Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Telus Digital Faces Scrutiny Following Claims of Large-Scale Data Extraction

 



Canadian outsourcing and digital services firm Telus Digital has confirmed that it experienced a cybersecurity incident after threat actors alleged they had extracted an enormous volume of data, estimated at nearly one petabyte, over a prolonged period of unauthorized access.

Telus Digital operates as the outsourcing and digital solutions division of Telus. The company provides services such as customer support, content moderation, artificial intelligence data operations, and other business process outsourcing functions to organizations around the world. Because firms in this sector often manage customer interactions, billing systems, and internal authentication tools on behalf of multiple clients, they are frequently targeted by attackers aiming to gain access to large datasets through a single compromise.

The breach has been linked to a threat group known as ShinyHunters, which claims it obtained a wide range of customer-related data connected to Telus Digital’s outsourcing services, along with call records tied to Telus’ consumer telecommunications operations.

Reports about a possible breach had surfaced earlier this year, and inquiries were made to the company at the time, though no response was received then. Telus has now acknowledged the incident, stating that it is investigating what information may have been accessed and which customers could be affected.

In its official statement, the company said unauthorized access was identified in a limited number of systems. It added that immediate steps were taken to contain the activity and prevent further intrusion. Telus also stated that its operations remain fully functional, with no evidence of disruption to customer connectivity or services. The company confirmed that external cyber forensics specialists have been engaged and that law enforcement authorities are involved. It further noted that additional safeguards have been implemented and that affected customers will be notified where appropriate.

Sources indicated that the attackers attempted to extort the company, but Telus did not engage in communication with them.


Attack Method and Data Exposure Claims

After learning that the company was not negotiating, the attackers were contacted for further details regarding the incident.

According to their claims, the intrusion began with access to Google Cloud Platform credentials that were previously exposed in data linked to the Salesloft Drift breach. In that earlier incident, attackers extracted Salesforce data belonging to approximately 760 organizations, including customer support tickets. These records were then examined to locate credentials, authentication tokens, and other sensitive information, which could be reused to access additional systems.

The threat actors stated that they identified credentials associated with Telus within that dataset. These credentials allegedly enabled them to access multiple internal systems, including a large BigQuery data environment. After extracting initial data, they reportedly used the tool trufflehog to scan for further secrets, allowing them to expand their access into additional parts of the company’s infrastructure.

The group claims that the total amount of data taken is close to one petabyte, though this figure has not been independently verified. They also shared the names of 28 well-known companies that they allege were affected. However, these claims have not been confirmed, and the identities of those organizations remain undisclosed.

The data described by the attackers covers a wide range of business operations. This includes information related to customer support services, call center activities, agent performance metrics, AI-powered support systems, fraud detection mechanisms, and content moderation processes. In addition, they claim to have accessed source code, financial records, Salesforce data, background verification documents, and recordings of customer service calls.

The breach is also said to affect Telus’ telecommunications operations, particularly its consumer fixed-line services. The allegedly exposed data includes detailed call logs, voice recordings, and campaign-related information. Samples of these call records reportedly contain timestamps, call durations, originating and receiving numbers, and technical metadata such as call quality indicators.

Overall, the nature of the exposed data appears to vary significantly depending on the organization, indicating that multiple business functions across different clients may have been impacted.

The attackers stated that they began extortion attempts in February, demanding $65 million in exchange for not releasing the stolen data. The company did not respond to these demands.

Telus has indicated that further updates may be provided as its investigation progresses.


Who Are ShinyHunters

The name ShinyHunters has been associated with various individuals and cyber incidents over time, but the group currently operating under this identity has emerged as one of the more active data extortion actors in recent months. Their operations have largely focused on compromising cloud-based platforms, particularly those connected to enterprise software ecosystems.

The group has been linked to incidents involving major organizations such as Google, Cisco, and Match Group, among others.

More recently, their tactics have expanded to include voice phishing, or vishing, attacks. In these cases, employees are contacted by individuals posing as IT support staff and are persuaded to reveal login credentials or multi-factor authentication codes through fraudulent websites. The group has also been observed using device code phishing techniques to obtain authentication tokens linked to identity platforms such as Microsoft Entra.

Once valid credentials and authentication codes are obtained, attackers can take control of single sign-on accounts and gain access to interconnected enterprise services, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.


Security Implications

This incident reflects a broader trend in which attackers reuse previously stolen data to launch new intrusions. It also highlights the elevated risk associated with outsourcing providers that centralize sensitive operations for multiple organizations.

Cybersecurity experts increasingly note that modern attacks often occur in stages, where one breach creates opportunities for subsequent compromises. As businesses continue to rely on cloud platforms and third-party service providers, the potential scale and impact of such incidents continue to grow.

The situation is currently under investigation, and additional verified details are expected as more information surfaces.

AiLock Ransomware Hits England Hockey: 129GB Data Breach Under Probe

 

England Hockey, the national governing body for field hockey in England, is grappling with a serious cybersecurity incident as the ransomware group AiLock claims responsibility for stealing 129GB of sensitive data.The organization, which supports over 800 clubs, 150,000 players, and thousands of coaches and officials, confirmed it is investigating the potential breach alongside law enforcement to assess system compromises and data impacts. AiLock listed England Hockey on its data leak site, threatening to publish the stolen files unless a ransom is paid, following a classic double-extortion tactic. 

This attack highlights the growing menace of ransomware targeting sports organizations, where vast databases of member information become prime targets.AiLock, a ransomware operation first observed in 2025 and documented by Zscaler researchers, employs sophisticated methods including ChaCha20 and NTRUEncrypt encryption, appending .AILock extensions to files and dropping ransom notes across directories.The group pressures victims with strict deadlines—72 hours to start negotiations and five days for payment—or faces data leaks and recovery tool destruction, often exploiting privacy law violations for leverage. 

England Hockey has prioritized data security in its response, engaging internal teams and external cybersecurity experts to evaluate the breach's scope amid ongoing uncertainty. While specifics on affected data remain undisclosed due to the investigation, the sheer volume of 129GB suggests potential exposure of personal records, club details, and operational files. The organization emphasized that understanding any data impacts is its top priority, urging caution without commenting further. 

Ransomware incidents like this expose organizations to immediate and secondary risks, including phishing, credential theft, and social engineering attacks fueled by leaked data claims. Sports bodies, often resource-constrained compared to corporate giants, face heightened vulnerabilities as cybercriminals increasingly target non-profits with high-profile memberships.AiLock's rise in 2025-2026 underscores a trend of newer groups adopting aggressive playbooks to infiltrate networks, exfiltrate data, and encrypt systems swiftly. 

As England Hockey navigates this crisis, the episode serves as a stark reminder for enhanced cybersecurity in amateur and community sports sectors. Proactive measures like regular backups, multi-factor authentication, and employee training could mitigate future threats, preventing disruptions to grassroots programs. With global warnings of AI-driven attacks on sporting events rising, swift collaboration with authorities may limit damage and deter further extortion. Ultimately, transparency post-investigation will be key to rebuilding trust among its vast community.

