Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Data Safety User Data
ai browser AI technology Browser Security Browser Session Hijacking Chrome Extensions Critical Flaws Cyber Security Data Safety User Data

Critical Flaws in SiderAI and MaxAI Chrome Extensions Expose Millions to Browser Hijacking

 

Over ten million people might face major online threats following the discovery of severe weaknesses in two common AI-based Chrome add-ons, SiderAI and MaxAI. Though designed to assist with summaries and automated tasks, these tools were found carrying dangerous bugs - dubbed “Spyder” and “MaXSS” - by analysts at Rebora Security during a routine check of such software. Once exploited, either flaw lets unauthorized parties hijack active browsing activities. 

Information saved on sites, along with files on personal devices, may become reachable without permission. While built for convenience through side panels and smart responses, their broad adoption across Chromium-linked browsers amplifies how far harm could spread. Despite appearing helpful, the underlying structure allows invasive access when misused. One of the leading tools on the Chrome Web Store, SiderAI sits in the top quarter of all extensions by popularity. 

A recent analysis revealed flaws in how SiderAI and MaxAI managed data flow between sites and their inner workings, especially involving content scripts. Although these scripts should serve as controlled messengers - keeping site code apart from backend logic - the boundaries blurred in practice. Messages sent by web pages entered without sufficient checks. Because verification steps were missing, untrusted inputs could move deeper into the system than intended. A flaw in MaxAI allowed harmful sites to transmit manipulated data directly to its content script. 

Though meant to relay information, the system passed these signals onward - into the background process - with little checking. Because of this gap, unauthorized users gained access to powerful functions. Hidden tabs appeared without warning, snapshots of screens were captured, site interactions occurred - all while riding on logged-in accounts. Security weakened when trust was misplaced across internal components. Testing revealed researchers gaining entry to live Gmail and Google Calendar sessions, pulling confidential data while leaving no trace. 

What made the Spyder vulnerability in SiderAI alarming was its ability to mimic real user behavior - clicks, typing - all within integrated browser windows. A compromised site, using this loophole, might load Google Gemini unseen, harvest ongoing AI dialogues, then send them outward. Detection during such an event remained unlikely. What happens because of these flaws goes well past messages or chat tools. 

Through them, hackers might grab login codes, see private correspondence, change files, while acting like the victim on many sites. Sometimes, the broad access given to such add-ons lets intruders reach data saved directly on a person's device. What stands out most is how little effort an attacker needs - just opening a harmful webpage can trigger the flaw. Because of this low barrier, threats can spread fast without clear signs. 

After uncovering the problem, Rebora Security reached out to the creators of the affected tools; silence followed. With no reply, the details eventually appeared online, while a heads-up also went to Google. Should SiderAI or MaxAI appear in a user's browser, removal is urgent. This case brings attention to rising risks tied to artificial intelligence add-ons - especially those collecting sensitive online behavior. 

When apps gain deep access to personal information, careful review of their privileges becomes unavoidable. Security grows more complex as these tools spread across everyday browsing routines.
Read more »
Technology
AI CISO Cyber Threats Cybersecurity ISSA Technology

Cybersecurity Leaders Face Growing Workloads as AI Changes the Job

 



The responsibilities placed on cybersecurity leaders are becoming increasingly difficult to manage as organizations face a growing number of cyber threats, rapid adoption of artificial intelligence technologies, and increasing demands for security oversight across the business.

A recent survey conducted by the Information Systems Security Association (ISSA) International and research firm Omdia found that 68% of cybersecurity and IT professionals believe their jobs are more difficult today than they were two years ago. More than half of respondents reported heavier workloads and greater operational complexity (55%), while 52% said the volume and intensity of cyber threats have become more overwhelming.

Security teams are being asked to protect increasingly complex digital environments while also helping organizations adopt new technologies such as generative AI. At the same time, many security leaders say they are struggling to secure sufficient support from other parts of the business.

According to Shawn Murray, former president of ISSA and a fractional Chief Information Security Officer (CISO), many security executives regularly work long hours while attempting to address security concerns that are often introduced without their involvement. In some organizations, new technologies are adopted before security teams are included in planning discussions, creating additional challenges for risk management and governance.

As a result, some experienced CISOs are leaving traditional full-time leadership positions and choosing consulting or fractional roles instead. These arrangements allow security professionals to work with multiple organizations while focusing on businesses that are willing to involve cybersecurity leaders in strategic decision-making.

While legal accountability was once considered one of the largest concerns facing CISOs, the survey suggests that anxiety around personal liability has become less prominent than in previous years. Instead, many respondents identified the security implications of artificial intelligence as one of the most significant new sources of pressure.

AI has created both opportunities and challenges for cybersecurity teams. One growing concern is the rise of "shadow AI," where employees begin using AI tools and services without notifying security teams or obtaining formal approval. Similar issues emerged during the early stages of cloud adoption, when departments could deploy new services independently without providing visibility to cybersecurity staff.

This lack of visibility can create greater security gaps. When security teams do not know which AI applications, models, or processes are being used across an organization, it becomes more difficult to identify risks, monitor suspicious activity, and respond effectively to potential incidents.

Despite these concerns, cybersecurity professionals are increasingly interested in using AI to improve their own operations. The survey found that 37% of respondents are already using AI-powered tools to address cybersecurity challenges, while another 46% plan to adopt such technologies in the future.

Among the most common use cases identified by respondents were automated cybersecurity assessments, software testing, predictive risk analysis, and threat detection. These capabilities could help security teams reduce manual workloads and process large volumes of security data more efficiently.

Alex Hutton, CISO at Atlantic Union Bank, noted that the cybersecurity environment has changed significantly in recent years. Whether organizations fully embrace advanced AI systems or not, security professionals must continuously learn about new technologies, understand emerging risks, and adapt their security strategies accordingly.

The survey also highlighted a notable shift in how organizations obtain cybersecurity leadership. The percentage of companies employing full-time CISOs declined from 76% in 2024 to 63%, while the use of fractional CISOs increased from 6% to 15% over the same period.

Industry observers believe this trend reflects growing demand for cybersecurity expertise rather than a reduction in the importance of the CISO role. Many small and mid-sized organizations face the same security, compliance, and governance challenges as larger enterprises but often lack the budget required to hire a full-time executive.

Cyber insurance requirements are also contributing to demand for experienced security leadership. Organizations are increasingly expected to demonstrate strong cybersecurity practices and effective risk management controls before obtaining coverage or meeting insurer requirements. CISOs frequently play a central role in helping businesses assess risks, improve security programs, and document compliance efforts.

According to Hutton, the rise of fractional and virtual CISOs provides organizations with access to executive-level security guidance without requiring a full-time appointment. Rather than signaling the decline of cybersecurity leadership positions, the change may represent an expansion of cybersecurity services to organizations that previously could not afford dedicated executive expertise.

As cyber threats continue to grow and AI reshapes business operations, cybersecurity leaders are expected to remain critical decision-makers. However, the role itself is changing, requiring security professionals to balance technical oversight, business strategy, regulatory expectations, and emerging technologies in an increasingly demanding environment.

