The first tool is called Amadey, a malware-as-a-service platform for disrupting devices and deploying infected payloads for ransomware and related attacks. Amadey was first discovered in 2018 and in 2025, it exploited GitHub as it stored system info from malicious devices and deployed custom payloads.
The second tool is called StealC, it is an infostealer-as-a-service tool that steals cryptocurrency wallets, browser extensions, authentication cookies, and login credentials.
Amadey and StealC are distinct tools that function autonomously. They are widely used, but many people use them in their personal cybercrime operations.
The tools depend on the same infrastructure to function. Microsoft made this link after analyzing the tools using AI. The discovery allowed Microsoft to stop both tools simultaneously.
“This action goes after the cybercrime ‘assembly line,’ where coordinated tools drive ransomware, financial fraud, and disruptions to public services. Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain,” Microsoft said.
Companies gathered proof that the tools shared the same infrastructure and invoked RICO statutes against organized crime. This resulted in treating the two tools as part of a single scam.
Microsoft has disrupted over 200 C2 servers and shut down criminal control of over 18,000 compromised computers. Europol also assisted in the operation to track down the culprits and recovered around 27 million stolen login details and found $47 million worth of crypto assets tied to cybercriminals.
“During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network. By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover,” Europol said.
Other firms that helped in “Operation Endgame” are ESET, IBM X-Force, ESET, Mitsui Bussan Secure Directions, and Bitsight.
According to Europol, another tool that disrupted Operation Endgame was SocGholish. It is a malware installer tied to the Russian cybercrime group Evil Corp. that distributes via hacked websites. If you visit such sites, you will be tricked into installing malware apps mimicking as browser extensions or genuine software.
IBM researchers have developed a new semiconductor architecture that could dramatically increase the number of transistors packed onto a silicon chip while improving both computing performance and energy efficiency. The company's experimental design, known as NanoStack, represents a departure from conventional chip scaling by expanding vertically instead of relying solely on shrinking transistor dimensions.
According to IBM, the new architecture has the potential to accommodate approximately 100 billion transistors on a silicon chip roughly the size of a fingernail. Although the technology remains in the research phase and is still years away from commercial manufacturing, the announcement underlines one of the industry's latest efforts to overcome the physical limitations confronting modern semiconductor development.
IBM says NanoStack is comparable to a 0.7-nanometre technology generation, placing it below the 1-nanometre threshold that has long been viewed as a significant milestone in chip manufacturing. While node names such as 2 nm or 0.7 nm no longer represent the exact physical dimensions of transistors, they generally indicate successive generations of manufacturing technology that deliver greater transistor density, improved performance, and lower power consumption.
In laboratory testing, IBM reported that its prototype achieved up to 50% higher performance than its previously demonstrated 2 nm research chip while consuming as much as 70% less energy under comparable conditions. Those improvements, if successfully translated into commercial manufacturing, could support faster artificial intelligence workloads, improve cloud computing efficiency, reduce power consumption in data centres, and extend battery life in mobile devices.
Rather than focusing exclusively on making individual transistors smaller, NanoStack introduces a new architectural approach by stacking multiple layers of transistors vertically. Traditional semiconductor manufacturing has primarily increased computing capability by placing more transistors across the surface of a silicon wafer. As transistor miniaturization approaches fundamental physical limits, researchers are increasingly exploring three-dimensional designs that use vertical space to continue increasing transistor density without proportionally expanding chip size.
Transistors serve as the fundamental electronic switches inside every processor, enabling calculations performed by smartphones, personal computers, gaming systems, enterprise servers, networking equipment, and the rapidly expanding infrastructure supporting artificial intelligence. As more transistors are integrated into a processor, chips are generally able to execute more operations simultaneously, improving computational performance across a wide range of applications.
The continued drive toward higher transistor density has historically been guided by Moore's Law, the observation that the number of transistors integrated onto a chip approximately doubles every two years. For decades, that trend has driven advances in computing performance while reducing the cost of processing power. However, maintaining that pace has become increasingly difficult as transistor dimensions approach atomic scales, where issues such as heat generation, electrical leakage, manufacturing complexity, and quantum effects become far more challenging to manage.
IBM's NanoStack architecture represents one possible response to those constraints by building upward rather than outward. Industry researchers often compare this concept to urban development. Instead of constructing additional houses across limited land, engineers create increasingly taller buildings to accommodate more occupants within the same footprint. Similarly, vertically stacking transistor layers allows exponentially more computing elements to occupy the same silicon area.
