Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Abbott Investigates Two Cyber Incidents Following Extortion Claims


 

Two separate cybersecurity incidents are being investigated by Abbott Laboratories after threat actors reportedly gained access to the company's systems and accessed sensitive information. While one incident has been linked to the ShinyHunters extortion group, the other involves claims of unauthorized access to Abbott's LabCentral customer portal. The company said both incidents are being investigated, and operations have not been disrupted. 

Both incidents have not adversely affected Abbott's business operations, manufacturing, laboratory services, product availability, or customer support. According to the company, the unauthorized access was restricted to systems that operate independently of Abbott's core infrastructure within its Cancer Diagnostics business, with no impact reported across other business units or sites due to the unauthorized access discovered. 

Several legacy Exact Sciences systems were discovered to have been accessed unauthorizedly by Abbott's Cancer Diagnostics business. As a consequence of the ShinyHunters extortion group listing the company on its data leak site, Abbott confirmed the breach, and threatened to publish allegedly stolen information if negotiations were not held. Exact Sciences is part of Abbott's Cancer Diagnostics division, which the company acquired earlier this year for $21 billion. 

Aside from Abbott's core systems, Exact Sciences' legacy infrastructure operates separately, which limits the scope of the incident. According to Abbott, the incident is isolated to the Cancer Diagnostics division and has not affected manufacturing, laboratory operations, product availability, patient services, or any other Abbott business systems.

A notification was sent to law enforcement, the company activated its incident response procedures, and external cybersecurity experts were engaged. In addition, Abbott stated that the incident will not negatively affect its financial performance. In response to the incident, Abbott has not provided information regarding the type of information that was accessed, noting that its investigation is ongoing. 

The company claims to have gained initial access to a Microsoft Entra single sign-on (SSO) account by launching a voice phishing (vishing) attack targeting Abbott employees in mid-June. A number of enterprise platforms, including Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa, were accessed by the group, which alleges that internal documents, contracts, customer information, and millions of medical records containing personally identifiable information (PII) have been exfiltrated. 

These claims have not been independently verified, however. Separately, a threat actor claiming the name ShadowByt3$ has been associated with the breach of Abbott's Core Laboratory Diagnostics business by exploiting compromised customer credentials by accessing the LabCentral customer portal hosted by a third party. It has been claimed that the attacker has obtained technical documentation, manufacturing certificates, regulatory files, and other product-related information. 

LabCentral was investigated by Abbott, but the attacker's claims were disputed, as the portal only contains publicly available technical reference materials such as operating manuals, troubleshooting guides, and product specifications. The company indicated that confidential business information and sensitive customer information are not included in the environment. 

In the LabCentral portal, Abbott explained that it is hosted by a third party provider and serves as a repository of publicly available technical reference documents, including operating instructions, troubleshooting guides, and product specifications. In accordance with the company, sensitive customer information or proprietary business data is not known to have been compromised as a result of the reported incident. 

There has been a growing trend of cyberattacks targeting healthcare and medical technology over the past few years. In recent months, a number of companies, including Clover Health, Stryker, Medtronic, Novo Nordisk, and West Pharmaceutical Services, have reported cybersecurity incidents, illustrating the increasing risks associated with handling patient and healthcare-sensitive data. Several cyber-incidents have occurred in the medical technology sector in recent months, causing significant damage to the industry. 

A number of companies, including Stryker, Medtronic, Intuitive Surgical, iRhythm, and AdaptHealth, have reported cybersecurity incidents as well, underscoring the growing threat landscape for healthcare and medtech organizations. As of yet, neither ShinyHunters nor ShadowByt3$ has disclosed the data that they claim to have stolen. In addition to engaging external cybersecurity experts and notifying law enforcement, Abbott has also continued to investigate the possibility of access to any potentially sensitive information.

In addition, Abbott stated that it does not anticipate either incident to negatively impact its business or financial results. Abbott's ongoing investigations highlight the increasing cybersecurity challenges in the healthcare and medical technologies industries. 

However, despite the company's assurances that operations remain unaffected and that no sensitive customer information has been exposed, the incidents demonstrate how important it is to take quick action, to use robust security measures, and to continuously monitor against cyber threats as they evolve.

Group-IB Uncovers ClickLock macOS Malware Targeting Passwords and Crypto Wallets


An aggressive social engineering technique has been used by ClickLock, an information-stealing macOS malware, to obtain victims' information about their system login passwords. Security researchers at Group-IB report that the malware disables normal system functionality, leaving users with little interaction other than a password prompt designed to harvest their credentials. 


After a malicious shell script was uploaded to VirusTotal in June, ClickLock was discovered to have already compromised 100 computer systems in 33 countries since May after first being identified in June. According to researchers, ClickLock is still undergoing active development and remained undetected by security engines on the platform when it was discovered, showing its ability to evade traditional antivirus solutions. 

Despite analyzing the full payload chain of the malware, the initial lure pages used to deliver the attack have not yet been identified, suggesting that the campaign's distribution infrastructure is still evolving. Despite the complete analysis of the malware chain, investigators have not yet identified the original lure pages that were used to deliver the attack. Group-IB researchers also believe ClickLock is still under active development. 

The compromised websites hosting the malicious payloads have been identified, but the exact methods used to drive victims to those pages remain under investigation. Over half of the known victims are located in Europe, according to Group-IB. Despite the fact that it is unclear how precisely the malware is distributed, researchers believe that it has been active since late May. 

According to experts, the attackers use SEO poisoning, compromised websites, or social media posts to lure users to fake verification pages that send them to malicious websites.

How the Attack Works

According to experts, the infection is believed to have originated through a social engineering campaign similar to ClickFix, in which victims are fooled into copying and pasting a malicious command into the macOS Terminal, pretending to complete a Cloudflare "human verification" process. 

It has not been determined which initial infection source was employed, but it is believed that attackers may have utilized SEO poisoning, compromised websites, or malicious social media posts to redirect victims to a fake verification page that triggers the attack. As soon as the malware has been executed, it suppresses system notifications, hides the Terminal cursor, and silently downloads additional malicious components. 

A script initially executed acts as an orchestrator, downloading four separate components responsible for the theft of credentials, the theft of cryptocurrency, the collection of Keychain data, and the installation of a persistent backdoor, among others. After completing their tasks, data-stealing modules automatically delete themselves in order to reduce forensic evidence; however, the backdoor remains active to allow attackers long-term access to compromised computers.

In addition, it displays a false macOS password prompt based on the victim's actual username and an Apple-style interface in order to make it appear legitimate. After clicking the login button, ClickLock validates the credentials and immediately sends them to the attackers through Telegram. If the prompt is dismissed, the malware establishes persistence via LaunchAgents and repeatedly launches until the correct password is entered. 

System Lockdown and Data Theft

One of ClickLock's most disruptive features is its repeated termination of essential macOS processes, including Finder, Dock, Terminal, Activity Monitor, System Settings, Spotlight, and major web browsers. This malware continuously destroys these applications, causing users to be locked out of their computer for extended periods of time. 

