiding more obvious indicators typically associated with conventional malware families. Once executed, CryptoBandits deploys a portable version of the Tor anonymity network and establishes communications with attacker-controlled hidden services through a local SOCKS5 proxy, concealing the infrastructure used to manage infected systems.

Researchers observed the malware being distributed through malicious shortcut files that masquerade as legitimate content. After compromising a system, CryptoBandits deploys two distinct modules: a worm component responsible for spreading the infection and a cryptocurrency clipper designed to monitor and manipulate wallet-related data.

The propagation mechanism enables the malware to scan connected USB storage devices and generate additional malicious shortcut files that imitate legitimate documents. By replacing or disguising genuine files with weaponized shortcuts, attackers increase the likelihood that the malware will spread when removable media is shared between systems. Microsoft also noted that the malware can deploy additional payloads while excluding them from Microsoft Defender scanning, helping attackers reduce the likelihood of detection.

One of the most dangerous aspects of CryptoBandits is its clipboard-monitoring functionality. Cryptocurrency clippers are designed to watch for wallet addresses copied by victims during transactions. When a targeted wallet address is detected, the malware silently replaces it with an attacker-controlled address before the victim pastes the information into a cryptocurrency application or exchange platform. Because cryptocurrency addresses are often long and difficult to verify manually, victims may unknowingly transfer digital assets directly to criminal-controlled wallets.

Beyond address substitution, Microsoft found that the malware can harvest cryptocurrency seed phrases and private keys, information that can provide direct access to digital wallets. The malware also captures screenshots and transmits collected information to attacker-controlled infrastructure through Tor-based communications channels.

The malware establishes persistence through scheduled tasks and incorporates anti-analysis checks intended to identify whether system monitoring tools are active. Researchers observed the clipper verifying whether Windows Task Manager was running before continuing execution, a technique commonly used by malware operators attempting to evade investigation and detection.

After installation, CryptoBandits launches a renamed Tor executable and registers the infected device with its command-and-control infrastructure. The malware then continuously polls its operators for instructions at intervals of roughly 500 milliseconds, enabling rapid execution of attacker-issued commands. This capability transforms the malware from a simple financial stealer into a remotely managed backdoor capable of supporting additional malicious activity.

Microsoft's investigation also revealed extensive use of runtime obfuscation. Core malware components remain encrypted until execution, while both the Python-based installation routines and JavaScript payloads are intentionally obscured to complicate reverse engineering efforts. Such techniques make static analysis significantly more difficult and can delay detection by traditional signature-based security tools.

At the center of the operation is the malware's bundled Tor client. Rather than relying on exposed internet-facing servers, CryptoBandits routes traffic through localhost: 9050 using a SOCKS5 proxy and communicates with hidden-service infrastructure hosted within the Tor network. By concealing command-and-control traffic behind anonymized routing, attackers reduce network visibility and make infrastructure disruption efforts considerably more challenging.

The campaign gives us a foray into the new trend of financially motivated cybercrimes, where lightweight malware increasingly combines credential theft, cryptocurrency targeting, covert communications, and remote-access functionality within a single package. Security researchers have repeatedly observed threat actors moving away from easily identifiable command-and-control servers in favor of anonymized infrastructure that blends malicious traffic with legitimate network activity.

To mitigate the threat, Microsoft recommends restricting unnecessary use of scripting engines such as Windows Script Host, monitoring systems for unauthorized local SOCKS proxy activity, reviewing unusual clipboard access patterns, and implementing behavioral detection mechanisms capable of correlating script execution, network communications, process activity, and data exfiltration attempts. Additional safeguards include disabling autorun functionality for removable media, restricting execution of shortcut files from USB devices, and closely monitoring Tor-related network traffic originating from enterprise endpoints.

Read more »
WordPress security flaw
CVE-2026-4020 Gravity SMTP exploit Gravity SMTP vulnerability Vulnerabilities and Exploits WordPress security flaw

Gravity SMTP Vulnerability Under Active Exploitation, Over 17 Million Attack Attempts Detected

 


Cybersecurity researchers are warning WordPress administrators about ongoing attacks targeting a recently fixed security flaw in the Gravity SMTP plugin, which is currently installed on nearly 100,000 websites.

The vulnerability, identified as CVE-2026-4020 and assigned a CVSS score of 5.3, is classified as a medium-severity information disclosure issue. The flaw enables unauthenticated attackers to access sensitive information, including configuration settings, API credentials, secrets, and OAuth tokens associated with the plugin’s email service integrations.

"This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it," Wordfence said.

"When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report."

