Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cloud. Show all posts
malware
AI Cloud Data GlassWorm Internet malware

GlassWorm Malware Campaign Attacks Developer IDEs, Steals Data


About GlassWorm campaign 

Cybersecurity experts have discovered another incident of the ongoing GlassWorm campaign, which uses a new Zig dropper that's built to secretly compromise all integrated development environments (IDEs) on a developer's system. 

The tactic was found in an Open VSX extension called "specstudio.code-wakatime-activity-tracker”, which disguised as WakaTime, a famous tool that calculates the time programmes spend with the IDE. The extension can not be downloaded now. 

Attack tactic 

In previous attacks, GlassWorm used the same native compiled code in extensions. Instead of using the binary as the payload directly, it is deployed as a covert indirection for the visible GlassWorm dropper. It can secretly compromise all other IDEs that may be present in your device. 

The recently discovered Microsoft Visual Studio Code (VS Code) extension is a replica (almost).

The extension installs a universal Mach-O binary called "mac.node," if the system is running Apple macOS, and a binary called "win.node" for Windows computers.

Execution 

These Zig-written compiled shared libraries that load straight into Node's runtime and run outside of the JavaScript sandbox with complete operating system-level access are Node.js native addons.

Finding every IDE on the system that supports VS Code extensions is the binary's main objective once it has been loaded. This includes forks like VSCodium, Positron, and other AI-powered coding tools like Cursor and Windsurf, in addition to Microsoft VS Code and VS Code Insiders.

Malicious code installation 

Once this is achieved, the binary installs an infected VS Code extension (.VSIX) from a hacker-owned GitHub account. The extension, known as “floktokbok.autoimport”, imitates “steoates.autoimport”, an authentic extension with over 5 million downloads on the office Visual Studio Marketplace.

After that, the installed .VSIX file is written to a secondary path and secretly deployed into each IDE via editor's CLI installer. 

In the second-stage, VS Code extension works as a dropper that escapes deployment on Russian devices, interacts with the Solana blockchain, gets personal data, and deploys a remote access trojan (RAT). In the final stage, RAT installs a data-stealing Google Chrome extension. 

“The campaign has expanded repeatedly since then, compromising hundreds of projects across GitHub, npm, and VS Code, and most recently delivering a persistent RAT through a fake Chrome extension that logged keystrokes and dumped session cookies. The group keeps iterating, and they just made a meaningful jump,” cybersecurity firm aikido reported. 

Read more »
Technology
Claude Cloud Copilot Data GenAI Microsoft Technology

Microsoft Releases AI Upgrades, Launches Copilot Cowork to Early Access Customers


In an effort to enhance its AI offering and increase adoption, Microsoft (MSFT.O) recently introduced new features in its Copilot research assistant that would enable users to employ various AI models concurrently within the same workflow.

Instead of relying on a single model, Copilot's Researcher agent can now pull outputs from both OpenAI's GPT and Anthropic's Claude models for each response, thanks to a new feature called "Critique."

According to Microsoft, Claude will check the quality and correctness of the response before GPT provides it to the user. In the future, the business hopes to make that workflow bidirectional so that GPT may also evaluate Claude's writings.

"Having different models from ​different vendors in Copilot is highly attractive - but we're taking this to the next level, where customers actually get the benefits of the models working together," Nicole Herskowitz, VP of Copilot and  Microsoft, said to Reuters. 

The multi-model strategy will assist in increasing productivity and quality for customers by accelerating user workflow, controlling AI hallucinations, which occur when systems give incorrect information, and producing more dependable outputs.

Additionally, Microsoft is introducing a feature called "Council" that will let users compare results from various AI models side by side. The updates coincide with Microsoft expanding access to its new Copilot Cowork agentic AI tool for members of its "Frontier" program, which gives users early access to some of its most recent AI innovations.

According to Jared Spataro, Microsoft's AI-at-Work efforts leader, “We work only in a cloud environment, and we work only on behalf of the user. So you know exactly what information it (Copilot Cowork) has access ​to.”

On Monday, the company's stock increased by almost 1%. However, as investor confidence in AI declines, the stock is poised for its worst quarter since the global financial crisis of 2008, with a nearly 25% decline.

Microsoft capitalized on the increasing demand for autonomous AI agents earlier this month by releasing Copilot Cowork, a solution based on Anthropic's popular Claude Cowork product, in testing mode.

In the face of fierce competition from rivals like Google (GOOGL.O), the new tab Gemini, and autonomous agents like Claude Cowork, the Windows manufacturer has been rushing to enhance its Copilot assistant to promote greater usage.

Read more »
South Korea
Cloud Cyber Attacks Data GitHub phishing South Korea

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea


GitHub attacked by state-sponsored hackers 

Cyber criminals possibly linked with the Democratic People's Republic of Korea (DPRK) have been found using GitHub as a C2 infrastructure in multi-stage campaigns attacking organizations in South Korea. 