According to researchers, ClickLock is able to exploit vulnerabilities in software without exploiting elevated privileges or exploiting software vulnerabilities. It relies on social engineering to persuade users to execute the malicious command themselves and repeatedly force them to interact with fake authentication prompts until they divulge their login credentials. 

Additionally to stealing login credentials, ClickLock attacks a wide range of sensitive information, including the following: 

  • Browser passwords, cookies, bookmarks, and autofill data. 
  • Cryptocurrency wallet files and browser wallet extensions. 
  • Password manager data. 
  • Shell histories and FileZilla FTP configurations. 
  • Basic system information and the victim's public IP address. 

It is the primary objective of the attackers to obtain the Chrome Safe Storage encryption key. By using this key, cybercriminals can decrypt stolen browser databases offline, allowing them to retrieve saved passwords, cookies, and other encrypted Chromium-based browser data without requiring continued access to the victim's computer. 

A modified version of the open-source GSocket tool is also installed by the malware, allowing attackers to gain persistent remote access to compromised devices by compressing collected data into ZIP archives and exfiltrating it through the Telegram Bot API. A legitimate system authorization prompt provides attackers with persistent remote access to compromised devices in addition to targeting macOS Keychain through a request for Chrome's Safe Storage encryption key. 

Using this malware, attackers can decrypt passwords, cookies, and other sensitive Chromium-based browser data offline if the user grants permission. Researchers noted that instead of exploiting software vulnerabilities, the malware's operators appear to rely exclusively on legitimate Mac OS features. 

ClickLock bypasses many of the operating system's built-in security protections through deception instead of technical exploit by convincing users to execute malicious commands. 

Staying Protected

ClickLock provides a limited detection window due to the fact that most of its components are deleted after execution and are hosted on compromised legitimate websites, according to Group-IB. It is strongly recommended that users should never copy and paste Terminal commands from websites or untrusted sources, regardless of their convincing appearance. Before investigating an infection on macOS, it is recommended that you force a shutdown by pressing the power button and restarting the device in Safe Mode.

AssuranceAmerica Data Breach Exposes Personal Information of Nearly 7 Million Individuals

 

Auto insurance company AssuranceAmerica is notifying almost 6.99 million people of the possible exposure of their private information after experiencing a data breach. The company appeared on the state attorney generals earlier this month to reveal the cyberattack occurred on March 16th 2026. 

Almost 7 million clients’ personal information was copied after hackers infiltrated the system using company employees’ credentials before being discovered a day later; they are now alerting policyholders and advising them to remain wary of contacting financial institutions as imposters may be using the stolen information to impersonate them Company officials stated that the information acquired from the breach includes customer’s name, address, social security numbers, driver license numbers, tax ID numbers, insurance policies, and claims history. 

South Carolina, for instance, has over 611,000 customers affected by the data theft, making it the state with the most affected people. The security analysts note that the exposure of personal information such as social security and driver’s license numbers increases the risk of identity theft since the stolen data provides an avenue for thieves to open credit accounts in someone’s name, take out loans, submit fraudulent taxes, circumvent identification processes, and even more. 

Edelson Lechtzin LLP law firm, which is investigating the exposure case, reports that the collected data can offer a wide window for committing financial fraud crimes against the unsuspecting ones. Though the company responded promptly to the issue by taking down their systems after discovering the unusual activity in their network on March 17th, the day after the cyberattack, customers were not notified of what occurred until mid-June, nearly 3 months later. 

According to the insurer’s report, the review of the compromised data concluded on June 15th, days before the customers were informed of what happened, which prompted consumer advocates to criticize the sluggish response by AssuranceAmerica. Furthermore, even though the company asserts that it has reinforced its system and reminded workers of the importance of cybersecurity awareness, it has not stated whether the affected people will be offered free credit monitoring or other services to guarantee their safety. 

The current case comes at a time when there has been a series of data breaches involving the exposure of people’s identities, with hackers targeting government-issued credentials such as licenses and passports. The attacks have been recorded in various industries, including the hospitality, finance, government, and technology sectors, and put every citizen at risk as their personal information is stored in numerous places. 

For instance, the individuals in the states affected by the breach should remain extra cautious when dealing with financial services, whether online or not, and apply for a security alert for their credit reports to help detect unauthorized applications for credit. They can also turn to their respective state attorney’s office to get more significant help. 

The AssuranceAmerica incident is a sobering reminder that the most effortless way to protect oneself is by changing passwords after such an occurrence, especially since other measures such as social security or driver’s license numbers may take longer to replace if they get into the wrong hands.

AI Agent Runs First End-to-End Ransomware Attack

 

Security researchers have long warned that AI would lower the barrier to cybercrime, but the latest case makes that threat tangible. In the operation described by Sysdig and covered by Forbes, an autonomous agent carried out the technical steps of a ransomware attack from initial access to encryption and ransom-note generation. The group’s analysis suggests the attack was not a simple script; it adapted when it hit obstacles, corrected its own mistakes, and kept moving without a human at the keyboard. 

The campaign reportedly began with an exposed Langflow incident, which the attacker used to gain access through a known vulnerability. From there, the agent searched for secrets, including credentials and cloud keys, then expanded into a production environment and escalated privileges. Researchers said it encrypted more than 1,300 configuration records and generated its own ransom note with a Bitcoin address, showing how an AI system can combine reconnaissance, exploitation, and extortion in one chain. 

What makes the story unsettling is not only the automation, but the speed. One reported login failure was fixed in 31 seconds, a reminder that AI can iterate much faster than a human operator can type, think, or troubleshoot. That kind of responsiveness matters because ransomware succeeds by compressing the defender’s reaction time. If attackers can use agents to scan, pivot, and encrypt at machine speed, security teams will need similarly automated detection, containment, and recovery tools to keep up. 

Still, the incident also shows that “fully autonomous” cybercrime may be more complicated than the headline suggests. Later reporting said humans may have still chosen the target, prepared infrastructure, or supplied stolen credentials, even if the AI handled the intrusion itself. That distinction matters, because it means defenders are not just facing smarter malware, but a new hybrid model in which human planning and AI execution reinforce each other. The lesson for businesses is clear: reduce exposed services, enforce strong credential hygiene, segment critical systems, and assume that the next serious attack may be built and operated with far less human effort than before.

Nearly 7 Million Driver's License Numbers Exposed After AssuranceAmerica Data Breach

 


Nearly seven million people are being notified after a cyberattack on Atlanta-based auto insurer AssuranceAmerica exposed highly sensitive personal information, including driver's license numbers, Social Security numbers and insurance records, raising concerns about long-term identity theft risks.

According to the company's breach notice and filings submitted to state regulators, the incident began on March 16, 2026, when a threat actor gained unauthorized access to AssuranceAmerica's internal network using compromised employee credentials obtained through a phishing attack. The company detected suspicious activity the following day, secured the affected systems, and launched a forensic investigation to determine the scope of the compromise.