By exploiting the weakness, attackers can gain access to a broad range of system details, including:

* PHP version
* Loaded extensions
* Web server version
* Document root path
* Database server type and version
* WordPress version
* Active plugins and their versions
* Active theme information
* WordPress configuration settings
* Database table names
* API keys and tokens configured for services such as Amazon SES, Google, Mailjet, Resend, and Zoho

Security experts note that the exposed information can be leveraged to obtain credentials that may allow malicious actors to send emails using the affected website’s connected services. Additionally, the extensive system information could help attackers identify further weaknesses and launch follow-up attacks.

"As with all sensitive information exposure vulnerabilities, the impact depends on what data is exposed," Wordfence added. "In this case, the exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site."

The issue has been addressed in Gravity SMTP version 2.1.5. However, threat actors have already begun actively exploiting vulnerable installations by sending unauthenticated HTTP GET requests to the affected REST API endpoint with the "?page=gravitysmtp-settings" parameter. These requests trigger the server to disclose valuable site information without requiring authentication.

According to Wordfence, more than 17 million exploitation attempts targeting CVE-2026-4020 have been blocked so far. Malicious activity was first observed in early May 2026 and surged significantly around June 6, 2026, peaking at more than 4 million requests within a single day.

The primary IP addresses associated with the attack activity include:

* 45.148.10.95
* 193.32.162.60
* 176.65.148.139
* 173.199.90.188
* 45.148.10.120
* 185.8.107.155
* 185.8.106.37
* 185.8.106.92
* 185.8.106.145
* 176.65.148.30

Website owners using affected versions of Gravity SMTP, particularly those with third-party email integrations enabled, are strongly advised to update to the latest version immediately. Security experts also recommend rotating all associated API credentials after updating, as a precautionary measure.

Administrators should further inspect server logs for requests originating from the identified IP addresses and review any suspicious activity involving the vulnerable API endpoint to determine whether their systems may have been targeted.

Read more »
RDP
Cryptographic Dark Web Data Theft malware Prinz Eugen RAAS ransomware RDP

New Prinz Eugen Ransomware Targets Recently Modified Files First, Researchers Find

 



Security researchers have revealed a ransomware operation known as Prinz Eugen that employs an unusual file-encryption strategy designed to increase pressure on victims. According to an investigation by ThreatDown, Malwarebytes' enterprise security division, the malware gives priority to files that have been modified most recently, focusing its efforts on data that organizations are most likely to rely on for day-to-day operations.

Researchers describe the actors behind Prinz Eugen as highly interactive intruders who rely on direct involvement throughout the attack process rather than fully automated deployment methods. Instead of depending on large-scale ransomware affiliate networks, the group appears to conduct attacks manually, using legitimate administration tools and built-in system utilities to move through victim environments and maintain access.

Evidence collected during incident response investigations suggests that attackers may initially gain entry through compromised Remote Desktop Protocol (RDP) credentials. After securing access, operators manually retrieve and launch the ransomware payload, identified as servertool.exe. In one investigated intrusion, researchers observed the use of the RemotePC remote management platform, alongside the creation of a backdoor administrator account that allowed the attackers to retain access to the compromised environment.

ThreatDown noted that Prinz Eugen does not currently appear to operate under the ransomware-as-a-service model that has become common across the cybercriminal ecosystem. Researchers found no indication that the group's operators are actively recruiting affiliates or distributing their malware to external partners. Instead, available evidence points to a more centralized operation in which attacks are carried out directly by the threat actors themselves.

Although the group's data-leak platform presently displays only three victims, researchers believe the actual number of affected organizations is higher. Information gathered during investigations indicates that multiple organizations have experienced incidents linked to the ransomware. Depending on the attack, victims may face file encryption, data theft, or a combination of both. Security researchers have identified at least five organizations impacted by the operation, including an incident involving Standard Bank, where attackers reportedly demanded a ransom payment of one Bitcoin. The demand was ultimately rejected.

One of the most distinctive characteristics of Prinz Eugen is its approach to selecting files for encryption. Analysis of the malware revealed that it processes files according to modification time, encrypting the most recently changed data before moving to older content. When several files share the same timestamp, the malware follows alphabetical order to determine which file is processed next.

Researchers believe this strategy is intended to maximize operational disruption. Files that have been edited recently are often associated with ongoing business activities, active projects, financial records, or other information that employees depend on regularly. By rendering this data inaccessible first, attackers can create immediate pressure on organizations to engage with extortion demands.

