Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

supply chain security
Cybersecurity Education Cybersecurity Workforce Data Breach Data Breaches Digital Espionage Emerging Market Cyber Risks global cybercrime ransomware attacks Regulatory Cyber Frameworks supply chain security

Surge in Cybercrime Undermines Online Safety Efforts


 

With data breaches, ransomware incidents, and state-sponsored digital espionage increasingly dominating global headlines, cybersecurity has become a strategic priority for governments and corporations alike, moving from a back-office concern to a front-line concern. 

A widening gap between risk and readiness is visible in almost all industries due to the rapid acceleration of the threat landscape. This has resulted in a global demand for qualified cybersecurity professionals. 

Among the findings of the 2024 ISC2 Cybersecurity Workforce Study, which underscores the magnitude of the problem, is the finding that the shortage has now exceeded four million cybersecurity professionals worldwide, and it is only expected to increase. 

Currently, this imbalance is affecting both job seekers and career changers, reshaping the workforce and positioning cybersecurity as a field of unparalleled resilience and opportunity in the digital economy. In a world where skilled personnel are scarce, but essential to safeguarding critical infrastructure and sensitive data worldwide, cybersecurity has become one of the most valuable and resilient fields. 

The concept of cybercrime, which consists of criminal activity that targets or exploits computers, networks, or connected devices, has evolved into a complex and globally networked threat ecosystem. 

Cybercriminals continue to be motivated primarily by financial gain, but they are also influenced by political, ideological, or personal goals, such as espionage and disruption, which contributes to the increase in cybercrime attacks. 

There are many kinds of threat actors, from loosely organized novice hackers to highly coordinated criminal syndicates with sophisticated tools and techniques. In emerging economies, internet penetration has steadily increased.

As a result, regions like Africa have become increasingly the testing ground for new cyberattack techniques as they have deepened across emerging economies. GI-TOC (Global Initiative Against Transnational Organized Crime) published a report that revealed that cybercrime has been rising steadily over the African continent in recent years, with Kenya, Nigeria, and South Africa, which is among the most digitally connected countries in sub-Saharan Africa, facing a constant attack from cybercriminals.

There is evidence that malicious actors are testing new strains of ransomware and cyber-based attacks in these environments before they are deployed elsewhere, underscoring the global nature and adaptiveness of the threat. However, India is faced with a parallel challenge that is shaped by its digital transformation on a scale and at a pace that cannot be matched. 

With the advent of online banking, e-commerce, government platforms, and mobile services, the country has seen a surge in cybercrime, affecting individuals and businesses alike. This is a result of the ongoing implementation of technology in everyday life. 

According to official data released by the National Cyber Reporting Platform in 2024, over 1.7 million complaints about cybercrime were filed, an increase of more than 10 percent from last year. This is a result of a growing awareness of cybercrime and an increase in attacks. 

It has been found that a significant proportion of these incidents were linked to transnational cybercrime hubs located in Southeast Asia. Thus, it highlights the limitations of purely domestic defenses against cybercrime. Several reports, such as PwC's Global Digital Trust Insights for India for 2025, rank cyber and digital risks among the top concerns for corporate leaders across the country. 

Cyber and digital risks have also been ranked high in the assessment as prevalent concerns among Indian businesses. In addition to this, security researchers report that Indian websites receive millions of malicious requests every year, while attackers are increasingly targeting mobile applications and potentially exposed APIs, pointing to a strategic shift to disrupt connected and consumer-facing digital services and networks as a result. 

As cybercrime becomes more sophisticated and sophisticated across Africa, structural weaknesses in law enforcement and regulatory capacity are compounding this problem, so there is an increasingly uneven playing field between the states and the sophisticated criminal networks that are well funded. 

GI-TOC analysts noted that a number of law enforcement agencies in the continent lack advanced digital forensics capabilities, secure evidence storage systems, and real-time network monitoring technologies, as well as advanced digital forensics capabilities. 

These limitations have a significant impact on the ability of law enforcement agencies to investigate cybercriminal activities and dismantle transnational cybercriminals in a timely manner. 

Due to this capability gap, attackers have enhanced their techniques by targeting vulnerable government institutions and businesses in critical sectors such as finance, energy, and manufacturing, so that they can then export these techniques to jurisdictions with strengthened defenses. 

It is generally believed that ransomware and distributed denial-of-service attacks remain some of the most prevalent ways for hackers to disrupt economic and social systems, causing severe economic and social disruption. In terms of the financial toll, cyber incidents have cost African economies billions of dollars each year, and are causing a great deal of damage. 

As a result of high-profile attacks, Ghana's national power distribution system has been disrupted, health and statistical agencies in Nigeria and South Africa have been compromised, sensitive customer data has been exposed in Namibia, and the Ugandan central bank has sustained considerable losses. 

The incidents underscore the fragmentation of regulations, underdeveloped infrastructure, and lack of policy coordination that have made some parts of the African continent a hub of illicit activity. This includes the large-scale online fraud and the digitally enabled transnational crimes that are taking place there. 

The GI-TOC estimates that in 2025, cybercrime would account for nearly one-third of reported criminal activity in West and East Africa, totaling approximately $3 billion in lost revenue and reputational damages, figures which, the organization warns may be understated due to systemic transparency gaps. 

Cybercrime has emerged as one of the biggest vulnerabilities in the cybersecurity industry against this backdrop, and the shortage of cybersecurity professionals has become an even more critical concern. 

A well-structured cybersecurity education has become a cornerstone of resilience, giving individuals the technical skills to identify weaknesses in systems, respond to evolving threats, and maintain ethical and regulatory standards as well as enabling them to identify system weaknesses. 

It is now possible to take courses ranging from foundational courses covering networks, operating systems, to advanced, role-specific courses in cloud security, application protection, and governance, risk, and compliance, among others. 

It is becoming increasingly important for national security and economic stability to develop a skilled, well-trained workforce in order to combat cyber threats that are becoming more complex and interconnected. 

In addition to deploying technical defenses themselves, a single cyber incident can result in severe consequences, which extend well beyond the financial losses caused by the incident, ranging from data breaches to malware infections to ransomware attacks. 

Based on the findings of the Hiscox Cyber Readiness Report 2024, there are a large number of businesses that have suffered a cyberattack over the past year. More than two-thirds of them report that they have experienced a rise in cyberattacks since the previous 12-month period, while half also report that they have experienced a rise in incidents during that period. 

It is often difficult for organizations to attract new customers and retain existing clients due to a long-term fallout. Many organizations reported experiencing erosion of existing client relationships, and sustained reputational damage due to negative publicity. 

There are many aspects of these attacks that are not limited to businesses, but also individuals caught in them, who may face identity theft, direct financial loss, and a loss of trust in digital systems as a result. 

The emergence of remote work and hybrid work models has made small and medium-sized enterprises or SME's particularly attractive targets, especially due to the greater digital attack surfaces they offer and the increase in security resources they already have. 

There have been a significant number of high-profile incidents involving widely used service providers and their trusted third-party vendors, highlighting the fact that cybercriminals are increasingly exploiting supply chain vulnerabilities to compromise multiple organizations simultaneously. As reported by a number of industry experts, SMEs are often unable to cope with the financial and operational shocks resulting from a successful cyberattack. 

In fact, a substantial number are indicating that they may have to suspend operations if such an event occurs. In response to the escalating threat environment, governments and international bodies have increased their efforts to coordinate and regulate.

A growing number of law enforcement agencies across borders are collaborating more closely with one another, while new legislative frameworks, including strengthened European network security directives and global cybercrime conventions, are bringing greater accountability to organizations regarding the safeguarding and strengthening of information, and the timely disclosure of breaches as part of a broad effort to reduce cybercrime's economic and social costs.