The investigation later revealed that the attackers had copied files containing personal information belonging to approximately 6.99 million individuals. The exposed data varies by person but may include names, residential addresses, driver's license numbers, Social Security numbers, taxpayer identification numbers, insurance policy and account details, claims information, as well as driver and vehicle records.

The scale of the breach makes it one of the larger disclosures involving government-issued identity documents this year. South Carolina alone reported that 611,046 residents may have been affected, according to the state's Department of Consumer Affairs.

Unlike passwords, driver's license numbers are not easily replaced after they are exposed. These identifiers are widely used to verify identity across banks, insurers, vehicle rental companies, government agencies and financial institutions. When combined with Social Security numbers and other personally identifiable information, they can enable criminals to apply for loans, open fraudulent accounts, submit false tax returns or impersonate victims during identity verification processes.

Law firm Edelson Lechtzin LLP, which announced an investigation into the incident, warned that the compromised information could be used to facilitate identity theft and other forms of financial fraud.

Although AssuranceAmerica identified the intrusion within roughly 24 hours, affected individuals were not notified until late June after investigators completed their review of the compromised data on June 15. The nearly three-month gap between the initial breach and customer notifications has drawn attention to the time required to determine exactly whose information had been accessed before notifications could be issued.

In its public notice, AssuranceAmerica said it disabled the compromised accounts, reset credentials, strengthened network monitoring and provided additional cybersecurity awareness training to employees. The company also engaged external forensic specialists to investigate the incident. However, it has not publicly confirmed whether all affected individuals will receive complimentary credit monitoring or identity protection services.

The AssuranceAmerica breach comes amid a growing number of incidents involving government-issued identity documents. In June, Texas disclosed a separate cyberattack affecting approximately three million driver's license and passport records maintained by the Texas Parks and Wildlife Department, adding to a broader trend of organizations reporting the theft of sensitive identification data.

The growing reliance on digital identity verification has also increased the amount of personal identification collected by businesses and online platforms. As governments and private organizations increasingly require users to upload driver's licenses and other official documents for account verification and age checks, cybersecurity experts warn that breaches involving these records can have lasting consequences because many of these identifiers cannot be easily changed once exposed.

Individuals who may have been affected are encouraged to closely review financial and insurance accounts for suspicious activity, consider placing a credit freeze or fraud alert with the major credit bureaus, monitor their credit reports for unauthorized accounts and remain cautious of phishing emails or phone calls that attempt to exploit information exposed during the breach. Victims should also follow guidance issued by their state consumer protection agencies and promptly report any suspected identity theft.

Why Digital Supply Chain Attacks Are Emerging as the Biggest Cybersecurity Threat for Businesses

 

As businesses strengthen their internal cybersecurity defenses, cybercriminals are increasingly shifting their focus to a more vulnerable target—the digital supply chain. Rather than attempting to breach organizations directly, attackers are exploiting trusted third-party vendors, software providers, cloud services, and open-source components that already have authorized access to critical systems and sensitive data.

Traditional cybersecurity strategies have long emphasized protecting internal networks through firewalls, encryption, access controls, and employee awareness programs. However, the growing reliance on interconnected digital ecosystems means these measures alone are no longer enough. Organizations now depend on a broad network of suppliers and technology partners, creating multiple entry points that hackers can exploit.

How Digital Supply Chain Attacks Work

Instead of targeting businesses head-on, cybercriminals increasingly infiltrate suppliers and service providers that support an organization's operations. These may include software vendors, web development companies, cloud storage providers, testing platforms, or third-party integrations.

A supply chain attack typically compromises one or more components that organizations rely on to deliver products or services. Attackers may introduce malicious software updates, steal login credentials, exploit insecure integrations, or take advantage of vulnerable open-source software libraries.

Open-source components present a particularly significant risk. Software developers often integrate publicly available libraries into applications to accelerate development. If attackers successfully insert malicious code into these widely used components, every organization that later incorporates them into their software may unknowingly introduce a serious security vulnerability.

One notable example occurred in 2024, when malicious code was embedded into XZ Utils, a widely used open-source compression utility for Linux systems. Rather than directly hacking organizations, attackers compromised the software supply chain itself. Although the affected versions had not yet reached widespread production deployment, they had already been integrated into development versions of major Linux distributions, forcing maintainers to rebuild packages after the vulnerability was identified.

Computer scientist Alex Stamos warned that if the attack had gone unnoticed, it would have “given its creators a master key to any of the hundreds of millions of computers around the world that run SSH”.

Once attackers successfully compromise a supplier's products or services, they can use that trusted access to infiltrate customer environments. In many cases, these attacks remain undetected until operations are disrupted, sensitive information is stolen or encrypted, or ransomware demands are issued. The XZ Utils compromise itself was only uncovered after a developer noticed unusual system performance during routine testing.

By the time organizations discover such incidents, significant operational and financial damage has often already occurred.

Cyberattacks frequently result in substantial financial losses. Organizations may face costly ransom demands, especially when attackers recognize that disruptions affect multiple customers or essential business services.

Even when no ransom is paid, businesses incur significant expenses related to operational downtime, system restoration, cybersecurity investigations, legal support, and business recovery.

For companies operating primarily through digital platforms, even short periods of downtime can severely impact revenue. Following a cyberattack in 2025, retailer Co-op reported that the incident “impacted both financial and operational areas”, leading to at least £206 million in lost revenue.

Operational disruptions can be equally damaging. If a critical supplier suspends services while containing a cyber incident, organizations may lose access to essential systems, preventing order fulfillment, transaction processing, and other core business functions.

A major example occurred in 2025 when Marks & Spencer (M&S) temporarily suspended online orders for nearly two months and relied on manual processing following a cyberattack. Rather than directly targeting M&S infrastructure, attackers exploited vulnerabilities in MoveIt, a widely used enterprise file transfer platform.

The breach exposed sensitive employee and customer information, including contact details, payroll records, and in certain cases, National Insurance numbers. Although payment information was reportedly unaffected, the scale of the incident triggered formal investigations, internal reviews, and regulatory scrutiny from the Information Commissioner's Office (ICO). The retailer estimated the financial impact at approximately £300 million in lost profits.

Beyond financial losses, reputational harm often proves to be the most enduring consequence of supply chain cyberattacks.

Customers generally do not distinguish between an organization and its suppliers when services fail. Regardless of where the breach originated, customers typically hold the business responsible.

Poor communication or delayed responses following an incident can rapidly erode trust that may have taken years to build. Restoring customer confidence often requires significant investment in communication, service improvements, and strengthened security measures, while long-term effects on customer loyalty and commercial relationships may continue long after systems have recovered.

Growing Regulatory Expectations

Regulators worldwide are increasingly emphasizing digital supply chain resilience as cyber risks extend beyond internal IT environments.

Under the UK's implementation of the General Data Protection Regulation (GDPR) through the Data Protection Act 2018, organizations acting as data controllers remain responsible for protecting personal information, even when third-party providers process that data on their behalf.