Technical analysis further showed that the ransomware scans directories recursively without imposing depth restrictions. Unlike some ransomware families that avoid certain locations or system folders, the examined Prinz Eugen sample applies very few limitations. The malware attempts to encrypt virtually every accessible file it encounters, excluding only files that already carry the .prinzeugen extension, which is added to data after encryption has been completed.

The encryption mechanism itself incorporates multiple modern cryptographic components. Researchers found that the ransomware uses the ChaCha20-Poly1305 algorithm together with a 32-byte master key. Each targeted file receives its own randomly generated initialization vector, while key generation and derivation processes rely on Argon2id, SHA-256, and HKDF-SHA256. Data is encrypted in 1 MB segments, and SHA-256 hashing is used to verify file integrity throughout the process.

Investigators also identified a safeguard built into the malware's deletion routine. When operators use the – delete option, the ransomware removes original files only after confirming that the encrypted version can be successfully decrypted. This verification step reduces the likelihood of accidental data destruction that could undermine the attackers' leverage over victims.

Beyond encrypting files, Prinz Eugen incorporates measures intended to frustrate forensic investigations. Researchers observed that the malware overwrites encryption keys with zero values once they are no longer needed, triggers garbage collection routines to remove remaining traces from memory, and then attempts to delete itself from disk. These actions are designed to make post-incident analysis and key recovery efforts more difficult.

Another noteworthy aspect of the ransomware is the absence of conventional extortion artifacts. The analyzed sample contains no functionality for dropping a ransom note onto infected systems, nor does it alter the victim's desktop wallpaper to display payment instructions. While such techniques have historically been common among ransomware groups, ThreatDown researchers noted that some organized operations are increasingly shifting away from visible on-system communications.

Instead, attackers may conduct negotiations through external channels such as email correspondence, direct phone contact, or dedicated dark-web portals. By moving communications outside the compromised environment, threat actors leave behind fewer artifacts that investigators can collect and reduce opportunities for automated security tools to identify the extortion phase of an attack.

To assist defenders, ThreatDown has published a collection of indicators of compromise associated with Prinz Eugen activity. These indicators can help security teams, incident responders, and researchers identify potential infections, investigate suspicious activity, and strengthen defenses against future attacks involving the ransomware. 

Read more »
Financial Monitoring
Bitcoin Crypto Market crypto market risks cryptocurrency Cryptocurrency news Cyber Security Financial Monitoring

Bitcoin Drops Below $60,000 as Market Selloff and Security Fears Weigh on Crypto

 

Falling further now, Bitcoin dipped under $60,000 again - the first time since early 2024 - amid softness across financial markets and rising unease about digital safety. Around $59,909, it lost close to 6% in one session, almost 18.5% in seven days. This slump stretches beyond just Bitcoin. Ethereum followed closely behind, sliding 23% over the week until reaching approximately $1,555. Meanwhile, Solana saw a similar drop of 22%, settling near $63.75 after sharp downward pressure. 

Bitcoin now trades over 52 percent below its peak of $126,080 set last October. A mix of pressures drives the drop, according to market observers. Attention earlier centered on steady withdrawals from physical Bitcoin ETFs along with Strategy offloading coins for the first time since 2022. Lately, though, shifts in outlook regarding Federal Reserve interest moves have added pressure, alongside fresh unease about digital asset safety. 

Surprising strength marked last month's U.S. labor numbers, as payrolls expanded by 172,000 during May. That outcome ran well ahead of forecasts - almost twice what analysts had predicted - shifting how investors view future rate moves. With inflation concerns lingering, officials may feel less pressure to ease policy soon. Because higher yields often make safer investments more appealing, digital coins typically face headwinds under such conditions. Market participants now weigh whether extended tightening cycles could dampen speculative flows. 

Despite recent gains in employment figures, expectations for lower interest rates have faded, according to Nicolai Søndergaard of Nansen. Having shed roughly 15 percent lately, Bitcoin now faces added strain without any obvious economic trigger to spark rebound. Though digital assets struggle, broader uncertainty lingers due to unrest in the Middle East. That stress shows up in cautious trading behavior worldwide. 

With few positive signals on the horizon, momentum remains fragile. Even as attention grows around blockchain safety, news of a serious weakness in Zcash - a coin built for anonymity - has raised alarms. Though programmers pushed out an update to correct the problem, they stated plainly that tracking past misuse is impossible due to hidden transaction details. Without clear evidence of abuse, doubt spread quickly among investors. 