The concept also distinguishes IBM's research from other advanced semiconductor initiatives pursuing three-dimensional integration. While several major chip manufacturers have already adopted various forms of 3D packaging and transistor architectures, IBM's proposal seeks to extend vertical integration even further, reflecting the growing industry focus on architectural innovation as conventional transistor scaling becomes more difficult.
Despite its promise, vertically stacked semiconductor designs introduce substantial engineering challenges. Heat generated by densely packed transistors becomes more difficult to dissipate as additional layers are added, potentially affecting reliability and long-term performance. Extremely thin insulating materials separating transistors may also allow unintended electrical leakage, making it harder for components to switch cleanly between operating states. Engineers must additionally solve complex manufacturing problems involving layer alignment, interconnections between stacked components, power delivery, fabrication precision, and production yield before such architectures can be manufactured at commercial scale.
Although NanoStack remains an experimental technology, IBM's latest research illustrates how semiconductor innovation is evolving beyond simply reducing transistor size. Future advances are increasingly expected to depend on new chip architectures, advanced materials, and sophisticated three-dimensional integration techniques capable of delivering the computing performance required by artificial intelligence, high-performance computing, cloud infrastructure, and next-generation consumer electronics.
Security researchers have identified six vulnerabilities in the widely deployed U-Boot bootloader that could allow attackers to execute malicious code during the earliest stages of a device's startup process. If successfully exploited, the flaws could enable firmware-level attacks capable of bypassing security protections before the operating system loads and establishing malware designed to remain on affected systems.
As one of the most widely used open-source bootloaders, U-Boot plays a fundamental role in the startup sequence of embedded Linux devices by initializing hardware and loading the operating system. It is integrated into a broad range of technologies, including enterprise server Baseboard Management Controllers (BMCs), networking equipment, industrial control systems, Internet of Things (IoT) devices, and numerous other embedded appliances.
Because the bootloader executes before the operating system and endpoint security tools become active, vulnerabilities at this stage can have far-reaching consequences. An attacker who gains control during the boot process may be able to interfere with the system's trusted startup sequence before conventional security controls have an opportunity to detect or prevent malicious activity.
One of U-Boot's primary security mechanisms is Verified Boot, which uses cryptographic signatures to verify the authenticity of firmware and operating system images before they are executed. During startup, only images signed with a trusted cryptographic key are intended to be loaded, helping prevent unauthorized or modified firmware from running on the device.
In a technical report published this week, firmware security company Binarly disclosed six vulnerabilities affecting U-Boot's Flattened Image Tree (FIT) signature verification code. The FIT framework is responsible for validating firmware images during the boot process, making it a critical component of the platform's chain of trust.
According to Binarly, researchers examined the verification logic because of its importance in maintaining firmware integrity during startup. Their analysis uncovered six distinct vulnerabilities ranging from denial-of-service conditions that can interrupt the boot process to flaws capable of enabling arbitrary code execution while processing untrusted firmware images.
The researchers said two of the vulnerabilities could potentially allow arbitrary code execution during firmware verification, while the remaining four can be exploited to trigger crashes during the boot process. Since these weaknesses affect the validation of firmware before the operating system starts, a successful exploit could allow malicious instructions to execute before higher-level security mechanisms become operational.
The disclosed vulnerabilities include a flaw identified as BRLY-2026-037 that can cause U-Boot to crash when processing a specially crafted firmware image and, under certain conditions, may also permit arbitrary code execution. BRLY-2026-038 is a memory corruption vulnerability that could enable attackers to execute malicious code during firmware signature verification. BRLY-2026-039 involves an out-of-bounds read that may force U-Boot to access memory beyond the firmware image, resulting in a system crash. BRLY-2026-040 is a null pointer dereference vulnerability that allows crafted firmware images to terminate the bootloader unexpectedly. BRLY-2026-041 stems from insufficient validation of externally stored firmware data and can also be used to crash vulnerable systems. The sixth flaw, BRLY-2026-042, involves unbounded recursion that can exhaust available stack memory and prevent the bootloader from completing the startup process.
Binarly noted that much of the affected code has been present since U-Boot version 2013.07, meaning the vulnerabilities could impact more than 50 stable releases of the project. Because many hardware manufacturers maintain customized downstream versions of U-Boot within their own firmware, the potential exposure extends beyond the upstream project to a large number of commercial products deployed across multiple industries.