Global Law Enforcement Disrupts SocksEscort Proxy Network Powered by AVRecon Malware

 

Federal and regional police units, working alongside independent digital security experts, took down the SocksEscort hacking infrastructure. This setup used hacked gateway gadgets - infected by AVRecon - to route illicit online traffic through hidden channels. 

A team at Black Lotus Labs, under Lumen Technologies, aided the takedown operation together with officials from the U.S. Department of Justice. Over multiple years, authorities found the proxy system kept around twenty thousand compromised gadgets active weekly - revealing both reach and staying power. 

SocksEscort first came into view back in 2023, though signs point to activity stretching well beyond ten years. Operation relied on offering entry to seemingly legitimate IP addresses - pulled from home and office network devices. Because these connections appeared ordinary, users could mask malicious data flows under normal ISP cover. Detection tools often failed, misled by the everyday digital footprint left behind. 

By early 2026, authorities reported the system had provided entry to vast numbers of IP addresses across its lifespan. Nearly 8,000 compromised routers remained operational at that point. Within the U.S., roughly a quarter of those devices were found scattered throughout the country. Though focused on one case, the ripple effects touched various forms of monetary misconduct. 

A trail led authorities to connect SocksEscort with nearly $1 million siphoned from digital wallets belonging to someone in New York. Separate findings showed about $700,000 lost due to deceptive schemes targeting an industrial company based in Pennsylvania. Victims among American military personnel also faced damage after personal banking records were breached, adding further strain. 

Dozens of domains and servers linked to the network were seized across Europe through joint efforts steered by Europol. Backing came from law enforcement agencies in Austria, France, and the Netherlands. Around $3.5 million in digital currency was blocked during the course of the mission. What powered the entire operation was AVRecon, a form of malicious software aimed at Linux-run home and small office routers. 

By June 2023, it had taken hold on over seventy thousand machines, forming a vast network of hijacked devices. This network served one purpose: strengthening the reach of SocksEscort. Analysts found something unusual - none of the affected IPs showed up in unrelated botnet activity, pointing toward tightly managed usage. Despite setbacks during early 2023 that briefly disrupted operations through severed command channels, the group managed recovery by reconstructing systems. Control returned via decentralized nodes rather than a single hub. Activity restarted months afterward with modified communication pathways. 

Early in 2025, more than 280,000 distinct IP addresses got caught up in the activity. Although infections spread globally, those based in the U.S. and the U.K. stood out - due to their appeal in hiding harmful network behavior. Outdated routers should be swapped out, many professionals suggest. Firmware updates come next on the list for staying protected. Default login details? Better revise them promptly. Remote functions that go unused tend to invite trouble - shutting those off helps block intrusions. Reducing exposure often begins with these small shifts. 

A single operation reveals how digital crime groups using hidden relay systems are expanding their reach. Global teamwork across borders proves essential to weaken such operations.

Deceptive VPN Websites Become Gateway for Corporate Data Theft


 

The financial motivation of a threat group tracked by Microsoft as Storm-2561 has been quietly exploiting the familiarity of enterprise VPN ecosystems in a campaign intended to demonstrate how easy it is to weaponize trust in routine IT processes. 

Rather than rely solely on technical exploits, this group has adopted a more insidious approach that blends search engine manipulation with near-perfect impersonations of popular VPN products from companies such as Check Point Software Technologies, Cisco, Fortinet, and Ivanti.

Storm-2561 has been active since May 2025 and is representative of an emerging class of cyber criminals that prioritize deception over disruption, leveraging SEO poisoning techniques to ensure fraudulent download pages appear indistinguishable from legitimate vendor resources. As a result of this strategy, malicious VPN installers have been positioned at the top of search results since mid-January, effectively transforming a routine search into an attack vector. 

Users looking for common enterprise tools such as Pulse Secure are directed to convincingly spoofed websites instead of real-world enterprise tools. By blurring the distinction between legitimate software distribution and carefully orchestrated credential theft, the campaign extends its reach to SonicWall, Sophos, and WatchGuard Technologies products. 

With the foundation of this initial access vector, the operation displays a carefully layered deception system capable of withstanding moderate user scrutiny. As a result of poisoning search engine results for queries such as "Pulse Secure client" or "Pulse VPN download," attackers ensure that fraudulent vendor portals occupy prime visibility, effectively intercepting users at the point of intent by poisoning search engine results. 

A lookalike site designed to replicate legitimate branding and user experience is used to deliver malware rather than authentic software as a channel for malicious payloads. When victims attempt to download software, they are directed to ZIP archives hosted on public code repositories, which are resembling trusted VPN clients while trojanized installers are deployed. 

The installer initiates a multistage infection chain when executed, dropping files into directories corresponding to actual installation paths and using DLL side-loading techniques to introduce malicious components into the system silently. Hyrax infostealer is an example of such a payload. Specifically designed to extract VPN credentials and session data, this payload is then exfiltrated to the threat actor's infrastructure. 

Further reducing suspicion and bypassing conventional security controls, the malicious binaries were signed using a genuine digital certificate issued by Taiyuan Lihua Near Information Technology Co., Ltd, an approach that lends the malicious binaries a sense of authenticity and makes detection more difficult. 

Despite its revoked validity, the certificate illustrates the increasing abuse of trusted code-signing mechanisms throughout the threat landscape. The campaign, as noted by Microsoft in their findings, demonstrates a broader shift toward combining social engineering with technical subversion, in which attackers do not need to breach hardened perimeters directly but instead manipulate user behavior and trust in widely used enterprise tools to accomplish the same objective. 

In analyzing the intrusion chain in greater detail, it is evident that a carefully orchestrated execution flow was designed to appear comparable to legitimate software behavior. As documented, victims of the malicious attack are directed to a now-removed repository that hosts a compressed archive that contains a counterfeit VPN installer in the form of an MSI file. 

Upon execution of the installer, Pulse.exe is installed within the standard %CommonFiles%/Pulse Secure directory, accompanied by additional components such as a loader (dwmapi.dll) and a malicious module known as the Hyrax infostealer (inspector.dll). As a result of incorporating itself into a directory structure consistent with authentic installation, the malware utilizes side-loading of DLL files in order to ensure that the payload is executed under the guise of trusted applications. 

There is also a convincing replica of the Pulse Secure login screen provided by the rogue client, leading users to enter their credentials under the assumption that an authentication process is standard. In place of establishing a VPN session, the application intercepts these inputs and transmits them to the attacker-controlled infrastructure, along with additional sensitive data, such as VPN configuration information obtained from the connectionstore.dat file located in the C:/ProgramData/Pulse Secure/ConnectionStore location. 

A once-valid certificate issued by Taiyuan Lihua Near Information Technology Co., Ltd. was used to sign the malicious binaries, further bolstering the perception of their legitimacy. After credential harvest, evasion mechanisms are employed immediately in order to maximize evasion. This application displays a plausible installation error instead of maintaining persistence or creating obvious system anomalies, which subtly attributes the failure to benign technical problems. 

After receiving the genuine VPN client, users are redirected -often automatically - to the official vendor website. By redirecting traffic post-exploitation, the likelihood of being detected is significantly reduced, as successful installation of legitimate software masks the compromise completely, thereby obscuring any immediate suspicions from the standpoint of the user. 

Microsoft disclosed that the campaign is accompanied by a defined set of indicators of compromise and defensive guidance, highlighting the need to pay close attention to software sourcing, code signing validation, and anomalous installation behaviors in enterprise environments. 

In the end, the campaign emphasizes the necessity for organizations to reconsider how trust is established within the everyday operation of their business processes as a broader defensive imperative.  A security team should extend their awareness efforts beyond user awareness and enforce stricter controls regarding the acquisition of software, including limiting downloads to trusted sources, implementing application allowlistings, and validating digital signatures against trusted certificate authorities. The monitoring of anomalous process behavior, especially side loading patterns of DLLs and unexpected outbound connections, will lead to earlier detection. 

The adoption of multi-factor authentication and conditional access policies, among other phishing-resistant authentication mechanisms, is equally critical to minimize credential exposure consequences. According to Microsoft, these types of attacks focus less on exploiting technical weaknesses and more on exploiting implicit trust, which makes using zero-trust and layered verification principles essential to reducing organizational risk.

AI Actress Tilly Norwood's Controversial Oscars Music Video Sparks Debate

 

Tilly Norwood, billed as the world's first AI-generated actress, has released a new music video titled "Take The Lead" just ahead of the Oscars, promoting AI's role in entertainment. Created by Particle6 Group's Xicoia division under CEO Eline van der Velden, the video features Norwood singing pro-AI lyrics like "AI’s not the enemy, it’s the key" while riding a pink flamingo and performing in stadiums.Despite claims of 18 human collaborators, including costume designers and prompters, the project has drawn sharp criticism for its uncanny visuals and generic composition. 

The video's launch ties into Hollywood's awards season, with Norwood teasing an Oscars appearance in the caption: "Can’t wait to go to the Oscars! Does anyone know if they have free valet parking for my flamingo?" However, view counts remain low, hovering around 4,000 to 23,000 shortly after upload, with comments largely mocking its lack of "human spark."Norwood's social media reflects uneven popularity: nearly 90,000 Instagram followers but under 4,000 YouTube subscribers and just 3 on TikTok. 

Lyrics drawn from van der Velden's essay defend AI creativity, with lines like "When they talk about me, they don’t see the human spark" amid visuals of falling dollar bills with garbled symbols. Critics highlight the "standard AI sheen" where details falter under scrutiny, questioning if it truly showcases innovation. Particle6 positions this as part of the expanding "Tillyverse," a digital universe for AI characters, recently bolstered by hires like Amazon's Mark Whelan for strategy. 

Backlash has been fierce since Norwood's 2025 debut. SAG-AFTRA condemned her, actors threatened boycotts of agencies "signing" her, and outlets like The Guardian slammed early projects like "AI Commissioner." Even supporter Kevin O’Leary misnamed her "Norwell Tillies" while advocating AI replace background actors.Particle6 insists on building AI-human collaborations, but no major film or TV roles have materialized beyond short content. 

As the Oscars approach, Norwood's stunt underscores AI's disruptive potential in Hollywood, blending hype with hostility.While Particle6 eyes a "Scarlett Johansson of AI," industry resistance persists amid fears of job losses. The "Tillyverse" launch later this year could escalate tensions, forcing a reckoning on AI's creative boundaries.

Stryker Hit by Major Cyberattack as Hacktivist Group Claims Wiper Malware Operation

 

A major cybersecurity breach hit Stryker, the international medical tech company, throwing operations into disarray across continents. Claiming responsibility is a hacktivist faction supportive of Palestine, said to have ties to Iranian networks. Outages spread quickly through digital infrastructure after the intrusion became active. Emergency protocols were activated by staff as normal workflows collapsed without warning. 

Following the incident, blame was placed on Handala - a collective that openly admitted initiating a cyberattack involving destructive software aimed at Stryker’s infrastructure. Data removal affected numerous devices throughout the organization's environment. From those systems, about 50 terabytes containing confidential material were copied before transmission outside secure boundaries. 

Even though confirmation remains absent, whispers among workers stretch from Dublin to San Jose, pointing at chaos. Over two hundred thousand gadgets - servers mostly, but also handheld units - supposedly vanished under digital assault, according to Handala. Operations froze in clusters of buildings scattered through nearly thirty nations. Evidence trickles in from office staff in Perth, San José, Cork, and beyond, painting a fractured picture of stalled systems. 

One moment staff noticed work phones wiped without warning. Then came reports of private gadgets - once linked to office networks - suddenly cleared too. Afterward, guidance arrived: uninstall every business-related app. Tools meant to manage phones, along with messaging software tied to the organization, had to go. Removal became expected across all equipment. Work slowed in certain areas when digital tools went offline, pushing staff toward handwritten logs instead. With networks down, employees handled tasks by hand until technology recovered. 

A breach within Stryker’s Microsoft-based network led to widespread IT outages worldwide, as disclosed in a regulatory document. Right after spotting the problem, the firm triggered its internal cyber crisis protocol. Outside specialists joined the effort soon afterward - helping examine and limit further damage. Even though the disturbance was serious, Stryker said it found no signs of ransomware and thinks the situation is now under control. Still, the company admitted work continues to restore systems, without saying when operations will return fully. 

Yet completion remains uncertain despite progress so far. Emerging in late 2023, Handala already shows patterns of focusing on Israeli entities - using tactics that pair information exfiltration with damaging software meant to erase digital traces. Public exposure of obtained files forms a consistent part of their method, typically done via web-based disclosure channels. Though relatively new, its actions follow a clear playbook centered around visibility and disruption. 

Amid rising global tensions, a fresh assault emerges - tied to surging digital threats fueled by ongoing regional disputes. Noted specialists stress these events reveal a shift: large-scale interference now walks hand-in-hand with widespread information theft. While conflict zones heat up offline, their shadows stretch deep into network spaces. With Stryker rebuilding its digital infrastructure, the event highlights how sophisticated cyberattacks increasingly endanger vital sectors - healthcare and medtech among them - where uninterrupted function matters most.

Can a VPN Protect Your Privacy During Age Verification? A Complete Breakdown

 



The heightened use of age verification systems across the internet is directly influencing how people think about online privacy tools. As more governments introduce these requirements, interest in privacy-focused technologies is rising in parallel.

Age verification laws are now being implemented in multiple countries, requiring millions of users to submit personal and often sensitive information before accessing certain websites, particularly those hosting adult or restricted content. While policymakers argue that these rules are necessary to prevent minors from being exposed to harmful material, critics continue to highlight the serious privacy risks associated with handing over such data.

Virtual Private Networks, commonly known as VPNs, are widely marketed as tools designed to protect user privacy and secure online data. In recent months, there has been a noticeable surge in VPN adoption in regions where age verification laws have come into force. This trend was particularly evident in the United Kingdom and the United States during the latter half of 2025, and again in Australia in March 2026.

However, whether VPNs can truly protect users during age verification processes is not a simple yes-or-no question. Their capabilities are limited in certain areas, and understanding both their strengths and weaknesses is essential.


What VPNs Can Protect

At a fundamental level, VPNs work by encrypting a user’s internet connection, which prevents third parties from easily observing online activity. This includes internet service providers, network administrators, and in some cases, government surveillance systems.

When a VPN connection is active, external observers are generally unable to determine which websites or applications a user is accessing. In the context of age verification, this means that third parties monitoring network traffic will not be able to tell whether a user has visited a platform that requires identity checks, provided the VPN is properly configured.

Certain platforms, including X (formerly Twitter), Reddit, and Telegram, have introduced age verification requirements in specific regions. Many adult websites have implemented similar systems.

In addition to hiding browsing activity, VPNs also encrypt the data being transmitted. This ensures that any information entered during the verification process cannot be easily intercepted by external parties while it is in transit. Even after the verification step is completed, ongoing internet activity continues to be routed through the VPN’s secure tunnel, maintaining a level of privacy.

Modern VPN services are also evolving into broader cybersecurity platforms. Leading providers such as NordVPN, Surfshark, and ExpressVPN now offer additional tools beyond basic encryption. These may include password management systems, encrypted cloud storage, antivirus protection, and identity theft monitoring services.

Some of these services also provide features such as dark web monitoring, financial compensation options in cases of identity theft, credit tracking, and access to support teams that assist users in resolving security incidents. These added layers can help reduce the impact if personal data submitted during an age verification process is later exposed or misused.

One of the central criticisms of age verification systems is the cybersecurity risk they introduce. In this context, advanced VPN subscriptions can offer tools that help users respond to potential data breaches, even if they cannot prevent them entirely.


What VPNs Cannot Protect

Despite their advantages, VPNs are not a complete solution for online anonymity. They do not eliminate all risks, nor do they make users invisible.

In the case of age verification, a VPN cannot prevent the verification provider from accessing the information that a user voluntarily submits. Organizations such as Yoti, Persona, and AgeGo are responsible for processing this data. These companies will still be able to view, verify, and in many cases temporarily store personal details.

Typical verification methods require users to submit sensitive information such as credit card details, government-issued identification documents, or biometric inputs like selfies. This data is directly accessible to the verification service, regardless of whether a VPN is being used.

Data retention practices vary between providers. For example, Yoti states that it deletes user data immediately after verification unless further review is required. In cases where manual checks are necessary, the data may be retained for up to 28 days.

The longer personal information remains stored, the greater the potential risk to user privacy and security. This concern has already been validated by real-world incidents. In October 2025, Discord experienced a data breach in which attackers accessed information related to users who had requested manual reviews of their age verification results.

It is important to understand that any personal data submitted online can potentially be used to identify an individual. The use of a VPN does not change this fundamental reality.


Why VPN Interest Is Increasing

The expansion of age verification systems has given rise to public awareness of online privacy issues. As a result, many users are exploring VPNs as a way to better protect themselves.

At the same time, some individuals are attempting to use VPNs to bypass age verification requirements altogether. This is typically done by connecting to servers located in countries where such laws have not yet been implemented. However, this approach is not consistently reliable and does not guarantee success, as many platforms use additional verification mechanisms beyond geographic location.


Final Considerations

VPNs remain an important tool for strengthening online privacy, particularly when it comes to protecting browsing activity and securing data in transit. However, they are not a complete safeguard against all risks associated with age verification systems.

Users should also be cautious when choosing a VPN provider. Many free services operate on business models that involve collecting and monetizing user data, which can undermine privacy rather than protect it. In contrast, reputable paid VPN services generally offer stronger security features and more transparent data handling practices.

Among paid options, some lower-cost services are widely marketed to new users entering the VPN space. For instance, Surfshark has been advertised at approximately $1.99 per month under long-term plans, while PrivadoVPN has promoted multi-year subscriptions priced near $1.11 per month.

However, pricing alone should not be the deciding factor. Security architecture, logging policies, and transparency practices remain far more critical when evaluating whether a VPN service genuinely protects user privacy. While VPNs can reduce certain risks, they cannot fully protect personal information once it has been directly shared with a verification service.



Ransomware Attack Hits South Africa’s Land Bank, Hackers Demand Bitcoin Payment

 



South Africa’s Finance Minister Enoch Godongwana has disclosed that the Land and Agricultural Development Bank of South Africa was targeted in a ransomware incident earlier this year.

The cyberattack took place on January 12, according to official confirmation.

Details of the breach were made public through a parliamentary response after Adil Nchabeleng requested clarification on how the incident occurred, which systems were impacted, and whether the attackers issued any ransom demands.

In his response, the Minister stated that the attackers demanded 5 Bitcoin, estimated to be worth around R5.4 million. The bank chose not to comply with this demand. He further confirmed that core banking infrastructure and data related to farmers were not accessed or compromised.

Initial investigations revealed that suspicious activity was detected within certain parts of the bank’s IT environment. Further analysis suggested that an external party gained entry by exploiting a vulnerability in an internet-facing server. Following this, ransomware was deployed, leading to encryption of portions of the bank’s server systems as well as several employee laptops.

The attack specifically affected servers operating within virtual environments that run on Microsoft systems. Authorities have identified the perpetrators as part of a Ransomware-as-a-Service group, indicating the use of commercially distributed ransomware tools.

In response to the breach, the bank acted swiftly to contain the damage. Affected systems were isolated, indicators of compromise were removed, and additional security measures were implemented to strengthen defenses.

Officials emphasized that critical platforms, including enterprise resource planning systems, core banking infrastructure, and customer relationship management tools, were not accessed. This was attributed to the fact that the SAP environment is maintained separately from other server systems, providing an additional layer of protection.

However, other parts of the IT environment were significantly impacted. Systems outside the SAP infrastructure were either encrypted or rendered inaccessible to staff, and multiple laptops were also locked by the ransomware.

The attackers reportedly demanded payment in Bitcoin in exchange for restoring access to data and refraining from releasing any stolen information. Despite this, the bank confirmed that it did not make any ransom payment.

During the recovery phase, the bank continued to isolate affected environments, remove malicious traces, and enhance its cybersecurity posture. This included strengthening firewall configurations, patching known vulnerabilities, and improving detection mechanisms to better respond to future threats.

This incident follows a series of cyberattacks affecting organizations in South Africa. In May of the previous year, South African Airways experienced a major cyber disruption that affected its website, mobile application, and several internal systems. Immediate steps were taken at the time to reduce the impact on flight operations and customer services.

The Land Bank attack sheds light on the increasing frequency of ransomware incidents targeting key institutions. It also underscores the importance of proactive cybersecurity measures, including system segmentation, timely updates, and continuous monitoring to prevent and mitigate such threats.

Large Scale Data Breach at Conduent Hits 25 Million Users Nationwide


 

A central component of public service delivery, Conduent is entrusted with the invisible yet indispensable machinery that keeps the system running from healthcare eligibility systems to benefits administration, and occupies a unique position at the intersection of government operations and private data stewardship. This centrality, however, is the subject of recent scrutiny.

Several months ago, from October 2024 to January 2025, a covert intrusion occurred within the organization's network, resulting in the exfiltration of at least 25 million individuals' personal data. It was not simply routine identifiers exposed in the breach; it also compromised information related to Medicaid and SNAP programs as well as Social Security numbers. 

Modern digital infrastructure faces a sobering reality in light of the incident: the fallout of compromised organizations that are responsible for managing critical public services extends far beyond corporate boundaries, putting millions of individuals at risk for years to come. In the subsequent disclosures, it has been established that the scope of the compromise has been clarified, suggesting a much greater impact than was initially anticipated. 

Approximately 25 million individuals in the United States were affected by the breach, according to a February update provided by the Wisconsin Department of Agriculture, Trade and Consumer Protection, thereby cementing the incident's ranking as one of the most consequential data breaches in recent history.

There appears to have been sustained access to internal systems during the period late 2024 to early 2025, as determined by forensic assessments. There are multiple layers of personally identifiable and regulatory information that have been exfiltrated during this period, including full names, social security numbers, insurance records, and sensitive medical information. 

Observing the nature and composition of the compromised information, it appears that the attackers were not merely opportunistic, but also understood the value embedded within aggregated service provider environments, where administrative, healthcare, and benefits data are converged to create highly lucrative targets. In light of Conduent's operational footprint, it becomes more apparent that the incident has scale and systemic implications. 

By 2019, the company reported serving over 100 million people across the United States with its services, while maintaining relationships with the majority of Fortune 100 companies and hundreds of government agencies. Considering that public-sector programs and private enterprise workflows are integrated in such an extensive way, one may understand why the affected population appears to be fragmented and unrelated.

As part of Conduent's administrative processes, the company processes state-run benefit programs, such as Medicaid and the Supplemental Nutrition Assistance Program, across a multitude of states, as well as document handling, payment processing, and claims support for healthcare providers and insurers, including Blue Cross Blue Shield networks. 

A significant portion of the Volvo Group's workforce is exposed to this virus through its corporate services division, which also involves large-scale workforce management. This virus has also been confirmed to affect employees connected with major industrial organizations, including several segments of the Volvo Group workforce. There is a strong correlation between the intrusion and the SafePay ransomware group, which publicly claimed responsibility following the breach, suggesting a financially motivated operation with an emphasis on data exfiltration and extortion. 

As a result of the compromised dataset, this incident exceeds the traditional narrative of ransomware. In regulatory disclosures and notification communications, it is reported that the exfiltrated information consists of a dense accumulation of personally identifiable and protected health information, including full legal names, residence information, date of birth, Social Security numbers, and detailed insurance and medical records. 

Since Conduent serves as an intermediary processor, many of those affected may not have been directly connected with the company, which highlights an opacity in third-party data ecosystems, which routinely transmit sensitive information to vendor-controlled environments without the knowledge of end users due to the company's role as an intermediary processor. As a result of its expanding scope, as well as its long-term risk profile associated with the data exposed, this breach is distinguishable from previous disclosures. 

An initial estimate of approximately 10 million affected individuals has since more than doubled, illustrating the delay in visibility often associated with third-party compromises as downstream entities gradually become aware of their vulnerabilities.

In addition, by including immutable identifiers such as Social Security numbers with medical and insurance data, the introduction of long-term vectors for identity fraud, medical exploitation, and precision-targeted social engineering campaigns is greatly enhanced. 

The incident highlights a persistent blind spot in organizational security strategies: breaches originated within vendor infrastructure often go unnoticed by the organizations that rely on them, thereby making it difficult for them to respond appropriately and to hold vendors accountable. Hence, the appearance of breach notifications from an unfamiliar service provider does not represent an anomalous occurrence, but rather indicates the degree to which modern data processing ecosystems are becoming increasingly interconnected and vulnerable. 

A series of remedial measures have been implemented by Conduent following the disclosure in order to mitigate downstream risk for affected individuals, including providing free identity monitoring services to consumers and setting up dedicated support channels. Several state-level advisories, including those issued by the Wisconsin Department of Agriculture, Trade, and Consumer Protection, indicate that call center infrastructure has been activated to assist affected residents. 

However, officials and cybersecurity experts have emphasized that large-scale breach notifications frequently attract opportunistic fraud campaigns, in which attackers attempt to exploit public awareness by using phishing and impersonation techniques. People are advised to independently verify enrollment links and communication channels-preferably via state notices or hotlines-before providing sensitive identifiers. 

The company is also being subjected to increased regulatory scrutiny in addition to its response efforts. Investigations conducted by multiple state attorneys general are ongoing, as well as an internal review conducted by the company. 

According to Conduent's form 10-K filing with the Securities and Exchange Commission for 2025, evidence of active misuse of the compromised data has not been uncovered to date. Since the affected datasets are large, highly sensitive, and widely distributed, the absence of immediate exploitation does not significantly reduce long-term risk exposure, as regulators seek greater transparency, and affected parties pursue accountability through the courts, it is widely anticipated that disclosures, supplemental notifications, and legal proceedings will occur in the aftermath of the incident, prolonging its lifecycle well beyond its initial discovery. 

As well as its immediate impact, the incident illustrates the systemic risks that are embedded within third-party ecosystems, which can undermine even robust internal defenses due to vulnerabilities resulting from external dependences. 

As a result, organizations linked to service providers such as Conduent are exposed to the same threat surface. Therefore, a more detailed and continuously enforced vendor security posture is necessary.  It is critical to develop tightly scoped access controls on an operational basis, ensuring that third parties are given only the minimal permissions necessary to access the system and data, which are ideally controlled by just-in-time authentication methods. 

Using segmentation strategies, including demilitarized zones and isolated environments, further reduces the possibility of lateral movement from a compromised partner environment. These measures can be enhanced by implementing application allowlisting and execution controls which can prevent unauthorized tools from being deployed after a compromise, which is often the basis for post-compromise escalation. 

Increasingly, organizations are required to adopt continuous validation frameworks that monitor access to regulated datasets in real time, as opposed to periodic audits. It is important that vendors adhere to defined security baselines, breach disclosure timelines, and audit rights as stipulated in their contracts, and that data volumes and sensitivity are minimized wherever possible as a means of reducing security risks. 

To reconstruct attack paths and meet regulatory expectations in the event of an incident, robust logging and telemetry, designed for forensic readiness, remains critical. During this period, security operations and incident response teams must maintain close monitoring of vendor-linked authentication patterns and data access patterns in order to take prompt action, such as revocation of credentials or isolation of compromised endpoints at the onset of an attack.

In terms of executive level security strategy, the breach underscores the need to embed third-party risk into a multi-layered security strategy rather than treating it as a peripheral issue. Controls such as application allowlisting, formalized third-party risk management programs, which continuously evaluate partner security posture are among the steps required to ensuring cross-functional coordination, and implementation of standardized third-party risk management programs. 

A breach such as the one experienced by Conduent illustrates the fact that resilience in a profoundly interconnected digital infrastructure is no longer confined solely to internal controls, but is determined by the collective security discipline of every organization within it. This incident indicates that organizations need to rethink how trust is distributed across digital ecosystems in order to avoid further occurrences. It is no longer sufficient to consider security as a boundary confined within enterprise perimeters; it must be continuously validated across all external dependencies that process, store, or transmit sensitive data. 

A shift toward verifiable trust models, increased supply chain visibility, and enforceable accountability mechanisms is required to address this issue that extend beyond contractual assurances into measurable technical controls. As well as proactive resilience, it is vital to rigorously test detection, containment, and recovery capabilities against realistic scenarios of third-party compromise. 

It is anticipated that regulatory expectations will continue to evolve, and threat actors will continue to exploit aggregation points within service-driven architectures. Thus, organizations with a focus on transparency, continuous assurance, and coordinated response mechanisms will be better able to survive cascading breaches from afar.

Microsoft Unveils ‘Copilot Cowork’ to Push Agentic AI Into the Workplace

 

Microsoft is intensifying its efforts to capture consumer attention in the AI space, where rivals like ChatGPT and Gemini have gained significant traction. On Monday, the company introduced a fresh set of “agentic” AI updates, with its most notable addition being Copilot Cowork.

Developed in partnership with Anthropic, Copilot Cowork is designed to function as an autonomous digital assistant. Similar in concept to Anthropic’s Claude Cowork, it can access data from files, emails, and calendars to independently carry out tasks without requiring constant human input. From generating spreadsheets to conducting research and compiling reports, the tool aims to act like a true workplace collaborator.

"Cowork is the new chat. It's the new way of interacting with AI," said Charles Lamanna, Microsoft’s president of business applications and agents. He emphasized the shift from interactive AI usage to full task delegation, adding, "With chat, you're babysitting every step -- this is much more like 'fire and forget' with Cowork to get the job done."

Lamanna shared a personal use case where he employed Copilot Cowork to evaluate his meeting schedule over the next three months. By analyzing his emails and calendar, the AI identified meetings that might not require his presence and presented the findings in a clear chart. After his review, the system declined certain meetings and attached AI-generated summaries when necessary. He described the 40-minute process as "delightful and practical," noting that it saved both him and his executive assistant several hours.

Currently available as a limited research preview, Copilot Cowork is part of a broader push by Microsoft into agent-based AI. The company also announced that its AI agent management platform, Agent 365, will become widely available starting May 1. This platform enables organizations to monitor and manage multiple AI agents used across workflows. Microsoft revealed it has already created over 500,000 AI agents internally using this system. Additionally, new AI models from both Anthropic and OpenAI will be integrated into Copilot, signaling Microsoft’s neutral stance amid increasing competition among AI developers.

Agentic AI tools are rapidly gaining popularity, especially among professionals seeking automation. Even in its preview stage, Claude Cowork has attracted widespread attention while also raising concerns in financial markets. Earlier this year, major tech stocks dipped as advancements from Anthropic prompted uncertainty about the future of employment.

Tools such as Claude Code and Codex are becoming capable of replacing traditional software solutions—an area where Microsoft has long been dominant. This shift explains Microsoft’s urgency in advancing its own agentic AI capabilities. Industry experts increasingly believe that 2026 could mark a breakthrough year for such technologies, with projects like OpenClaw highlighting their growing influence.

Lamanna noted that "the shape of what we do on a day-to-day basis will change," but stressed that AI should ultimately free up time for more meaningful work. He described the transition as moving from using AI to assist with tasks toward fully delegating them to autonomous agents.

However, as these tools become more accessible, questions around their impact on jobs persist. Concerns have been amplified by AI-driven layoffs at major companies like Amazon and Block. At the same time, some research suggests that AI adoption may lead to longer work hours and reduced job satisfaction for certain employees. As with any emerging technology, its real impact will depend on how effectively it is implemented in the workplace.

Fake IT Support on Microsoft Teams Used to Deliver New A0Backdoor Threat

 


A contemporary cyber campaign has been identified where attackers are using Microsoft Teams to target employees in financial and healthcare organizations, eventually infecting systems with a newly observed malware known as A0Backdoor.

Research from BlueVoyant shows that the attackers rely heavily on social engineering. They begin by overwhelming an employee’s inbox with large volumes of spam emails. Soon after, they contact the same individual on Microsoft Teams, pretending to be part of the company’s IT support team and offering help to resolve the issue. This sequence is designed to build trust and make the request appear routine.

Once the victim is convinced, the attacker asks them to start a remote session using Quick Assist, a built-in Windows feature meant for remote troubleshooting. After access is granted, the attacker delivers a set of malicious tools through MSI installer files. These installers are digitally signed and hosted on a personal Microsoft cloud storage account, which helps them appear legitimate at first glance.

The researchers found that these MSI files are disguised as familiar Microsoft-related components, including Microsoft Teams elements and CrossDeviceService, a real Windows service used by the Phone Link application. This naming strategy helps the files blend in with normal system processes.

To execute the attack, the threat actor uses a technique called DLL sideloading. This involves running trusted Microsoft programs to load a malicious file named hostfxr.dll. Inside this file is data that is either compressed or encrypted. When the file is loaded into memory, it decrypts this data into shellcode and begins execution.

The malware also uses the CreateThread function to generate multiple threads. This behavior is not meant to improve performance but to make analysis harder. According to the researchers, creating too many threads can cause debugging tools to crash, even though it does not noticeably affect normal system activity.

After execution begins, the shellcode checks whether it is running inside a sandbox environment, which is commonly used by security analysts. If no such environment is detected, it proceeds to create a cryptographic key derived from SHA-256. This key is then used to decrypt the A0Backdoor payload, which is protected using AES encryption.

Once decrypted, the malware moves itself to a different region in memory and activates its main functions. It collects system-level information using Windows API calls such as DeviceIoControl, GetUserNameExW, and GetComputerNameW. This allows it to identify and profile the infected machine.

For communication with its operators, the malware avoids traditional methods and instead uses DNS traffic. It sends DNS MX queries that contain encoded data within complex subdomains to public recursive DNS servers. The responses it receives include MX records that carry encoded instructions. The malware extracts the relevant part of the response, decodes it, and then follows the commands.

Researchers explain that using MX records helps the traffic appear normal, making it harder to detect compared to other DNS-based techniques, especially those that rely on TXT records, which are more commonly monitored.

The campaign has already targeted at least two organizations, including a financial institution in Canada and a global healthcare company.

BlueVoyant assesses with moderate to high confidence that this activity builds on methods previously linked to the BlackBasta group. Although that group reportedly shut down after internal chat logs were leaked, parts of its approach appear to be continuing in this operation.