The combination of all of these developments suggests that the world is entering a turning point in its digital economy, where cybersecurity is no longer just a niche function, but has become a fundamental element needed for sustained growth and public trust. 

Despite the fact that cyber threats continue to transcend borders, sectors, and technologies, the effective governance and response to future cyber threats will be dependent on ensuring that strong policy frameworks are in place, cross-border cooperation is encouraged, and sustained investments in human capital are made. 

Cybersecurity education and reskilling programs can help to create inclusive economic opportunities as well as close workforce gaps, particularly in regions that are most vulnerable to digital threats. 

While organizations need to move beyond reactive security models in order to remain compliant with the threat landscape, they should also make sure they build cyber resilience into their business strategies, supply chain governance practices, and technology designs from the very beginning. 

Having clear accountability, regular risk assessments, and transparent incident reporting can further strengthen collective defenses. 

In the end, as digital systems become more intertwined with daily life and critical infrastructure, it is imperative to create a cybersecurity ecosystem that is resilient so that not only financial and operational losses can be minimized, but confidence in the digital transformation that is shaping economies globally will also be reinforced.
Read more »
Username Switch
Account Rollout Email Change Gmail Update Google Alias Technology Username Switch

Google Rolls Out Gmail Address Change Feature

 

Google has rolled out a major update that will allow users to change their main @gmail.com address. This much-needed feature is being rolled out starting January 2026. Before this update, Gmail users were stuck with their original username for the entire life of the account, which resulted in users making new accounts so that they could have a fresh start. This update will resolve issues such as choosing the wrong or outdated email addresses set up by users or their families earlier in life. 

The feature makes the former address an alias, hence maintaining continuity without losing data. Emails sent to either the former or new addresses will still land in the same inbox, and all account information, including pictures, messages, and Drive files, will be maintained. Devices that were authenticated using the former address do not need to log out, as both addresses are associated with the same Google account for services such as YouTube, Maps, and Play Store. 

The feature can be accessed through myaccount.google.com/google-account-email. The steps include Personal info > Email > Google Account email, and then choose the change option when it is available. The users will enter a new available username, and then the steps are completed through email confirmation. If the option is not available, then the rollout has not yet been implemented in that account, and initial reports came from Hindi support pages, indicating a global rollout. 

It has built-in protections against abuse, such that when you change your address, you cannot change or modify it again for a period of one year. Yet even when you have changed your address, your old pseudonym is available for all life if you want to log back into your accounts or send emails, but you cannot keep alternating names all the time. 

For the cybersecurity expert and the creator, the upgrade enhances their level of privacy because it eliminates old handles that are linked to a personal history and does not transfer any data. It is also a good improvement because it eliminates the risks associated with old emails that appear on breaches. As 2026 progresses and the feature is fully deployed, one should monitor the support pages provided by Google.
Read more »
malware
Aisuru botnet Android Malware Black Lotus Labs command and control servers cybersecurity research DDOS Attacks Kimwolf botnet Lumen security malware

Lumen Disrupts Aisuru–Kimwolf Botnet Powering Massive DDoS Attacks

 

Lumen Technologies’ Black Lotus Labs has successfully disrupted more than 550 command-and-control (C2) servers connected to the Aisuru and Kimwolf botnets, a large-scale malicious infrastructure widely used for distributed denial-of-service (DDoS) attacks and residential proxy abuse.

Aisuru operates as a DDoS-for-hire platform and deliberately avoids targeting government and military entities. However, broadband service providers have borne the brunt of its activity, with attacks surpassing 1.5Tb/sec originating from compromised customer devices, causing severe service interruptions.

Similar to other TurboMirai-based botnets, Aisuru includes enhanced DDoS capabilities alongside multifunctional features. These allow threat actors to engage in a range of illegal operations such as credential stuffing, AI-powered web scraping, spam campaigns, phishing attacks, and proxy services.

The botnet launches assaults using UDP, TCP, and GRE flood techniques, leveraging medium-sized packets with randomized ports and flags. Traffic volumes exceeding 1Tb/sec from infected customer premises equipment (CPEs) have disrupted broadband networks, while packet floods surpassing 4 billion packets per second have led to router line card failures.

Kimwolf, a recently identified Android-based botnet closely associated with Aisuru, has compromised more than 1.8 million devices and generated over 1.7 billion DDoS commands, according to cybersecurity firm XLab.

Primarily targeting Android TV boxes, the Kimwolf botnet is built using the Android NDK and includes capabilities such as DDoS attacks, proxy forwarding, reverse shell access, and file management. To conceal its operations, it encrypts sensitive information using a simple Stack XOR method, employs DNS over TLS for communication obfuscation, and verifies C2 commands through elliptic curve digital signatures. Newer variants also use EtherHiding, leveraging blockchain-based domains to evade takedown efforts.

Kimwolf variants follow a consistent naming convention of “niggabox + v[number],” with versions v4 and v5 currently observed in the wild. Researchers who seized control of a single C2 domain recorded interactions from approximately 2.7 million IP addresses within three days, reinforcing estimates that infections exceed 1.8 million devices. The botnet’s globally distributed infrastructure, multiple C2 servers, and varied versions make precise infection counts difficult.

Although Kimwolf borrows elements from the Aisuru codebase, its operators significantly modified it to avoid detection. While traffic proxying is its primary function, the botnet is capable of executing large-scale DDoS campaigns. This was evident during a three-day window between November 19 and 22, when it issued 1.7 billion attack commands.

Lumen observed daily bot traffic to Aisuru C2 servers rise sharply from 50,000 to 200,000 connections in September 2025. Upon validating the emergence of a new botnet, the company blocked the traffic and null-routed more than 550 C2 servers.

By examining C2 infrastructure and residential proxy traffic, researchers traced links to Canadian IP addresses and shared this intelligence with law enforcement agencies.

“The Canadian IPs in question were using SSH to access 194.46.59[.]169, which resolved to proxy-sdk.14emeliaterracewestroxburyma02132[.]su. In short order, we would learn that the Aisuru backend C2 we were tracking adopted the domain name client.14emeliaterracewestroxburyma02132[.]su, a similarity that further tied these servers together” reads the report published by Lumen.

In early October, Black Lotus Labs detected infrastructure shifts signaling the rise of the Kimwolf botnet. Its growth was rapid, adding hundreds of thousands of infected devices within weeks, largely through exploitation of insecure residential proxy services. By mid-October, infections had reached approximately 800,000 devices, with the botnet actively scanning proxy networks to accelerate expansion.

Black Lotus Labs initiated disruption efforts against Kimwolf in October by swiftly null-routing its C2 servers. While operators were able to reestablish operations within hours, Lumen persistently blocked new infrastructure as it surfaced. Through continuous monitoring, collaboration with industry partners, and integration of threat indicators into its security products, Lumen worked to reduce the botnet’s operational capacity over time.

“To date, we have null-routed over 550 Aisuru/Kimwolf servers in 4 months as part of our efforts to combat this botnet, leading its operators to some distress, as noted in Xlabs’ post, showing the actors addressing Lumen with profanity in one DDoS payload” concludes the report.


Read more »
malware
Aisuru Android Botnets IP Address malware

Researchers Disrupt Major Botnet Network After It Infects Millions of Android Devices

 


Security researchers have dismantled a substantial portion of the infrastructure powering the Kimwolf and Aisuru botnets, cutting off communication to more than 550 command-and-control servers used to manage infected devices. The action was carried out by Black Lotus Labs, the threat intelligence division of Lumen Technologies, and began in early October 2025.