Read more »
European Union
Cyber Networks cyber resilience Cyber Security Cyberattacks Cybersecurity Precautions EU European Union

Ukraine Joins EU Cybersecurity Reserve to Strengthen Cyber Resilience and Emergency Response

 

Now able to tap into the EU’s emergency cyber network, Ukraine joins a support framework cleared by the Council of the European Union. When overwhelming cyberattacks strike, help may come faster because Kyiv can formally seek aid beyond what it handles alone. Specialized teams and resources from across the bloc stand ready, activated through shared crisis procedures. 

This link strengthens real-time defense options amid severe digital threats. Help arrives via the EU Cybersecurity Reserve, run by ENISA - the European Union’s cybersecurity agency. Born from the Cyber Solidarity Act, it lets member nations turn to vetted private experts if local teams cannot keep up. As attacks grow more complex, ties in tech defense strengthen between the bloc and Ukraine. Their collaboration now includes shared readiness against online risks. 

If a cyberattack overwhelms Ukraine’s internal resources, it can officially trigger emergency support through the framework. When that happens, digital security specialists from various European nations might step in to help control, examine, and recover systems. Officials view this measure as one piece of wider work aimed at boosting readiness, speeding up reactions, and building stronger collaboration amid rising complexity in online attacks. 

Though cyber threats grow more frequent, unity among nations strengthens defenses. Because attacks target government systems, companies, and vital services, joint efforts matter more now. The European Commission views this move as a step toward stronger cooperation. When one country acts alone, risks rise - yet shared knowledge reduces vulnerability. As digital dangers spread, responses must shift from isolated attempts to unified strategies. Now ranking as the second non-EU nation within the reserve, Ukraine follows Moldova’s inclusion during 2024. 

That year, rising cyber threats tied to Russian activity prompted Moldova’s entry. Seen by European authorities as pivotal for regional collaboration on digital security, its involvement highlights ongoing efforts. Resilience in cyberspace continues shaping how the EU engages nearby states. Progress here reflects broader aims, yet depends heavily on real-time readiness. Besides tackling cyber threats, the European Union now works more closely with Moldova on various digital fronts. 

Recently, an accord was reached politically, paving the way for Moldova’s entry into the EU Roaming Zone - pending official approval. Should it pass, people from both regions could make calls, send messages, or access data while traveling, free of extra fees. Now operating within the EU Third Countries’ Trusted List, Moldova streamlines how electronic signatures and digital seals are recognized across entities and individuals. 

Backed by EU funding, a fresh node of the European Digital Media Observatory - named FACT - emerges to counter disinformation and external manipulation efforts. Now comes news on cyber defense, right after fresh progress in how the EU engages Ukraine and Moldova. Talks to join the bloc officially started, backed unanimously by national leaders lately. 

Marking the moment, Commission head Ursula von der Leyen called it a turning point - not just symbolic, but rooted in real changes made amid hardship. Her view: this step shows lasting support for peace, resilience, and shared effort where it matters most. 

Now more shielded, Ukraine taps into the EU Cybersecurity Reserve, linking efforts with European allies when large-scale digital threats emerge. This cooperation builds lasting strength in facing future attacks, not just immediate fixes. Through shared response channels, new stability takes root beyond borders. Long-term readiness grows quietly but steadily from such joint undertakings.
Read more »
Telegram Ban
Mobile Security NEET UG NTA Paper Leak Telegram Ban

India Temporarily Bans Telegram Ahead of NEET UG 2026 Re-Exam to Curb Fraud

 

India has temporarily restricted Telegram ahead of the NEET UG 2026 re-examination, as authorities move to curb exam fraud and protect the integrity of one of the country’s most important medical entrance tests. The decision has drawn attention because Telegram is widely used for communication, study groups, and information sharing, making the restriction both significant and controversial. 

The action was taken after the National Testing Agency recommended stronger controls amid concerns that organized cheating groups were exploiting the app to circulate question papers and misleading claims. Officials said the temporary ban is intended to stop candidates from being targeted by fraud networks that can spread manipulated content quickly during a high-stakes exam period. 

Under the order, access to Telegram in India is restricted until June 22, 2026, covering the exam day and the immediate aftermath. Authorities also directed the company to disable its message-editing feature in India until June 30, 2026, saying that feature had allegedly been misused to make old posts look like proof of a paper leak. 

The measure has sparked debate because Telegram is used not only for illicit activity but also for legitimate education, work, and community communication. Telegram has reportedly challenged the decision in court, while the Delhi High Court upheld the government’s temporary block on June 19, citing emergency grounds and compliance with the law. 

The broader issue goes beyond one app: exam leaks and digital fraud are becoming harder to control as messaging platforms, edited content, and anonymous groups make false claims easier to spread. For students, the immediate focus is on the re-exam schedule, but for policymakers, the case is a reminder that future exam security may require faster monitoring, tighter platform cooperation, and clearer digital enforcement rules.
Read more »
spear phishing
BYOVD Attack Inc ransomware LockBit malware Ransomware spear phishing

INC Ransomware Climbs Into Top Tier of Cybercrime Operations, Surpasses 830 Victims

 



The ransomware operation known as INC has grown into one of the most active cybercrime groups of 2026, with security researchers linking it to more than 830 victims since it first appeared in August 2023.

According to researchers at Acronis, the group's rise coincided with disruptions affecting major ransomware brands such as LockBit and BlackCat. As affiliates sought alternative platforms, INC appears to have benefited from that shift. More than 65% of the victims listed by the group are based in the United States, with legal firms, healthcare providers, manufacturers, construction companies, and technology organizations among the most frequently targeted sectors.

Researchers also observed major changes to the ransomware itself. INC's malware for Windows and Linux/VMware ESXi systems has been rewritten in Rust, a programming language increasingly adopted by malware developers because it supports multiple operating systems and can complicate reverse-engineering efforts.

The group's toolkit has expanded as well. Recent attacks have involved a credential-stealing utility capable of extracting authentication data from newer Veeam backup deployments that use salted DPAPI encryption. Access to backup infrastructure can give attackers valuable credentials while also making recovery efforts more difficult for victims.

Acronis noted that the sale of INC's Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the appearance of related ransomware families, including Lynx and Sinobi. Researchers identified significant code similarities between the groups.

Investigators found that INC affiliates rely on several entry points to compromise networks, including spear-phishing campaigns, credentials purchased from Initial Access Brokers (IABs), and the exploitation of publicly exposed systems running vulnerable versions of Citrix NetScaler, Fortinet EMS, and SimpleHelp software.

Once inside a network, attackers harvest credentials, move between systems using legitimate administrative tools such as RDP and PsExec, and attempt to weaken security controls through a technique known as Bring Your Own Vulnerable Driver (BYOVD). Researchers observed the use of vulnerable drivers including filwfp.sys, filnk.sys, and fildds.sys. The group also deploys tools such as Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer to maintain access and control compromised environments.

Before encryption begins, stolen files are collected and transferred using Rclone, often after being packaged into password-protected archives. The ransomware then encrypts systems using multithreading and partial-encryption techniques to speed up the process. When launched against VMware ESXi environments, the malware can also attempt to shut down virtual machines.

Data from ZeroFox ranked INC as the fourth most active ransomware operation during the first quarter of 2026, recording more than 120 incidents. Researchers said the group's growth demonstrates how ransomware operators can build large-scale campaigns using widely available tools, stolen credentials, and unpatched systems rather than relying on highly specialized malware.