At the same time, the researchers point out that several elements in this campaign are new. These include the use of signed MSI installers, the A0Backdoor malware itself, and the use of DNS MX records for command-and-control communication.

This case reflects how attackers are adapting their methods by combining trusted tools, familiar platforms, and layered techniques to bypass detection.

North Korean Hackers Orchestrate Impeccable Multi Million Dollar Crypto Theft

 


Several highly calculated cloud intrusion campaigns have been linked to a North Korean threat actor identified as UNC4899, demonstrating the growing convergence between cyber espionage and financial crime. Using a sophisticated methodology, the operation appears to have been meticulously designed with the singular objective of siphoning millions of dollars in digital assets off a cryptocurrency organization in 2025. 

Researchers who have assessed the breach note a degree of precision and operational discipline that are consistent with state-sponsored activity, thereby reinforcing its moderate attribution to Pyongyang's cyber apparatus. Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor are other aliases used by the group. 

The group is part of a larger trend in which adaptive threat actors are quietly infiltrating and persisting in complex cloud environments for the purpose of monetizing access. Despite the scale and persistence of these operations, they are not without precedent. 

ased on the findings of a United Nations Panel of Experts, at least 58 targeted intrusions against cryptocurrency platforms were perpetrated by the Democratic People's Republic of Korea between 2017 and 2023 that targeted the extraction of a total of $3 billion in virtual assets. 

A number of senior U.S. officials have expressed parallel views, including Anne Neuberger, Deputy National Security Advisor for Emerging Technology, that proceeds derived from these cyber campaigns are not simply opportunistic gains, but are strategically directed, with some of the proceeds believed to be used for nuclear weapons development. 

Collectively, these developments demonstrate how the use of cyber operations has become deeply ingrained in Pyongyang's overall statecraft, serving both as a means of revenue generation and as a means of enabling strategic capabilities. 

Further strengthening this dual-use approach is the sustained investment in technological infrastructure, operator training, and tooling sophistication of North Korea’s cyber units, which has enabled them to refine their tradecraft and maintain a persistent edge in both financial and intelligence-driven operations. 

Recently, threat intelligence has indicated a significant change in both target patterns and operational methodologies regarding cryptocurrency threats. Despite the fact that exchanges will continue to account for a significant share of financial losses in 2025, a greater proportion will involve high net-worth individuals whose digital asset portfolios are becoming increasingly attractive targets as a result. 

Threat actors are often able to exploit exploitable security gaps created by these individuals compared to institutional platforms because these individuals typically operate with relatively limited security controls. In several cases, it appears that the targeting extends beyond personal holdings, with individuals being targeted for their proximity to organizations managing substantial cryptocurrency reserves. 

As victimology has evolved, attack vectors have also evolved. Social engineering techniques are presently the dominant intrusion methods. In addition to exploiting vulnerabilities within blockchain infrastructure, adversaries are increasingly obtaining credentials and bypassing authentication safeguards by deception, impersonation, and psychological manipulation, underscoring human weakness as an important point of failure. 

In parallel, the post-exploitation phase has evolved into an increasingly adaptive contest between illicit actors and blockchain intelligence providers. Due to the increasing sophistication of analytical tools used by law enforcement and compliance teams in tracing transactional flows, North Korean-linked operators have enhanced their laundering strategies by increasing the level of technical complexity and layering of operations. 

In recent years, these methods have become increasingly complex, involving iterative mixing cycles, interchain transfers, as well as the deliberate use of non-monitored blockchain networks with limited visibility. 

A number of tactics can also be employed to maximize cost through the acquisition of protocol-specific utility tokens, manipulate refund mechanisms to redirect funds to newly created wallets, and create bespoke tokens within controlled ecosystems for the purpose of obscuring data. 

A sustained and evolving cat-and-mouse dynamic is evident in these practices, in which advances in forensic capabilities are accompanied by escalation of adversarial tradecraft. Further contextualization of this incident is provided by Google Cloud’s Cloud Threat Horizons Report, which reveals an intrusion chain involving social engineering as well as the exploiting of trust boundaries between corporate and personal environments. 

Initial access was reportedly gained by tricking a developer into downloading a trojanized file masquerading as a legitimate open-source collaboration. A seemingly benign interaction resulted in compromising a personal workstation, which ultimately became the gateway to the organization's corporate environment and, ultimately, its cloud infrastructure as a whole. 

A nuanced understanding of cloud-native architecture was demonstrated by the attackers once access had been established. By exploiting legitimate DevOps processes, they harvested credentials and manipulated managed database services, including Cloud SQL instances, to enable the covert extraction of cryptocurrency assets. This post-compromise activity has been intentionally designed to blend malicious operations with normal system behavior.

Through the modification of Kubernetes configurations and the execution of carefully crafted commands, threat actors were able to maintain persistence while minimizing detection. This tactic is increasingly referred to as “living off-the-cloud” in which native platform features are repurposed to maintain unauthorized access. 

Moreover, it reveals systemic weaknesses in the management of sensitive data and credentials in hybrid environments, especially where personal and corporate workflows are not adequately separated. Security practitioners emphasize the need for layered defensive measures in order to mitigate such threats, including stringent identity verification controls, tighter governance over data transmission channels, and isolation within cloud execution contexts in order to contain potential vulnerabilities. 

A growing consensus is urging the reduction of the attack surface by limiting the use of external devices and unsecured communication methods, including ad hoc file-sharing protocols, to reduce attack vulnerabilities, as adversaries continue to develop methods for exploiting human trust alongside technical complexity.

There has been a shocking increase in losses approaching the $2 billion mark, which serves as a stark indication of both the maturation of adversarial capabilities and the expansion of the attack surface within the digital asset ecosystem. At the same time, advanced blockchain intelligence reinforces the importance of protecting against such threats at the same time. 

In spite of North Korean-linked operators' continued refinement of tactics, distributed ledger technology offers a structural advantage to investigators equipped with sophisticated forensic tools due to its inherent transparency. Using deep transaction tracing, behavioral analytics, and cross-chain visibility, firms such as Elliptic have demonstrated how illicit financial flows can be illuminated that would otherwise remain undetected. 

There is a clear indication that the balance between attackers and defenders is evolving as threat actors innovate in obfuscation and laundering. Analytics-driven oversight is paralleling this innovation, enabling industry stakeholders and law enforcement agencies to identify anomalies, attribute malicious activities, and disrupt financial pipelines in an increasingly precise manner. 

Consequently, blockchain transparency, once regarded primarily as a feature of decentralization, is now emerging as a critical enforcement mechanism, supporting efforts to maintain trust, security, and innovation while maintaining the integrity of the crypto ecosystem.

China Warns Government Staff Against Using OpenClaw AI Over Data Security Concerns

 

Recently, Chinese government offices along with public sector firms began advising staff not to add OpenClaw onto official gadgets - sources close to internal discussions say. Security issues are a key reason behind these alerts. As powerful artificial intelligence spreads faster across workplaces, unease about information safety has been rising too. 