Kimwolf and Aisuru operate as large-scale botnets, networks of compromised devices that can be remotely controlled by attackers. These botnets have been used to launch distributed denial-of-service attacks and to route internet traffic through infected devices, effectively turning them into unauthorized residential proxy nodes.

Kimwolf primarily targets Android systems, with a heavy concentration on unsanctioned Android TV boxes and streaming devices. Prior technical analysis showed that the malware is delivered through a component known as ByteConnect, which may be installed directly or bundled into applications that come preloaded on certain devices. Once active, the malware establishes persistent access to the device.

Researchers estimate that more than two million Android devices have been compromised. A key factor enabling this spread is the exposure of Android Debug Bridge services to the internet. When left unsecured, this interface allows attackers to install malware remotely without user interaction, enabling rapid and large-scale infection.

Follow-up investigations revealed that operators associated with Kimwolf attempted to monetize the botnet by selling access to the infected devices’ internet connections. Proxy bandwidth linked to compromised systems was offered for sale, allowing buyers to route traffic through residential IP addresses in exchange for payment.

Black Lotus Labs traced parts of the Aisuru backend to residential SSH connections originating from Canadian IP addresses. These connections were used to access additional servers through proxy infrastructure, masking malicious activity behind ordinary household networks. One domain tied to this activity briefly appeared among Cloudflare’s most accessed domains before being removed due to abuse concerns.

In early October, researchers identified another Kimwolf command domain hosted on infrastructure linked to a U.S.-based hosting provider. Shortly after, independent reporting connected multiple proxy services to a now-defunct Discord server used to advertise residential proxy access. Individuals associated with the hosting operation were reportedly active on the server for an extended period.

During the same period, researchers observed a sharp increase in Kimwolf infections. Within days, hundreds of thousands of new devices were added to the botnet, with many of them immediately listed for sale through a single residential proxy service.

Further analysis showed that Kimwolf infrastructure actively scanned proxy services for vulnerable internal devices. By exploiting configuration flaws in these networks, the malware was able to move laterally, infect additional systems, and convert them into proxy nodes that were then resold.

Separate research uncovered a related proxy network built from hundreds of compromised home routers operating across Russian internet service providers. Identical configurations and access patterns indicated automated exploitation at scale. Because these devices appear as legitimate residential endpoints, malicious traffic routed through them is difficult to distinguish from normal consumer activity.

Researchers warn that the abuse of everyday consumer devices continues to provide attackers with resilient, low-visibility infrastructure that complicates detection and response efforts across the internet.

Read more »
Technology
agentic browser AI Chrome for Android Chrome Glic Chromium update Gemini integration Google Gemini Technology

Google Appears to Be Preparing Gemini Integration for Chrome on Android

 

Google appears to be testing a new feature that could significantly change how users browse the web on mobile devices. The company is reportedly experimenting with integrating its AI model, Gemini, directly into Chrome for Android, enabling advanced agentic browsing capabilities within the mobile browser.

The development was first highlighted by Leo on X, who shared that Google has begun testing Gemini integration alongside agentic features in Chrome’s Android version. These findings are based on newly discovered references within Chromium, the open-source codebase that forms the foundation of the Chrome browser.

Additional insight comes from a Chromium post, where a Google engineer explained the recent increase in Chrome’s binary size. According to the engineer, "Binary size is increased because this change brings in a lot of code to support Chrome Glic, which will be enabled in Chrome Android in the near future," suggesting that the infrastructure needed for Gemini support is already being added. For those unfamiliar, “Glic” is the internal codename used by Google for Gemini within Chrome.

While the references do not reveal exactly how Gemini will function inside Chrome for Android, they strongly indicate that Google is actively preparing the feature. The integration could mirror the experience offered by Microsoft Copilot in Edge for Android. In such a setup, users might see a floating Gemini button that allows them to summarize webpages, ask follow-up questions, or request contextual insights without leaving the browser.

On desktop platforms, Gemini in Chrome already offers similar functionality by using the content of open tabs to provide contextual assistance. This includes summarizing articles, comparing information across multiple pages, and helping users quickly understand complex topics. However, Gemini’s desktop integration is still not widely available. Users who do have access can launch it using Alt + G on Windows or Ctrl + G on macOS.

The potential arrival of Gemini in Chrome for Android could make AI-powered browsing more accessible to a wider audience, especially as mobile devices remain the primary way many users access the internet. Agentic capabilities could help automate common tasks such as researching topics, extracting key points from long articles, or navigating complex websites more efficiently.

At present, Google has not confirmed when Gemini will officially roll out to Chrome for Android. However, the appearance of multiple references in Chromium suggests that development is progressing steadily. With Google continuing to expand Gemini across its ecosystem, an official announcement regarding its availability on Android is expected in the near future.

Read more »
Lynx ransomware
Cyber Attacks Cyber Breach Cyber Security Ransomware Attacks cybercrime gangs data security Data Stolen Lynx ransomware

Russia-Linked Lynx Gang Claims Ransomware Attack on CSA Tax & Advisory

 

A breach surfaces in Haverhill - CSA Tax & Advisory, a name among local finance offices, stands at the center. Information about clients, personal and business alike, may have slipped out. A digital crew tied to Russia, calling themselves Lynx, points to the act. Their message appears online, bold, listing the firm like an entry in a ledger. Data, they say, was pulled quietly before anyone noticed. Silence hangs from the office itself - no word given, no statement released. What actually happened stays unclear, floating between accusation and proof.  

Even though nothing is confirmed by officials, Lynx put out what they call test data from the breach. Looking over these files, experts at Cybernews noticed personal details like complete names, Social Security digits, home locations, billing documents, private company messages, healthcare contracts for partners, and thorough income tax filings. What stands out are IRS e-signature approval papers - these matter a lot because they confirm tax returns. Found inside the collection, such forms raise concerns given how crucial they are in filing processes.

A single slip here might change lives for the worse if what's said turns out true. With Social Security digits sitting alongside home addresses and past tax filings, danger lingers far beyond the first discovery. Fraudsters may set up fake lines of credit, pull off loan scams, file false returns, or sneak through security gates at banks and public offices. Since those ID numbers last forever, harm could follow people decade after decade. 

Paperwork tied to taxes brings extra danger. Someone might take an IRS e-filing form and change real submissions, send fake ones, or grab refunds before the rightful person notices. Fixing these problems usually means long fights with government offices, draining both money and peace of mind. If details about a spouse’s health plan leak, scammers could misuse that for false claims or pressure someone by threatening to reveal private medical facts. 

What happened might hit companies harder than expected. Leaked messages inside the firm could expose how decisions get made, who trusts whom, along with steps used to approve key tasks - details that open doors for scams later on. When private info like Social Security digits or tax records shows up outside secure systems, U.S. rules usually demand public alerts go out fast. Government eyes tend to follow, including audits from tax authorities, pressure from local agencies, even attention at the national level. Legal fights may come too, alongside claims about failed duties, especially if proof confirms something truly went wrong here. Trust once broken rarely bounces back quickly.
Read more »
Technology
AI ai agents Corporate Data Technology

AI Agent Integration Can Become a Problem in Workplace Operations


AI agents were considered harmless sometime ago. They did what they were supposed to do: write snippets of code, answer questions, and help users in doing things faster. 

Then business started expecting more.

