Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data. Show all posts
South Korea
Cloud Cyber Attacks Data GitHub phishing South Korea

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea


GitHub attacked by state-sponsored hackers 

Cyber criminals possibly linked with the Democratic People's Republic of Korea (DPRK) have been found using GitHub as a C2 infrastructure in multi-stage campaigns attacking organizations in South Korea. 

The operation chain involves hidden Windows shortcut (LNK) files that work as a beginning point to deploy a fake PDF document and a PowerShell script that triggers another attack. Experts believe that these LNK files are circulated through phishing emails.

Payload execution 

Once the payloads are downloaded, the victim is shown as the PDF document, while the harmful PowerShell script operates covertly in the background. 

The PowerShell script does checks to avoid analysis by looking for running processes associated with machines, forensic tools, and debuggers. 

Successful exploit scenario 

If successful, it retrieves a Visual Basic Script (VBScript) and builds persistence through a scheduled task that activates the PowerShell payload every 30 minutes in a covert window to escape security. 

This allows the PowerShell script to deploy automatically after every system reboot. “Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” S2W reported. 

The PowerShell script then classifies the attacked host, saves the response to a log file, and extracts it to a GitHub repository made under the account “motoralis” via a hard-coded access token. Few of the GitHub accounts made as part of the campaign consist of “Pigresy80,” "pandora0009”, “brandonleeodd93-blip” and “God0808RAMA.”

After this, the script parses a particular file in the same GitHub repository to get more instructions or modules, therefore letting the threat actor to exploit the trust built with a platform such as GitHub to gain trust and build persistence over the compromised host. 

Campaign history 

According to Fortnet, LNK files were used in previous campaign iterations to propagate malware families such as Xeno RAT. Notably, last year, ENKI and Trellix demonstrated the usage of GitHub C2 to distribute Xeno RAT and its version MoonPeak. 

Kimsuky, a North Korean state-sponsored organization, was blamed for these assaults. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate,” said researcher Cara Lin. 


Read more »
Technology
automotive technology Cloud systems Data Data Governance Digital Infrastructure IT system Technology

How Connected Vehicles Are Turning Into Enterprise Systems

 



The technological foundation behind connected vehicles is undergoing a monumental shift. What was once limited to in-vehicle engineering is now expanding into a complex ecosystem that closely resembles enterprise-level digital infrastructure. This transition is forcing automakers to rethink how they manage scalability, security, and data, while also elevating the strategic importance of digital platforms in shaping future revenue streams.

For many years, automotive innovation focused primarily on the physical vehicle, including mechanical systems, embedded electronics, and onboard software. That model is changing. The systems supporting connected vehicles now extend far beyond the car itself and increasingly resemble large, integrated digital platforms similar to those used by major technology-driven enterprises.

As automakers roll out connected features across entire fleets, the supporting technology stack is growing exponentially. Today’s connected vehicle ecosystem typically includes cloud environments designed to handle millions of simultaneous connections, mobile applications that allow users to control and monitor their vehicles, infrastructure for delivering over-the-air software updates, and large-scale data systems that process continuous streams of vehicle-generated information.

This architecture aligns closely with enterprise IT platforms, although the scale and operational complexity are even greater. Connected vehicles can generate as much as 25 gigabytes of data per hour, depending on their sensors and capabilities. Research from International Data Corporation indicates that data generated by connected and autonomous vehicles could reach multiple zettabytes annually by the end of this decade. This rapid growth is compelling automakers to redesign how they structure, manage, and secure their digital environments.

Traditionally, initiatives related to connected vehicles were handled by engineering and research teams focused on embedded systems. However, as deployment expands across regions and vehicle models, the challenges now mirror those seen in enterprise IT. These include scaling platforms efficiently, managing identity and access controls, governing vast datasets, coordinating multiple vendors, and ensuring security throughout the entire system lifecycle.

This transformation is also reshaping leadership roles within automotive companies. Chief Information Officers are becoming increasingly central as the supporting infrastructure around vehicles begins to resemble enterprise IT ecosystems. While engineering teams still lead vehicle software development, the broader digital environment, including cloud systems and data platforms, is now a critical area of responsibility for IT leadership. Many automakers are shifting toward platform-based strategies, treating the connected vehicle backend as a long-term digital asset rather than a feature tied to a single vehicle model.

At the same time, the ecosystem of technology providers involved in connected vehicles is expanding rapidly. These platforms often rely on a combination of telematics services, cloud providers, mobile development frameworks, cybersecurity solutions, analytics platforms, and OTA update systems. Managing such a diverse network requires structured governance and integration approaches similar to those used in large enterprise environments.

Cybersecurity has become a central pillar of this transformation. Regulatory frameworks such as ISO/SAE 21434 and UNECE WP.29 R155 now require manufacturers to implement continuous cybersecurity management across both vehicles and their supporting digital systems. These regulations extend beyond the vehicle itself, covering cloud services, mobile applications, and software update mechanisms.

The financial implications of this course are substantial. According to McKinsey & Company, software-enabled services and digital features could contribute up to 30 percent of total automotive revenue by 2030. This highlights how critical digital platforms are becoming to the industry’s long-term business model.

Industry experts emphasize that connected vehicles are no longer standalone products but part of a broader technological ecosystem. Vikash Chaudhary, Founder and CEO of HackersEra, explains that connected vehicles are effectively turning into distributed technology platforms. He notes that companies adopting strong platform architectures, robust data governance, and integrated cybersecurity measures will be better positioned to scale operations and drive innovation.

As vehicles continue to tranform into software-defined systems, the competitive landscape is shifting. The key battleground is no longer limited to the vehicle itself but is increasingly centered on the enterprise-grade platforms that enable connected mobility at scale.

Read more »
phishing
AI Cloud Data malware phishing

China-based TA416 Targets European Businesses via Phishing Campaigns

Chinese state-sponsored attacks

A China-based hacker is targeting European government and diplomatic entities; the attack started in mid-2025, after a two-year period of no targeting in the region. The campaign has been linked to TA416; the activities coincide with DarkPeony, Red Lich, RedDelta, SmugX, Vertigo Panda, and UNC6384.

According to Proofpoint, “This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries. Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload."

Multiple attack campaigns

Additionally, TA416 organized multiple campaigns against the government and diplomatic organizations in the Middle East after the US-Iran conflict in February 2026. The attack aimed to gather regional intelligence regarding the conflict.

TA416 also has a history of technical overlaps with a different group, Mustang Panda (UNK_SteadySplit, CerenaKeeper, and Red Ishtar). The two gangs are listed as Hive0154, Twill Typhoon, Earth Preta, Temp.HEX, Stately Taurus, and HoneyMyte. 

TA416’s attacks use PlugX variants. The Mustang Panda group continually installed tools like COOLCLIENT, TONESHELL, and PUBLOAD. One common thing is using DLL side-loading to install malware.

Attack tactic

TA416’s latest campaigns against European entities are pushing a mix of web bug and malware deployment operations, while threat actors use freemail sender accounts to do spying and install the PlugX backdoor through harmful archives via Google Drive, Microsoft Azure Blob Storage, and exploited SharePoint incidents. The PlugX malware campaigns were recently found by Arctic Wolf and StrikeReady in October 2025. 

According to Proofpoint, “A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient's IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target.”

The TA416 attacks in December last year leveraged third-party Microsoft Entra ID cloud apps to start redirecting to the download of harmful archives. Phishing emails in this campaign link to Microsoft’s authentic OAuth authorization. Once opened, resends the user to the hacker-controlled domain and installs PlugX.

According to experts, "When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it."

Read more »
Internet
AI Cloud Cyber Attacks Data Internet

Attackers Exploit Critical Flaw to Breach 766 Next.js Hosts and Steal Data


Credential-stealing operation

A massive credential-harvesting campaign was found abusing the React2Shell flaw as an initial infection vector to steal database credentials, shell command history, Amazon Web Services (AWS) secrets, GitHub, Stripe API keys. 

Cisco Talos has linked the campaign to a threat cluster tracked as UAT-10608. At least 766 hosts around multiple geographic regions and cloud providers have been exploited as part of the operation. 

About the attack vector

According to experts, “Post-compromise, UAT-10608 leverages automated scripts for extracting and exfiltrating credentials from a variety of applications, which are then posted to its command-and-control (C2). The C2 hosts a web-based graphical user interface (GUI) titled 'NEXUS Listener' that can be used to view stolen information and gain analytical insights using precompiled statistics on credentials harvested and hosts compromised.”

Who are the victims?

The campaign targets Next.js instances that are vulnerable to CVE-2025-55182 (CVSS score: 10.0), a severe flaw in React Server Components and Next.js App Router that could enable remote code execution for access, and then deploy the NEXUS Listener collection framework.

This is achieved by a dropper that continues to play a multi-phase harvesting script that stores various details from the victim system. 

SSH private keys and authorized_keys

JSON-parsed keys and authorized_keys

Kubernetes service account tokens

Environment variables

API keys

Docker container configurations 

Running processes

IAM role-associated temporary credentials

Attack motive

The victims and the indiscriminate targeting pattern are consistent with automated scanning. The key thing in the framework is an application (password-protected) that makes all stolen data public to the user through a geographical user interface that has search functions to browse through the information. The present Nexus Listener version is V3, meaning the tool has gone through significant changes.

Talos managed to get data from an unknown NEXUS Listener incident. It had API keys linked with Stripe, AI platforms such as Anthropic, OpenAI, and NVIDIA NIM, communication services such as Brevo and SendGrid, webhook secrets, Telegram bot tokens, GitLab, and GitHub tokens, app secrets, and database connection strings. 

Read more »
Privacy
AI Data Email alias Internet Privacy

Why Email Aliases Are Important for Every User


Email spam was once annoying in the digital world. Recently, email providers have improved overflowing inboxes, which were sometimes confused with distractions and unwanted mail, such as hyperbolic promotions and efforts to steal user data. 

But the problem has not disappeared completely, as users still face problems sometimes. To address the issue, user can use email aliases. 

About email alias 

Email alias is an alternative email address that allows you to get mails without sharing your address. The alias reroutes all incoming mails to your primary account.

Types of email aliases 

Plus addressing: For organizing mail efficiently, you are a + symbol and a category, you can also add rules to your mail and filter them by source. 

Provider aliases: Mainly used for organizations to have particular emails for sections, while all mails go to the same inbox. 

Masked/forwarding aliases: They are aimed at privacy. Users don't give their real email, instead, a random mail is generated, while the email is sent to your real inbox. This feature is available with services like Proton Mail. 

How it protects our privacy 

Email aliases are helpful for organizing inbox, and can be effective for contacting business. But the main benefit is protecting your privacy. 

There are several strategies to accomplish this, but the primary one is to minimize the amount of time your email is displayed online. Your aliases can be removed at any moment, but they will still be visible and used. The more aliases you use, the more difficult it is to identify your real core email address. 

Because it keeps your address hidden from spammers, marketers, and phishing efforts, you will have more privacy. It is also simpler to determine who has exploited your data. 

Giving email aliases in specific circumstances makes it simpler to find instances when they have been abused. Instead of having to deal with a ton of spam, you can remove an alias as soon as you discover someone is abusing it and start over.

Aliases can be helpful for privacy, but they are not a foolproof way to be safe online. They do not automatically encrypt emails, nor do they cease tracking cookies.

The case of Apple

Court filings revealed that Apple Hide My Email, a function intended to protect genuine email addresses, does not keep users anonymous from law enforcement, raising new concerns about privacy.

With the use of this feature, which is accessible to iCloud+ subscribers, users can create arbitrary email aliases so that websites and applications never see their primary address. Apple claims it doesn't read messages; they are just forwarded. However, recent US cases show a clear limit: Apple was able to connect those anonymous aliases to identifiable accounts in response to legitimate court demands

Read more »
Technology
AI ClawJacked Data OpenClaw Technology

Hackers Exploit OpenClaw Bug to Control AI Agent


Cybersecurity experts have discovered a high-severity flaw named “ClawJacked” in the famous AI agent OpenClaw that allowed a malicious site bruteforce access silently to a locally running instance and take control. 

Oasis Security found the issue and informed OpenClaw, a fix was then released in version 2026.2.26 on 26th February. 

About OpenClaw

OpenClaw is a self-hosted AI tool that became famous recently for allowing AI agents to autonomously execute commands, send texts, and handle tasks across multiple platforms. Oasis security said that the flaw is caused by the OpenClaw gateway service linking with the localhost and revealing a WebSocket interface. 

Attack tactic 

As cross-origin browser policies do not stop WebSocket connections to a localhost, a compromised website opened by an OpenClaw user can use Javascript to secretly open a connection to the local gateway and try verification without raising any alarms. 

To stop attacks, OpenClaw includes rate limiting. But the loopback address (127.0.0.1) is excused by default. Therefore, local CLI sessions are not accidentally locked out. 

OpenClaw brute-force to escape security 

Experts discovered that they could brute-force the OpenClaw management password at hundreds of attempts per second without any failed attempts being logged. When the correct password is guessed, the hacker can silently register as a verified device, because the gateway autonomously allows device pairings from localhost without needing user info. 

“In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human-chosen password doesn't stand a chance,” Oasis said. 

The attacker can now directly interact with the AI platform by identifying connected nodes, stealing credentials, dumping credentials, and reading application logs with an authenticated session and admin access. 

Attacker privileges

According to Oasis, this might enable an attacker to give the agent instructions to perform arbitrary shell commands on paired nodes, exfiltrate files from linked devices, or scan chat history for important information. This would essentially result in a complete workstation compromise that is initiated from a browser tab. 

Oasis provided an example of this attack, demonstrating how the OpenClaw vulnerability could be exploited to steal confidential information. The problem was resolved within a day of Oasis reporting it to OpenClaw, along with technical information and proof-of-concept code.

Read more »
phishing
AppleChris APT Data malware MemFun phishing

Chinese Threat Actors Attack Southeast Asian Military Targets via Malware


A China-based cyber espionage campaign is targeting Southeast Asian military targets. The state-sponsored campaign started in 2020. 

Palo Alto Networks Unit 42 has been tracking the campaign under the name CL-STA-1087. Here, CL means cluster, and STA means state-backed motivation. 

According to security experts Yoav Zemah and Lior Rochberger, “The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft. The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces.”

About the campaign

The campaign shows traces commonly linked with APT campaigns, such as defense escape tactics, tailored delivery methods, custom payload deployment, and stable operational infrastructure to aid sustained access to hacked systems.

MemFun and AppleChris

Threat actors used tools such as backdoors called MemFun and AppleChris, and a credential harvester called Getpass. Experts found the hacking tools after finding malicious PowerShell execution that allowed the script to go into a sleep state and then make reverse shells to a hacker-controlled C2 server. Experts don't know about the exact initial access vector. 

About the attack sequence

The compromise sequence deploys AppleChris’ different versions across victim endpoints and moves laterally to avoid detection. Hackers were also found doing searches for joint military activities, detailed assessments of operational capabilities, and official meeting records. The experts said that the “attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems.”

MemFun and AppleChris are designed to access a shared Pastebin account that serves as a dead-drop resolver to retrieve the real C2 address in Base64-encoded format. An AppleChris version also depends on Dropbox to fetch the C2 details via the Pastebin approach, kept as a backup option. Installed via DLL hijacking, AppleChris contacts the C2 server to receive commands to perform drive enumeration and related tasks. 

According to Unit 42, “To bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime. These variants trigger delayed execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL), effectively outlasting the typical monitoring windows of automated sandboxes.”

Read more »
Technology
AI AI Malware Cloud Data Hive Technology

Experts Warn About AI-assisted Malwares Used For Extortion


AI-based Slopoly malware

Cybersecurity experts have disclosed info about a suspected AI-based malware named “Slopoly” used by threat actor Hive0163 for financial motives. 

IBM X-Force researcher Golo Mühr said, “Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take,” according to the Hacker News.

Hive0163 malware campaign 

Hive0163's attacks are motivated by extortion via large-scale data theft and ransomware. The gang is linked with various malicious tools like Interlock RAT, NodeSnake, Interlock ransomware, and Junk fiction loader. 

In a ransomware incident found in early 2026, the gang was found installing Slopoly during the post-exploit phase to build access to gain persistent access to the compromised server. 

Slopoly’s detection can be tracked back to PowerShell script that may be installed in the “C:\ProgramData\Microsoft\Windows\Runtime” folder via a builder. Persistence is made via a scheduled task called “Runtime Broker”. 

Experts believe that that malware was made with an LLM as it contains extensive comments, accurately named variables, error handling, and logging. 

There are signs that the malware was developed with the help of an as-yet-undetermined large language model (LLM). This includes the presence of extensive comments, logging, error handling, and accurately named variables. 

The comments also describe the script as a "Polymorphic C2 Persistence Client," indicating that it's part of a command-and-control (C2) framework. 

According to Mühr, “The script does not possess any advanced techniques and can hardly be considered polymorphic, since it's unable to modify its own code during execution. The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware builders.”

The PowerShell script works as a backdoor comprising system details to a C2 server. There has been a rise in AI-assisted malware in recent times. Slopoly, PromptSpy, and VoidLink show how hackers are using the tool to speed up malware creation and expand their operations. 

IBM X-Force says the “introduction of AI-generated malware does not pose a new or sophisticated threat from a technical standpoint. It disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack.”

Read more »
Network
Cloud Cyber Security Data FortiGate Network

Hackers Exploit FortiGate Devices to Hack Networks and Credentials


Exploiting network points to hack victims 

Cybersecurity experts have warned about a new campaign where hackers are exploiting FortiGate Next-Gen Firewall (NGFW) devices as entry points to hack target networks. 

The campaign involves abusing the recently revealed security flaws or weak password to take out configuration files. The activity has singled out class linked to government, healthcare, and managed service providers. 

Attack tactic 

According to experts, “FortiGate network appliances have considerable access to the environments they were installed to protect. In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”

"This setup can enable the appliance to map roles to specific users by fetching attributes about the connection that’s being analyzed and correlating with the Directory information, which is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device,” the experts added. 

Misconfigurations opening doors for hackers 

But the experts noticed that this access could be compromised by hackers who hack into FortiGate devices via flaws or misconfigurations.

In one attack, the hackers breached a FortiGate appliance last year in November to make a new local admin account “support” and built four new firewall policies that let the account to travel across all zones without any limitations. 

The hacker then routinely checked device access. “Evidence demonstrates the attacker authenticated to the AD using clear text credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials,” SentinelOne reported. 

How was the account used?

After this, hacker leveraged the service account to verify the target's environment and put rogue workstations in the AD for further access. Following this, network scanning started and the breach was found, and lateral movement was stopped. 

The contents of the NTDS.dit file and SYSTEM registry hive were exfiltrated to an external server ("172.67.196[.]232") over port 443 by the Java malware, which was triggered via DLL side-loading.

SentinelOne said that “While the actor may have attempted to crack passwords from the data, no such credential usage was identified between the time of credential harvesting and incident containment.”

Read more »
Technlogy
AI Cloud Data GenAI Microsoft phishing Technlogy

Microsoft Report Reveals Hackers Exploit AI In Cyberattacks


According to Microsoft, hackers are increasingly using AI in their work to increase attacks, scale cyberattack activity, and limit technical barriers throughout all aspects of a cyberattack. 

Microsoft’s new Threat Intelligence report reveals that threat actors are using genAI tools for various tasks, such as phishing, surveillance, malware building, infrastructure development, and post-hack activity. 

About the report

In various incidents, AI helps to create phishing emails, summarize stolen information, debug malware, translate content, and configure infrastructure. “Microsoft Threat Intelligence has observed that most malicious use of AI today centers on using language models for producing text, code, or media. Threat actors use generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure,” the report said. 

"For these uses, AI functions as a force multiplier that reduces technical friction and accelerates execution, while human operators retain control over objectives, targeting, and deployment decisions,’ warns Microsoft.

AI in cyberattacks 

Microsoft found different hacking gangs using AI in their cyberattacks, such as North Korean hackers known as Coral Sleet (Storm-1877) and Jasper Sleet (Storm-0287), who use the AI in their remote IT worker scams. 

The AI helps to make realistic identities, communications, and resumes to get a job in Western companies and have access once hired. Microsoft also explained how AI is being exploited in malware development and infrastructure creation. Threat actors are using AI coding tools to create and refine malicious code, fix errors, and send malware components to different programming languages. 

The impact

A few malware experiments showed traces of AI-enabled malware that create scripts or configure behaviour at runtime. Microsoft found Coral Sleet using AI to make fake company sites, manage infrastructure, and troubleshoot their installations. 

When security analysts try to stop the use of AI in these attacks, Microsoft says hackers are using jailbreaking techniques to trick AI into creating malicious code or content. 

Besides generative AI use, the report revealed that hackers experiment with agentic AI to do tasks autonomously. The AI is mainly used for decision-making currently. As IT worker campaigns depend on the exploitation of authentic access, experts have advised organizations to address these attacks as insider risks. 

Read more »
Windows
AI BadPaw Cloud Data malware Windows

BadPaw Malware Targets Uranian Systems


A newly found malware campaign exploiting a Ukrainian email service to build trust has been found by cybersecurity experts. 

About the campaign 

The operation starts with an email sent from an address hosted on ukr[.]net, a famous Ukrainian provider earlier exploited by the Russia based hacking group APT28 in older campaigns.

BadPaw malware 

Experts at ClearSky have termed the malware “BadPaw.” The campaign starts when a receiver opens a link pretending to host a ZIP archive. Instead of starting a direct download, the target is redirected to a domain that installs a tracking pixel, letting the threat actor to verify engagement. Another redirect sends the ZIP file. 

The archive pretends to consist of a standard HTML file, but ClearSky experts revealed that it is actually an HTA app in hiding. When deployed, the file shows a fake document related to a Ukrainian government border crossing request, where malicious processes are launched in the background. 

Attack tactic 

Before starting, the malware verifies a Windows Registry key to set the system's installation date. If the OS is older than ten days, deployment stops, an attack tactic that escapes sandbox traps used by threat analysts. 

If all the conditions are fulfilled, the malware looks for the original ZIP file and retrieves extra components. The malware builds its persistence via a scheduled task that runs a VBS script which deploys steganography to steal hidden executable code from an image file. 

Only nine antivirus engines could spot the payload at the time of study. 

Multi-Layered Attack

After activation within a particular parameter, BadPaw links to a C2 server. 

The following process happens:

Getting a numeric result from the /getcalendar endpoint. 

Gaining access to a landing page called "Telemetry UP!” through /eventmanager. 

Downloading the ASCII-encoded payload information installed within HTML. 

In the end, the decrypted data launches a backdoor called "MeowMeowProgram[.]exe," which offers file system control and remote shell access. 

Four protective layers are included in the MeowMeow backdoor: runtime parameter constraints, obfuscation of the.NET Reactor, sandbox detection, and monitoring for forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler.

Incorrect execution results in a benign graphical user interface with a picture of a cat. The "MeowMeow" button only displays a harmless message when it is clicked.

Read more »
Technology
Bitcoin Blockchain Cloud Crypto Data Technology

Too Much Data Regulation Can Create Security Risks


Bitcoin transactions are transparent by design, they work as a pseudonym where operations are visible but identity is hidden. But the increasing amount of identity-based data around users is affecting the transparency into a personal security threat. 

The problem 

The increasing regulatory data collection is now mixing with bitcoin’s on-chain transparency, making a trove of identity linked data that hackers can abuse for forced, real-world attacks. 

What makes data a target? 

Physical attacks against cryptocurrency holders are on the rise due to a number of factors, including social engineering, frequent major data breaches, KYC requirements, and regulatory data collection. 

These occurrences, which are frequently referred to as "wrench attacks," entail coercion to gain private keys or force transactions by threats or physical violence. With France emerging as a focus point, this movement is highlighting a weakness in the industry's regulation.

Threats has become the rule rather than the exception, with at least 47.2% of cases involving verified torture or physical assault and 51.5% including firearms. There were 19 fatal occurrences, which resulted in 24 deaths overall and a 6.2% fatality rate. 2025 was the most violent year on record in terms of recorded cases, but analysts warn that the actual number of occurrences is probably greater because of underreporting. All numbers are based on cases that were publicly available at the time of reporting.

What are the risks?

The risk profile for Bitcoin holders is very harsh. Transactions are irreversible once private keys are turned over under duress. Chargebacks, account freezes, and institutional recovery procedures are nonexistent. When coupled with actual compulsion, the protocol's famed finality becomes a liability. 

France serves as an example of how rapidly this risk might increase. In France, there were twenty bitcoin-related physical attacks in 2025, compared to a total of just four between 2017 and 2024. Eight more cases had already been reported by early February 2026, indicating that the rise is continuing rather than leveling down. Europe now accounts for around 40% of all events worldwide, up from about 22% in 2024.

Read more »
US
Cyber Attacks Data Internet Iran Israel US

Threat Actors Hit Iranian Sites and Apps After the US-Israel Strike


A series of cyber attacks happened last week during the U.S- Israel attack on targets throughout Iran. 

The cyberattacks included hijacking the various news sites to show messages and also hacking BadeSaba, a religious calendar application over 5 million downloads, which showed messages warning users “It’s time for reckoning” and telling armed forces to give up and quit. 

The U.S Cyber Command spokesperson didn't comment on the issue. 

Internet connectivity in Iran has dropped significantly at 0706 GMT, with minimum connectivity remaining, according to Kentik’s director of internet analysis. It was a smart move to launch a cyberattack on BadeSaba as pro-government people use it and are more religious, said Hamid Kashfi, a security expert and founder of DarkCell, a cybersecurity firm. 

Cyberattacks also hit various Iranian military targets and government services to restrict a coordinated Iranian response, according to the Jerusalem Post. Reuters hasn't verified the claims yet. Sophos director of threat intelligence said that “As Iran considers its options, ‌the likelihood increases that proxy groups and hacktivists may take action, including cyberattacks, against Israeli and U.S.-affiliated military, commercial, or civilian targets,” said Rafe Pilling, the director of threat intelligence with cybersecurity firm.”

These cyber operations may include old data breaches reported as new, vain efforts to breach interne-exposed industrial systems, and may also redirect offensive cyber operations. 

Cynthia Kaiser, a senior vice president at the anti-ransomware company Halcyon and a former top FBI cyber official, stated that activity has escalated in the Middle East. 

According to Kaiser, the company has also received calls to action from well-known pro-Iranian cyber personalities who have previously carried out ransomware attacks, hack-and-leak operations, and distributed denial-of-service (DDoS) attacks, which overload internet services and make them unavailable. He stated, "CrowdStrike is already seeing activity consistent with Iranian-aligned threat actors and hacktivist groups conducting reconnaissance and initiating DDoS attacks.”

Experts also believe that state-sponsored Iranian hacking gangs already launched “wiper “ attacks that remove data on Israeli targets before the strikes. 

Apart from a brief disruption of services in Tirana, the capital of Albania, there was little indication of the disruptive cyberattacks frequently mentioned during discussions about Iran's digital capabilities in June following the U.S. strike on Iranian nuclear targets, according to media sources.

Read more »
Ransomware
Cloud Corporate Cyber Attacks Data Ransomware

Iron Man Data Breach Only Impacted Marketing Resources


Data storage and recovery services company ‘Iron Mountain’ suffered a data breach. Extortion gang ‘Everest’ was behind the breach. Iron Mountain said the breach was limited to marketing materials. The company specializes in records management and data centers, it has more than 240,000 customers globally in 61 countries. 

About the breach 

The gang claimed responsibility on the dark web, claiming to steal 1.4 TB of internal company documents. Threat actors used leaked login credentials to access a single folder on a file-sharing server having marketing materials. 

Experts said that Everest actors didn't install any ransomware payloads on the server, and no extra systems were breached. No sensitive information was exposed. The compromised login accessed one folder that had marketing materials. 

The Everest ransomware group started working from 2020. It has since changed its tactics. Earlier, it used to encrypt target's systems via ransomware. Now, it focuses on data-theft-only corporate extortion. Everest is infamous for acting as initial access broker for other hackers and groups. It also sells access to compromised networks. 

History 

In the last 5 years, Everest’s victim list has increased to hundreds in its list portal. This is deployed in double-extortion attacks where hackers blackmail to publish stolen files if the victims don't pay ransom. 

The U.S. Department of Health and Human Services also issued a warning in August 2024 that Everest was increasingly focusing on healthcare institutions nationwide. More recently, the cybercrime operation removed its website in April 2025 after it was vandalized and the statement "Don't do crime CRIME IS BAD xoxo from Prague" was posted in its place.

If the reports of sensitive data theft turn out to be accurate, Iron Mountain's clients and partners may be at risk of identity theft and targeted phishing. Iron Mountain's present evaluation, however, suggests that the danger is restricted to the disclosure of non-confidential marketing and research documents. 

What is the impact?

Such purported leaks usually result in short-term reputational issues while forensic investigations are being conducted. Iron Mountain has deactivated the compromised credential as a precaution and is still keeping an eye on its systems. 

Vendors or affected parties who used the aforementioned file-sharing website should be on the lookout for odd communications. Iron Mountain's response to these unsubstantiated allegations must be transparent throughout the investigation.

Read more »
surveillance
AI Cyber Crime Data espionage spying surveillance

Palo Alto Pulls Back from Linking China to Spying Campaign


Palo Alto Network pulls back

According to two people familiar with the situation, Palo Alto Networks (PANW.O), which opens a new tab, decided against linking China to a global cyberespionage effort that the company revealed last week out of fear that Beijing would retaliate against the cybersecurity business or its clients. 

The reason 

According to the sources, after Reuters first reported last month that Palo Alto was one of roughly 15 U.S. and Israeli cybersecurity companies whose software had been banned by Chinese authorities on national security grounds, Palo Alto's findings that China was linked to the widespread hacking spree were scaled back.

According to the two individuals, a draft report from Palo Alto's Unit 42, the company's threat intelligence division, said that the prolific hackers, known as "TGR-STA-1030," were associated with Beijing. 

About the report 

The report was released on Thursday of last week. Instead, a more vague description of the hacking group as a "state-aligned group that operates out of Asia" was included in the final report. Advanced attacks are notoriously hard to attribute, and cybersecurity specialists frequently argue about who should be held accountable for digital incursions. Palo Alto executives ordered the adjustment because they were worried about the software prohibition and suspected that it would lead to retaliation from Chinese authorities against the company's employees in China or its customers abroad.