The operation chain involves hidden Windows shortcut (LNK) files that work as a beginning point to deploy a fake PDF document and a PowerShell script that triggers another attack. Experts believe that these LNK files are circulated through phishing emails.

Payload execution 

Once the payloads are downloaded, the victim is shown as the PDF document, while the harmful PowerShell script operates covertly in the background. 

The PowerShell script does checks to avoid analysis by looking for running processes associated with machines, forensic tools, and debuggers. 

Successful exploit scenario 

If successful, it retrieves a Visual Basic Script (VBScript) and builds persistence through a scheduled task that activates the PowerShell payload every 30 minutes in a covert window to escape security. 

This allows the PowerShell script to deploy automatically after every system reboot. “Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” S2W reported. 

The PowerShell script then classifies the attacked host, saves the response to a log file, and extracts it to a GitHub repository made under the account “motoralis” via a hard-coded access token. Few of the GitHub accounts made as part of the campaign consist of “Pigresy80,” "pandora0009”, “brandonleeodd93-blip” and “God0808RAMA.”

After this, the script parses a particular file in the same GitHub repository to get more instructions or modules, therefore letting the threat actor to exploit the trust built with a platform such as GitHub to gain trust and build persistence over the compromised host. 

Campaign history 

According to Fortnet, LNK files were used in previous campaign iterations to propagate malware families such as Xeno RAT. Notably, last year, ENKI and Trellix demonstrated the usage of GitHub C2 to distribute Xeno RAT and its version MoonPeak. 

Kimsuky, a North Korean state-sponsored organization, was blamed for these assaults. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate,” said researcher Cara Lin. 


Read more »
phishing
AI Cloud Data malware phishing

China-based TA416 Targets European Businesses via Phishing Campaigns

Chinese state-sponsored attacks

A China-based hacker is targeting European government and diplomatic entities; the attack started in mid-2025, after a two-year period of no targeting in the region. The campaign has been linked to TA416; the activities coincide with DarkPeony, Red Lich, RedDelta, SmugX, Vertigo Panda, and UNC6384.

According to Proofpoint, “This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries. Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload."

Multiple attack campaigns

Additionally, TA416 organized multiple campaigns against the government and diplomatic organizations in the Middle East after the US-Iran conflict in February 2026. The attack aimed to gather regional intelligence regarding the conflict.

TA416 also has a history of technical overlaps with a different group, Mustang Panda (UNK_SteadySplit, CerenaKeeper, and Red Ishtar). The two gangs are listed as Hive0154, Twill Typhoon, Earth Preta, Temp.HEX, Stately Taurus, and HoneyMyte. 

TA416’s attacks use PlugX variants. The Mustang Panda group continually installed tools like COOLCLIENT, TONESHELL, and PUBLOAD. One common thing is using DLL side-loading to install malware.

Attack tactic

TA416’s latest campaigns against European entities are pushing a mix of web bug and malware deployment operations, while threat actors use freemail sender accounts to do spying and install the PlugX backdoor through harmful archives via Google Drive, Microsoft Azure Blob Storage, and exploited SharePoint incidents. The PlugX malware campaigns were recently found by Arctic Wolf and StrikeReady in October 2025. 

According to Proofpoint, “A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient's IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target.”

The TA416 attacks in December last year leveraged third-party Microsoft Entra ID cloud apps to start redirecting to the download of harmful archives. Phishing emails in this campaign link to Microsoft’s authentic OAuth authorization. Once opened, resends the user to the hacker-controlled domain and installs PlugX.

According to experts, "When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it."

Read more »
Internet
AI Cloud Cyber Attacks Data Internet

Attackers Exploit Critical Flaw to Breach 766 Next.js Hosts and Steal Data


Credential-stealing operation

A massive credential-harvesting campaign was found abusing the React2Shell flaw as an initial infection vector to steal database credentials, shell command history, Amazon Web Services (AWS) secrets, GitHub, Stripe API keys. 

Cisco Talos has linked the campaign to a threat cluster tracked as UAT-10608. At least 766 hosts around multiple geographic regions and cloud providers have been exploited as part of the operation. 

About the attack vector

According to experts, “Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, which are then posted to its command-and-control (C2). The C2 hosts a web-based graphical user interface (GUI) titled 'NEXUS Listener' that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.”

Who are the victims?

The campaign targets Next.js instances that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a severe flaw in React Server Components and Next.js App Router that could enable remote code execution for access, and then deploy the NEXUS Listener collection framework.

This is achieved by a dropper that continues to play a multi-phase harvesting script that stores various details from the victim system. 

SSH private keys and authorized_keys

JSON-parsed keys and authorized_keys

Kubernetes service account tokens

Environment variables

API keys

Docker container configurations 

Running processes

IAM role-associated temporary credentials

Attack motive

The victims and the indiscriminate targeting pattern are consistent with automated scanning. The key thing in the framework is an application (password-protected) that makes all stolen data public to the user through a geographical user interface that has search functions to browse through the information. The present Nexus Listener version is V3, meaning the tool has gone through significant changes.

Talos managed to get data from an unknown NEXUS Listener incident. It had API keys linked with Stripe, AI platforms such as Anthropic, OpenAI, and NVIDIA NIM, communication services such as Brevo and SendGrid, webhook secrets, Telegram bot tokens, GitLab, and GitHub tokens, app secrets, and database connection strings. 

Read more »
Technology
AI AI Malware Cloud Data Hive Technology

Experts Warn About AI-assisted Malwares Used For Extortion


AI-based Slopoly malware

Cybersecurity experts have disclosed info about a suspected AI-based malware named “Slopoly” used by threat actor Hive0163 for financial motives. 

IBM X-Force researcher Golo Mühr said, “Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take,” according to the Hacker News.

Hive0163 malware campaign 

Hive0163's attacks are motivated by extortion via large-scale data theft and ransomware. The gang is linked with various malicious tools like Interlock RAT, NodeSnake, Interlock ransomware, and Junk fiction loader. 

In a ransomware incident found in early 2026, the gang was found installing Slopoly during the post-exploit phase to build access to gain persistent access to the compromised server. 

Slopoly’s detection can be tracked back to PowerShell script that may be installed in the “C:\ProgramData\Microsoft\Windows\Runtime” folder via a builder. Persistence is made via a scheduled task called “Runtime Broker”. 

Experts believe that that malware was made with an LLM as it contains extensive comments, accurately named variables, error handling, and logging. 

There are signs that the malware was developed with the help of an as-yet-undetermined large language model (LLM). This includes the presence of extensive comments, logging, error handling, and accurately named variables. 

The comments also describe the script as a "Polymorphic C2 Persistence Client," indicating that it's part of a command-and-control (C2) framework. 

According to Mühr, “The script does not possess any advanced techniques and can hardly be considered polymorphic, since it's unable to modify its own code during execution. The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware builders.”

The PowerShell script works as a backdoor comprising system details to a C2 server. There has been a rise in AI-assisted malware in recent times. Slopoly, PromptSpy, and VoidLink show how hackers are using the tool to speed up malware creation and expand their operations. 

IBM X-Force says the “introduction of AI-generated malware does not pose a new or sophisticated threat from a technical standpoint. It disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack.”

Read more »
Technology
agentic browser AI Cloud Comet Internet Perplexity Technology

Perplexity's Comet AI Browser Tricked Into Phishing Scam Within Four Minutes


Agentic browser at risk

Agentic web browsers that use AI tools to autonomously do tasks across various websites for a user could be trained and fooled into phishing attacks. Hackers exploit the AI browsers’ tendency to assert their actions and deploy them against the same model to remove security checks. 

According to security expert Shaked Chen, “The AI now operates in real time, inside messy and dynamic pages, while continuously requesting information, making decisions, and narrating its actions along the way. Well, 'narrating' is quite an understatement - It blabbers, and way too much!,” the Hacker News reported. Agentic Blabbering is an AI browser that displays what it sees, thinks, and plans to do next, and what it deems safe or a threat. 

Tricking the browsers

By hacking the traffic between the AI services on the vendor’s servers and putting it as input to a Generative Adversarial Network (GAN), it made Perplexity’s Comet AI browser fall prey to a phishing attack within four minutes. 

The research is based on established tactics such as Scamlexity and VibeScamming, which revealed that vibe-coding platforms and AI browsers can be coerced into generating scam pages and performing malicious tasks via prompt injection. 

Attack tactic

There is a change in the attack surface as a result of the AI agent managing the tasks without frequent human oversight, meaning that a scammer no longer has to trick a user. Instead, it seeks to deceive the AI model itself. 

Chen said, “If you can observe what the agent flags as suspicious, hesitates on, and more importantly, what it thinks and blabbers about the page, you can use that as a training signal.” Chen added that the “scam evolves until the AI Browser reliably walks into the trap another AI set for it."

End goal?

The aim is to make a “scamming machine” that improves and recreates a phishing page until the agentic browser accepts the commands and carries out the hacker’s command, like putting the victim’s passwords on a malicious web page built for refund scams. 

Guardio is concerned about the development, saying that, “This reveals the unfortunate near future we are facing: scams will not just be launched and adjusted in the wild, they will be trained offline, against the exact model millions rely on, until they work flawlessly on first contact.”

Read more »
Network
Cloud Cyber Security Data FortiGate Network

Hackers Exploit FortiGate Devices to Hack Networks and Credentials


Exploiting network points to hack victims 

Cybersecurity experts have warned about a new campaign where hackers are exploiting FortiGate Next-Gen Firewall (NGFW) devices as entry points to hack target networks. 

The campaign involves abusing the recently revealed security flaws or weak password to take out configuration files. The activity has singled out class linked to government, healthcare, and managed service providers. 

Attack tactic 

According to experts, “FortiGate network appliances have considerable access to the environments they were installed to protect. In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”

"This setup can enable the appliance to map roles to specific users by fetching attributes about the connection that’s being analyzed and correlating with the Directory information, which is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device,” the experts added. 

Misconfigurations opening doors for hackers 

But the experts noticed that this access could be compromised by hackers who hack into FortiGate devices via flaws or misconfigurations.

In one attack, the hackers breached a FortiGate appliance last year in November to make a new local admin account “support” and built four new firewall policies that let the account to travel across all zones without any limitations. 

The hacker then routinely checked device access. “Evidence demonstrates the attacker authenticated to the AD using clear text credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials,” SentinelOne reported. 

How was the account used?

After this, hacker leveraged the service account to verify the target's environment and put rogue workstations in the AD for further access. Following this, network scanning started and the breach was found, and lateral movement was stopped. 

The contents of the NTDS.dit file and SYSTEM registry hive were exfiltrated to an external server ("172.67.196[.]232") over port 443 by the Java malware, which was triggered via DLL side-loading.

SentinelOne said that “While the actor may have attempted to crack passwords from the data, no such credential usage was identified between the time of credential harvesting and incident containment.”

Read more »
Personal Data
Cloud Conduent Cyber Attacks Data Leak Personal Data

Conduent Leak: One of the Largest Breaches in The U.S


Conduent, a business that offers printing, payment, and document processing services to some of the biggest health insurance companies in the nation, has had at least 25 million people's personal information stolen. Addresses, social security numbers, and health information were exposed to ransomware hackers in what some have already dubbed one of the biggest data breaches in American history. 

According to a letter the business issued online, Conduent initially learned it was the victim of a "cyber incident" more than a year ago on January 13, 2025. The actual breach occurred between October 21, 2024, and January 13, 2025, and it included Conduent's data because the company offers services to health plans.

Names, social security numbers, health insurance details, and unspecified medical information were among the data. In its notice, the business stressed that "not every data element was present for every individual," which implies that some individuals may have had their health insurance information taken but not their social security number, or vice versa. 

According to Bleeping Computer, the Safepay ransomware organization claimed responsibility for the attack, which allegedly captured more than 8 gigabytes of data. Conduent stated online, "Presently, we are unaware of any attempted or actual misuse of any information involved in this incident," while it is unclear if Safepay has demanded payment for the information's recovery.

10.5 million people were affected by the incident, according to Oregon's consumer protection website, although it's unknown how many people in Oregon alone were affected. According to Wisconsin, the national total is more than 25 million. 

Notifications have also been sent to residents of other states, such as California, Delaware, Massachusetts, New Hampshire, and New Mexico. According to the state's attorney general, just 374 people's data was compromised in Maine, one of the states with very tiny numbers. Conduent, a New Jersey-based company, did not reply to emails on Tuesday inquiring about the full extent of the incident and what victims could do about it.

Conduent is providing free credit monitoring and identity restoration services through Epiq to certain individuals, but those affected must join before April 30, 2026, according to a letter given to victims in California.

Read more »
Technlogy
AI Cloud Data GenAI Microsoft phishing Technlogy

Microsoft Report Reveals Hackers Exploit AI In Cyberattacks


According to Microsoft, hackers are increasingly using AI in their work to increase attacks, scale cyberattack activity, and limit technical barriers throughout all aspects of a cyberattack. 

Microsoft’s new Threat Intelligence report reveals that threat actors are using genAI tools for various tasks, such as phishing, surveillance, malware building, infrastructure development, and post-hack activity. 

About the report

In various incidents, AI helps to create phishing emails, summarize stolen information, debug malware, translate content, and configure infrastructure. “Microsoft Threat Intelligence has observed that most malicious use of AI today centers on using language models for producing text, code, or media. Threat actors use generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure,” the report said. 

"For these uses, AI functions as a force multiplier that reduces technical friction and accelerates execution, while human operators retain control over objectives, targeting, and deployment decisions,’ warns Microsoft.

AI in cyberattacks 

Microsoft found different hacking gangs using AI in their cyberattacks, such as North Korean hackers known as Coral Sleet (Storm-1877) and Jasper Sleet (Storm-0287), who use the AI in their remote IT worker scams. 

The AI helps to make realistic identities, communications, and resumes to get a job in Western companies and have access once hired. Microsoft also explained how AI is being exploited in malware development and infrastructure creation. Threat actors are using AI coding tools to create and refine malicious code, fix errors, and send malware components to different programming languages. 

The impact

A few malware experiments showed traces of AI-enabled malware that create scripts or configure behaviour at runtime. Microsoft found Coral Sleet using AI to make fake company sites, manage infrastructure, and troubleshoot their installations. 

When security analysts try to stop the use of AI in these attacks, Microsoft says hackers are using jailbreaking techniques to trick AI into creating malicious code or content. 

Besides generative AI use, the report revealed that hackers experiment with agentic AI to do tasks autonomously. The AI is mainly used for decision-making currently. As IT worker campaigns depend on the exploitation of authentic access, experts have advised organizations to address these attacks as insider risks. 

Read more »
Windows
AI BadPaw Cloud Data malware Windows

BadPaw Malware Targets Uranian Systems


A newly found malware campaign exploiting a Ukrainian email service to build trust has been found by cybersecurity experts. 

About the campaign 

The operation starts with an email sent from an address hosted on ukr[.]net, a famous Ukrainian provider earlier exploited by the Russia based hacking group APT28 in older campaigns.

BadPaw malware 

Experts at ClearSky have termed the malware “BadPaw.” The campaign starts when a receiver opens a link pretending to host a ZIP archive. Instead of starting a direct download, the target is redirected to a domain that installs a tracking pixel, letting the threat actor to verify engagement. Another redirect sends the ZIP file. 

The archive pretends to consist of a standard HTML file, but ClearSky experts revealed that it is actually an HTA app in hiding. When deployed, the file shows a fake document related to a Ukrainian government border crossing request, where malicious processes are launched in the background. 

Attack tactic 

Before starting, the malware verifies a Windows Registry key to set the system's installation date. If the OS is older than ten days, deployment stops, an attack tactic that escapes sandbox traps used by threat analysts. 

If all the conditions are fulfilled, the malware looks for the original ZIP file and retrieves extra components. The malware builds its persistence via a scheduled task that runs a VBS script which deploys steganography to steal hidden executable code from an image file. 

Only nine antivirus engines could spot the payload at the time of study. 

Multi-Layered Attack

After activation within a particular parameter, BadPaw links to a C2 server. 

The following process happens:

Getting a numeric result from the /getcalendar endpoint. 

Gaining access to a landing page called "Telemetry UP!” through /eventmanager. 

Downloading the ASCII-encoded payload information installed within HTML. 

In the end, the decrypted data launches a backdoor called "MeowMeowProgram[.]exe," which offers file system control and remote shell access. 

Four protective layers are included in the MeowMeow backdoor: runtime parameter constraints, obfuscation of the.NET Reactor, sandbox detection, and monitoring for forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler.

Incorrect execution results in a benign graphical user interface with a picture of a cat. The "MeowMeow" button only displays a harmless message when it is clicked.

Read more »
Technology
Bitcoin Blockchain Cloud Crypto Data Technology

Too Much Data Regulation Can Create Security Risks


Bitcoin transactions are transparent by design, they work as a pseudonym where operations are visible but identity is hidden. But the increasing amount of identity-based data around users is affecting the transparency into a personal security threat. 

The problem 

The increasing regulatory data collection is now mixing with bitcoin’s on-chain transparency, making a trove of identity linked data that hackers can abuse for forced, real-world attacks. 

What makes data a target? 

Physical attacks against cryptocurrency holders are on the rise due to a number of factors, including social engineering, frequent major data breaches, KYC requirements, and regulatory data collection. 

These occurrences, which are frequently referred to as "wrench attacks," entail coercion to gain private keys or force transactions by threats or physical violence. With France emerging as a focus point, this movement is highlighting a weakness in the industry's regulation.

Threats has become the rule rather than the exception, with at least 47.2% of cases involving verified torture or physical assault and 51.5% including firearms. There were 19 fatal occurrences, which resulted in 24 deaths overall and a 6.2% fatality rate. 2025 was the most violent year on record in terms of recorded cases, but analysts warn that the actual number of occurrences is probably greater because of underreporting. All numbers are based on cases that were publicly available at the time of reporting.

What are the risks?

The risk profile for Bitcoin holders is very harsh. Transactions are irreversible once private keys are turned over under duress. Chargebacks, account freezes, and institutional recovery procedures are nonexistent. When coupled with actual compulsion, the protocol's famed finality becomes a liability. 

France serves as an example of how rapidly this risk might increase. In France, there were twenty bitcoin-related physical attacks in 2025, compared to a total of just four between 2017 and 2024. Eight more cases had already been reported by early February 2026, indicating that the rise is continuing rather than leveling down. Europe now accounts for around 40% of all events worldwide, up from about 22% in 2024.

Read more »
Ransomware
Cloud Corporate Cyber Attacks Data Ransomware

Iron Man Data Breach Only Impacted Marketing Resources


Data storage and recovery services company ‘Iron Mountain’ suffered a data breach. Extortion gang ‘Everest’ was behind the breach. Iron Mountain said the breach was limited to marketing materials. The company specializes in records management and data centers, it has more than 240,000 customers globally in 61 countries. 

About the breach 

The gang claimed responsibility on the dark web, claiming to steal 1.4 TB of internal company documents. Threat actors used leaked login credentials to access a single folder on a file-sharing server having marketing materials. 

Experts said that Everest actors didn't install any ransomware payloads on the server, and no extra systems were breached. No sensitive information was exposed. The compromised login accessed one folder that had marketing materials. 

The Everest ransomware group started working from 2020. It has since changed its tactics. Earlier, it used to encrypt target's systems via ransomware. Now, it focuses on data-theft-only corporate extortion. Everest is infamous for acting as initial access broker for other hackers and groups. It also sells access to compromised networks. 

History 

In the last 5 years, Everest’s victim list has increased to hundreds in its list portal. This is deployed in double-extortion attacks where hackers blackmail to publish stolen files if the victims don't pay ransom. 

The U.S. Department of Health and Human Services also issued a warning in August 2024 that Everest was increasingly focusing on healthcare institutions nationwide. More recently, the cybercrime operation removed its website in April 2025 after it was vandalized and the statement "Don't do crime CRIME IS BAD xoxo from Prague" was posted in its place.

If the reports of sensitive data theft turn out to be accurate, Iron Mountain's clients and partners may be at risk of identity theft and targeted phishing. Iron Mountain's present evaluation, however, suggests that the danger is restricted to the disclosure of non-confidential marketing and research documents. 

What is the impact?

Such purported leaks usually result in short-term reputational issues while forensic investigations are being conducted. Iron Mountain has deactivated the compromised credential as a precaution and is still keeping an eye on its systems. 

Vendors or affected parties who used the aforementioned file-sharing website should be on the lookout for odd communications. Iron Mountain's response to these unsubstantiated allegations must be transparent throughout the investigation.

Read more »
Vulnerabilities and Exploits
AI Bug Cloud Data Vulnerabilities and Exploits

Exposed Training Opens the Gap for Crypto Mining in Cloud Enviornments


Purposely flawed training apps are largely used for security education, product demonstrations, and internal testing. Tools like bWAPP, OWASP Juice Shop, and DVWA are built to be unsafe by default, making them useful to learn how common attack tactics work in controlled scenarios. 

The problem is not the applications but how they are used in real-world cloud environments. 

Penetra Labs studied how training and demo apps are being deployed throughout cloud infrastructures and found a recurring pattern: apps made for isolated lab use were mostly found revealed to the public internet, operating within active cloud profiles, and linked to cloud agents with larger access than needed. 

Deployment Patterns analysis 

Pentera Labs found that these apps were often used with default settings, extra permissive cloud roles, and minimal isolation. The research found that alot of these compromised training environments were linked to active cloud agents and escalated roles, allowing attackers to infiltrate the vulnerable apps themselves and also tap into the customer’s larger cloud infrastructure. 

In the contexts, just one exposed training app can work as initial foothold. Once the threat actors are able to exploit linked cloud agents and escalated roles, they are accessible to the original host or application. But they can also interact with different resources in the same cloud environment, raising the scope and potential impact of the compromise. 

As part of the investigation, Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP.

Proof of active exploitation 

The investigation revealed that the exposed training environments weren't just improperly set up. Pentera Labs found unmistakable proof that attackers were actively taking advantage of this vulnerability in the wild. 

About 20% of cases in the larger dataset of training applications that were made public were discovered to have malicious actor-deployed artifacts, such as webshells, persistence mechanisms, and crypto-mining activity. These artifacts showed that exposed systems had already been compromised and were still being abused. 

The existence of persistence tools and active crypto-mining indicates that exposed training programs are already being widely exploited in addition to being discoverable.

Read more »
Solar Winds
Cloud Cyber Security Data RCE Solar Winds

SolarWinds Web Help Desk Compromised for RCE Multi Stage


SolarWinds compromised 

The threat actors used internet-exposed SolarWinds Web Help Desk (WHD) instances to gain initial access and then proceed laterally across the organization's network to other high-value assets, according to Microsoft's disclosure of a multi-stage attack. 

However, it is unclear if the activity used a previously patched vulnerability (CVE-2025-26399, CVSS score: 9.8) or recently revealed vulnerabilities (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1), according to the Microsoft Defender Security Research Team.

"Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold," the company said in the report. 

About the exploit

CVE-2025-40551 and CVE-2025-26399 both relate to untrusted data deserialization vulnerabilities that could result in remote code execution, and CVE-2025-400536 is a security control bypass vulnerability that might enable an unauthenticated attacker to access some restricted functionality.

Citing proof of active exploitation in the field, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its list of known exploited vulnerabilities (KEVs) last week. By February 6, 2026, agencies of the Federal Civilian Executive Branch (FCEB) were required to implement the solutions for the defect. 

The impact 

The successful exploitation of the exposed SolarWinds WHD instance in the attacks that Microsoft discovered gave the attackers the ability to execute arbitrary commands within the WHD application environment and accomplish unauthenticated remote code execution.

Microsoft claimed that in at least one instance, the threat actors used a DCSync attack, in which they impersonated a Domain Controller (DC) and asked an Active Directory (AD) database for password hashes and other private data. 

What can users do?

Users are recommended to update WHD instances, identify and eliminate any unauthorized RMM tools, rotate admin and service accounts, and isolate vulnerable workstations to minimize the breach in order to combat the attack. 

"This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored," the creator of Windows stated.

Read more »
Ukraine
Cloud Data Starlink Technology Ukraine

Ukraine Increases Control Over Starlink Terminals


New Starlink verification system 

Ukraine has launched a new authentication system for Starlink satellite internet terminals used by the public and the military after verifying that Russia state sponsored hackers have started using the technology to attack drones. 

The government has also introduced a compulsory “whitelist” for Starlink terminals, where only authenticated and registered devices will work in Ukraine. All other terminals used will be removed, as per the statement from Mykhailo Fedorov, country's recently appointed defense chief. 

Why the new move?

Kyiv claims that Russian unmanned aerial vehicles are now being commanded in real time using Starlink links, making them more difficult to detect, jam, or shoot down. This action is intended to counteract these threats. "It is challenging to intercept Russian drones that are equipped with Starlink," Fedorov stated earlier this week. "They can be controlled by operators over long distances in real time, will not be affected by electronic warfare, and fly at low altitudes." The Ministry of Defense is implementing the whitelist in collaboration with SpaceX, the company that runs the constellation of low-Earth orbit satellites for Starlink.

The step is presently the only technological way to stop Russia from abusing the system, Fedorov revealed Wednesday, adding that citizens have already started registering their terminals. "The government has taken this forced action to save Ukrainian lives and safeguard our energy infrastructure," he stated. 

How will it impact other sectors?

Businesses will be able to validate devices online using Ukraine's e-government services, while citizens will be able to register their terminals at local government offices under the new system. According to Ukraine's Ministry of Defense, military units will be exempt from disclosing account information and will utilize a different secure registration method.

Using Starlink connectivity, Ukraine discovered a Russian drone operating over Ukrainian territory at the end of January. After then, Kyiv got in touch with SpaceX to resolve the problem, albeit the specifics of the emergency procedures were not made public. Army, a Ukrainian military outletSetting a maximum speed at which Starlink terminals can operate was one step, according to Inform, which cited an initial cap of about 75 kilometers per hour. According to the study, Russian strike drones usually fly faster than that, making it impossible for operators to manage them in real time.


Read more »
Youtube
AI ChatGPT Cloud Data GenAI Technology Youtube

YouTube's New GenAI Feature in Tools Coming Soon


Youtube is planning something new for its platform and content creators in 2026. The company plans to integrate AI into its existing and new tools. The CEO said that content creators will be able to use GenAI for shorts. While we don't know much about the feature yet, it looks like OpenAI’s Sora app where users make videos of themselves via prompt. 

What will be new in 2026? 

“This year you'll be able to create a Short using your own likeness, produce games with a simple text prompt, and experiment with music “ said CEO Neal Mohan. All these apps will be AI-powered which many creators may not like. Many users prefer non-AI content. CEO Neil Mohan has addressed these concerns and said that “throughout this evolution, AI will remain a tool for expression, not a replacement.”

But the CEO didn't provide other details about these new AI capabilities. It is not clear how this will help the creators and the music experimentation work. 

That's not all, though.

Additionally, YouTube will introduce new formats for shorts. According to Mohan, Shorts would let users to share images in the same way as Instagram Reels does. Direct sharing of these will occur on the subscribers' feed. 

In 2026, YouTube will likewise concentrate on the biggest displays it can be accessed on, which are televisions. According to Mohan, the business will soon introduce "more than 10 specialized YouTube TV plans spanning sports, entertainment, and news, all designed to give subscribers more control," along with "fully customizable multiview.”

Why new feature?

Mohan noted that the creator economy is another area of concern. According to YouTube's CEO, video producers will discover new revenue streams this year. The suggestions made include fan funding elements like jewelry and gifts, which will be included in addition to the current Super Chat, as well as shopping and brand bargains made possible by YouTube. 

YouTube's new venture

The business also hopes to grow YouTube Shopping, an affiliate program that lets content producers sell goods directly in their videos, shorts, and live streams. The business stated that it will implement in-app checkout in 2026, enabling users to make purchases without ever leaving the site.


Read more »
I fy
AI Cloud Cyber Crime Data espionage I fy

Infy Hackers Strike Again With New C2 Servers After Iran's Internet Shutdown Ends


Infy group's new attack tactic 

An Iranian hacking group known as Infy (aka Prince of Persia) has advanced its attack tactics to hide its operations. The group also made a new C2 infrastructure while there was a wave of internet shutdown imposed earlier this year. The gang stopped configuring its C2 servers on January 8 when experts started monitoring Infy. 

In reaction to previous protests, Iranian authorities implemented a nationwide internet shutdown on this day, which probably indicates that even government-affiliated cyber units did not have the internet. 

About the campaign 

The new activity was spotted on 26 January 2026 while the gang was setting up its new C2 servers, one day prior to the Iranian government’s internet restrictions. This suggests that the threat actor may be state-sponsored and supported by Iran. 

Infy is one of the many state-sponsored hacking gangs working out of Iran infamous for sabotage, spying, and influence campaigns coordinated with Tehran’s strategic goals. However, it also has a reputation for being the oldest and less famous gangs staying under the radar and not getting caught, working secretly since 2004 via “laser-focused” campaigns aimed at people for espionage.

The use of modified versions of Foudre and Tonnerre, the latter of which used a Telegram bot probably for data collection and command issuance, were among the new tradecraft linked to the threat actor that SafeBreach revealed in a report released in December 2025. Tornado is the codename for the most recent version of Tonnerre (version 50).

The report also revealed that threat actors replaced the C2 infrastructure for all variants of Tonnerre and Foudre and also released Tornado variant 51 that employs both Telegram and HTTP for C2.

It generates C2 domain names using two distinct techniques: a new DGA algorithm initially, followed by fixed names utilizing blockchain data de-obfuscation. We believe that this novel method offers more flexibility in C2 domain name registration without requiring an upgrade to the Tornado version.

Experts believe that Infy also abused a 1-day security bug in WinRAR to extract the Tornado payload on an infected host to increase the effectiveness of its attacks. The RAR archives were sent to the Virus Total platform from India and Germany in December 2025. This means the two countries may have been victims. 



Read more »
Ransomware
AI Black Basta Black Basta Ransomware Cloud Cyber Crime Data Ransomware

Federal Agencies Worldwide Hunt for Black Basta Ransomware Leader


International operation to catch Ransomware leader 

International law enforcement agencies have increased their search for individuals linked to the Black Basta ransomware campaign. Agencies confirmed that the suspected leader of the Russia-based Ransomware-as-a-service (RaaS) group has been put in the EU’s and Interpol’s Most Wanted list and Red Notice respectively. German and Ukrainian officials have found two more suspects working from Ukraine. 

As per the notice, German Federal Criminal Police (BKA) and Ukrainian National Police collaborated to find members of a global hacking group linked with Russia. 

About the operation 

The agencies found two Ukrainians who had specific roles in the criminal structure of Black Basta Ransomware. Officials named the gang’s alleged organizer as Oleg Evgenievich Nefedov from Russia. He is wanted internationally. German law enforcement agencies are after him because of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.”

According to German prosecutors, Nefedov was the ringleader and primary decision-maker of the group that created and oversaw the Black Basta ransomware. under several aliases, such as tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi. He is thought to have created and established the malware known as Black Basta. 

The Ukrainian National Police described how the German BKA collaborated with domestic cyber police officers and investigators from the Main Investigative Department, guided by the Office of the Prosecutor General's Cyber Department, to interfere with the group's operations.

The suspects

Two individuals operating in Ukraine were found to be carrying out technical tasks necessary for ransomware attacks as part of the international investigation. Investigators claim that these people were experts at creating ransomware campaigns and breaking into secured systems. They used specialized software to extract passwords from business computer systems, operating as so-called "hash crackers." 

Following the acquisition of employee credentials, the suspects allegedly increased their control over corporate environments, raised the privileges of hacked accounts, and gained unauthorized access to internal company networks.

Authorities claimed that after gaining access, malware intended to encrypt files was installed, sensitive data was stolen, and vital systems were compromised. The suspects' homes in the Ivano-Frankivsk and Lviv regions were searched with permission from the court. Digital storage devices and cryptocurrency assets were among the evidence of illicit activity that police confiscated during these operations.

Read more »
Technology
AI Apple Cloud Data Location Technology

Apple's New Feature Will Help Users Restrict Location Data


Apple has introduced a new privacy feature that allows users to restrict the accuracy of location data shared with cellular networks on a few iPad models and iPhone. 

About the feature

The “Limit Precise Location” feature will start after updating to iOS26.3 or later. It restricts the information that mobile carriers use to decide locations through cell tower connections. Once turned on, cellular networks can only detect the device’s location, like neighbourhood instead of accurate street address. 

According to Apple, “The precise location setting doesn't impact the precision of the location data that is shared with emergency responders during an emergency call.” “This setting affects only the location data available to cellular networks. It doesn't impact the location data that you share with apps through Location Services. For example, it has no impact on sharing your location with friends and family with Find My.”

Users can turn on the feature by opening “Settings,” selecting “Cellular,” “Cellular Data Options,” and clicking the “Limit Precise Location” setting. After turning on limited precise location, the device may trigger a device restart to complete activation. 

The privacy enhancement feature works only on iPhone Air, iPad Pro (M5) Wi-Fi + Cellular variants running on iOS 26.3 or later. 

Where will it work?

The availability of this feature will depend on carrier support. The mobile networks compatible are:

EE and BT in the UK

Boost Mobile in the UK

Telecom in Germany 

AIS and True in Thailand 

Apple hasn't shared the reason for introducing this feature yet.

Compatibility of networks with the new feature 

Apple's new privacy feature, which is currently only supported by a small number of networks, is a significant step towards ensuring that carriers can only collect limited data on their customers' movements and habits because cellular networks can easily track device locations via tower connections for network operations.

“Cellular networks can determine your location based on which cell towers your device connects to. The limit precise location setting enhances your location privacy by reducing the precision of location data available to cellular networks,”

Read more »
Subscribe to: Comments (Atom)