If the arbitrary code execution vulnerabilities are successfully exploited, attackers could gain execution during one of the earliest phases of system initialization. Operating at this level may allow threat actors to alter the boot sequence, disable firmware security mechanisms, deploy persistent firmware malware, or perform other privileged actions before the operating system begins loading.
Firmware-based attacks can also be considerably more difficult to identify than malware operating within the operating system. Since malicious activity occurs before the operating system initializes, traditional endpoint security software and many monitoring tools may have limited visibility into the compromise, allowing malicious modifications to remain undetected for extended periods.
Binarly also noted that exploitation does not necessarily require physical access to a device. Systems equipped with Baseboard Management Controllers that support remote firmware updates could become vulnerable if an attacker first compromises the management interface. In such cases, a specially crafted firmware image could be uploaded and processed during the update process, potentially triggering the identified vulnerabilities.
The researchers reported all six vulnerabilities to the U-Boot maintainers and submitted patches addressing each issue. Those fixes have since been accepted into the project's upstream codebase. However, because U-Boot is incorporated into firmware by individual hardware manufacturers, vendors must integrate the patches into their own firmware releases before updates become available to customers.
Organizations operating embedded systems should monitor firmware advisories issued by their hardware vendors and apply security updates as they become available. Restricting access to firmware management interfaces, securing remote administration services such as BMCs, and verifying firmware authenticity before deployment can further reduce exposure while patches are being distributed.
Devices that have reached end-of-life or no longer receive firmware updates may remain permanently vulnerable, underscoring the long-term security challenges posed by legacy embedded systems that continue operating long after vendor support has ended.
Instead of directly disrupting corporate headquarters, hackers gained access via third-party infrastructure, subsidiaries, and overseas operations.
The impacted organizations are Nidec, KDDI, Aflac Japan, and Sapporo Holdings. While the attacks involved different contexts, the incidents hint towards an increasing attack surface that expands well beyond a company’s primary network.
KDDI, a telecommunications provider, reported illegal access to an email platform used by various Japanese internet service providers.
KDDI reported the incident surfaced from a bug in third-party software, revealing around 14.22 million email account records throughout six ISPs.
The attack shows how a single bug inside shared infrastructure can impact various organizations continuously.
On June 30, Aflac Japan revealed that between June 15 and June 25, hackers gained access to its Japanese operations. The company claims that some 4.38 million clients and agents were impacted, and a portion of the documents included bank account details used to pay insurance premiums.
According to the insurance, the incident only affected its company in Japan and had no bearing on its operations in the United States.
The alleged tactics are similar to social engineering strategies previously linked to Scattered Spider, even though the business has not linked the attack to any particular threat organization.
Sapporo Holdings revealed possible illegal access involving two foreign subsidiaries, Canadian brewer Sleeman and Singapore-based Pokka. After identifying suspicious activity, the company shut down the impacted systems and started an investigation to find out if any data had been taken or accessed.
Nidec, a manufacturing company, has revealed that its Taiwanese subsidiary, Nidec Chaun Choung Technology, was the subject of a ransomware attack.
More than two gigabytes of firm data, including personnel, financial, procurement, manufacturing, legal, and IT information, were allegedly taken by the BlackField ransomware organization, which claimed responsibility for the attack. A $2 million ransom was allegedly demanded by the organization.
The technology industry's next computing platform may not fit in your hand. Instead, it could rest on your ears, sit on your face or hang around your neck.
Apple is reportedly exploring AirPods equipped with cameras that would give Siri the ability to interpret a user's surroundings, according to a Bloomberg report. The cameras are not expected to function like traditional smartphone cameras for photography or video recording. Instead, they would provide visual context that allows Apple's AI assistant to respond more intelligently to spoken requests. Apple has not commented on the report.
The development reveals a comprehensive industry effort to move everyday computing beyond smartphone screens. For decades, displays have served as the primary interface between people and their devices. Advances in artificial intelligence, computer vision and voice assistants are now encouraging technology companies to develop wearable devices that can understand a user's environment and respond without requiring constant screen interaction.
Snap recently expanded that vision with its latest augmented reality smart glasses, Specs, priced at £1,995 in the UK and $2,195 in the US. Unlike many existing smart glasses, the device is designed to operate independently rather than relying on a connected smartphone. Digital content appears only when needed, overlaying information onto the wearer's view of the real world instead of replacing it. Snap Chief Executive Evan Spiegel said the goal is to let users remain engaged with their surroundings while accessing digital experiences.
Meta is also increasing its investment in wearable AI. The company has reportedly sold around seven million pairs of its Ray-Ban Meta smart glasses and recently introduced more affordable models. Reports also indicate Meta is evaluating audio-only smart glasses that could reduce some of the privacy concerns associated with built-in cameras.