This means organizations must ensure their suppliers implement appropriate technical and organizational security measures while also reporting data breaches without unnecessary delay. Failure to meet these obligations can result in regulatory enforcement, financial penalties, and reputational damage.

The EU Artificial Intelligence Act follows a similar principle for AI technologies. Organizations deploying AI systems—including those supplied by external vendors—are expected to understand how those systems function, the associated cybersecurity risks, and how they are secured, particularly when high-risk AI applications are involved.

As a result, regulators increasingly expect businesses to actively manage cyber and AI risks throughout their digital supply chains rather than relying solely on vendor assurances.

Organizations are therefore encouraged to establish comprehensive cybersecurity governance frameworks that include supplier due diligence, continuous monitoring, documented risk management processes, and clearly defined incident response procedures.

Best Practices to Reduce Supply Chain Cyber Risks

While eliminating supply chain risk entirely is impossible, organizations can significantly reduce exposure by adopting proactive security measures, including:

  • Performing comprehensive cybersecurity due diligence before engaging suppliers.
  • Verifying vendors maintain strong security controls such as patch management, employee training, access management, and multi-factor authentication.
  • Conducting regular risk assessments across the supply chain to identify critical vulnerabilities.
  • Including clear cybersecurity obligations, incident reporting requirements, liability provisions, audit rights, and data protection clauses within supplier contracts.
  • Thoroughly testing systems and software developed by external vendors before deployment.
  • Providing guidance and collaboration to strengthen cybersecurity across supplier networks.
  • Developing and regularly updating incident response plans that specifically address third-party cyber incidents, customer communications, regulatory reporting, and ransomware scenarios.
  • Promoting cybersecurity awareness through continuous education and information sharing among internal teams and external partners.
  • Investing in cyber insurance while ensuring key suppliers also maintain appropriate coverage.
As organizations become increasingly dependent on interconnected technologies, digital platforms, and external suppliers, cybersecurity has evolved into a broader governance challenge rather than simply an IT responsibility.

Recent cyber incidents demonstrate how weaknesses within trusted supplier networks can rapidly escalate into severe financial losses, operational disruptions, and long-term reputational damage.

Regulators now expect organizations to proactively identify, assess, and manage supply chain cyber risks before incidents occur. Businesses that invest in stronger supplier oversight, robust governance, and comprehensive risk management strategies will be better positioned to safeguard operations, meet regulatory obligations, and preserve customer trust in an increasingly connected digital landscape.

Coca-Cola says ransomware attack disrupts Fairlife operations, temporarily suspends U.S. dairy production

 


The Coca-Cola Company has revealed that a ransomware attack targeting its Fairlife dairy business has temporarily disrupted production across the United States after threat actors gained unauthorized access to company systems, including those supporting manufacturing operations.

The incident was disclosed in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), a regulatory filing used by publicly traded companies to report significant corporate events. According to Coca-Cola, the cyberattack affected certain Fairlife systems, including production-related infrastructure, prompting the company to temporarily suspend manufacturing at its U.S. facilities while recovery efforts are underway.

Upon detecting the unauthorized activity, Coca-Cola said it immediately activated its incident response and business continuity protocols to contain the incident and minimize operational disruption. The company has engaged external cybersecurity advisors and experts to support its investigation and recovery efforts, while law enforcement has also been notified.

Although manufacturing operations have been interrupted, Coca-Cola emphasized that the ransomware attack has not affected the quality or safety of Fairlife products. The temporary production halt is part of the company's response as it works to restore impacted systems and verify operational readiness before resuming normal manufacturing activities. Fairlife's Canadian production facilities continue to operate normally and have not been affected by the incident.

The company said its investigation remains ongoing and that it is continuing to assess both the nature of the attack and its potential business impact. At this stage, Coca-Cola has not determined whether the incident is reasonably likely to have a material effect on the company's financial condition or overall operations.

Fairlife is one of Coca-Cola's dairy brands and manufactures a range of ultra-filtered milk products, protein shakes and nutrition beverages sold across the United States. Its product portfolio includes Ultra-Filtered Milk, Core Power Protein Shakes and Nutrition Plan.

Several aspects of the incident remain undisclosed. Coca-Cola has not confirmed whether attackers exfiltrated any data during the intrusion, whether the company has received an extortion demand or which ransomware operation may be responsible for the attack. As of publication, no known ransomware group has publicly claimed responsibility for the incident.

Ransomware attacks increasingly target organizations' operational environments in addition to traditional corporate networks, as disrupting production can exponentially multiply pressure on victims during recovery efforts. Many modern ransomware operations also employ double-extortion tactics by stealing sensitive information before encrypting systems and later threatening to publish the stolen data unless a ransom is paid. However, Coca-Cola has not indicated that any data theft occurred in this incident, and there is currently no public evidence confirming that attackers exfiltrated information from Fairlife's systems.

When asked whether data had been stolen, whether the company had received an extortion demand or which ransomware group may have been behind the attack, a Coca-Cola spokesperson declined to provide additional details beyond the company's public statement.

Coca-Cola continues to restore affected systems while its investigation remains ongoing, with U.S. Fairlife production expected to resume once recovery efforts are completed and manufacturing systems have been safely brought back online.

TRAI Seeks IT Act Powers to Act Against Spam-Tagging Apps Like Truecaller

 

The Telecom Regulatory Authority of India (TRAI) seeks new powers in the Information Technology (IT) Act to take action against call management apps, including Truecaller, Hiya, and Whoscall, for marking or blocking legitimate commercial calls as spam. The regulator has requested additional authority to act against call management apps for misidentifying or blocking approved commercial numbers. 

Sources said TRAI wanted to act against call management apps for misidentifying or blocking approved commercial numbers. Numbers in the 1400 and 1600 series have been designated for official promotional and customer service purposes. TRAI does not have the authority to prosecute such digital platforms because, unlike telecom licensees, who are bound by TRAI’s directions issued under the Telecom Regulation Act, they function as information intermediaries under the IT Act. 

However, authorities said TRAI had sought amendments to the IT Act to designate it as an “authorized agency” to notify such digital platforms of alleged violations of the IT Act, directing them to stop or take steps to bring their services within the bounds of the law. Authorities said the electronics and information technology ministry had approved the proposal in principle and that DoT would take up the needed legislative action with the ministry. However, authorities said TRAI did not seek to regulate call identifier apps but that the regulator felt that as information intermediaries, they should follow the laws and regulations administered by TRAI. 

Authorities felt that such apps’ labeling or blocking of numbers in the 1400 and 1600 series not only deprived authorized users of a reliable means of reaching out to them but also disrupted government-led outreach efforts, especially those using numbers in these series. Authorities said such interference disincentivized enterprises from using the 1400 and 1600 series of numbers and tempted them to use ordinary 10-digit mobile numbers for customer outreach. 