Read more »
TinyPulse breach
Data Breach employee data leak Nintendo Nintendo of America ransomware attack Shadowbyt3$ TinyPulse breach

Nintendo Confirms Third-Party Survey Data Breach, Says Customer Information Remains Secure

 


 Nintendo of America has acknowledged that employee survey data was exposed through a security incident involving TinyPulse, a third-party platform used for internal feedback and engagement surveys. The company emphasized that its own systems were not compromised and that no customer or financial information was affected.

The confirmation follows claims made by the Shadowbyt3$ cybercrime group, which alleged that it had obtained sensitive information linked to Nintendo of America employees.

“We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” stated Nintendo.

“Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed. Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed."

"The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years,” the company told BleepingComputer.

Nintendo of America, which oversees operations across the United States, Canada, and parts of Latin America, explained that the affected information was restricted to internal survey content collected through TinyPulse.

TinyPulse is a workplace engagement platform that enables organizations to conduct anonymous employee surveys, gather feedback, analyze workforce sentiment, and assess company culture.

Nintendo added that it is “working with the service provider to address the issue.”

Meanwhile, BleepingComputer reached out to WebMD Health Services, the owner of TinyPulse, seeking additional details about the incident and its potential impact. However, no response had been received at the time of publication.

Despite Nintendo’s statement that only survey-related information was exposed, the Shadowbyt3$ group claims the stolen data includes more extensive employee records.

The threat actor initially alleged that nearly 1GB of data had been taken from Nintendo and gave the company 48 hours to begin negotiations before the information would be released publicly.

According to the group, the dataset contains employee names, email addresses, survey and analytics information, bank statements, W-9 forms, employee identification details, progress plans, and reports spanning from 2016 to 2026.

"If you contact us we give you an extra day to think this through. We are demanding a ransom payment of 2 million dollars," reads the Shadowbyt3$ post.

In a follow-up statement, the group claimed that the incident did not impact Nintendo’s gaming operations and instead affected “a small amount of employees that work for nintendo and have used tinypulse.”

The attackers later published another message suggesting additional organizations could be targeted and shared a link to what they claimed was leaked employee communications. The post implied that Nintendo declined to meet the ransom demand.

BleepingComputer stated that it did not download or verify the authenticity of the allegedly leaked files. Regardless of the claims, Nintendo has maintained that customer information was not involved in the incident and that users do not need to take any action.

Shadowbyt3$ is a relatively new cybercriminal operation that describes itself as an “extortion as a service” group and claims to have been active since October 2025. The group says it publishes stolen information from organizations that refuse to pay ransom demands and promises that data “will be Deleted Permanently and you will not hear from us again” if a payment agreement is reached.

Cybersecurity experts and law enforcement agencies continue to advise organizations against paying ransom demands, noting that doing so can encourage future attacks. They also warn that there is no assurance stolen information will not be retained or sold even after a payment is made.

Read more »
Windows Clipper Malware
Clipboard hijacking cryptocurrency theft malware Microsoft security Remote Code Execution Tor-Based C2 USB LNK Worm Windows Clipper Malware

Microsoft Exposes Malware Operation Combining USB LNK Worms and Tor-Based C2 Servers

 


A threat actor will benefit from combining cryptocurrency theft, covert communications, and remote access into a single malware framework in order to increase stealth and persistence. Microsoft has revealed the existence of a Windows-based clipper campaign active since February 2026. The clipper campaign uses a portable Tor client, Windows Script Host, and ActiveX components to communicate with a hidden command-and-control server. 

Besides intercepting and replacing cryptocurrency wallet addresses, the malware also performs continuous clipboard monitoring, captures screenshots, exfiltrates stolen data, and executes remote commands. 

A key characteristic of the operation is that it does not utilize traditional installer mechanisms or publicly exposed C2 servers and instead utilizes Tor-routed traffic as a means of concealing its activity and extends its capabilities to lightweight backdoor functions as well as financial theft. USB-Borne Infection Chain Drives Initial Compromise Upon further investigation, it was revealed that the operation is characterized by a multi-stage infection chain combining removable media propagation with credential and asset theft. 

In Microsoft's opinion, the campaign originated through malicious Windows shortcut (.LNK) files distributed through USB storage devices, enabling the malware to spread without relying on online delivery mechanisms. An infection after being executed deploys two components: a worm that propagates throughout additional removable drives, and a clipper module designed to obtain information about cryptocurrency seed phrases, private keys, and wallets. 

Obfuscation and Persistence Mechanisms Enhance Stealth As part of its propagation mechanism, the worm exploits the trust of users in familiar file formats. When it scans USB devices for commonly accessed document formats like Microsoft Word, Excel, and PDF, it conceals the original filenames and replaces them with malicious shortcuts named identically. 

In addition to increasing user interaction, this strategy masks the infection process by enabling additional payloads to be unpacked into randomly generated directories within the Public Documents path upon execution, and thereafter persistence can be established by scheduling tasks. In order to minimize the possibility of detection, the malware attempts to modify local defenses by creating antivirus exclusions for its staging locations and executable components in order to avoid detection. 

According to Microsoft, extensive efforts have been made to obstruct the process of forensic analysis, such as packaging the installer with PyInstaller and obfuscation with PyArmor, and using JavaScript-based modules with layered encryption as well as runtime decryption. This malware performs an anti-analysis check by searching for Windows Task Manager processes and terminating execution if monitoring is detected, underscoring the operator's emphasis on long-term stealth and evasion. 

Tor-Based Communications Power Clipboard Hijacking Operations Upon clearing the anti-analysis checks and activating the stealer module, the malware enters into a highly automated surveillance phase designed to detect and intercept cryptocurrency-related activity in near real-time. Microsoft observed that a Tor executable named ugate.exe is used by the component to communicate with its hidden command and control infrastructure, enabling all traffic to be routed through anonymized channels as well.

Once the malware has been installed, it periodically checks the system clipboard for a specific set of highly valuable cryptocurrency artifacts, searching for these artifacts every 500 milliseconds. Among these include 12-word and 24-word recovery phrases for Bitcoin, Ethereum private keys, Bitcoin wallet import format keys (WIF), as well as wallet addresses for Tron and Monero in addition to Bitcoin legacy, P2SH, Bech32, and Taproot formats. 

Upon detection of an identical entry, the malware silently replaces it with the address of an attacker's wallet. By carefully selecting substituted addresses to share similar leading characters or numeric patterns with the original destination, the likelihood of detection during visual verification is reduced. During the final stage of the infection, the malware emphasizes the importance of operating concealment and attacker control. 

By launching a renamed Tor executable in the background, the malware is able to identify the compromised host and register it with an external infrastructure without exposing direct network communications to the outside world. 

Upon enrollment, the infected system begins a continuous operational cycle, polling the command-and-control environment for instructions while simultaneously inspecting the clipboard contents at approximately half-second intervals to identify cryptocurrency seed phrases, private keys, and wallets. 

Also, command responses containing the EVAL directive enable the operators to execute attacker-supplied code in real-time, allowing them to expand functionality or take subsequent actions after a compromise. 

The mixture of scripting abuse, removable media propagation, and Tor-based communications indicates Microsoft's recommendation that behavioral detection strategies should be prioritized. These strategies include monitoring PowerShell-driven screen capture activity, suspicious use of WScript and CScript, and script-engine processes spawning unexpected executables, including curl, cmd.exe, PowerShell, or other unexpected executables.