Those concerns remain one of the biggest obstacles to wider adoption. Camera-equipped wearables have faced criticism after users were found recording people without their knowledge, despite recording indicator lights intended to alert those nearby. Privacy advocates continue to question whether visible indicators alone provide sufficient transparency in public spaces.
Apple could attempt to distinguish itself by relying heavily on on-device processing, allowing visual information to be analyzed locally rather than stored or transmitted to cloud servers. Such capabilities could enable users to identify objects, receive navigation guidance, ask questions about nearby landmarks or generate recipe suggestions based on ingredients already in their kitchen through simple voice interactions.
Analysts believe AI-powered wearables could gradually shift some everyday computing tasks away from smartphones. Even so, most expect the smartphone to remain central to digital life for the foreseeable future, with wearable devices evolving as complementary tools rather than direct replacements. Whether they ultimately reduce screen time or simply expand the ways people interact with technology remains an open question.
The impacted tools are Windsurf, Google Antigravity, Cursor, Amazon Q Developer, Claude Code by Anthropic, and Augment. Wiz has termed the technique GhostApproval and posted it recently.
Three of the six AI assistants have addressed, two did not, while Anthropic argues if it is a bug. The most vulnerable are the tools that modify file before you can notice.
The threat actors exploit an old Unix feature called symlink (or symbolic link), that AI assistants cannot check.
A symlink silently directs to other files somewhere else on disk, hence writing to it particularly writes to the victim.
“Symbolic links have been a security headache since the early days of Unix. From /tmp race conditions to privilege escalation exploits, symlinks have a long history of bypassing security boundaries by making one path silently resolve to another. It's a well-documented attack primitive - CWE-61 dates back decades,” Wiz said.
Wiz made a malicious repository with a symbolic link called project_settings.json that really directs to target’s SSH login file, ~/.ssh/authorized_keys. The repo’s README commands the assistant to put “a line” to project_settings.json, and this line is the hacker’s SSH key mimicking an innocent setting. “
If you ask the agent to “set up the workspace” or “follow the README,” it writes the key directly via the symlink into the login file. Following this, if the machine plays an SSH service the threat actor can access, they can sign in without password.
Another variant of the attack writes to your shell startup file, ~/.zshrc, which the shell runs the next moment you open a terminal without needing an SSH. There are no indications that any of this has been abused in real-time operations, Wiz has only demonstrated it as their research.
“Symlinks have been exploited for decades – in race conditions (CVE-2018-15664), in package managers (CVE-2021-32803), in container escapes (CVE-2024-21626). Any time a tool writes to a user-controlled path without resolving it first, symlinks become a weapon,” Wiz wrote in its blog.
"Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) from legitimate users," Julie Agnes Sparks, senior security engineer at Datadog, said.
According to the security researchers, the majority of the observed activity has focused on collecting publicly available information. However, in a limited number of incidents, the attackers progressed beyond reconnaissance and successfully cloned private repositories.
The campaigns rely on a combination of automated scanning tools, more than 50 dormant GitHub accounts, and several legitimate accounts whose personal access tokens (PATs) had either been unintentionally exposed or compromised. These resources are used to perform extensive enumeration across multiple GitHub organizations.
A notable aspect of the operation is the use of so-called "ghost" accounts that were created between two and five years ago and deliberately left inactive before being activated for API-based reconnaissance. By using aged accounts instead of newly created ones, the attackers are able to make their activity appear more legitimate and reduce the likelihood of triggering security alerts.
Since a significant portion of GitHub's API can be accessed without authentication, the attackers are able to retrieve large amounts of publicly available data while remaining indistinguishable from routine API traffic. Their reconnaissance includes listing public repositories within organizations, mapping user followers and following relationships, identifying gists, starred repositories, and organization memberships, as well as executing GraphQL queries against public objects.
The collected information enables threat actors to build detailed profiles of an organization's GitHub environment, including its public repositories, contributors, developer relationships, and project activity. Such intelligence can be used to support future targeted attacks.
Datadog also confirmed that in a small number of cases, attackers escalated their activity by cloning a private repository belonging to a targeted organization, indicating that the campaigns can extend beyond information gathering.
"Individually, most of these requests are unremarkable. They hit public endpoints, authenticate cleanly or not at all, and return successful responses," Datadog said. "The concern lies in the aggregate: a group of accounts moving in sync across companies' GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning."