Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft. Show all posts
Windows
AI Cloud Internet Microsoft PCs Technology Windows

Microsoft to end support for Windows 10, 400 million PCs will be impacted


Microsoft is ending software updates for Windows 10

From October 14, Microsoft will end its support for Windows 10, experts believe it will impact around 400 million computers, exposing them to cyber threats. People and groups worldwide are requesting that Microsoft extend its free support. 

According to recent research, 40.8% of desktop users still use Windows 10. This means around 600 million PCs worldwide use Windows 10. Soon, most of them will not receive software updates, security fixes, or technical assistance. 

400 million PCs will be impacted

Experts believe that these 400 million PCs will continue to work even after October 14th because hardware upgrades won’t be possible in such a short duration. 

“When support for Windows 8 ended in January 2016, only 3.7% of Windows users were still using it. Only 2.2% of Windows users were still using Windows 8.1 when support ended in January 2023,” PIRG said. PIGR has also called this move a “looming security disaster.”

What can Windows users do?

The permanent solution is to upgrade to Windows 11. But there are certain hardware requirements when you want to upgrade, and most users will not be able to upgrade as they will have to buy new PCs with compatible hardware. 

But Microsoft has offered few free options for personal users, if you use 1,000 Microsoft Rewards points. Users can also back up their data to the Windows Backup cloud service to get a free upgrade. If this impacts you, you can earn these points via Microsoft services such as Xbox games, store purchases, and Bing searches. But this will take time, and users don’t have it, unfortunately. 

The only viable option for users is to pay $30 (around Rs 2,650) for an Extended Security Updates (ESU) plan, but it will only work for one year.

According to PIGR, “Unless Microsoft changes course, users will face the choice between exposing themselves to cyberattacks or discarding their old computers and buying new ones. The solution is clear: Microsoft must extend free, automatic support.”

Read more »
Payroll Company
Data Breach Email Hackers HR MFA Microsoft Payroll Company

Payroll Hackers Target U.S. Universities, Microsoft Warns

 



Microsoft researchers have surfaced a new phishing campaign where cybercriminals are stealing university employees’ salaries by redirecting their payroll deposits to accounts under their control. The group behind the attacks has been named “Storm-2657” by Microsoft.

The hackers have been carrying out these attacks since March 2025, targeting staff at multiple U.S. universities and organizations that use third-party HR and payroll platforms, including Workday.

According to Microsoft’s report, at least 11 employee accounts across three universities were compromised and later used to send phishing emails to nearly 6,000 individuals in 25 universities. The scale of the attack suggests a coordinated attempt to infiltrate university payroll systems through deception and stolen credentials.


How the Attack Works

The attackers send phishing emails that appear to come from legitimate university sources or human resources departments. These emails often carry urgent subjects like “COVID-Like Case Reported — Check Your Contact Status” or “Faculty Compliance Notice – Classroom Misconduct Report.”

When recipients click on the embedded links, they are redirected to fake login pages designed to steal their login details and multifactor authentication (MFA) codes. With these details, the hackers gain full access to the victim’s Workday or HR accounts.

Once inside, the criminals create inbox rules that automatically delete emails from Workday, particularly notifications about payroll or bank account changes, ensuring victims remain unaware of any tampering. They also register their own devices for MFA, allowing them to retain access even if the victim later changes their password.

This enables the attackers to quietly change the employee’s bank account information, diverting salary payments into accounts they control.


Broader Pattern of Business Email Compromise

Experts classify this as a variant of Business Email Compromise (BEC), a fraud method where attackers infiltrate or impersonate legitimate business accounts to redirect payments or steal sensitive data.

According to the FBI’s 2024 Internet Crime Report, BEC scams caused over $2 billion in losses last year alone. Many victims include corporations, suppliers, and even schools that handle large financial transactions through wire transfers or automated clearing house (ACH) systems.

In one notable 2024 case, cybercriminals stole $60 million from a major carbon products supplier, while a Tennessee school district also lost millions through similar fraudulent transfers.


Microsoft and Workday Respond

Microsoft said it has alerted affected institutions and shared recommendations to contain the threat. The company advised organizations to adopt phishing-resistant MFA options, monitor for suspicious inbox rules, and require extra verification for any changes to payroll details.

A Workday spokesperson also encouraged clients to strengthen their MFA policies and implement additional review steps before processing sensitive updates like salary or banking information.


Protecting Employees and Institutions

Cybersecurity experts emphasize the importance of employee awareness and vigilant reporting. Staff should avoid clicking on unsolicited HR emails and instead confirm any urgent requests directly with their university’s payroll or IT department.

With education institutions increasingly targeted by financially motivated hackers, proactive defenses and real-time verification remain the most effective safeguards against salary diversion scams.



Read more »
Phishing Campaigns
AI Cloud Cyber Security GenAI Internet Microsoft Phishing Campaigns

Microsoft Stops Phishing Scam Which Used Gen-AI Codes to Fool Victims


AI: Boon or Curse?

AI code is in use across sectors for variety of tasks, particularly cybersecurity, and both threat actors and security teams have turned to LLMs for supporting their work. 

Security experts use AI to track and address to threats at scale as hackers are experimenting with AI to make phishing traps, create obfuscated codes, and make spoofed malicious payloads. 

Microsoft Threat Intelligence recently found and stopped a phishing campaign that allegedly used AI-generated code to cover payload within an SVG file. 

About the campaign 

The campaign used a small business email account to send self addressed mails with actual victims coveted in BCC fields, and the attachment looked like a PDF but consisted SVG script content. 

The SVG file consisted hidden elements that made it look like an original business dashboard, while a secretly embedded script changed business words into code that exposed a secret payload. Once opened, the file redirects users to a CAPTCHA gate, a standard social engineering tactical that leads to a scanned sign in page used to steal credentials. 

The hidden process combined business words and formulaic code patterns instead of cryptographic techniques. 

Security Copilot studied the file and listed markers in lines with LLM output. These things made the code look fancy on the surface, however, it made the experts think it was AI generated. 

Combating the threat

The experts used AI powered tools in Microsoft Defender for Office 375 to club together hints that were difficult for hackers to push under the rug. 

The AI tool flagged the rare self-addressed email trend , the unusual SVG file hidden as a PDF, the redirecting to a famous phishing site, the covert code within the file, and the detection tactics deployed on the phishing page. 

The incident was contained, and blocked without much effort, mainly targeting US based organizations, Microsoft, however, said that the attack show how threat actors are aggressively toying with AI to make believable tracks and sophisticated payloads.

Read more »
Microsoft Outlook security
Bug Fixes Cyber Attacks Microsoft Microsoft Outlook security

Microsoft Probes Outlook Bug Blocking Encrypted Emails Across Tenants

 

Microsoft is investigating a newly identified issue that prevents users of the classic Outlook client from opening encrypted emails sent by other organizations. 

The company confirmed the problem in a recently updated support document, noting that the bug affects customers across all Office release channels. 

According to Microsoft, users attempting to access such emails may encounter the error message: “Configuring your computer for Information Rights Management.” The glitch impacts OMEv2 (Office Message Encryption version 2) messages when sent across different tenants, creating disruptions for enterprise communication. 

Temporary workaround provided 

While the root cause is still under review, Microsoft has issued a temporary fix. Impacted organizations can either exclude external users from Conditional Access policies or enable cross-tenant settings that allow authentication tokens to be trusted between Entra tenants. 

The company recommends the second option as the simpler solution. Administrators can enable cross-tenant access by navigating to the “Inbound access settings – Default settings” page in the Microsoft Entra admin center, selecting “Trust settings,” and then enabling “Trust multifactor authentication from Microsoft Entra tenants.” 

Microsoft cautioned, however, that this workaround only ensures encrypted emails sent from an organization can be opened by others. 

To access encrypted messages received from a different tenant, the sending organization must also apply the same configuration. Ongoing investigation The Outlook and Purview teams are currently working on a permanent resolution. 

Microsoft has assured customers that updates will be shared once more information is available. 

This is the latest in a string of Outlook-related bugs addressed by Redmond (a global headquarter of Microsoft) this year. 

In June, the company resolved a crash affecting the classic Outlook client when opening or composing emails. Later, in August, it mitigated an Exchange Online issue that blocked mobile users relying on Hybrid Modern Authentication. 

With encrypted communications becoming central to enterprise security, a swift resolution will be crucial to ensure seamless cross-tenant collaboration.
Read more »
New York Times
Critical Data Data Breach Data Leaks data security Data Stolen DevOps Leak Source Code Mercedes Benz Microsoft New York Times

DevOps data breaches expose Microsoft, Schneider Electric, Mercedes-Benz, and New York Times

 

Source code forms the backbone of every digital enterprise, and platforms such as GitHub and Atlassian are trusted to safeguard this critical data. Yet, organizations must remember that under the Shared Responsibility Model, users retain accountability for the security of their data. Even the smallest mistake can trigger a devastating cascade, from large-scale leaks of proprietary code to stolen credentials and severe reputational and financial consequences. 

Recent breaches across industries highlight how valuable DevOps environments have become to cybercriminals. Companies as diverse as Mercedes-Benz, The New York Times, and Schneider Electric have all suffered from security lapses, showing that innovation without adequate protection leaves no organization immune. The growing threat landscape underscores the scale of the problem, with cyberattacks occurring roughly every 39 seconds worldwide. IBM has observed a 56% increase in active ransomware groups, while Cybersecurity Ventures predicts that cybercrime costs will rise from $10.5 trillion in 2025 to more than $15 trillion by 2029. The CISO’s Guide to DevOps Threats further identifies technology, fintech, and media as the sectors most at risk, with 59% of ransomware activity concentrated in the United States. Data breaches typically ripple beyond the initial target, affecting partners, customers, and supply chains. 

The ransomware group HellCat has demonstrated how exposed credentials can become a doorway to widespread damage. By exploiting stolen Atlassian Jira logins, they infiltrated global enterprises including Schneider Electric, Orange Group, Telefonica, Jaguar Land Rover, and Ascom. Schneider Electric alone had 40GB of data stolen in 2024, including user records, email addresses, and sensitive project information, with a ransom demand of $125,000. Telefonica was breached twice in 2025, losing over 100GB of internal documents and communications. Similar compromises at Jaguar Land Rover and Ascom revealed thousands of employee records and sensitive corporate data, illustrating how poor credential management fuels recurring attacks. 

Mismanaged access tokens also pose severe risks. Mercedes-Benz faced exposure when an employee accidentally embedded a GitHub token in a public repository, potentially granting attackers access to confidential assets like API keys and database credentials. Threat actors have also weaponized GitHub itself, using trojanized proof-of-concept code and malicious npm dependencies to exfiltrate hundreds of thousands of WordPress credentials and cloud keys. Even unexpected groups, such as fans of Disney’s discontinued Club Penguin, exploited exposed Confluence logins to access corporate files and developer resources. The New York Times confirmed that leaked credentials on a third-party code platform exposed 270GB of internal data, though it reported no operational disruption. 

The cumulative impact of these incidents is staggering, with terabytes of stolen data, millions of records exposed, and reputational harm that far exceeds immediate costs. As regulatory penalties intensify and compliance standards grow stricter, the financial fallout of DevOps data breaches is likely to escalate further, leaving organizations with little choice but to prioritize security at the core of their operations.
Read more »
Privacy
Amazon Cloud Data cloud data security Data Privacy data sovereignty Google Cloud Microsoft Privacy

CLOUD Act Extends US Jurisdiction Over Global Cloud Data Across Microsoft, Google, and Amazon

 

That Frankfurt data center storing your business files or the Singapore server holding your personal photos may not be as secure from U.S. oversight as you think. If the provider is Microsoft, Amazon, Google, or another U.S.-based tech giant, physical geography does little to shield information once American authorities seek access. The Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in March 2018, gives U.S. law enforcement broad authority to demand data from American companies no matter where that information is located. Many organizations and individuals who once assumed that hosting data in Europe or Asia provided protection from U.S. jurisdiction now face an overlooked vulnerability.  

The law applies to every major cloud provider headquartered in the United States, including Microsoft, Amazon, Google, Apple, Meta, and Salesforce. This means data hosted in Microsoft’s European facilities, Google’s Asian networks, or Amazon’s servers in regions worldwide can be accessed through proper legal orders. An organization running Office 365 in London or an individual storing iCloud photos in Berlin could have their data obtained by U.S. investigators with little visibility into the process. Even companies promoting themselves as “foreign hosted” may not be immune if they have American subsidiaries or offices. Jurisdiction extends to entities connected to the United States, meaning that promises of sovereignty can be undercut by corporate structure. 