Besides disabling AutoRun and AutoPlay for removable media, Group Policy controls can also be used to restrict the execution of LNK from USB devices, limiting unnecessary access to scripting engines, and monitoring clipboard monitoring and screen capture behavior on systems involving cryptocurrency or other sensitive financial transactions closely. 

Remote Code Execution Expands Malware Capabilities Researchers discovered that the campaign's data collection capabilities go beyond clipboard manipulation. A number of screenshots were taken and transferred to the command-and-control server through the native curl utility, providing operators with continuous insight into the activity of the victims. 

Furthermore, it integrates remote code execution functionality, thereby extending the framework's operational scope beyond a conventional cryptocurrency clipper. By using the EVAL command, operators can instruct the malware to retrieve additional JavaScript payloads, save them locally as cfile files, and execute them directly on the compromised host by instructing the malware to do so. 

Essentially, this capability allows the infection to become an on-demand access platform that is capable of deploying new functionality after initial compromise. Because the malware is highly obfuscated and continuously evolving, Microsoft noted that behavioral indicators offer a more reliable detection opportunity than static signatures. There are several indications that security teams should monitor suspicious activity associated with wscript.exe and cscript.exe, unexpected executions of curl, PowerShell, and cmd.exe, as well as anomalous child process chains. 

Additionally, connections directed to localhost:9050 and other indications of Tor proxy usage may provide valuable indications that this campaign was compromised. Microsoft's campaign illustrates how traditional malware techniques can be combined with anonymous infrastructure and scripting-based execution to create threats that are not only difficult to detect but also highly adaptable as cybercriminal operations continue to evolve. 

In environments characterized by removable media and digital asset transactions, the findings underscore the importance of monitoring behavioral indicators in conjunction with conventional security controls. In order to identify attacks that prioritize stealth over scale, defenders must continue to have access to unusual script activity, Tor-related communications, and clipboard manipulation.
Read more »
vulnerability exploitation
cybercrime forums Cybersecurity hacking tutorial Nuclei framework threat actors Vulnerabilities and Exploits vulnerability disclosure vulnerability exploitation

Underground Forum Tutorial Reveals How Cybercriminal Communities Teach Vulnerability Exploitation and Profit-Making

 

A forum discussion titled “Hacking for Profit. Working method” has provided cybersecurity researchers with a unique look into how underground communities educate aspiring hackers on vulnerability exploitation and monetization. While the original post is neither highly technical nor extensive, its significance lies in presenting a structured, easy-to-follow roadmap that simplifies a complex process.

The post, authored by a threat actor operating under the alias "Hercules," outlines the stages of identifying, assessing, exploiting, and ultimately profiting from vulnerabilities. Researchers from Flare examined both the original content and the subsequent discussions over several months, finding that the thread sparked considerable engagement among forum members.

The discussion attracted numerous responses from users who expressed appreciation for the guidance, sought private communication with "Hercules," and identified themselves as beginners hoping to transition from theoretical cybersecurity knowledge to practical application. According to researchers, the thread appeared to serve as more than just an instructional post, functioning as a source of motivation and mentorship for inexperienced individuals.

The popularity of the tutorial extended beyond its original platform, with the same methodology being reposted and debated across four additional underground forums. Through the post, "Hercules" presents a straightforward framework that helps novice threat actors understand vulnerability exploitation and methods of generating revenue from discovered flaws.

The guide begins by advising readers on how to monitor newly disclosed vulnerabilities, particularly high-impact categories such as remote code execution (RCE), authentication bypass, account takeover, insecure direct object references (IDOR), and data exposure vulnerabilities. It then explains how to locate potentially vulnerable systems, verify exposure, and determine whether findings should be reported, sold, or exploited.

Researchers identified three particularly notable aspects of the tutorial. First, it highlights the use of the Nuclei framework developed by ProjectDiscovery, a widely adopted tool among offensive security professionals. Second, it demonstrates an understanding of the difficulties organizations face when patching newly disclosed vulnerabilities. Third, the tutorial is deliberately separated into “legal” and “illegal” paths, allowing readers to choose at which stage they transition from vulnerability disclosure activities into malicious actions.

One of the tutorial’s most effective features is its approachable tone. Rather than relying on technical jargon, "Hercules" explains concepts in simple language and portrays hacking as a skill that can be learned through practical experience.

He argues that many educational resources focus excessively on subjects such as operating systems, programming languages, scanner configurations, and computer science fundamentals, while many newcomers simply want to "hack," "break in," and "gain access."

The author further suggests that aspiring hackers do not need advanced software development expertise to get started. Publicly available tools, community-created templates, automation, and artificial intelligence are presented as resources that lower the entry barrier, while programming knowledge is described as beneficial but not essential.

This message resonated strongly with forum members. One participant noted that despite completing numerous hacking courses, they struggled to apply their knowledge in real-world scenarios. Another admitted having no programming experience and questioned whether that would prevent them from succeeding.

Many respondents praised the post for its clarity and organization, while others requested direct mentorship or private communication with "Hercules."

A key element of the tutorial is its focus on turning vulnerability discoveries into financial opportunities. According to "Hercules," individuals who uncover vulnerabilities have several options available.

One approach involves contacting the owner of the affected website, server, or hosting provider and offering vulnerability details in exchange for compensation. As the author explains, some organizations are willing to reward responsible disclosure efforts, adding that “…you can take your money home and be proud of yourself”.

The tutorial also discusses selling discovered vulnerabilities through underground marketplaces. In some cases, "Hercules" suggests that actors may simultaneously approach the victim while marketing the same information elsewhere.

Additionally, the guide encourages exploiting vulnerabilities to determine what assets or information reside on compromised systems. Remote code execution vulnerabilities are described as opportunities that can be sold to botnet operators, abused for unauthorized resource usage, or leveraged for data theft. Similarly, account takeover, IDOR, and data leakage vulnerabilities are portrayed as valuable commodities that can be quickly monetized.

"Hercules" characterizes himself as a hacker rather than a fraudster, claiming a preference for rapid sales of access or information rather than engaging in subsequent fraudulent activities.

The forum responses indicate that the thread's influence stemmed from the confidence and practical direction it provided rather than from groundbreaking technical information.

Many users requested additional mentorship, private conversations, and more detailed follow-up material. Others expressed frustration with the limitations of theoretical learning and viewed the tutorial as a useful bridge toward hands-on experience.

Researchers noted that unlike highly technical exploit analyses, which typically appeal to a specialized audience, simple and motivational workflows can attract a much broader group of aspiring participants. Because the methodology is not tied to any specific vulnerability, its relevance can persist for extended periods.

The tutorial promotes a repeatable process: monitor newly disclosed vulnerabilities, identify exposed systems, validate findings, monetize opportunities, and repeat the cycle. This mindset, researchers suggest, provides insight into how inexperienced actors are introduced to cybercrime and encouraged to prioritize certain categories of vulnerabilities.

The post also appears to function as an informal recruitment channel, as "Hercules" repeatedly encourages users to initiate private conversations.

The tutorial highlights several important considerations for organizations responsible for cybersecurity.

First, critical vulnerabilities that are easily reachable remain prime targets for attackers. While automated botnets often begin scanning for exploitable systems shortly after vulnerabilities and proof-of-concept exploits become public, the tutorial demonstrates that even novice threat actors are being encouraged to pursue these opportunities.

Second, older vulnerabilities continue to pose significant risks. Legacy systems running outdated versions of platforms such as Drupal or WordPress may remain attractive targets for less experienced attackers seeking accessible entry points.

Third, researchers emphasize the importance of maintaining effective vulnerability disclosure programs. Financial incentives can encourage security researchers to report vulnerabilities responsibly rather than seeking alternative methods of monetization. Even if information eventually reaches underground markets, early disclosure provides organizations with an opportunity to mitigate risk before widespread exploitation .

Researchers argue that the significance of the thread lies not in the introduction of a new exploitation technique but in its ability to simplify cybercrime into a repeatable business process.

By transforming a technically complex subject into an understandable workflow, "Hercules" makes vulnerability exploitation appear achievable to newcomers. The enthusiastic responses from inexperienced users suggest that this approach is effective.

The findings underscore a broader trend within the cybercrime ecosystem: malicious capabilities do not grow solely through advanced malware development or zero-day discoveries. They also expand through accessible tutorials, mentorship, publicly available tools, and online communities that lower barriers to entry and make illicit activity appear attainable.

Read more »
iOS security
Ad Blockers Ad Blocking Ads App security Apple Apple security features Cyber Security iOS iOS security

New Apple Ad Blocker Filtr Expands Protection Beyond Browsers on iPhone, iPad and Mac

 

Filtr, a fresh ad-blocking app, extends privacy for Apple device owners. Instead of limiting itself to web browsers, it stops advertisements inside mobile and desktop applications too. Created by Kaylee Serena Calderolla - known for developing Wipr, a tool that blocks ads in Safari - it taps into features unveiled in iOS 26 and macOS 26. Through these updates, the software intercepts ad-related data directly within the system’s network layer. Beyond the usual add-ons confined to Safari alone, Filtr taps into Apple’s updated method for handling web traffic. 

With that foundation, it intercepts connections aimed at known ad networks long before content appears - stopping trackers and pop-ups not just in browsers but throughout compatible apps. Blocking happens earlier, silently, cutting down unwanted surveillance along with cluttered visuals wherever digital activity occurs. Filtr comes as a premium feature inside Wipr, an often-used tool that stops ads in Safari. 

Its creator, Calderolla, claims it runs without gathering any personal details or needing entry to sensitive user content. Updates to a custom blocklist - kept current by the maker - allow the filter system to work effectively. Working begins with an initial screening done locally on the device. This step uses a built-in catalog of sites that often serve ads. When uncertainty remains, a follow-up check occurs using a fuller database kept by Calderolla. Communication moves through Apple’s infrastructure, which keeps individual users anonymous to service creators. 

Only matching results trigger deeper analysis, limiting exposure of personal activity. Some people trying the function notice fewer commercials when opening certain programs, though a few show blank spaces instead of promotions. Enabling the link blocker just one time lets the software manage changes on its own, making preparation straightforward. Not every application behaves the same way - some skip ads entirely, others leave gaps. Updates happen in the background after initial activation, reducing ongoing effort. Filtr cannot stop all ads - some slip through when they come straight from an app’s built-in servers. 

Since cutting those might break how the app works, certain promotions stay visible. So, while using platforms like Facebook, Google, or Reddit, users may still spot occasional banners. Even with its constraints, progress shows clearly in how Wipr tackles ads across Apple devices. Priced at five dollars, it works on any device, whereas Filtr adds yearly fees unless users opt to pay twenty-five upfront inside the app.
Read more »
Zcash
Bitcoin Cyber Security Orchard Privacy Zcash

Peter Todd Warns Zcash Privacy Tech Is Too Risky for Bitcoin Consensus Layer

 

Bitcoin developer Peter Todd has warned that Zcash-style privacy technology is too risky to integrate into Bitcoin’s consensus layer, arguing that the cryptographic complexity behind Zcash’s shielded transactions introduces unacceptable operational risk for Bitcoin’s base protocol. His comments erupted after the Zcash Open Development Lab disclosed a critical issue in Zcash’s Orchard shielded pool on June 1, 2026, which temporarily paralyzed the network and required an emergency hard fork to fix. 

The vulnerability affected Orchard, Zcash’s most widely used shielded pool for private transactions, and was discovered during routine security auditing on May 29 by researcher Taylor Hornby using an AI-assisted tool. The flaw centered on just two lines of code in the Orchard circuit, the cryptographic core that processes Zcash’s private transactions, and dated back to when Orchard launched in May 2022. CoinDesk reported that the issue could theoretically have allowed an attacker to mint counterfeit ZEC without leaving any on-chain evidence, though the bug was identified before any known exploitation occurred. 

Fixing it demanded a coordinated hard fork that forced nodes, wallets, and block explorers to update simultaneously, with Orchard transactions suspended during the upgrade window until re-enabled around 23:00 EDT on June 1. Nodes that failed to upgrade quickly became desynchronized, leaving the network paralyzed for several hours and exposing a major coordination problem unique to complex privacy protocols. Todd’s argument centers on the difference between visible and hidden failures in blockchain systems. In Bitcoin’s transparent accounting model, counterfeit coins or invalid outputs are immediately visible on-chain, making it relatively straightforward to detect bugs, identify affected coins, and reverse the chain if necessary. 

He cited Bitcoin’s 2010 value overflow incident and 2013 chain split as examples where rollback was feasible because only a small fraction of coins were affected and the exploit was trivial to notice. In Zcash’s shielded system, however, privacy cryptography using Halo 2 zk-SNARKs allows transaction validation without revealing sender, recipient, or amount, creating a dangerous blind spot where a bug could destroy shielded funds without developers being able to quantify the damage in real time. 

Todd emphasized that approximately 30% of Zcash’s total supply is already shielded in the Orchard pool, meaning a catastrophic failure would wipe out holdings for a high percentage of all Zcash users. He rejected comparisons to Bitcoin’s historical bugs, stating that neither the 2010 overflow nor CVE-2018-17144 could destroy the currency because counterfeit coins were trivially visible and easily rolled back. 

He argued that different types of cryptography have different levels of risk, and that Zcash-style cryptography carries a very high risk level reflected in Zcash having experienced much more serious issues than Bitcoin. The debate reflects a fundamental divide in crypto between innovation and protocol conservatism, with Todd favoring maintaining Bitcoin’s deliberately simple core design. 

Privacy advocates seeking Bitcoin improvements without consensus-layer changes point to Silent Payments, an application-layer solution that generates unique addresses for each transaction without exposing payment history. Unlike Zcash’s approach, Silent Payments does not modify Bitcoin’s base protocol, though adoption remains limited to wallets like Sparrow Wallet and Cake Wallet. At press time after the incident, ZEC traded around $532 following a 37.8% slide before recovering, demonstrating market volatility tied to Orchard’s technical stability.
Read more »
phishing
AI Driven Cyber Attacks Anthropic Artificial Intelligence MITRE ATT&CK phishing

Researchers Warn AI Is Blurring the Line Between Skilled and Unskilled Hackers

 




For years, cybersecurity teams have relied on established methods to determine how dangerous a threat actor might be. Analysts typically examine the techniques an attacker uses, the tools involved, and the complexity of an operation to estimate the level of risk. New research from Anthropic, however, recommends that artificial intelligence is beginning to disrupt those assumptions.