That hesitation showed in price movements: ZEC plunged over two-fifths in value in just one day. Now worries spread through crypto circles after the event. Because AI tools might detect weak spots in blockchains, investor unease grows. Questions emerge - could similar flaws threaten more digital currencies? As machine learning advances, trust faces new tests. Out of nowhere, a slight uptick appeared for Bitcoin ETFs amid continued market softness. 

On Thursday, U.S. spot Bitcoin funds saw inflows exceeding $3 million - breaking a run of 13 straight days of outflows. While tiny next to the billions pulled so far this year, the shift hinted at changed sentiment, if only briefly. Not long after prolonged pullbacks, investors paused, then edged back in. After tech shares slipped, so did broader market sentiment - Nasdaq dropped sharply amid wider financial strains. 

Not just crypto felt the downturn; traditional assets wavered too, pulled by similar worries. Investors moved carefully through overlapping pressures: shaky economies, global conflicts, threats in digital finance. When equities fell, digital coins followed close behind, mirroring the wariness spreading through capital markets.
Read more »
User Security
Banking scam Cyber Fraud Haldwani OTP Bypass User Security

Haldwani Cyber Fraud: ₹2.5 Lakh Stolen Without OTP, Raising Bank Security Concerns

 

In Haldwani, a cyber fraud case has once again shaken public trust in digital banking, after a victim reportedly lost money without clicking a suspicious link or sharing an OTP. The case is worrying because it shows how modern fraud can bypass the protections many users still consider reliable. For years, OTPs have been seen as a strong safety layer, but incidents like this suggest scammers are finding new ways to drain accounts while staying hidden. As digital payments grow, so does the need to understand how these silent attacks work. 

What makes such frauds especially alarming is that victims often receive no obvious warning before the money disappears. In some recent cases, cybercriminals have used methods such as SIM swap attacks, malware, account takeovers, call forwarding, or unauthorized beneficiary additions to move funds without the user’s approval. Other reports have also shown that fraud can happen through fake banking apps, remote access tools, or abuse of pre-linked payment mandates. This means the problem is no longer just about sharing an OTP; it is also about securing the phone, SIM, banking app, and personal identity. 

The Haldwani incident highlights a deeper issue in bank security: authentication systems are only as strong as the weakest device or process connected to them. If a fraudster gains access to a phone number, banking credentials, or an already trusted payment route, the transaction may look legitimate to the bank’s systems. That is why “no OTP” does not automatically mean “no compromise.” In fact, some frauds exploit loopholes where money is shifted through internal banking paths, or through beneficiary changes that may not trigger immediate user attention. 

Safety recommendations 

For users, the first rule is to monitor bank alerts closely and treat any unexpected debit, SMS, or app activity as urgent. Keep mobile software updated, avoid installing apps from unknown links, and never grant unnecessary SMS, accessibility, or call permissions to random applications. It also helps to use strong screen locks, secure SIM cards with a PIN, and enable additional notifications through email or alternate channels. If anything looks suspicious, contact the bank immediately and report the fraud through the cybercrime helpline without delay. 

This case is a reminder that cybersecurity is no longer only a technical concern; it is a daily financial survival issue. Banks need stronger fraud detection, faster alerts, and better protection against account takeover methods that bypass OTP-based trust. At the same time, users must stop assuming that OTP alone can keep money safe. The real defense is layered security, quick reporting, and constant digital caution.
Read more »
Usbliter8 Exploit
Apple A12 Security Apple A13 Exploit Apple Device Vulnerability Apple SecureROM Vulnerability BootROM Exploit Cyber Security Cyber Threats Hardware Security Flaw iPhone Security Research Usbliter8 Exploit

Unpatchable BootROM Flaw Exposes Apple A12 and A13 SecureROM Chain


 

The disclosure of a new hardware-level exploit has raised new concerns about the long-term security implications of immutable silicon vulnerabilities across Apple's entire ecosystem. Paradigm Shift researchers have revealed usbliter8, a working SecureROM exploit compromising the boot chain of Apple A12 and A13 processor-based devices. 

In 2019, checkm8 emerged as the first publicly released unpatched attack on these chip generations. By exploiting a flaw within the BootROM, the code that runs before iOS and all higher security controls, the exploit is able to bypass protections at the earliest stage of the initialization process. Physical access, a USB connection, and manual placement of the device into DFU mode are required to perform the attack, but the significance lies in the vulnerability itself. This vulnerability is not able to be remedied by updating firmware, updating operating systems, or restoring devices since it occurs in silicon rather than software.

In addition to the niche jailbreak development impacted by this disclosure, Apple hardware that is still supported, including iPhones, iPads, Apple Watches, and other Apple devices, now carry a permanent hardware weakness that can be exploited throughout the device's operational lifetime. 