The framework obligates companies to comply quickly with data requests, leaving limited room for delay. Providers may challenge orders if they conflict with local privacy protections, but the proceedings typically occur without the knowledge of the customer whose data is involved. As a result, users may never know their information has been disclosed, since notification is not required. This dynamic has raised significant concerns about transparency, privacy, and the balance of international legal obligations. 

There are alternatives for those seeking stronger guarantees of independence. Providers such as Hetzner in Germany, OVHcloud in France, and Proton in Switzerland operate strictly under European laws and maintain distance from U.S. corporate ties. These companies cannot be compelled to share data with American authorities unless they enter into agreements that extend jurisdiction. However, relying on such providers can involve trade-offs, such as limited integration with mainstream platforms or reduced global reach. Some U.S. firms have responded by offering “sovereign cloud regions” managed locally, but questions remain about whether ultimate control still rests with the parent corporation and therefore remains vulnerable to U.S. legal demands. 

The implications are clear: the choice of cloud provider is not only a technical or financial decision but a geopolitical one. In a world where information represents both power and liability, each upload is effectively a decision about which country’s laws govern your digital life. For businesses and individuals alike, data location may matter less than corporate origin, and the CLOUD Act ensures that U.S. jurisdiction extends far beyond its borders.
Read more »
Ransom Demands
Azure Cloud Cloud Attacks Cloud Security Cyber Security Data Theft Microsoft Microsoft Azure Ransom Demands

Microsoft Warns Storm-0501 Shifts to Cloud-Based Encryption, Data Theft, and Extortion

 

Microsoft has issued a warning about Storm-0501, a threat actor that has significantly evolved its tactics, moving away from traditional ransomware encryption on devices to targeting cloud environments for data theft, extortion, and cloud-based encryption. Instead of relying on conventional ransomware payloads, the group now abuses native cloud features to exfiltrate information, delete backups, and cripple storage systems, applying pressure on victims to pay without deploying malware in the traditional sense. 

Storm-0501 has been active since at least 2021, when it first used the Sabbath ransomware in attacks on organizations across multiple industries. Over time, it adopted ransomware-as-a-service (RaaS) tools, deploying encryptors from groups such as Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. In September 2024, Microsoft revealed that the group was expanding into hybrid cloud environments, compromising Active Directory and pivoting into Entra ID tenants. During those intrusions, attackers established persistence with malicious federated domains or encrypted on-premises devices with ransomware like Embargo. 

In its latest report, Microsoft highlights that Storm-0501 is now conducting attacks entirely in the cloud. Unlike conventional ransomware campaigns that spread malware across endpoints and then negotiate for decryption, the new approach leverages cloud-native tools to quickly exfiltrate large volumes of data, wipe storage backups, and encrypt files within the cloud itself. This strategy both accelerates the attack and reduces reliance on detectable malware deployment, making it more difficult for defenders to identify the threat in time. 

Recent cases show the group compromising multiple Active Directory domains and Entra tenants by exploiting weaknesses in Microsoft Defender configurations. Using stolen Directory Synchronization Accounts, Storm-0501 enumerated roles, users, and Azure resources with reconnaissance tools such as AzureHound. The attackers then identified a Global Administrator account without multifactor authentication, reset its password, and seized administrative control. With these elevated privileges, they maintained persistence by adding their own federated domains, which allowed them to impersonate users and bypass MFA entirely. 

From there, the attackers escalated further inside Azure by abusing the Microsoft.Authorization/elevateAccess/action capability, granting themselves Owner-level roles and taking complete control of the target’s cloud infrastructure. Once entrenched, they began disabling defenses and siphoning sensitive data from Azure Storage accounts. In many cases, they attempted to delete snapshots, restore points, Recovery Services vaults, and even entire storage accounts to prevent recovery. When these deletions failed, they created new Key Vaults and customer-managed keys to encrypt the data, effectively locking companies out unless a ransom was paid. 