The company's Frontier Red Team recently analyzed 832 user accounts that were removed from Anthropic's platforms for engaging in malicious cyber activity between March 2025 and March 2026. Researchers compared the observed behavior against the MITRE ATT&CK framework, a widely used industry resource that categorizes adversary tactics and techniques. Portions of the findings were also referenced in Verizon's 2026 Data Breach Investigations Report.

It's a signal to keep up with how cybercriminals are using AI. Rather than limiting AI to basic tasks, attackers are increasingly applying it to activities that take place after gaining access to a target environment. This trend suggests that AI is becoming part of deeper operational stages of cyber intrusions, including tasks that traditionally required stronger technical expertise.

Among all observed cases, malware development was the most common use of AI. Researchers found that 560 of the 832 analyzed accounts, representing more than two-thirds of the dataset, used AI-assisted tools to help create or modify malicious software. While this finding was expected, the more notable change appeared elsewhere.

Throughout the study period, researchers recorded a movement away from AI-assisted initial access activities and toward post-compromise operations. One example was account discovery, a process attackers use to identify valid user accounts within a breached network. AI-assisted account discovery increased by 8.9% during the reporting period. By contrast, AI-supported phishing activity declined by 8.6%.

The data also showed growing use of AI during lateral movement operations. Lateral movement refers to the actions attackers take after entering a network to expand their access and reach more valuable systems, users, or data repositories. According to the report, 54 of the 832 observed actors used AI assistance during this stage of an intrusion.

Historically, activities such as account discovery, privilege escalation, and lateral movement have been associated with more experienced operators because they require a stronger understanding of network environments and attack workflows. Researchers argue that AI is reducing those technical barriers, allowing a broader range of actors to perform tasks that were previously more difficult to execute effectively.

This change became visible in the study's risk assessment data. During the first half of the observation period, approximately 33% of threat actors were categorized as medium-risk or higher. During the second half, that proportion rose to 56%. Researchers described this increase as evidence that AI is helping a larger segment of the threat landscape carry out more advanced cyber activity.

The findings also raise questions about how the industry evaluates attacker sophistication. Security teams have long treated the number of techniques used during an attack as an indicator of capability. Anthropic's analysis suggests that this relationship is becoming less reliable in AI-assisted environments.

Researchers found only a small difference between lower-risk and higher-risk actors when measuring the number of techniques used. Less sophisticated actors employed an average of 16 techniques, while the most capable actors averaged 20. The narrow gap indicates that technique counts alone may no longer provide a meaningful way to prioritize threats.

The same pattern appeared when researchers examined how attackers interacted with AI systems. Whether actors used Claude Code, direct API access, or standard chat interfaces showed little connection to their assessed risk level. Simply identifying which AI tool was used did not provide a clear indication of the threat posed by an actor.

Instead, researchers found that the location of AI usage within the attack lifecycle was a stronger indicator of risk. Higher-risk operators tended to apply AI to technically demanding stages of an intrusion, including internal reconnaissance, privilege escalation, and lateral movement. These activities often have a direct impact on how effectively an attacker can establish control over a compromised environment.

Even that distinction may not remain useful indefinitely. Researchers observed that these more advanced use cases are gradually spreading throughout the broader threat ecosystem. As AI tools become more accessible and capable, activities once associated with a smaller group of highly skilled operators may become increasingly common.

Anthropic identified another characteristic that separated the most dangerous actors from the rest. Rather than using AI for isolated tasks, some operators built systems around AI models that connected multiple attack stages together. This allowed AI to support planning, execution, and decision-making across larger portions of an operation with limited human involvement.

Researchers describe this capability as agentic attack orchestration. In practical terms, it refers to AI systems that can assist with coordinating different phases of an intrusion, helping move an attack from one stage to another without requiring constant manual direction from an operator.

According to the report, this rising behavior exposes a limitation in existing cybersecurity frameworks. MITRE ATT&CK was designed to document attacker actions and techniques. It was not built to measure the degree of autonomy involved when AI systems help coordinate those actions.

Anthropic underlined this challenge using a cyber-espionage campaign it disrupted in November 2025. The operation involved attempts to use Claude Code in support of intrusion activity targeting organizations in multiple regions with relatively little direct human intervention.

When researchers mapped the operation to MITRE ATT&CK, it generated a profile containing 30 techniques across 13 tactics. On paper, that profile appeared comparable to many medium-risk actors included in the study. However, Anthropic's internal evaluation system assigned the operation the maximum possible risk score of 100.

Researchers argue that the discrepancy exists because current frameworks focus on what actions occur during an attack rather than how those actions are coordinated. An AI-assisted system capable of executing commands, identifying vulnerabilities, collecting credentials, and adapting to changing conditions throughout an intrusion presents a different operational challenge than a human manually performing each step.

The report notes that there are currently no ATT&CK categories specifically designed to capture autonomous orchestration, automated chaining of attack stages, or the reduction of human decision-making throughout an attack lifecycle.

Anthropic says it is actively discussing potential framework updates with MITRE to better account for AI-enabled attack behaviors. The company has also used insights from the research to strengthen safeguards within its own models, including controls intended to detect and prevent misuse involving malware development and large-scale data theft attempts.

For defenders, the findings suggest that traditional indicators may no longer provide a complete picture of cyber risk. A threat actor using AI to automate portions of an attack may achieve outcomes similar to those of a more experienced operator performing the same tasks manually. Likewise, an individual using a basic chat interface could potentially conduct operations that resemble those performed through more advanced integrations.


Read more »
Wearable Device Security
AI Surveillance Risks Biometric Authentication Biometric Security Face Recognition Technology Facial Recognition Security Meta AI App Meta Smart Glasses Privacy Technology Wearable Device Security

Meta Faces Privacy Questions After Secret Face Recognition Code Discovery


The concept of facial recognition in consumer wearables remained largely a theoretical discussion for many years confined to research laboratories, privacy concerns, and product development. Having now discovered that Meta had quietly embedded facial recognition-related code within its Meta AI mobile application, the software that powers and supports its Ray-Ban and Oakley smart glasses ecosystem, this conversation is moving closer to reality. 

A system known as "NameTag" was discovered inside the smart glasses in order to process images captured through their cameras, generate biometric information, and match it with local data in order to recognize individuals in real time. Based on these findings, the integration of advanced computer vision capabilities into everyday consumer devices has been heightened, particularly when these capabilities appear in applications that are installed on tens of millions of smartphones well in advance of official announcements. 

Additionally, Meta's smart glasses platform continues to expand its capabilities, raising questions regarding transparency, biometric data handling, and the future of artificial intelligence-powered wearable technology. In further analysis of the software architecture, it is apparent that the NameTag framework was not limited to experimental code fragments, but rather was integrated into the Meta AI application, which is a mandatory companion application for several smart glasses features and has been downloaded by over 50 million people. 

An analysis of the system indicates that it was designed to capture facial imagery through the glasses, generate unique biometric templates known as faceprints, and compare the collected data with data stored locally on a user's device. Upon identifying a match, the application could generate recognition alerts to the wearer, while faces that could not immediately be matched were reportedly cropped, catalogued, and queued for future consideration. 