Slowly, companies started using organizational agents over personal copilots- agents integrated into customer support, HR, IT, engineering, and operations. These agents didn't just suggest, but started acting- touching real systems, changing configurations, and moving real data:

  • A support agent that gets customer data from CRM, triggers backend fixes, updates tickets, and checks bills.
  • An HR agent who overlooks access throughout VPNs, IAM, SaaS apps.
  • A change management agent that processes requests, logs actions in ServiceNow, updates production configurations and Confluence.
  • These AI agents automate oversight and control, and have become core of companies’ operational infrastructure

Work of AI agents

Organizational agents are made to work across many resources, supporting various roles, multiple users, and workflows via a single implement. Instead of getting linked with an individual user, these business agents work as shared resources that cater to requests, and automate work of across systems for many users. 

To work effectively, the AI agents depend on shared accounts, OAuth grants, and API keys to verify with the systems for interaction. The credentials are long-term and managed centrally, enabling the agent to work continuously. 

Threat of AI agents in workplace 

While this approach maximizes convenience and coverage, these design choices can unintentionally create powerful access intermediaries that bypass traditional permission boundaries.

Although this strategy optimizes coverage and convenience, these design decisions may inadvertently provide strong access intermediaries that go beyond conventional permission constraints. The next actions may seem legitimate and harmless when agents inadvertently grant access outside the specific user's authority. 

Reliable detection and attribution are eliminated when the execution is attributed to the agent identity, losing the user context. Conventional security controls are not well suited for agent-mediated workflows because they are based on direct system access and human users. Permissions are enforced by IAM systems according to the user's identity, but when an AI agent performs an activity, authorization is assessed based on the agent's identity rather than the requester's.

The impact 

Therefore, user-level limitations are no longer in effect. By assigning behavior to the agent's identity and concealing who started the action and why, logging and audit trails exacerbate the issue. Security teams are unable to enforce least privilege, identify misuse, or accurately assign intent when using agents, which makes it possible for permission bypasses to happen without setting off conventional safeguards. Additionally, the absence of attribution slows incident response, complicates investigations, and makes it challenging to ascertain the scope or aim of a security occurrence.

Read more »
Vulnerabilities and Exploits
Cl0p Ransomware Data Leak Korean Air Supply-Chain Attack Vulnerabilities and Exploits

Korean Air Employee Data Exposed in Cl0p Ransomware Supply-Chain Attack

 

Korean Air has acknowledged the theft of sensitive data belonging to 30,000 current and former employees in a serious data breach. The breach occurred via a supply-chain compromise at KC&D Service, the airline's former catering subsidiary. Hackers exploited a critical flaw in Oracle E-Business Suite, tracked as CVE-2025-61882, that enabled code execution remotely without requiring any user interaction or authentication to login. Cl0p ransomware operators claimed responsibility for the attack, and after ransom demands were apparently ignored, they dumped almost 500 GB of stolen archives on their dark web site. 

The intrusion occurred at KC&D, which, though it was sold to Hahn & Company in 2020, was still handling in-flight meals and duty-free services. Korean Air continues to own a 20% stake and has continued sharing employee data through KC&D's ERP server. The attackers targeted Oracle EBS versions 12.2.3 through 12.2.14 to bypass authentication and reach sensitive systems. The vulnerability was publicly disclosed in early October 2025, after initial exploitation that started in August. Although Oracle promptly released patches, the combination of late detection and widespread exposure caused data exfiltration to spread across many victims. 

The stolen information includes full names and bank account numbers, which increases the risk of identity theft, financial fraud and phishing attacks for those whose information was compromised. Importantly, no customer data, including flight records or payment information, was compromised, preventing wider impact on operations. Korean Air on Dec. 29, 2025, advised the employees to be cautious of scams and took emergency security measures, disconnecting the KC&D servers and filing a report with the Korea Internet and Security Agency (KISA).

This attack is reminiscent of the 2023 MOVEit Transfer breach conducted by Cl0p, a similar file-transfer exploit that resulted in the compromise of millions of records from hundreds of companies. Dozens of EBS victims have surfaced, including Envoy Air, Harvard University, Schneider Electric, Emerson, Cox Enterprises, Logitech, and Barts Health NHS Trust, underscoring the campaign's global scale. Cl0p, a Russia-nexus extortion group linked to FIN11, prioritizes data theft over encryption for high-value targets. 

The incident emphasizes enduring supply-chain risk in aviation and enterprise software, underscoring the importance of timely patching, third-party risk assessments, and zero-trust architectures. Korean Air Vice Chairman Woo Kee-hong confirmed full dedication to breach scoping and support for its employees in the midst of South Korea's wave of cyberattacks, which also targeted Coupang and SK Telecom in recent days. Organizations around the globe need to review their Oracle EBS exposures and keep an eye on Cl0p leak sites in order to reduce risk.
Read more »
Voice-Driven AI
AI Hardware Ecosystem AI Security Infrastructure Cross-Platform AI OpenAI Agora Real-Time AI Communication Secure Digital Platforms Technology Tokenised Payments Voice-Driven AI

ChatGPT Prepares Cross-Platform Expansion With Project Agora


It appears that OpenAI is quietly setting the foundation for its next significant product evolution, as early technical signals indicate the development of a new cross-platform initiative that is internally codenamed "Agora" and promises to be the next major step forward for its translation capabilities. 

Tibor Blaho, a prominent AI researcher, discovered previously undisclosed placeholders buried within the latest versions of OpenAI’s website code, as well as its Android and iOS applications. It was evident from that evidence that active development takes place across desktop and mobile platforms. 

'Agora' is the Greek word for a public gathering space or marketplace, which means community, and its use within the software industry has sparked informed speculation, with leaks revealing references like 'is_agora_ios' and 'is_agora_android' as hints of a tightly controlled, cross-platform experience. 

As a result of the parallels between the project and established real-time media technologies bearing the same name, analysts believe the project could signal anything from the development of a unified, cross-platform application, a collaborative social environment, to the development of a more advanced, real-time voice or video communication framework. 

As news has surfaced recently about OpenAI's interest in developing an AI-powered headset, which raises the possibility that Agora could serve as a foundational layer for a broader hardware and software ecosystem, this timing is noteworthy, as reports since surfaced indicate OpenAI is interested in building a headset powered by AI. 

Although the project has not yet been officially acknowledged by the company, OpenAI has already demonstrated its execution momentum by providing tangible improvements to its voice input capabilities that have been logged in to the system.

In this way, it has demonstrated a clear strategy toward providing seamless, interactive, and real-time AI experiences for logged-in users. These references suggest that the initiative is manufactured to operate seamlessly across multiple environments, possibly pointing to a unified application or a device-level feature that may be able to operate across platforms due to its breadth and depth of references. 

A term commonly associated with public gathering spaces and marketplaces is the name “Agora,” which has fueled speculation that OpenAI is exploring the possibility of collaborating with communities in an effort to enhance their interaction with each other.

A number of experts have suggested that the name may be a reference to real-time communication technology, given that it has been associated with a variety of audio and video development frameworks.

It is interesting to note that these findings have been released alongside reports that OpenAI is considering new AI-powered hardware products, such as wireless audio devices positioned as potential alternatives to Apple's AirPods, and that Agora could be an integral part of this tightly integrated hardware-software ecosystem in the future.

In addition to these early indicators, ChatGPT has already seen tangible improvements as a result of the latest update. OpenAI, the artificial intelligence system, has significantly improved the performance of dictation by reducing empty transcriptions and improving overall accuracy of dictation, thus reinforcing the company's commitment to voice-driven, real-time interaction. 

An important part of this initiative is to address longstanding inefficiencies in cross-border payments that have existed for a long time. Due to the fragmented correspondent banking networks that they rely on, cross-border payments remain slow, expensive, and difficult to track. They are characterized by a lack of liquidity and difficulty managing cash flows. 