The final stage of the attack involved contacting victims directly through Microsoft Teams accounts that had already been compromised, delivering ransom notes and threats. Microsoft warns that this shift illustrates how ransomware operations may increasingly migrate away from on-premises encryption as defenses improve, moving instead toward cloud-native extortion techniques. The report also includes guidance for detection, including Microsoft Defender XDR hunting queries, to help organizations identify the tactics used by Storm-0501.
Read more »
Technology
Cryptographic Transformation cyber resilience Digital Trust Encryption Standards Microsoft Post Quantum Cryptography Quantum Safe Program Quantum Security Technology

Microsoft Boosts Digital Trust through Post Quantum Cryptography

 


A comprehensive roadmap has been unveiled by Microsoft to enable it to future-proof its security infrastructure, marking a decisive step toward securing the company's products and services with quantum-safe protection by 2033 — two years ahead of the target set by the United States and other governments. 

Moreover, this announcement underscores Microsoft's commitment to preparing for the imminent arrival of quantum computing, which threatens to outpace and undermine the current standards of cryptography in the near future. It is planned that Microsoft's core products and services will begin to be enhanced with quantum-safe capabilities as early as 2029, followed by a gradual transition into default implementation by the following years. 

A new roadmap outlined by Mark Russinovich, Chief Technology Officer for Microsoft Azure, and Michal Braverman-Blumenstyk, Chief Technology Officer for Microsoft's security division, builds upon Microsoft's quantum-safe program introduced in 2023 and builds upon the company's current roadmap. An integral part of this phased approach is a modular framework developed to ensure resilience in the face of cyberattacks from adversaries who possess quantum computers capable of breaking existing encryption models. 

The announcement marks a significant milestone in the race toward post-quantum security worldwide. Microsoft has formally announced its Quantum-Safe Program Strategy. The strategy is designed to make the company's ecosystem ready to deal with the disruptive potential of quantum computing by taking a security-first approach from the very beginning. There are profound stakes involved in this initiative, and it is because of this that this initiative is taking place.

Over the course of the last few decades, modern encryption algorithms have ensured the protection of everything from personal credentials and private communications to financial and critical infrastructure across the globe, but as quantum machines become increasingly powerful, these protections may be compromised, compromising society's trust in the confidentiality and integrity of digital systems that society relies on. 

As Microsoft's roadmap emphasizes its commitment to leading the shift towards a quantum-resilient future, it seeks to address this looming risk well in advance, underlining its commitment to this effort. Even though quantum computing has been hailed as an exciting technological advancement, it is also one of the most significant cryptographic challenges people have encountered during the modern era. This reality Microsoft acknowledges through its ongoing efforts in making the move towards "progress toward next-generation cryptography."

As part of the comprehensive update published by Microsoft Azure's Chief Technology Officer Mark Russinovich and Microsoft's security division's Chief Technology Officer Michal Braverman-Blumenstyk, the company emphasized that quantum systems have the potential to render obsolete the widely used public-key cryptography people are currently using. 

Although Microsoft has already laid the groundwork for a quantum-safe ecosystem, it stressed that it has already begun building resilient security foundations to anticipate and minimize the risks associated with this next wave of computing power. The company has been working on quantum security for quite some time; its pursuit of quantum-safe security dates back to 2014 when early research was conducted into quantum algorithms and quantum cryptography. 

By the end of 2018, the company had begun experimenting with PQC implementations that were confirmed, and in its latest project, it has successfully established a VPN tunnel that is protected by PQC between its Redmond, Washington headquarters and Scotland's underwater data center, Project Natick. 

As Microsoft has grown over the years, it has also taken a strong role in shaping the industry standards, contributing to the development of the Open Quantum Safe project, led the integration workstream of the NIST NCCoE Post-Quantum project, and contributed its FrodoKEM system to ISO standardization as well. It was for these reasons that the company has launched the Quantum Safe Program (QSP), unveiled by Executive Vice President Charlie Bell as part of its long-term vision of helping customers, partners, and the company's own ecosystem make a secure transition into the quantum age. 

As part of the program, a full transition will be completed by 2033, with an early adoption beginning in 2029, aligned with global directives from CISA, NIST, OMB, and CNSSP-15. The strategy, which is based on a phased approach, is structured around three core priorities - the secure deployment of Microsoft's own infrastructure and supply chain, the development of tools that enable crypto-agility for customers and partners, and the advancement of global standards and research. 