In the investigation, researchers noted that three separate machine learning models were already installed on user devices to handle face detection, image extraction, and biometric conversion, respectively, associated with the feature. In earlier application builds, the capability was also referenced under the label "Connections," which implies a potential application use case that could involve assisting users in recalling individuals they had previously encountered. 

A portion of the technical analysis was reviewed by independent security experts who emphasized the findings of the study. Although the feature was never publicly announced, researchers indicated that the underlying components appeared sufficiently developed to facilitate operational testing. 

Security researchers reported that one security researcher uploaded a faceprint associated with French philosopher Michel Foucault to demonstrate the system's recognition workflow, which triggered a notification which indicated successful identification of the user. Despite Meta's long-standing involvement with facial-recognition technologies, which have been the subject of both commercial interest and regulatory pressure in the past, this disclosure has reignited scrutiny. 

Previously, the company operated one of the largest facial-recognition systems for consumers by using Facebook's photo-tagging infrastructure before discontinuing the program in 2021 and destroying more than a billion biometric records. The development of a new facial-recognition framework against this backdrop has inevitably drawn the attention of privacy advocates and industry observers. 

A company representative of Meta has, however, strongly rejected interpretations that the technology had been secretly deployed or prepared for public release. The code, according to Meta spokesperson Ryan Daniels, reflects ongoing research and product exploration and not a finished consumer feature. Meta spokesperson said no facial-recognition capability has been offered to users and no decision has been made regarding its implementation in the future. 

The company will not construct a centralized facial-recognition database, he asserted, and stated that any eventual deployment would be disclosed in a clear manner. Andy Stone echoed this position, arguing that characterization of the technology as covertly released is misleading regarding both its purpose and status at present. Despite this, the episode illustrates the tension between rapidly advancing AI-powered wearable capabilities and the security expectations associated with technologies designed to process highly sensitive biometric data. 

There was further intensification in the debate when the Threat Lab of the Electronic Frontier Foundation confirmed certain aspects of the earlier findings and noted that Meta only removed the code related to facial recognition once the issue gained significant public attention. The organization cautioned, however, that deletion does not necessarily indicate an end to development efforts. 

In the course of investigating Meta, it was discovered that there appeared to be an apparent connection between Meta and the biometric technology provider Rank One Computing, a provider of facial recognition solutions for the United States Army and the U.S. Rank One's technology has been linked to Meta AI, the application used in conjunction with the company's smart glass ecosystem according to the report. 

According to the report, the contract permitted access to advanced biometric features, including facial recognition and liveness detection systems. These systems are designed to distinguish a real individual from a photograph, mask, or other spoofing attempt. Researchers expressed concern about the narrow technological gap between government-grade surveillance platforms and consumer-facing wearable devices, arguing that the gap is narrowing rapidly. 

A number of public clarifications regarding the reported partnership have not been made by either company Rank One Computing reportedly declined to respond, while Meta maintains that no consumer-facing facial-recognition features have been released and no final product decision has been reached. 

Additionally, Meta did not confirm if third-party biometric engines with military-grade accuracy are being evaluated for future wearable products. Nonetheless, the revelations have renewed discussion about Meta's long and often controversial history with facial recognition. It was due to years of regulatory pressure that the company dismantled its large-scale facial recognition infrastructure on Facebook in 2021, despite hundreds of millions of users opting into the system previously. 

Recently, Meta settled a lawsuit over allegations relating to the collection of biometric data for $1.4 billion. It was reported earlier this year that Meta had explored ways to use information related to its social media ecosystem to identify individuals using smart glasses. Further concerns have been raised about the integration of biometric intelligence into future consumer products. 

The issue of privacy and cybersecurity goes beyond the release of a single product or feature. Through the transformation of a person's face into a persistent digital credential that can be stored, matched, and analyzed, facial recognition systems fundamentally alter the balance between anonymity and identification in public spaces. 

A number of advocacy organizations have argued that such technologies are disproportionately damaging to marginalized groups, contribute to misidentification, and create avenues for unauthorized surveillance. The security threat associated with biometric identifiers is that, unlike passwords, they cannot simply be changed once they have been exposed. 

The evolution of smart glasses into platforms combining cameras, microphones, artificial intelligence, and biometric processing is increasingly challenging regulators, technologists, and consumers alike. There is the question as to whether privacy safeguards can keep pace with the capabilities being built into the next generation of wearable computing devices. 

A growing number of wearable devices can collect, analyze, and interpret real-world data, thereby expanding the debate from what a wearable device can achieve to how it should be utilized responsibly. In Meta's facial-recognition prototype, questions arise that illustrate an underlying cybersecurity and privacy challenge faced by the industry: ensuring that innovation relating to biometric data is accompanied by transparency, accountability, and meaningful user protections. 

Organizations and consumers should take note that features involving identity recognition should be carefully scrutinized, particularly as the lines between convenience, surveillance, and privacy become increasingly blurred.
Read more »
Technology
cloud storage security End-to-End Encryption Google Drive encryption Google Drive privacy Google Drive security Technology

Why Privacy-Conscious Users Should Think Twice Before Storing Sensitive Files on Google Drive

 

Google Drive has become an essential tool for millions of users worldwide. Whether it's storing contacts, backing up WhatsApp chats, or saving photos, videos, and important documents, the platform serves as a central hub for digital storage. Its deep integration with Google's ecosystem makes it a convenient choice for Android and Gmail users alike.

However, while Google Drive offers robust security against cyber threats, questions remain about whether it is the best place to store highly sensitive personal information. Documents such as passport scans, banking records, legal contracts, and tax returns may require an additional layer of protection beyond what the service provides by default.

From a security standpoint, Google Drive employs industry-standard safeguards. Data is encrypted while being transferred using TLS protocols, and files stored on Google's servers are protected with AES-128 encryption. Users can further strengthen account security through features like passkeys and two-factor authentication.

The key concern, however, lies in how the encryption system works. Unlike services that provide end-to-end encryption, Google retains control of the encryption keys used to access stored files. This means the company has the technical ability to decrypt and view user data when necessary.

"When you upload a file, Google encrypts it with a unique data encryption key, then encrypts that key with another key it controls, and stores both on its servers. To read the file, Google's systems unwrap the keys on the fly. With true end-to-end encryption, only your device holds the key, so even the service provider sees nothing but scrambled bytes. Google's setup doesn't meet that bar."

As a result, while hackers and unauthorized third parties face significant barriers in accessing files, Google itself can access stored content. Additionally, government agencies or courts may compel the company to share user data through legal processes because Google possesses the necessary decryption keys.

Another privacy consideration is automated content scanning. Google uses systems that review files for policy enforcement purposes, including identifying known illegal content and potential violations of its terms of service. Although the company states that Drive content is not used for advertising purposes, automated systems can sometimes generate false positives, potentially leading to account restrictions or suspensions.

Artificial intelligence is also expanding Google's access to stored data. As Gemini becomes more deeply integrated into Workspace products, it requires permission to analyze files in order to generate summaries and provide contextual assistance. While Google maintains that Drive files are not used to train its general AI models, some privacy advocates argue that increased AI integration broadens the potential exposure of personal information.