In addition, the Agorá Project is exploring alternatives to existing wholesale payment frameworks based on tokenization and utilizing advanced digital mechanisms such as smart contracts to achieve faster settlements, greater transparency, and better accessibility than their current counterparts. 

Developing tokenized representations of commercial bank deposits and central bank reserves is an example of the project's focus on understanding how to execute transactions in a secure and verifiable manner, while preserving the crucial role that central bank money plays in terms of being the final settlement asset. 

There are several benefits to this approach, such as eliminating counterparty credit risk, ensuring transaction finality, and strengthening financial stability, in addition to providing new payment capabilities such as atomic, always-on, or conditional payments, among others. 

The initiative is not only evaluating the technical aspects of tokenised money, but will also assess both the regulatory and legal consequences of tokenised money, including they will assess if the tokenised money complies with settlement finality rules, anti-money laundering obligations, and counter-terrorism financing regulations across different jurisdictions. 

Although Project Agorá is being positioned as an experimental prototype rather than a market-ready product, the results of its research could help shape the development of a more efficient, reliable, and transparent global payments infrastructure, and provide a blueprint for the future evolution of cross-border financial systems in the long run. 

Taking this into account, Agora's emergence reveals a broader strategic direction in which OpenAI has begun going beyond incremental feature updates toward building platform-agnostic platforms which can be extended across devices, use cases, and even industries in order to achieve their goals. 

In spite of the fact that Agora may ultimately be developed as a real-time communication layer, a collaborative digital environment, or a component of the infrastructure necessary to support future hardware and financial systems, its early signals indicate that it is focused strongly on interoperability, immediacy, and trust.

The advantages of taking such an approach could include better AI-driven workflows, closer integration between voice, data, and transactions, and the opportunity to design services that operate seamlessly across boundaries and platforms for enterprises and developers alike.

It has also been suggested that the parallel focus on regulatory alignment and system resilience reflects a desire to strike a balance between fast innovation and the stability needed for a wide-scale adoption of the innovations. 

In the meantime, OpenAI is continuing to refine these initiatives behind the scenes. Moreover, the Agora project shows how we may soon find that the next phase of AI evolution will be defined more by interconnected ecosystems, rather than by isolated tools, enabling real-time interaction, secure exchange, and sustained economic growth worldwide.

Read more »
Websites
Credit Card Cyber Security Financial Data Web Skimming Websites

Ongoing Web Skimming Operation Quietly Harvests Payment Data From Online Stores

 



Cybersecurity analysts have identified a sophisticated web skimming operation that has been running continuously since early 2022, silently targeting online checkout systems. The campaign focuses on stealing payment card information and is believed to affect businesses that rely on globally used card networks.

Web skimming is a type of cyberattack where criminals tamper with legitimate shopping websites rather than attacking customers directly. By inserting malicious code into payment pages, attackers are able to intercept sensitive information at the exact moment a customer attempts to complete a purchase. Because the website itself appears normal, victims are usually unaware their data has been compromised.

This technique is commonly associated with Magecart-style attacks. While Magecart initially referred to groups exploiting Magento-based websites, the term now broadly describes any client-side attack that captures payment data through infected checkout pages across multiple platforms.

The operation was uncovered during an investigation into a suspicious domain hosting malicious scripts. This domain was linked to infrastructure previously associated with a bulletproof hosting provider that had faced international sanctions. Researchers found that the attackers were using this domain to distribute heavily concealed JavaScript files that were loaded directly by e-commerce websites.

Once active, the malicious script continuously monitors user activity on the payment page. It is programmed to detect whether a website administrator is currently logged in by checking for specific indicators commonly found on WordPress sites. If such indicators are present, the script automatically deletes itself, reducing the risk of detection during maintenance or inspection.

The attack becomes particularly deceptive when certain payment options are selected. In these cases, the malicious code creates a fake payment form that visually replaces the legitimate one. Customers unknowingly enter their card number, expiration date, and security code into this fraudulent interface. After the information is captured, the website displays a generic payment error, making it appear as though the transaction failed due to a simple mistake.

In addition to financial data, the attackers collect personal details such as names, contact numbers, email addresses, and delivery information. This data is sent to an external server controlled by the attackers using standard web communication methods. Once the transfer is complete, the fake form is removed, the real payment form is restored, and the script marks the victim as already compromised to avoid repeating the attack.

Researchers noted that the operation reflects an advanced understanding of website behavior, especially within WordPress-based environments. By exploiting both technical features and user trust, the attackers have managed to sustain this campaign for years without drawing widespread attention.

This discovery reinforces the importance of continuous website monitoring and script validation for businesses, as well as cautious online shopping practices for consumers.

Read more »
Organization security
Corporate Cyber Security data security EOCC Organization security

EOCC Hit by Security Breach Due to Contractor's Unauthorised Access


The Equal Employment Opportunity Commission (EOCC) was hit by an internal security data breach that happened last year. The incident involved a contractor's employees exploiting sensitive data in an agency's systems. 

About the breach

The breach happened in EEOC's Public Portal system where unauthorized access of agency data may have disclosed personal data in logs given to agency by the public. “Staff employed by the contractor, who had privileged access to EEOC systems, were able to handle data in an unauthorized (UA) and prohibited manner in early 2025,” reads the EEOC email notification sent by data security office. 

The email said that the review suggested personally identifiable information (PII) may have been leaked, depending on the individual. The exposed information may contain names, contact and other data. The review of is still ongoing while EOCC works with the law enforcement. 

EOCC has asked individuals to review their financial accounts for any malicious activity and has also asked portal users to reset their passwords. 

Contracting data indicates that EEOC had a contract with Opexus, a company that provides case management software solutions to the federal government.

 Prevention measures 

Open spokesperson confirmed this and said EEOC and Opex “took immediate action when we learned of this activity, and we continue to support investigative and law enforcement efforts into these individuals’ conduct, which is under active prosecution in the Federal Court of the Eastern District of Virginia.” 

Talking about the role of employees in the breach, the spokesperson added that “While the individuals responsible met applicable seven-year background check requirements consistent with prevailing government and industry standards at the time of hire, this incident made clear that personnel screening alone is not sufficient." 

The second Trump administration's efforts to prevent claimed “illegal discrimination” driven by diversity, equity, and inclusion programs, which over the past year have been examined and demolished at almost every level of the federal government, centre on the EEOC. 

Large private companies all throughout the nation have been affected by the developments. In an X post this month, EEOC chairwoman Andrea Lucas asked white men if they had experienced racial or sexual discrimination at work and urged them to report their experiences to the organization "as soon as possible.”

Read more »
Malwares
Booking.com Booking.com scam Cyber Attacks Cyber Phishing Fake Emails Malware attacks Malwares

PHALT#BLYX Malware Campaign Targets European Hotels With Fake Booking Emails

 

A fresh wave of digital threats emerged just after Christmas 2025, aimed squarely at European lodging spots. Instead of random attacks, it used clever email tricks made to look like they came from Booking.com. Staff members got messages that seemed urgent, nudging them to click without thinking twice. Once opened, hidden code slipped inside their systems quietly. That backdoor let attackers take control through software called DCRat. Behind the scenes, the whole scheme ran under the name PHALTBLYX. 

Research from Securonix shows the attack kicks off using fake emails made to look like Booking.com alerts. A supposed booking cancellation triggers the alert. Displayed boldly is a charge in euros - frequently more than €1,000. That sum aims straight at emotions, sparking alarm. Fear takes over, nudging people toward clicking before checking details. 

Clicking the “See Details” button sends people nowhere near Booking.com. A hidden detour happens first - through another web address entirely. Then comes a counterfeit site built to trick. There, a phony CAPTCHA pops up out of nowhere. After that, a fake Blue Screen appears like it is urgent. Words flash: fix this now by clicking here. Those clicks run harmful PowerShell scripts without warning. The whole chain relies on looking real until it is too late. 

Something begins before the main event - stages unfold slowly, one after another. A hidden rhythm runs through it all, tied to familiar parts of Windows, used in ways they were never meant to be. An XML file shows up without notice, slipped into place while no one watches. It looks harmless, built like a regular project for MSBuild.exe, which itself is real software from Microsoft. Instead of old tricks involving clunky HTML apps, attackers now twist everyday tools into something else. 

What seems ordinary might already be working against you. Normal actions become cover, hiding intent inside routine noise. A hidden DCRat program gets activated during execution. At the last step, a compressed .NET tool called staxs.exe unlocks its internal settings through advanced encryption like AES-256 paired with PBKDF2. To stay active across restarts, it drops a misleading Internet Shortcut into the Startup directory on Windows. After turning on, DCRat reaches out to several hidden servers, then checks what kind of machine it has landed on. Information about the software, settings, and person using the device gets gathered piece by piece. 

Remote operators gain complete control right after. Instead of running openly, it sneaks inside normal system tasks by reshaping them from within. That trick helps it stay put without drawing attention. Noticing clues in the code, experts link the operation to hackers who speak Russian. 

Built into everyday tools users trust, this malware plays on emotions while slipping past alarms. What stands out is how each step connects - carefully strung - to avoid detection. Staying hidden matters most, especially where guest data flows through open networks.
Read more »
Technology
Android app pinning guided access iphone iPhone lock apps phone snooping smartphone privacy Technology

This Built-In Android and iPhone Feature Lets You Share Your Phone Safely

 


Handing your phone to someone, even briefly, can expose far more than intended. Whether it is to share a photo, allow a quick call, or let a child watch a video, unrestricted access can put personal data at risk. To address this, both Android and iPhone offer built-in privacy features that limit access to a single app. Android calls this App Pinning, while Apple uses "Guided Access", allowing you to share your screen safely while keeping the rest of your phone locked.

Your smartphone holds far more than just apps. It contains banking details, private messages, location history, emails, and photos you may not want others to see. Even a quick glance at your home screen can reveal which banks you use or who you communicate with. This is why unrestricted access, even for a moment, can put your privacy and identity at risk. Handing over your phone without restrictions—especially to a stranger—is never a good idea.

There are many everyday situations where this feature becomes useful. A child may want to watch a YouTube video, but you do not want them opening emails or messages. A stranger may need to make a call in an emergency, but nothing beyond that. Even a friend doing a quick Google search does not need access to your search history or other apps. App Pinning and "Guided Access" make sure the phone stays exactly where you want it.

On Android, enabling App Pinning is simple. Head to Settings, search for “App Pinning,” and turn it on. Make sure authentication is required to exit the pinned app. Once enabled, open the app you want to share, go to the recent apps view, tap the app icon, and select Pin. The phone will stay locked to that app until you authenticate. To exit, swipe up and hold, then unlock using your PIN, password, or biometrics.

iPhone users can achieve the same result using "Guided Access". This feature lives under Settings → Accessibility. After setup, it can be activated by triple-clicking the power button. Open the app you want to share, triple-click the power button, and hand over the phone. When finished, triple-click again and authenticate with Face ID, Touch ID, or a passcode to return to normal use.

One limitation exists when sharing photos on both platforms. If you pin the Photos app, the other person can still swipe through your gallery. On iOS, this can be fixed by disabling touch input from the "Session Settings" menu when starting "Guided Access". Android, however, does not currently allow disabling touch during App Pinning, which means extra caution is needed when sharing photos.

The takeaway is simple: never hand your phone to someone without locking it to a single app first. App Pinning on Android and "Guided Access" on iOS are easy to use and extremely effective at protecting your privacy, keeping prying eyes away from your personal data.
Read more »
Technology
AI Cinema Bollywood AI Deepfake VFX Generative Tools Indian Films Technology

Here's How AI is Revolutionizing Indian Cinema

 

Indian cinema is setting the pace for the use of AI across the globe, beating Hollywood's cautious approach to the emergence of the new technology. With the aid of tools like Midjourney and ChatGPT, filmmakers are now able to create storyboards, write screenplays, and even produce final visuals at unprecedented speeds. That's because India produces more than any other country in the world and, consequently, needs to cut costs wherever possible. It's changing everything from pre-production to visual effects. 

Director Vivek Anchalia epitomizes the change with "Naisha," India's first fully AI-generated feature film, scheduled to be released in 2025. Unable to attract funding earlier, he built some stunning visuals and the story elements himself using AI, which attracted interest from producers. Midjourney crafted intimate imagery, while ChatGPT brainstormed plots, enabling Anchalia to refine the shots over a little more than a year. 

Big-budget productions seamlessly weave AI into everyday workflows: de-aging veteran actors, cloning voices for dubbing, and pre-shooting visualizations to save time and cut costs. Generative AI drafts screenplays in minutes, predicts box office success via data analysis, and powers virtual sets mimicking international locations sans travel.

The film industry is already experiencing a radical transformation due to deepfakes and motion capture technology by artificial intelligence, where actors are transformed into their younger or digital avatars with minimal use of expensive hardware. The consequence? Superhero movies with cinematic magic at affordable prices without the million-dollar film shoots.

However, there is a certain tension in this rush of AI technology as well. “There’s a great concern that the jobs of editors, writers, and tech crews could be at risk, as technology continues to automate the editing process,” indicates Sekhar Kambamudi, a film expert. Deepfake technology is a source of concern with regard to abuse, and the use of AI technology could make the emotional depth of the content appear less. 

India, which produces the largest number of films every year, is walking a thin line between innovation and safety. Unlike the Hollywood labor disputes, Bollywood films, although churning at breakneck speeds, require regulation in terms of authenticity and fair use, according to authorities. With advancements taking place in AI, a new dimension is going to arrive, where human innovation and AI’s efficiency will integrate in ways that have never been witnessed before.
Read more »
VoidLink Framework
Advanced Persistent Threats Cloud Infrastructure Threats Cloud Security Container Security Cyber Threat Intelligence malware supply chain attacks VoidLink Framework

VoidLink Malware Poses Growing Risk to Enterprise Linux Cloud Deployments


 

A new cybersecurity threat has emerged beneath the surface of the modern digital infrastructure as organizations continue to increase their reliance on cloud computing. Researchers warn that a subtle but dangerous shift is occurring beneath the surface. 

According to Check Point Research, a highly sophisticated malware framework known as VoidLink, is being developed by a group of cyber criminals specifically aimed at infiltrating and persisting within cloud environments based on Linux. 

As much as the industry still concentrates on Windows-centric threats, VoidLink's appearance underscores a strategic shift by advanced threat actors towards Linux-based systems that are essential to the runtime of cloud platforms, containerized workloads, and critical enterprise services, even at a time when many of the industry's defensive focus is still on Windows-centric threats. 

Instead of representing a simple piece of malicious code, VoidLink is a complex ecosystem designed to deliver long-term, covert control over compromised servers by establishing long-term, covert controls over the servers themselves, effectively transforming cloud infrastructure into an attack vector all its own. 

There is a strong indication that the architecture and operational depth of this malware suggests it was designed by well-resourced, professional adversaries rather than opportunistic criminals, posing a serious challenge for defenders who may not know that they are being silently commandeered and used for malicious purposes.