This defeats the purpose of having designated numbers since it becomes difficult for consumers to differentiate between legitimate and fraudulent callers, ultimately undermining consumer confidence and making it easier for spammers to masquerade as legitimate entities. Truecaller said in a statement reacting to the reports that it complied with the TRAI regulations about commercial numbers. 

The firm stated that it did not put spam labels over or block numbers in the 1400 and 1600 series despite being reported as spam on its app by many users. India seeks to balance consumer rights and obligations by regulating commercial communications while ensuring that legitimate communication avenues are not cut off for businesses that use spam calls to sell or inform the public.

UK Court Sentences Two Hackers to 5.5 Years for Transport for London Cyberattack That Caused £29 Million in Damages

 

Two hackers have been sentenced to five and a half years in prison each for carrying out the 2024 cyberattack on Transport for London (TfL), in what the UK's National Crime Agency (NCA) has described as the country's largest cybercrime prosecution to date.

Owen Flowers, 18, and Thalha Jubair, 20, received their sentences at Woolwich Crown Court on July 16, 2026. The duo had pleaded guilty on June 22, 2026, to an offence under Section 3ZA of the Computer Misuse Act 1990, acknowledging they acted recklessly and created a significant risk of serious harm to public welfare.

The cyberattack, which lasted from August 31 to September 3, 2024, severely disrupted TfL's operations. Around 148 systems were taken offline, forcing all 27,000 employees to report to offices in person to reset their passwords. Authorities estimate the attack resulted in approximately £29 million in financial losses and recovery costs.

Transport for London, which manages nearly 9 million passenger journeys daily, experienced widespread service disruptions. Dial-a-Ride services for vulnerable passengers became unavailable, digital payment systems were affected, concessionary travel card issuance was interrupted, Oyster photocard applications were suspended, and refunds faced significant delays.

The breach also exposed customer information, including names, email addresses, and, where stored, home addresses. Additionally, Oyster refund records containing bank account details and sort codes of approximately 5,000 customers may have been compromised.

According to prosecutors, messages exchanged between the defendants suggested they intended to erase their access before leaving the network. Investigators noted that a complete shutdown of TfL's systems could have caused economic losses of up to £56 billion. However, those damages were avoided after TfL proactively disconnected its own network to contain the intrusion.

Flowers was arrested on September 6, 2024, just days after the TfL breach ended. The NCA said officers found him actively targeting two U.S. healthcare organisations—SSM Health Care Corporation and Sutter Health—during the arrest.

Authorities recovered multiple digital devices, including laptops, desktop computers, hard drives, and USB storage devices. Evidence included screenshots showing access to TfL infrastructure and videos allegedly recorded by Flowers documenting Jubair's activity inside TfL systems. Investigators also uncovered Telegram conversations and an online collaboration platform used during the attacks.

The prosecution established that Flowers had access to the remote infrastructure used to launch all three cyberattacks, while evidence connecting Jubair to the TfL breach was obtained through international law enforcement cooperation.

Flowers also admitted to two additional cybercrime offences linked to attacks on the U.S. healthcare organisations. Prosecutors stated that he threatened to lock down healthcare systems while acknowledging in online conversations that it "might kill some 90-year-old on life support." Authorities said his arrest prevented those attacks from progressing further.

The NCA identified both individuals as senior members of the cybercrime group Scattered Spider, also known as Octo Tempest, UNC3944, and 0ktapus. However, the Crown Prosecution Service (CPS) stated only that the defendants had claimed affiliation with a group investigators believe was responsible for hundreds of cyberattacks between 2022 and 2025. The FBI has linked the group to data extortion, SIM swapping, and social engineering campaigns.

While authorities have not disclosed the exact method used to compromise TfL's network, Google has recommended strengthening identity verification procedures during password resets, device enrolment, and MFA changes to defend against such attacks.

Paul Foster, head of the NCA's National Cyber Crime Unit, urged organisations to contact law enforcement as soon as they detect cyber incidents, noting that the successful prosecution would likely not have been possible without TfL's prompt reporting.

Following the sentencing, the City of London Police also renewed calls for the introduction of Cyber Crime Risk Orders, which would allow courts to impose restrictions on offenders' access to digital devices, online services, and technology based on the level of cyber risk they pose. Commander Ollie Shaw described the proposed measures as a "digital prison" for cyber offenders. The two convicted hackers were 17 and 18 years old when the offences were committed.

Deepfake Cyber Fraud Costs Capillary Technologies Over ₹32 Crore

 

Capillary Technologies’ recent deepfake-enabled cyber fraud incident highlights how rapidly evolving AI tools are transforming from business enablers into serious security threats for global enterprises. The Bengaluru-based SaaS company disclosed that an overseas step-down subsidiary lost around €3 million, or over ₹32 crore, after attackers used sophisticated AI-powered impersonation to divert funds to unauthorized bank accounts. This case, reported in regulatory filings and multiple business media outlets, is now being seen as one of the most significant deepfake-related corporate frauds involving an Indian technology firm. 

According to the company’s stock exchange disclosure, fraudsters combined deepfake voice cloning, forged signatures and social engineering to convincingly pose as key managerial personnel and approve high-value fund transfers. By mimicking senior executives and manipulating trust within internal workflows, they managed to circumvent standard verification controls at the affected overseas subsidiary. The transfers were executed just before the first weekend of July, giving criminals a narrow yet effective window to move money across multiple accounts before robust checks could kick in. 

Capillary Technologies has said that no customer data, employee data or core technology infrastructure were compromised in the attack, which was restricted to banking transactions. The company has already recovered about €0.45 million and worked with local authorities to trace and freeze additional suspicious accounts linked to the fraud. Importantly, the impacted subsidiary is covered under cyber and crime insurance, and the insurer has been informed as the firm assesses how much of the loss will ultimately be absorbed.

Operationally, Capillary has emphasized that its business continues without material disruption and that this incident does not alter its annual or long-term growth guidance. However, the episode lands at a time when investors are already wary about rising AI-related pressures on the company’s business model and recent profit softness, potentially adding another layer of risk perception. While the direct fraud targeted a specific overseas unit, it underlines how AI-driven threats can quickly become a boardroom and investor concern, beyond just a cybersecurity issue. 

For the broader ecosystem, the Capillary case is a cautionary illustration of how deepfake voice and identity spoofing can defeat traditional approval chains, especially in finance and treasury operations. Enterprises now need multi-factor verification for high-value transactions, routine out-of-band confirmations, and continuous employee training to resist social engineering built on AI-generated content. As deepfake tools become cheaper and more accessible, robust cyber insurance, AI-aware internal controls, and proactive regulatory reporting will be critical to limit financial and reputational damage when such attacks inevitably occur.

Bitdefender Uncovers Windows Bind Link Technique That Evades EDR Detection


 

Researchers at Bitdefender have discovered a new technique for hiding malware from Endpoint Detection and Response (EDR) solutions by utilizing bind links, a valid Windows feature. Despite Microsoft's classification of this issue as low severity due to the fact that administrator privileges are required, Bitdefender maintains that the attack technique poses a significant risk since attackers frequently obtain elevated access during actual intrusions. 