China's reply 

The Chinese Embassy in Washington stated that it is against "any kind of cyberattack." Assigning hacks was described as "a complex technical issue" and it was anticipated that "relevant parties will adopt a professional and responsible attitude, basing their characterization of cyber incidents on sufficient evidence, rather than unfounded speculation and accusations'." 

In early 2025, Palo Alto discovered the hacker collective TGR-STA-1030, the report says, opening a new tab. Palo Alto called the extensive operation "The Shadow Campaigns." It claimed that the spies successfully infiltrated government and vital infrastructure institutions in 37 countries and carried out surveillance against almost every nation on the planet.

After reviewing Palo Alto's study, outside experts claimed to have observed comparable activity that they linked to Chinese state-sponsored espionage activities.





Read more »
Vulnerabilities and Exploits
AI Bug Cloud Data Vulnerabilities and Exploits

Exposed Training Opens the Gap for Crypto Mining in Cloud Enviornments


Purposely flawed training apps are largely used for security education, product demonstrations, and internal testing. Tools like bWAPP, OWASP Juice Shop, and DVWA are built to be unsafe by default, making them useful to learn how common attack tactics work in controlled scenarios. 

The problem is not the applications but how they are used in real-world cloud environments. 

Penetra Labs studied how training and demo apps are being deployed throughout cloud infrastructures and found a recurring pattern: apps made for isolated lab use were mostly found revealed to the public internet, operating within active cloud profiles, and linked to cloud agents with larger access than needed. 

Deployment Patterns analysis 

Pentera Labs found that these apps were often used with default settings, extra permissive cloud roles, and minimal isolation. The research found that alot of these compromised training environments were linked to active cloud agents and escalated roles, allowing attackers to infiltrate the vulnerable apps themselves and also tap into the customer’s larger cloud infrastructure. 

In the contexts, just one exposed training app can work as initial foothold. Once the threat actors are able to exploit linked cloud agents and escalated roles, they are accessible to the original host or application. But they can also interact with different resources in the same cloud environment, raising the scope and potential impact of the compromise. 

As part of the investigation, Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP.

Proof of active exploitation 

The investigation revealed that the exposed training environments weren't just improperly set up. Pentera Labs found unmistakable proof that attackers were actively taking advantage of this vulnerability in the wild. 

About 20% of cases in the larger dataset of training applications that were made public were discovered to have malicious actor-deployed artifacts, such as webshells, persistence mechanisms, and crypto-mining activity. These artifacts showed that exposed systems had already been compromised and were still being abused. 

The existence of persistence tools and active crypto-mining indicates that exposed training programs are already being widely exploited in addition to being discoverable.

Read more »
Solar Winds
Cloud Cyber Security Data RCE Solar Winds

SolarWinds Web Help Desk Compromised for RCE Multi Stage


SolarWinds compromised 

The threat actors used internet-exposed SolarWinds Web Help Desk (WHD) instances to gain initial access and then proceed laterally across the organization's network to other high-value assets, according to Microsoft's disclosure of a multi-stage attack. 

However, it is unclear if the activity used a previously patched vulnerability (CVE-2025-26399, CVSS score: 9.8) or recently revealed vulnerabilities (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1), according to the Microsoft Defender Security Research Team.

"Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold," the company said in the report. 

About the exploit

CVE-2025-40551 and CVE-2025-26399 both relate to untrusted data deserialization vulnerabilities that could result in remote code execution, and CVE-2025-400536 is a security control bypass vulnerability that might enable an unauthenticated attacker to access some restricted functionality.

Citing proof of active exploitation in the field, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its list of known exploited vulnerabilities (KEVs) last week. By February 6, 2026, agencies of the Federal Civilian Executive Branch (FCEB) were required to implement the solutions for the defect. 

The impact 

The successful exploitation of the exposed SolarWinds WHD instance in the attacks that Microsoft discovered gave the attackers the ability to execute arbitrary commands within the WHD application environment and accomplish unauthenticated remote code execution.

Microsoft claimed that in at least one instance, the threat actors used a DCSync attack, in which they impersonated a Domain Controller (DC) and asked an Active Directory (AD) database for password hashes and other private data. 

What can users do?

Users are recommended to update WHD instances, identify and eliminate any unauthorized RMM tools, rotate admin and service accounts, and isolate vulnerable workstations to minimize the breach in order to combat the attack. 

"This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored," the creator of Windows stated.

Read more »
Ukraine
Cloud Data Starlink Technology Ukraine

Ukraine Increases Control Over Starlink Terminals


New Starlink verification system 

Ukraine has launched a new authentication system for Starlink satellite internet terminals used by the public and the military after verifying that Russia state sponsored hackers have started using the technology to attack drones. 

The government has also introduced a compulsory “whitelist” for Starlink terminals, where only authenticated and registered devices will work in Ukraine. All other terminals used will be removed, as per the statement from Mykhailo Fedorov, country's recently appointed defense chief. 

Why the new move?

Kyiv claims that Russian unmanned aerial vehicles are now being commanded in real time using Starlink links, making them more difficult to detect, jam, or shoot down. This action is intended to counteract these threats. "It is challenging to intercept Russian drones that are equipped with Starlink," Fedorov stated earlier this week. "They can be controlled by operators over long distances in real time, will not be affected by electronic warfare, and fly at low altitudes." The Ministry of Defense is implementing the whitelist in collaboration with SpaceX, the company that runs the constellation of low-Earth orbit satellites for Starlink.