Check Point Research has published a detailed analysis of VoidLink to conclude that it is not just a single piece of malicious code; rather, it is a cloud-native, fully developed framework that is made up of customized loaders, implants, rootkits, and a variety of modular plugins that allows operators to extend, modify, and repurpose its functionality according to their evolving operational requirements. 

Based on its original identification in December 2025, the framework was designed with a strong emphasis on dependability and adaptability within cloud and containerized environments, reflecting the deliberate emphasis on persistence and adaptability within the framework. 

There were many similarities between VoidLink and Cobalt Strike's Beacon Object Files model, as the VoidLink architecture is built around a bespoke Plugin API that draws conceptual parallels to its Plugin API. There are more than 30 modules available at the same time, which can be shifted rapidly without redeploying the core implant as needed. 

As the primary implant has been programmed in Zig, it can detect major cloud platforms - including Amazon Web Services, Google Cloud, Microsoft Azure, Alibaba, and Tencent - and adjust its behavior when executed within Docker containers or Kubernetes pods, dynamically adjusting itself accordingly. 

Furthermore, the malware is capable of harvesting credentials linked to cloud services as well as extensively used source code management platforms like Git, showing an operational focus on software development environments, although the malware does not appear to be aware of the environment. 

A researcher has identified a framework that is actively maintained as the work of threat actors linked to China, which emphasizes a broader strategic shift away from Windows-centric attacks toward Linux-based attacks which form the basis for cloud infrastructures and critical digital operations, and which can result in a range of potential consequences, ranging from the theft of data to the compromise of large-scale supply chains. 

As described by its developers internally as VoidLink, the framework is built as a cloud-first implant that uses Zig, the Zig programming language to develop, and it is designed to be deployed across modern, distributed environments. 

Depending on whether or not a particular application is being executed on Docker containers or Kubernetes clusters, the application dynamically adjusts its behavior to comply with that environment by identifying major cloud platforms and determining whether it is running within them. 

Furthermore, the malware has been designed to steal credentials that are tied to cloud-based services and popular source code management systems, such as Git, in addition to environmental awareness. With this capability, software development environments seem to be a potential target for intelligence collection, or to be a place where future supply chain operations could be conducted.

Further distinguishing VoidLink from conventional Linux malware is its technical breadth, which incorporates rootkit-like techniques, loadable kernel modules, and eBPF, as well as an in-memory plugin system allowing for the addition of new functions without requiring people to reinstall the core implant, all of which is supported by LD_PRELOAD. 

In addition to adapting evasion behavior based on the presence of security tooling, the stealth mechanism also prioritizes operational concealment in closely monitored environments, which in turn alters its evasion behavior accordingly. 

Additionally, the framework provides a number of command-and-control mechanisms, such as HTTP and HTTPS, ICMP, and DNS tunneling, and enables the establishment of peer-to-peer or mesh-like communication among compromised hosts through the use of a variety of command-and-control mechanisms. There is some evidence that the most components are nearing full maturity.

A functional command-and-control server is being developed and an integrated web-based management interface is being developed that facilitates centralized control of the agents, implants, and plugins by operators. To date, no real-world infection has been confirmed. 

The final purpose of VoidLink remains unclear as well, but based on its sophistication, modularity, and apparent commercial-grade polish, it appears to be designed for wider operational deployment, either as a tailored offensive tool created for a particular client or as a productized offensive framework that is intended for broader operational deployment. 

Further, Check Point Research has noted that VoidLink is accompanied by a fully featured, web-based command-and-control dashboard that allows operators to do a centralized monitoring and analysis of compromised systems, including post-exploitation activities, to provide them with the highest level of protection. 

Its interface, which has been localized for Chinese-language users, allows operations across familiar phases, including reconnaissance, credential harvesting, persistence, lateral movement, and evidence destruction, confirming that the framework is designed to be used to engage in sustained, methodical campaigns rather than opportunistic ones.

In spite of the fact that there were no confirmed cases of real-world infections by January 2026, researchers have stated that the framework has reached an advanced state of maturity—including an integrated C2 server, a polished dashboard for managing operations, and an extensive plugin ecosystem, which indicates that its deployment could be imminent.

According to the design philosophy behind the malware, the goal is to gain long-term access to cloud environments and keep a close eye on cloud users. This marks a significant step up in the sophistication of Linux-focused malware. It was argued by the researchers in their analysis that VoidLink's modular plug-ins extend their reach beyond cloud workloads to the developer and administrator workstations which interact directly with these environments.

A compromised system is effectively transformed into a staging ground that is capable of facilitating further intrusions or potential supply chain compromises if it is not properly protected. Their conclusion was that this emergence of such an advanced framework underscores a broader shift in attackers' interest in Linux-based cloud and container platforms, away from traditional Windows-based targets. 

This has prompted organizations to step up their security efforts across the full spectrum of Linux, cloud, and containerized infrastructures, as attacks become increasingly advanced. Despite the fact that VoidLink was discovered by chance in the early days of cloud adoption, it serves as a timely reminder that security assumptions must evolve as rapidly as the infrastructure itself. 

Since attackers are increasingly investing in frameworks built to blend into Linux and containerized environments, organizations are no longer able to protect critical assets by using perimeter-based controls and Windows-focused threat models. 

There is a growing trend among security teams to adopt a cloud-aware defense posture that emphasizes continuous monitoring, least-privilege access, and rigorous monitoring of the deployment of development and administrative endpoints that are used for bridging on-premise and cloud platforms in their development and administration processes. 

An efficient identity management process, hardened container and Kubernetes configurations, and increased visibility into east-west traffic within cloud environments can have a significant impact on the prevention of long-term, covert compromises within cloud deployments.

There is also vital importance in strengthening collaboration between the security, DevOps, and engineering teams within the platform to ensure that detection and response capabilities keep pace with the ever-changing and adaptive threat landscape. 

Modern enterprises have become dependent on digital infrastructure to support the operation of their businesses, and as frameworks like VoidLink are closer to real-world deployment, investing in Linux and cloud security at this stage is important not only for mitigating emerging risks, but also for strengthening the resilience of the infrastructure that supports them.
Read more »
Technology
AI healthcare tools AI medical records analysis Anthropic Claude for Healthcare Claude health data privacy Technology

Anthropic Launches “Claude for Healthcare” to Help Users Better Understand Medical Records

 
Anthropic has joined the growing list of artificial intelligence companies expanding into digital health, announcing a new set of tools that enable users of its Claude platform to make sense of their personal health data.

The initiative, titled Claude for Healthcare, allows U.S.-based subscribers on Claude Pro and Max plans to voluntarily grant Claude secure access to their lab reports and medical records. This is done through integrations with HealthEx and Function, while support for Apple Health and Android Health Connect is set to roll out later this week via the company’s iOS and Android applications.

“When connected, Claude can summarize users' medical history, explain test results in plain language, detect patterns across fitness and health metrics, and prepare questions for appointments,” Anthropic said. “The aim is to make patients' conversations with doctors more productive, and to help users stay well-informed about their health.”

The announcement closely follows OpenAI’s recent launch of ChatGPT Health, a dedicated experience that lets users securely link medical records and wellness apps to receive tailored insights, lab explanations, nutrition guidance, and meal suggestions.

Anthropic emphasized that its healthcare integrations are built with privacy at the core. Users have full control over what information they choose to share and can modify or revoke Claude’s access at any time. Similar to OpenAI’s approach, Anthropic stated that personal health data connected to Claude is not used to train its AI models.