"This doesn't mean Google is malicious or will snoop on you. It means the threat model is different from what most people assume. You're not just trusting Google to fend off hackers; you're trusting it never to read, mishandle, or be compelled to share your data."

For users seeking stronger privacy protections, encrypting files before uploading them to Google Drive is often recommended. Applications such as Cryptomator allow users to create encrypted vaults on their devices, ensuring that files remain unreadable to Google. VeraCrypt is another option that enables users to create secure encrypted containers that can be synced to cloud storage services.

Those looking for built-in privacy protections may consider alternative platforms. Services such as Proton Drive, Tresorit, and Sync.com offer end-to-end encryption, ensuring that providers cannot access the contents of user files because they do not possess the decryption keys.

There are trade-offs, however. End-to-end encrypted files often cannot be searched by content, previewed in a browser, or edited collaboratively in the same way as standard cloud storage files. Additionally, users are solely responsible for managing recovery credentials, meaning forgotten passwords may result in permanent loss of access.

For particularly sensitive documents, some users may choose to avoid cloud storage altogether. External hard drives or self-hosted solutions such as Nextcloud can provide greater control over personal data while reducing dependence on third-party providers.

Despite these concerns, Google Drive remains a secure and practical solution for everyday storage needs, including photos, shared documents, and routine work files. The issue is less about security and more about privacy.

"The privacy story shifts when you start storing things that would hurt to lose to a stranger, a Google reviewer, or a court order. For those files, the answer isn't to abandon Drive but to stop treating it as a vault. Encrypt sensitive documents before you upload, or move them to a service that can't read them at all. The few minutes of friction are worth knowing that the most personal pieces of your life aren't sitting on a server with someone else's keys."

For privacy-focused users, the best approach may be to continue using Google Drive for convenience while reserving encrypted storage solutions for highly confidential files.

Read more »
Splinter Groups
Cyber Crime Met Police Ransomware Splinter Groups

Ransomware Gangs Splinter as Cyber Threat Becomes More Volatile

 

Cybercrime is moving through a major reset as the ransomware world shifts away from big, organized cartels and toward smaller, more volatile splinter groups. Speaking at Infosecurity Europe 2026, William Lyne, Head of Economic and Cybercrime at the Metropolitan Police Service, said the underground market has become a highly accessible ecosystem where criminals can buy tools, services, and stolen data with ease. He described it as a place where threat actors can get almost everything they need, except a good drink. 

The biggest driver behind this change is convenience. Cryptocurrencies have removed one of the oldest bottlenecks in cybercrime by making it much easier to cash out illegal profits, while underground marketplaces now provide ransomware kits, phishing services, infrastructure, and support on demand. That lower barrier to entry has blurred the old lines between hacktivists, criminal gangs, and state-linked actors, creating a blended threat environment that is far more crowded and harder to police.

Lyne warned that law enforcement crackdowns are also reshaping the market. When large, centralized groups such as LockBit are disrupted, their affiliates do not disappear; they scatter into smaller factions, each trying to rebuild revenue streams in a less visible way. The result is a more fragmented and “post-trust” criminal scene, where weaker internal controls and looser coordination can make attackers more aggressive, reckless, and unpredictable. 

The threat is also becoming more global. Lyne said the ransomware ecosystem is no longer dominated by traditional Russian-speaking hubs, with actors now emerging from Brazil, Türkiye, and English-speaking groups such as Scattered Spider. At the same time, criminals are increasingly using AI to search through hoarded corporate data, turning old thefts into fresh extortion opportunities and new monetization schemes. 

For police and security teams, the response must go beyond arrests alone. Lyne said the Met Police cannot “arrest its way out” of the problem and instead needs to focus on disrupting infrastructure, weakening trust inside criminal networks, and working more closely with private-sector defenders. In practical terms, that means security teams should expect a ransomware landscape that is smaller in structure but sharper in impact, where fragmented gangs may strike faster and with fewer rules than the cartels they replaced.
Read more »
Meta Security
Cyber Security Cyber Security Ransomware Attacks Cyber Threats Cyberattacks Data Breach Threat data security Hacktivism Meta Meta Security

META Threat Landscape Report Q1 2026: Ransomware, Data Breaches and Hacktivism Rise Across Middle East, Turkey and Africa

 

Early 2026 saw sharper cyber aggression throughout the Middle East, Turkey, and Africa, fueled less by isolated incidents than by coordinated ransomware attacks, politically charged hacking efforts, and repeated exposure of sensitive information. Notably, Cyble's regional analysis highlights how public institutions, financial entities, infrastructure firms, and power providers faced relentless pressure from diverse digital adversaries during those months. Amid shifting tactics, one pattern held steady - attack volume climbed without pause. Early in the year, ransomware kept gaining ground across the region. 

Across META nations, 116 cases came to light between January and March. Leading the list was Turkey, with the UAE trailing just behind. Intrusions hit South Africa and Egypt hard, too - frequent probes and breakdowns marked their networks. Known crews like Gentlemen, INC Ransom, Qilin, Tengu, and LockBit stayed busy through the period. Each group showed steady signs of operation during those months. What stands out is construction being hit hardest, then government offices, police departments, banks, and power companies. Because these sectors manage vital systems and confidential information, they draw hackers aiming to profit or cause chaos. 

Notably, ransomware crews are acting more like businesses - some run subscription-style services so partners can launch attacks faster and wider. Terabytes of sensitive files surfaced online, allegedly pulled from Qatar’s energy infrastructure - login details, cloud backups, all circulating without permission. While ransomware grabbed headlines, leaked datasets kept spreading just beneath the surface. Cyber bazaars active throughout the year moved quietly, swapping access tokens and corporate records like currency. Healthcare providers found themselves exposed. So did hotels, sports leagues, even digital influencers promoting brands. 

A single hacker boasted control over massive archives - one claim among many. State agencies showed up repeatedly in breach reports, their systems probed by actors with unclear allegiances. Motives varied: some sought profit, others appeared driven by surveillance goals or national interests. What stands out is how often attackers used known weaknesses to break into systems. Soon after flaws became public, they appeared in hacking attempts - some quickly listed by CISA as actively abused. Targeting focused heavily on corporate networks, defensive software, besides services open to the web. 

One standout issue involved Ivanti’s mobile management tool, where a severe bug allowed remote control without login verification. Access like that remains appealing; it skips the need to harvest passwords entirely. Throughout Q1 2026, hacktivism stayed prominently in view. A steady flow of leaked data, altered websites, and network floods hit thousands of online addresses in the META area. Tied closely to simmering global conflicts, especially around Israel and Iran, these actions grew more frequent. Rather than just causing outages, they began serving as tools to push narratives into online conversations. Digital platforms turned into stages where cyber acts echoed real-world disputes. 

Though quiet at first glance, new data from Cyble’s META Threat Landscape Report reveals how quickly digital dangers shift when crime blends with global tensions. Where politics and networks meet, risks climb - especially for firms tied to essential services or disputed industries. Instead of waiting, many now see value in tracking hidden signals, patching weaknesses faster, not just reacting after breaches occur. 

As hostile actors refine methods across the Middle East, Africa, Turkey, and Asia, one thing becomes clear: staying ahead means seeing more, acting sooner, adjusting constantly.
Read more »
Subscribe to: Posts (Atom)