Though built on open code, OpenClaw operates with surprising independence, handling intricate jobs while needing little guidance. Because it acts straight within machines, interest surged quickly - not just among coders but also big companies and city planners. Across Chinese industrial zones and digital centers, its presence now spreads quietly yet steadily. Still, top oversight bodies along with official news outlets keep pointing to possible dangers tied to the app. 

If given deep access to operating systems, these artificial intelligence programs might expose confidential details, wipe essential documents, or handle personal records improperly - officials say. In agencies and big companies managing vast amounts of vital information, those threats carry heavier weight. A report notes workers in public sector firms received clear directions to avoid using OpenClaw, sometimes extending to private gadgets. Despite lacking an official prohibition, insiders from a federal body say personnel faced firm warnings about downloading the software over data risks. 

How widely such limits apply - across locations or agencies - is still uncertain. A careful approach reveals how Beijing juggles competing priorities. Even as officials push forward with plans to embed artificial intelligence into various sectors - spurring development through widespread tech adoption - they also work to contain threats linked to digital security and information control. Growing global tensions add pressure, sharpening concerns about who manages data, and under what conditions. Uncertainty shapes decisions more than any single policy goal. 

Even with such cautions in place, some regional projects still move forward using OpenClaw. Take, for example, health-related programs under Shenzhen’s city government - these are said to have run extensive training drills featuring the artificial intelligence model, tied into wider upgrades across digital infrastructure. Elsewhere within the same city, one administrative area turned to OpenClaw when building a specialized helper designed specifically for public sector workflows. 

Although national leaders call for restraint, some regional bodies might test limited applications tied to progress targets. Whether broader limits emerge - or monitoring simply increases - stays unclear. What happens next depends on shifting priorities at different levels. Recently joining OpenAI, Peter Steinberger originally created OpenClaw as an open-source initiative hosted on GitHub. Attention around the tool has grown since his new role became known. 

When AI systems gain greater independence and embed themselves into daily operations, questions about safety will grow sharper - especially where confidential or controlled information is involved.

Zombie ZIP Evasion Exposes Antivirus Blind Spot

 

A recently revealed technique known as Zombie ZIP demonstrates how attackers can embed malware inside fragmented and corrupted archives that can’t be fully scanned by most security solutions. By exploiting the way ZIP headers are processed, it enables malicious payloads to evade antivirus and EDR solutions even if the file appears corrupted to end users.

Zombie ZIP works by manipulating the ZIP header so that the archive claims its contents are stored with the “Method 0” (STORED) mode, which means uncompressed data. In reality, the payload is still compressed with the standard Deflate algorithm, so scanners that trust the header see only high-entropy “noise” instead of recognizable malware signatures. Standard utilities like WinRAR, 7‑Zip, or unzip will usually throw errors or report corruption when users attempt to extract these malformed files. 

Security researcher Chris Aziz of Bombadil Systems tested this approach against VirusTotal and found that 50 out of 51 antivirus engines failed to detect the hidden payload when using Zombie ZIP archives. He also published proof-of-concept code and sample archives on GitHub, making it easier for security teams and, unfortunately, attackers to reproduce the method. A key trick is setting the CRC integrity value to match the uncompressed payload, which further confuses extraction and scanning tools. 

While common archivers fail, a custom loader can simply ignore the misleading header and decompress the data as Deflate, recovering the embedded malware without issues. This means an attacker only needs to get the loader executed once on a target system to start unpacking any number of Zombie ZIP containers. Once the loader runs, traditional defenses lose the benefit of pre-execution scanning at the file level. 

The CERT Coordination Center (CERT/CC) issued an advisory assigning CVE‑2026‑0866 to the issue and warning that malformed archives can undermine current detection models. CERT/CC notes that some tools do manage to decompress these archives correctly, but many popular solutions still fail, echoing an old flaw tracked as CVE‑2004‑0935 in early ESET antivirus versions. The agency urges vendors to validate compression method fields against actual data, detect structural inconsistencies, and enable more aggressive archive inspection. 

Not all experts agree that Zombie ZIP deserves a CVE, however, with several researchers arguing it is a clever evasion trick rather than a true vulnerability. They point out that these archives are not openable with standard tools and that using a custom loader already implies the system is compromised in some way. As one researcher put it, corrupting or encrypting any file and then requiring a special loader achieves a similar outcome without necessarily exposing a new flaw. 

For everyday users and organizations, the practical takeaway is to treat suspicious ZIP files with extra caution, especially from unknown senders. CERT/CC advises deleting archives that fail to extract and show “unsupported method” or similar errors, rather than repeatedly trying to open them. Meanwhile, defenders should pressure vendors to harden archive parsing and incorporate deeper content validation so that tricks like Zombie ZIP do not become a reliable blind spot in the malware detection chain.

Russian Cyber Campaign Targets Signal and WhatsApp Users Through Social Engineering Tactics

 

Hackers believed to be linked to Russia are attempting to gain access to Signal and WhatsApp accounts of government officials, journalists, and military personnel worldwide—not by breaking encryption, but by manipulating users into giving up their access credentials.

This warning was issued on Monday by the Netherlands’ intelligence and military agencies, AIVD and MIVD, which reported a "large-scale" cyber operation focused on compromising accounts on these messaging platforms. Instead of attacking the apps’ end-to-end encryption, the campaign aims to take control of user accounts and discreetly monitor their communications.

According to the agencies, attackers directly contact targets through chats and convince them to share verification codes or PINs, effectively handing over account access. In certain instances, the hackers impersonate a Signal support bot to make their requests appear authentic. Once the code is provided, they can log in and view private messages or track group conversations without bypassing encryption.

Another technique involves exploiting Signal’s “linked devices” feature, which allows multiple devices to connect to one account. If attackers successfully link their own device, they can observe messages in real time. Dutch authorities confirmed that this campaign has already impacted individuals, including those within the Dutch government. "The Russian hackers have likely gained access to sensitive information," the AIVD and MIVD said, adding that "targets and victims of the campaign include Dutch government employees" as well as journalists.

Ironically, the strong encryption that makes these platforms popular among officials and reporters also increases their value as targets once an account is compromised. While end-to-end encryption secures messages during transmission, it offers no protection if an attacker gains direct access to the account.

A Meta spokesperson told The Register that users should never share their six-digit code with others and that it provides detailed advice on how WhatsApp users can protect themselves from scams.

Signal did not immediately respond to The Register’s inquiries. Meanwhile, Dutch authorities have issued a cybersecurity advisory and are helping affected users secure their accounts. They also highlighted warning signs of a potential breach, such as duplicate contacts appearing or numbers being marked as “deleted account” unexpectedly.

The broader takeaway from intelligence officials is that while encrypted messaging apps are convenient, they are not designed for highly sensitive communication. As MIVD director Vice-Admiral Peter Reesink put it:

"Despite their end-to-end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information."

In essence, relying solely on the assumption that no one will request a verification code may not be sufficient for maintaining operational security.