The expansion arrives amid heightened scrutiny around AI-generated health guidance. Concerns have grown over the potential for harmful or misleading medical advice, highlighted recently when Google withdrew certain AI-generated health summaries after inaccuracies were discovered. Both Anthropic and OpenAI have reiterated that their tools are not replacements for professional medical care and may still produce errors.

In its Acceptable Use Policy, Anthropic specifies that outputs related to high-risk healthcare scenarios—such as medical diagnosis, treatment decisions, patient care, or mental health—must be reviewed by a qualified professional before being used or shared.

“Claude is designed to include contextual disclaimers, acknowledge its uncertainty, and direct users to healthcare professionals for personalized guidance,” Anthropic said.
Read more »
Spearphishing Campaigns
Cloud Identity Security Credential Theft Cyber Attacks FBI cyber alert Kimsuky MFA Bypass North Korea APT QR Code Phishing Quishing Attacks Spearphishing Campaigns

FBI Flags Kimsuky’s Role in Sophisticated Quishing Attacks


 

A new warning from the US Federal Bureau of Investigation indicates that spearphishing tactics are being advanced by a cyber espionage group linked to North Korea known as Kimsuky, also known as APT43, in recent months. 

As the threat actor has increasingly turned to QR code-based attacks as a means of infiltrating organizational networks, the threat actor is increasingly using QR code-based attacks. 

There is an alert on the group's use of a technique referred to as "quishing," in which carefully crafted spearphishing emails include malicious URLs within QR codes, as opposed to links that are clickable directly in the emails.

By using mobile devices to scan the QR codes, recipients can bypass traditional email security gateways that are designed to identify and block suspicious URLs, thereby circumventing the problem. 

As a result of this gap between enterprise email defenses and personal mobile use, Kimsuky exploits the resulting gap in security to stealthily harvest user credentials and session tokens, which increases the probability of unauthorized access while reducing the chance of early detection by the security team. 

As a result of this campaign, concerns about the increasingly sophisticated sophistication of state-sponsored cyber operations have been reinforced. This is an indication that a broader shift toward more evasive and socially engineered attack methods is taking place. 

The FBI has determined Kimsuky has been using this technique actively since at least 2025, with campaigns observing that he targeted think tanks, academic institutions and both US and international government entities using spear phishing emails embedded with malicious Quick Response codes (QR codes). 

In describing the method, the bureau referred to it as "quishing," a deliberate strategy based on the notion of pushing victims away from enterprise-managed desktop systems towards networks governed by mobile devices, whose security controls are often more lax or unclear.

The Kimsuky attacker, known by various aliases, such as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, Velvet Chollima, and Emerald Sleet, is widely believed to be a North Korean intelligence agency. 

Kimsuky's phishing campaigns are documented to have been honed over the years in order to bypass email authentication measures. According to an official US government bulletin published in May 2024, the group has successfully exploited misconfigured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to deliver emails that falsely impersonated trusted domains to send emails that convincingly impersonated trusted domains.

In this way, they enabled their malicious campaigns to blend seamlessly into legitimate communications, enabling them to achieve their objectives. The attack chain is initiated once a target scans a malicious QR code to initiate the attack chain, that then quickly moves to infrastructure controlled by the threat actors, where preliminary reconnaissance is conducted to understand the victim's device in order to conduct the attack. 

Moreover, based on the FBI's findings, these intermediary domains are able to harvest technical information, including operating system details, browser identifiers, screen resolutions, IP addresses, and geographical indications, which allows attackers to tailor follow-up activity with greater precision. 

Thereafter, victims are presented with mobile-optimized phishing pages that resemble trusted authentication portals such as Microsoft 365, Okta, and corporate VPN login pages that appear convincingly. 

It is believed that by stealing session cookies and executing replay attacks, the operators have been able to circumvent multi-factor authentication controls and seized control of cloud-based identities. Having initially compromised an organization, the group establishes persistence and utilizes the hijacked accounts to launch secondary spear-phishing campaigns. This further extends the intrusion across trust networks by extending the malware laterally. 

As described by the FBI, this approach demonstrates a high level of confidence, an identity intrusion vector that is MFA-resilient, and it originates on unmanaged mobile devices that sit outside the traditional lines of endpoint detection and network monitoring. 

A number of attacks by Kimsuky were observed during May and June 2025, including campaigns that impersonated foreign advisors, embassy employees, and think tank employees to lure victims into a fictitious conference, as demonstrated by investigators. 

Since being active for more than a decade now, North Korea-aligned espionage groups like APT43 and Emerald Sleet have been gathering information on organizations in the United States, Japan, and South Korea. These groups, also known as Velvet Chollima, Emerald Sleet, TA406, and Black Banshee, have traditionally targeted these organizations with information. 

As a result of activities related to sanctions evasion and support for Pyongyang's weapons of mass destruction programs in 2023, the U.S. government sanctioned the group.

The current spear phishing campaign relies on QR codes embedded within carefully crafted spear-phishing emails to be it's primary infection vector, as the codes run through a victim's mobile device and thereby direct them to an attacker-controlled infrastructure that the attacker controls. 

There are a number of websites host phishing pages crafted to look like legitimate authentication portals, like the Microsoft 365, the Google Workspace, Okta and a wide range of services such as VPNs and single sign-ons. 

As a general rule, investigators report that the operation typically begins with detailed open-source reconnaissance in order to identify high-value individuals, followed by tailored email messages that impersonate trusted contacts or refer to timely events in order to lend credibility to the operation. 

The malicious site either collects login credentials or delivers malware payloads, such as BabyShark or AppleSeed, to the user when they scan the QR code, enabling attackers to establish persistence, move laterally within compromised environments, and exfiltrate sensitive data as soon as it is scanned.

There are many MITER ATT&CK techniques that are aligned with the activity, which reflects an organized and methodical tradecraft, which includes credentials harvesting, command-and-control communications at the application layer, and data exfiltration via web services. 

Furthermore, the group collects data on victim devices by collecting information about the browser and geolocation of the device, which enables the phishing content to be optimized for mobile use, as well as, in some cases, facilitates session token theft, which allows multi-factor authentication to be bypassed. 

Many researchers, academic institutions, government bodies, and strategic advisory organizations have been targeted for their sensitive information, including senior analysts, diplomats, and executives.

It has been observed that while the campaign has gained a global presence covering the United States, South Korea, Europe, Russia, and Japan  it has also demonstrated an increased effectiveness because it is based on personalized lures that exploit professional trust networks and QR codes are routinely used for accessing events and sharing documents, which highlights the growing threat of mobile-centric phishing. 

In a timely manner, the FBI's advisory serves as a reminder that organizations' attack surfaces are no longer limited to conventional desktops and email gateways, but are increasingly extending into mobile devices which are operating outside of the standard visibility of enterprises. 

As malicious actors like Kimsuky develop social engineering techniques that exploit trust, convenience, and routine user behavior in order to gain access to sensitive information, organizations are being forced to reassess how their identity protection strategies intersect with their mobile access policies and their user awareness practices. 

There is an urgent need for information security leaders to place greater emphasis on maintaining phishing-resistant authentication, monitoring anomalous sign-in activity continuously, and establishing stronger governance over mobile device usage, including for those employees who are handling sensitive policy, research, or advisory matters. 

Additionally, it is imperative that users are educated on how to discern QR codes from suspicious links and attachments so that they can treat QR codes with the same amount of attention and scrutiny. 

A combined campaign of this kind illustrates a shift in state-sponsored cyber operations towards low friction, high-impact intrusion paths, which emphasize stealth over scale, pointing to the necessity for adaptive defenses that can evolve as rapidly as the tactics being used to defeat them, which emphasizes the need for a more adaptive defense system.
Read more »
Subscribe to: Comments (Atom)