The step is presently the only technological way to stop Russia from abusing the system, Fedorov revealed Wednesday, adding that citizens have already started registering their terminals. "The government has taken this forced action to save Ukrainian lives and safeguard our energy infrastructure," he stated. 

How will it impact other sectors?

Businesses will be able to validate devices online using Ukraine's e-government services, while citizens will be able to register their terminals at local government offices under the new system. According to Ukraine's Ministry of Defense, military units will be exempt from disclosing account information and will utilize a different secure registration method.

Using Starlink connectivity, Ukraine discovered a Russian drone operating over Ukrainian territory at the end of January. After then, Kyiv got in touch with SpaceX to resolve the problem, albeit the specifics of the emergency procedures were not made public. Army, a Ukrainian military outletSetting a maximum speed at which Starlink terminals can operate was one step, according to Inform, which cited an initial cap of about 75 kilometers per hour. According to the study, Russian strike drones usually fly faster than that, making it impossible for operators to manage them in real time.


Read more »
Youtube
AI ChatGPT Cloud Data GenAI Technology Youtube

YouTube's New GenAI Feature in Tools Coming Soon


Youtube is planning something new for its platform and content creators in 2026. The company plans to integrate AI into its existing and new tools. The CEO said that content creators will be able to use GenAI for shorts. While we don't know much about the feature yet, it looks like OpenAI’s Sora app where users make videos of themselves via prompt. 

What will be new in 2026? 

“This year you'll be able to create a Short using your own likeness, produce games with a simple text prompt, and experiment with music “ said CEO Neal Mohan. All these apps will be AI-powered which many creators may not like. Many users prefer non-AI content. CEO Neil Mohan has addressed these concerns and said that “throughout this evolution, AI will remain a tool for expression, not a replacement.”

But the CEO didn't provide other details about these new AI capabilities. It is not clear how this will help the creators and the music experimentation work. 

That's not all, though.

Additionally, YouTube will introduce new formats for shorts. According to Mohan, Shorts would let users to share images in the same way as Instagram Reels does. Direct sharing of these will occur on the subscribers' feed. 

In 2026, YouTube will likewise concentrate on the biggest displays it can be accessed on, which are televisions. According to Mohan, the business will soon introduce "more than 10 specialized YouTube TV plans spanning sports, entertainment, and news, all designed to give subscribers more control," along with "fully customizable multiview.”

Why new feature?

Mohan noted that the creator economy is another area of concern. According to YouTube's CEO, video producers will discover new revenue streams this year. The suggestions made include fan funding elements like jewelry and gifts, which will be included in addition to the current Super Chat, as well as shopping and brand bargains made possible by YouTube. 

YouTube's new venture

The business also hopes to grow YouTube Shopping, an affiliate program that lets content producers sell goods directly in their videos, shorts, and live streams. The business stated that it will implement in-app checkout in 2026, enabling users to make purchases without ever leaving the site.


Read more »
I fy
AI Cloud Cyber Crime Data espionage I fy

Infy Hackers Strike Again With New C2 Servers After Iran's Internet Shutdown Ends


Infy group's new attack tactic 

An Iranian hacking group known as Infy (aka Prince of Persia) has advanced its attack tactics to hide its operations. The group also made a new C2 infrastructure while there was a wave of internet shutdown imposed earlier this year. The gang stopped configuring its C2 servers on January 8 when experts started monitoring Infy. 

In reaction to previous protests, Iranian authorities implemented a nationwide internet shutdown on this day, which probably indicates that even government-affiliated cyber units did not have the internet. 

About the campaign 

The new activity was spotted on 26 January 2026 while the gang was setting up its new C2 servers, one day prior to the Iranian government’s internet restrictions. This suggests that the threat actor may be state-sponsored and supported by Iran. 

Infy is one of the many state-sponsored hacking gangs working out of Iran infamous for sabotage, spying, and influence campaigns coordinated with Tehran’s strategic goals. However, it also has a reputation for being the oldest and less famous gangs staying under the radar and not getting caught, working secretly since 2004 via “laser-focused” campaigns aimed at people for espionage.

The use of modified versions of Foudre and Tonnerre, the latter of which used a Telegram bot probably for data collection and command issuance, were among the new tradecraft linked to the threat actor that SafeBreach revealed in a report released in December 2025. Tornado is the codename for the most recent version of Tonnerre (version 50).

The report also revealed that threat actors replaced the C2 infrastructure for all variants of Tonnerre and Foudre and also released Tornado variant 51 that employs both Telegram and HTTP for C2.

It generates C2 domain names using two distinct techniques: a new DGA algorithm initially, followed by fixed names utilizing blockchain data de-obfuscation. We believe that this novel method offers more flexibility in C2 domain name registration without requiring an upgrade to the Tornado version.

Experts believe that Infy also abused a 1-day security bug in WinRAR to extract the Tornado payload on an infected host to increase the effectiveness of its attacks. The RAR archives were sent to the Virus Total platform from India and Germany in December 2025. This means the two countries may have been victims. 



Read more »
Subscribe to: Comments (Atom)