The Bind Link feature is a valid kernel-level functionality that can be used by components such as Windows Sandboxes, Microsoft Store apps, and Windows containers to redirect virtual paths to actual system locations. As Bitdefender reports, attackers can manipulate these links so that trusted Windows paths point to malicious files instead of legitimate ones, enabling malware to execute while appearing harmless to security applications.

The issue affects Windows 10 RS4 and later versions, including Windows 11, meaning that most modern enterprise Windows systems may be vulnerable if attackers gain local administrator privileges. As a result, Bitdefender reports that this technique is particularly relevant as ransomware groups often seek elevated permissions before deploying malicious software or disabling security controls, making it particularly effective. 

Several attack methods were identified by researchers that abuse bind links. The first, file-binding, redirects trusted Dynamic Link Libraries (DLLs) paths to malicious DLLs, thus allowing attackers to bypass security mechanisms such as the Antimalware Scan Interface (AMSI). Second, process-binding tricks EDR solutions into inspecting trusted executables while a malicious file is actually being executed. 

By using Windows silos to create isolated filesystem views, silo-binding is the most advanced technique. Using this technique, malware is permitted to run within the silo while external security tools will only view clean, legitimate files. By disguising Invoke-Mimikatz as a trusted Windows system process, Bitdefender successfully bypassed an EDR solution by demonstrating the technique in practice. 

In addition to bypassing built-in Windows security measures such as AppLocker, Windows Firewall, and Sysmon, researchers observed that bind-link abuse was an effective post-compromise evasion technique. A legitimate Windows capability is exploited by bind-link abuse, unlike traditional "EDR killer" techniques which often rely upon vulnerable drivers. 

Instead of creating a permanent file on disk, the malicious redirection occurs only in memory via the Windows' bindflt.sys minifilter driver. Although Microsoft acknowledged these findings, they rated the issue as low severity since it requires local administrator privileges to exploit it. A ransomware group and advanced threat actor routinely obtain elevated privileges after compromising a computer system, according to Bitdefender, who disagreed with that assessment. 

Using bind-link abuse is similar to the increasingly common Bring Your Own Vulnerable Driver (BYOVD) approach, as attackers are able to evade endpoint protection similarly, but utilizing legitimate Windows functionality rather than vulnerable drivers for evasion. To detect path manipulation, endpoint security products should repeatedly verify the underlying file during execution to detect path manipulation. 

In addition, Bitdefender recommended that security vendors refrain from solely using trusted file paths when validating processes. Moreover, the researchers noted that Windows 24H2 offers protection against certain bind-link scenarios, although they described the safeguard as only a partial one. The findings of Bitdefender have been shared with Microsoft and the company has recommended strengthening monitoring of administrator-level activity and kernel-level filesystem changes. 

In spite of the low severity of the issue, researchers report that attackers are increasingly utilizing legitimate Windows features rather than exploiting software vulnerabilities, resulting in a new challenge to endpoint security. Bitdefender's findings illustrate the importance of stronger endpoint security beyond trustable file paths as attackers continue to exploit legitimate Windows features to evade detection. To protect against evolving post-compromise threats, organizations should closely monitor privileged activity and employ advanced detection techniques.

Dutch Authorities Arrest Multiple Suspects in Global Investment Fraud Investigation


 

Dutch authorities have arrested multiple suspects as part of an international investigation into an alleged investment fraud network that investigators believe defrauded victims worldwide through fake online investment schemes, with the operation at one point generating more than €100 million in monthly proceeds.

According to the Dutch Police, the criminal organization is suspected of operating an extensive network of approximately 20 call centers staffed by more than 700 individuals who allegedly posed as professional financial advisers. Investigators said the operation targeted victims across multiple countries, with teams assigned to specific regions and responsibilities to maximize the effectiveness of the fraudulent campaigns.

The investigation's primary suspect, a 46-year-old dual Israeli-Polish national, was arrested in Poland on May 26 before being extradited to the Netherlands, where he has been placed in pre-trial detention. Dutch authorities allege that he played a central technical role in building and maintaining the infrastructure that enabled the organization to conduct its activities while making it more difficult for law enforcement agencies to identify those involved.

Police also noted that publicly available information indicates the suspect had previously faced prosecution in connection with cyberattacks targeting several foreign government organizations. Authorities now believe he occupied an indispensable position within the investment fraud network.

The investigation expanded further between July 7 and July 10, when law enforcement officers arrested several Dutch and Belgian nationals in Cyprus, Greece, and Belgium for their suspected involvement in the scheme. Officials said the investigation remains active and additional arrests are possible as authorities continue to identify other members of the organization.

Investigators describe the alleged operation as a highly organized criminal enterprise that functioned similarly to a legitimate international business. Multiple call centers reportedly operated under centralized coordination while individual teams focused on victims in different countries. Employees allegedly used false identities, pseudonyms, and technical measures designed to conceal both their real identities and their physical locations during communications with potential victims.

According to investigators, the fraud relied heavily on long-term social engineering rather than immediate financial deception. Victims were first approached by individuals presenting themselves as experienced investment advisers who gradually established trust through repeated conversations. Once that trust had been developed, victims were encouraged to invest relatively small amounts through professional-looking online investment platforms that appeared to display genuine market activity and growing returns.

Authorities said these platforms did not reflect legitimate investments. Instead, the displayed profits were fabricated to create the impression of successful trading and encourage victims to continue depositing larger sums. Many of the payments were made using cryptocurrency, making it incredibly more difficult to recover stolen funds after they had been transferred. While victims believed their portfolios were increasing in value, investigators said the money was instead diverted directly to the criminal organization.

Dutch investigators have linked at least 550 fraud reports and approximately €25 million in reported losses in the Netherlands to the organization. Belgian authorities have also connected around 200 complaints to the same network. Police believe these figures represent only a fraction of the total impact, estimating that the operation may have claimed tens of thousands of victims globally, with many individuals losing more than €10,000 each.

Authorities believe the organization has been active since at least 2021 and employed sophisticated operational security practices to avoid detection. Investigators said members routinely relied on pseudonyms, concealed calling locations, and other technical methods to obscure their identities while communicating with victims.

The investigation ultimately progressed after authorities traced digital evidence, including IP addresses, financial transaction routes, and other forensic artifacts that helped identify critical infrastructure associated with the operation. The examination of technical equipment provided investigators with additional insight into how the organization functioned and helped establish the locations of several suspects.

Dutch Police said the investigation was conducted in cooperation with international law enforcement partners, while commercial service providers also assisted in disrupting elements of the group's digital infrastructure. Authorities emphasized that efforts to identify additional suspects and victims remain ongoing.

Police have also warned the public to remain cautious of so-called recovery services that claim they can retrieve money lost to investment scams. Investigators noted that, in some cases, such offers are themselves fraudulent attempts to exploit victims a second time by demanding additional payments under the false promise of recovering stolen funds.