Along with presenting a notable research discovery, USBliter8 also presents a significant hardware security incident due to the permanent nature of the vulnerability exploited by it. The affected SecureROM code is therefore physically embedded within the processor while the device is being manufactured, placing it beyond Apple's control once the device leaves the factory. This is in contrast to conventional vulnerabilities that can be mitigated by updating firmware or operating systems. 

During a coordinated engagement with Apple Product Security on June 18, 2026, researchers revealed the exploit and accompanying proof of concept, demonstrating that a successful attack can be carried out in less than two seconds before Apple's trusted boot sequence takes over. There remains a strict physical access requirement for the attack: a target device must be manually placed into Device Firmware Update (DFU) mode and connected to an RP2350-based microcontroller platform using USB. Nevertheless, there is a considerable range of hardware impacted. 

Publicly supported targets include devices built on Apple's A12 and A13 application processors, in addition to the S4 and S5 systems-on-chip used across Apple Watch and HomePod products. There are a number of products, such as the iPhone XS, iPhone XR, iPhone 11, two-generation iPhone SE, multiple iPad models, Apple Watch Series 4 and 5, the first-generation Apple Watch SE, HomePod mini, and others, which continue to see active deployment. 

Research indicates that support for A12X and A12Z processors may be technically achievable in the future, but this has not yet been implemented. The architectural differences in USB memory handling do not seem to affect devices based on A11 silicon, while A14 and newer generations appear to be immune due to improved DART configuration and memory isolation controls within the boot environment.

The disclosure also highlights an aspect of modern device security that is seldom encountered: there are some vulnerabilities that are beyond the reach of all software-based defense mechanisms available to vendors as well as users. The vulnerability can not be eliminated by iOS updates, firmware revisions, factory restores, or standard hardening measures since the vulnerability lies within immutable SecureROM code. It remains imperative to maintain the latest software versions, enforce strong authentication controls, and adhere to sound security practices to protect against conventional threats; however, those measures do not alter the hardware trust anchor targeted by USBliter8. 

In identifying the most practical long-term mitigation strategy for organizations and individuals seeking to reduce exposure, Paradigm Shift identified migration to devices utilizing A14 or newer silicon. While Apple has not publicly addressed the research as of publication, the researchers stated that Apple Product Security has been notified and disclosure procedures have been completed before technical details and exploit code can be released. There is a great deal of variation in the security implications associated with the various operating environments in which affected devices are used. 

For the average consumer, the requirement for physical possession, DFU mode access, and specialized hardware greatly narrows the scope of potential exploitation. Individuals who operate under elevated threat conditions, including journalists, corporate executives, activists, government employees, and others whose devices may be seized, inspected, or held for extended periods, face a significantly different risk profile. In such scenarios, a compromised device based on A12, A13, S4, or S5 could be affected by persistent boot-level intrusions that are anchored underneath the operating system itself, even after software updates are applied. Thus, device lifecycle planning now includes security considerations instead of just procurement, with the newer A14-generation hardware and later platforms posing the most obvious route to avoiding this type of exposure. 

In addition to the immediate technical accomplishments, researchers are closely tracking whether usbliter8 follows a similar path to checkm8 that was established nearly seven years ago. Along with the research, a proof-of-concept code was released that gained significant attention from the security community.

It quickly gained hundreds of GitHub stars and indicated strong interest from researchers and developers alike. It is widely anticipated that jailbreak-focused tools will emerge in the near future, but the more consequential question is whether the exploit will evolve into a mature hardware research and forensic framework for A12 and A13 devices. Ultimately, Checkm8 has become the primary tool for examining and interacting with older Apple hardware in a manner previously not possible for defenders, researchers, and forensic practitioners. 

While USBliter8 has not yet reached that level, its publication provides the first public insight into a generation of Apple silicon which, until now, has been largely beyond the reach of unpatched SecureROM exploits. With the advent of USBliter8, we are reminded that not all security risks originate with software, and not all can be resolved through patching. 

By exposing a hardware-rooted vulnerability that remains widely deployed, this research contributes to a heightened awareness of the long-term security implications of silicon-level trust boundaries. However, organizations and individuals responsible for sensitive data should reassess their device custody practices, hardware refresh strategies, and exposure to high-risk environments as a result of the exploit. 

Usbliter8 remains a significant landmark in Apple security research and is being examined by the security community in order to fully comprehend its impact. It demonstrates how important it is not only to secure the software on a device, but also the device itself.
Read more »
Subscribe to: Posts (Atom)