Govt: Kudankulam Data Breach Did Not Impact Nuclear Security, No Immediate Review Planned

 

The Centre has attempted to reassure the public that the data breach incident involving electronic files of the Kudankulam Nuclear Power Plant (KKNPP) has no implication on the nation’s nuclear security or reactor operations. Union Minister of State for Atomic Energy Jitendra Singh stated that the breach did not affect any sensitive nuclear facility or infrastructure. 

Singh stated during an interaction with reporters on the sidelines of the press conference on July 16 that there was no need for an immediate security review since the breach did not concern nuclear activities or reactors. Nuclear Power Corporation of India Limited (NPCIL), which manages the Kudankulam plant, claimed that the data breach incident did not disclose any sensitive information about reactors. 

“In the given scenario, the data breach is related to the Engineering, Procurement and Construction (EPC) contract for the Common Services–Balance of Plant (BoP) package for Units 3 and 4 under Implementation Agreement 7 (IA-7),” the NPCIL stated. It added that the EPC contract is signed with Reliance Infrastructure via a public tender process in 2018 for Kudankulam NPP. “The balance of plant involves many elements such as auxiliary systems, services, and infrastructure like cooling towers, which are comparable to those in conventional thermal power stations,” NPCIL noted.

It added that the BoP does not contain any nuclear power plant equipment or components or safety and security features. “In this context, NPCIL is not contemplating any First Information Report (FIR) as the cyber-attack was on the data of Reliance Infrastructure,” an NPCIL spokesperson said. They added that the information shared with Reliance Infrastructure during the tendering procedure included indicative drawings and technical specifications on the common services balance of plant, typically provided to all bidders. “This information did not include any sensitive nuclear safety information,” the spokesperson added. 

NPCIL stated that Reliance Infrastructure develops engineering drawings using the technical specifications and drawings provided by NPCIL in coordination with original equipment manufacturers (OEMs) for the approval process. The breach of data came after Reuters reported that ransomware group World Leaks exfiltrated more than 19,000 files from servers hosting Kudankulam Nuclear Power Plant, covering the 2016 fiscal year through mid-2025. 

According to the report, the documents contain details on control, cooling, and ventilation systems, suppliers, inspections conducted by Indian and Russian personnel, meeting records, and insurance data. The breach was attributed to a server managed by data centre infrastructure provider Yotta, hosted by third-party Reliance Group, which was responsible for the EPC contract for the Kudankulam NPP, admitting that the attack resulted in a partial data breach. 

Tamil Nadu-based Kudankulam Nuclear Power Plant currently operates two 1,000 MW VVER reactors and is set to commission four more reactors under the Russian technical collaboration agreement. The project aims to make Kudankulam one of India’s largest nuclear power parks with a total capacity of 6,000 MW. The data breach incident does not appear to affect the nuclear security or safety of the nation, as the government and NPCIL continue to emphasize. 

The breach did, however, raise concerns about the safety of digital assets and data security in various contracts, including those of critical infrastructure like Kudankulam NPP.

Bengaluru Housewife’s WhatsApp Hacked; Morphed Obscene Videos Shared Online

 

A 42-year-old housewife in Bengaluru has fallen victim to a disturbing cybercrime after her WhatsApp account was hacked and morphed obscene videos were shared online, triggering widespread outrage and highlighting the growing threat of digital harassment against women. The incident came to light when the woman’s contacts began receiving explicit, AI-generated videos from her account, causing severe emotional trauma and reputational damage. City cyber police have registered a case and launched an investigation to identify the perpetrators behind the breach. 

The attack appears to follow a pattern seen in recent Bengaluru cybercrime cases, where hackers gain unauthorized access to victims’ messaging apps through deceptive tactics. In many instances, culprits trick individuals into sharing one-time passwords (OTPs) or clicking malicious links sent via SMS or WhatsApp, enabling remote control over their devices. Once inside, attackers use AI-powered tools to morph personal photos or videos into sexually explicit content, which is then circulated among the victim’s contacts or posted on social media. Such violations not only invade privacy but also weaponize technology to intimidate and shame victims, particularly women. 

This case is part of a troubling trend of gendered cyber harassment in Karnataka. Just months earlier, in April 2026, a 24-year-old woman in Bengaluru accused her cousin of using AI to morph her images into nude visuals and posting them on a fake Facebook profile. Another housewife was blackmailed with morphed photos after downloading a fraudulent loan app in 2024. These incidents underscore how rapidly evolving deepfake and morphing technologies are being misused to exploit victims, often with long-lasting psychological and social consequences. 

Legal recourse for such crimes exists under India’s Information Technology Act and the Bharatiya Nyaya Sanhita (BNS), including sections addressing sexual harassment, identity theft, and publishing sexually explicit material. In several recent cases, Bengaluru’s cybercrime police have successfully traced culprits through digital footprints and arrested suspects, including a group of four men who morphed and circulated photos of seven women, some of them minors. However, experts caution that legal processes can be slow, and many survivors hesitate to report incidents due to stigma, fear of retaliation, or lack of awareness about their rights. 

Safety recommendations 

Cybersecurity experts urge users to adopt proactive measures to protect their digital identities. Enabling two-factor authentication on WhatsApp, never sharing OTPs or verification codes, and avoiding unknown links or file downloads are critical first steps. Regularly updating apps, using strong passwords, and being cautious about the personal information shared online can significantly reduce risk. For those affected, immediate actions include reporting the incident to local cybercrime cells, preserving evidence such as screenshots and message logs, and seeking support from trusted friends or counselors. As digital threats grow more sophisticated, public awareness and robust security practices are essential to safeguard privacy and dignity in an increasingly connected world.

AI-Assisted TuxBot v3 Evolution Botnet Targets IoT Devices With Modular Multi-Channel Attack Framework


Cybersecurity researchers have uncovered a previously undocumented Internet of Things (IoT) botnet framework named TuxBot v3 Evolution, which appears to have been partially developed with the help of a large language model (LLM). However, researchers found that the AI-assisted code contained multiple implementation flaws, indicating the malware is still under development.

"While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping," Palo Alto Networks Unit 42 said. "Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly."

According to Palo Alto Networks' Unit 42 researchers, a manual review of the code could have easily corrected many of these issues, suggesting that more refined versions of the malware may already exist in the wild.

The TuxBot v3 Evolution framework is built using several interconnected components, including a C-based bot agent capable of cross-compiling across architectures such as ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V. It also features a Go-based command-and-control (C2) server equipped with a DDoS-for-hire management panel, a custom exploit virtual machine, Docker-based testing infrastructure, and an automated build system.

The bot agent is designed to brute-force Telnet credentials using a database of 1,496 username-password combinations while exploiting known vulnerabilities affecting more than 30 IoT device families. For communication, the malware relies on an encrypted TCP channel and incorporates multiple fallback mechanisms, including a SHA512-based domain generation algorithm (DGA), peer-to-peer (P2P) gossip protocol secured with Ed25519 signatures, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling.

Researchers traced the botnet's origins to code borrowed from multiple malware families, including Mirai, AISURU, and Wuhan, while also identifying portions adapted from the open-source MHDDoS Python DDoS toolkit. One malware sample was uploaded to VirusTotal on January 20, 2026, indicating the framework has existed for at least six months. Evidence also suggests development began approximately a year earlier after the threat actor cloned the MHDDoS repository from GitHub.

"According to the framework's description, the TuxBot developer built what they called a professional-grade C2 framework platform with a multi-user admin panel, automated deployment, and modular attack capabilities," researchers Chris Navarrete, Asher Davila, and Doel Santos said.

The Go-based C2 server listens on three separate TCP ports to perform different functions. Port 1999 (or 31337) handles encrypted communication with infected bots, port 2222 provides operators with an interactive SSH shell, and port 9999 offers a JSON-based interface for programmatic management.

After infecting a device, TuxBot executes a structured initialization process. This includes retrieving the C2 address through a multi-layered communication system, activating anti-debugging and anti-virtual machine protections, concealing its process name, establishing persistence, and launching several attack modules.

These modules support distributed denial-of-service (DDoS) attacks, terminate competing malware, establish communications through IRC, HTTP, DNS, and P2P channels, scan services including Telnet, SSH, HTTP, and Android Debug Bridge (ADB), deploy a SOCKS5 proxy, and reserve functionality for cryptocurrency mining.

Researchers also found that the malware's HTTP scanner is capable of maintaining up to 128 concurrent connections to identify vulnerable web interfaces. Persistence mechanisms include systemd services, cron jobs, and watchdog processes that ensure the malware remains active even after system reboots.

"Multiple files contain raw LLM chain-of-thought reasoning left verbatim in comments," Unit42 said. "These comments are the LLM's internal reasoning as it worked through porting tasks. This reasoning is complete with self-interruptions, decisions, and references to 'the user' (meaning the developer who prompted the LLM)."

Although TuxBot v3 Evolution remains an unfinished project, researchers believe its modular architecture and AI-assisted development demonstrate how threat actors can rapidly build sophisticated malware with limited resources. The framework combines multiple C2 communication channels, a custom exploit virtual machine, and a Go-based DDoS-for-hire panel into a single platform.

"Shared infrastructure with Kaitori v3.9 and AISURU tooling places the TuxBot operator within the Keksec ecosystem," Unit 42 concluded. "This group is known for running multiple IoT botnet variants in parallel. TuxBot appears to be another variant in that portfolio. It's one that aims to go beyond the usual Mirai fork with its encrypted C2, its DGA, and a modular exploit system, even though that system does not work yet in the version we recovered."

The findings come shortly after researchers identified two additional botnets, RustDuck and AryStinger, which have been targeting routers, IP cameras, Android TV boxes, and inadequately secured servers to build networks capable of launching DDoS attacks and conducting reconnaissance activities.

Windows 11 KB5101650 and KB5099414 Updates Released With Security Fixes and New Features


 

A cumulative update for Windows 11 based on Patch Tuesday July 2026 is now available, with KB5101650 for versions 25H2 and 24H2 and KB5099414 for version 23H2. As well as addressing 571 security vulnerabilities, the mandatory updates also improve the usability, accessibility, and performance of the operating system. 

Using the Microsoft Update Catalog or by navigating to Settings > Windows Update and selecting Check for updates, users may download the updates manually, following installation. As a result of the installation, Windows 11 build numbers have been updated to 26200.8875 (25H2), 26100.8875 (24H2), and 22631.7376 (23H). It is noteworthy to note the wider rollout of Point-in-Time Restore, which allows users to restore their systems to a previous state in a more efficient manner. 

Aside from new features, Microsoft has introduced several security-focused improvements as part of the July Patch Tuesday release, as well as enhanced controls for enterprise administrators. As a result of improved device targeting in the update, more eligible systems will be able to receive updated Secure Boot certificates automatically via Windows Update, thus expanding Secure Boot certificate deployment. 

Moreover, Microsoft has also upgraded the built-in curl command-line utility to version 8.21.0, which provides additional security features. In addition to reducing unnecessary notifications and taskbar badges, this update also disables automatic opening on hover, and provides more customization options for Widgets. There are several additional improvements to File Explorer, including quicker launch times, improved responsiveness, enhanced support for complex file paths, and new quick actions such as Open File Location and Ask Copilot for work and school accounts. 

Several additional features have been added to enhance accessibility, including a Screen Tint feature which reduces eye strain and improved Magnifier controls that provide the ability to set precise zoom levels for the Magnifier. 

A number of languages are now supported by Voice Access and Voice Typing, including French, German, and Spanish. These languages now support real-time grammar, punctuation, and recognition enhancements, enhancing dictation accuracy. In addition to improving connectivity and hardware reliability, the release also enhances Bluetooth performance by improving device pairing time, microphone synchronization, voice calls that are more reliable, and LE Audio accessory stability.

With networking enhancements, Wi-Fi crashes are reduced, VPN compatibility is improved, virtualization networks are strengthened, and network settings are preserved during operating system upgrades. The security of Remote Desktop (RDP) has also been enhanced by supporting SHA-2 certificate thumbprints for trusted RDP publishers, while maintaining SHA-1 only for backward compatibility. 

In order to reduce phishing risks and prepare for eventually terminating SHA-1 support, organizations are encouraged to migrate to stronger SHA-256 certificates and update Group Policy settings for Remote Desktop files. Furthermore, the cumulative update resolves a compatibility issue that was caused by the June 2026 security update, which prevented third-party applications using OLE Automation from launching Microsoft Office or opening Office files. 

A further step to strengthen network security was taken by Microsoft by implementing stricter registration requirements for Transport Driver Interfaces (TDI). This may affect applications that rely on unregistered third-party TDI transports. Additionally, improved HD Audio reliability, stability of the Start menu, graphics performance on multiple monitors, Windows Subsystem for Linux (WSL) network improvements, improved printer installation that uses the Internet Printing Protocol (IPP) by default, and enhanced touchpad customization options are also included. 

Microsoft has reported no known issues with this month's Patch Tuesday update, which makes it a relatively stable release in comparison with previous Patch Tuesday releases. Considering the large number of security fixes included, users are encouraged to install the updates immediately to ensure protection against recently disclosed vulnerabilities. Also included in this update is a minor modification to the handling of keyboard shortcuts in Windows by altering how hotkey cleanup is conducted. 

There is a possibility that, in rare cases, certain built-in Windows experiences may temporarily cease to respond to specific keyboard shortcuts after installation. Restarting the affected application should typically resolve the issue, and users may also report persistent problems through the Feedback Hub.

Patch Tuesday updates in July 2026 reinforce Microsoft's ongoing commitment to enhancing the security, stability, and user experience of Windows 11. Hundreds of vulnerabilities have been addressed along with new features and reliability enhancements. Users and organizations are encouraged to install the updates as soon as possible to ensure optimal protection.