The first step in implementing PQC will be to embed PQC into foundational cryptographic libraries such as SymCrypt, with the ML-KEM and ML-DSA already available for testing on Windows Insider builds and Linux APIs, along with hybrid TLS key exchange enabled via SymCrypt-OpenSSL to counter the threat of "harvest now, decrypt later". As the next phase progresses, PQC integration will expand to include authentication, signing, Windows, Azure, Microsoft 365, Artificial Intelligence systems, and networking services as well. 

The shift from quantum to post-quantum cryptography is not simply a switch, but a multiyear transformation that requires early, coordinated action to avoid a disruptive, last-minute scramble that Microsoft demonstrates by combining years of research, standards collaboration, and staged implementation. It has been set up for the company to set an ambitious internal deadline in order to ensure its core services are quantum-ready by 2029. 

In fact, this is a much more aggressive timeline than most governments have set for the transition. It should be noted that according to the UK Government's National Cyber Security Centre (NCSC), critical sectors should aim to move to post-quantum cryptography (PQC) by the year 2035 in order to ensure their cybersecurity. 

There has been some discussion about this proactive stance recently, and Mark Russinovich, Chief Technology Officer of Microsoft Azure, and Michal Braverman-Blumenstyk, Corporate Vice President and Chief Technology Officer of Microsoft Security, have emphasized the fact that, although the possibility of large-scale quantum computing is quite distant, people must begin preparing now. 

They reported that the transition to PQC was not merely a matter of flipping a switch, but a multi-year transformation that requires early planning and coordination in order to prevent a scramble to become effective later on. Rather than just addressing the quantum threat, Microsoft views the transition as an opportunity for companies to safeguard their systems by modernizing their outdated systems, implementing stronger cryptographic standards, and implementing the crypto-agility practice as a fundamental security practice. 

Essentially, the Quantum Safe Program is anchored by its three core pillars - updating Microsoft's own ecosystems, supporting partners, customers, and advancing global research and standards - and illustrates the importance of preparing industries for the quantum age by combining resilience with modernization.

The company is announcing a phased roadmap that will see accelerating adoption of quantum-safe standards across its core infrastructure, starting as early as 2026. Signing and networking services are slated to be the first areas of its infrastructure that will be upgraded. By 2027, Microsoft intends to extend these safeguards to Windows, Azure, Microsoft 365, data platforms, artificial intelligence services, and networking. 

In order to protect its digital ecosystem, quantum-ready safeguards will be embedded into the backbone of the company's digital ecosystem. In order to lay the groundwork for this to happen, post quantum algorithms were already incorporated into foundational components like SymCrypt, which serves as the foundation for security for many Microsoft products and services. Over the next five years, additional capabilities are expected to be gradually introduced. 

During the preparation process for the company, a comprehensive inventory was conducted across the organisation to identify potential risks associated with its assets. This was a similar process taken by federal agencies as well, followed by a collaborative effort with industry leaders in order to resolve vulnerabilities, strengthen quantum resilience, and advance hardware and firmware innovation. 

Announcing its roadmap as aligned with international standards, Microsoft has confirmed it is on track to meet the most stringent government requirements, including those outlined in the Committee on National Security Systems Policy (CNSSP-15) for government security systems. According to that mandate, every new cryptographically protected product and service that is designed to support U.S. national security systems, as well as operations and partners of the Defense Department, should begin using the Commercial National Security Algorithm Suite 2.0 as soon as possible in January 2027. 

There is a need for Microsoft to act fast when it comes to preparing for a quantum future. It is imperative that the entire digital ecosystem act as well. As individuals and businesses across industries transition to post-quantum cryptography, they must be aware that it is not simply about complying with looming deadlines, but more importantly, about maintaining trust, continuity, and resilience in a rapidly evolving threat environment. 

The benefits of implementing proactive measures in crypto-agility, system modernization, and collaborative research can go far beyond quantum resistance, helping to strengthen defenses against current and emerging cyberattacks, providing businesses with a competitive edge as well as reducing disruption risk. By aligning with the highest standards of digital trust and security, businesses will be able to gain a competitive advantage as well. 

Moreover, governments are also able to utilize this momentum as a means of developing unified policies, advocating for the adoption of interoperable standards, and fostering global cooperation on quantum-safe innovation. To take this next step, people must be willing to share responsibility; as quantum technology advances, they must come together to secure the digital world's foundations as well. Preparation now is crucial for enterprises to turn what is often framed as an looming challenge into an opportunity to transform, innovate, and build resilience not just today, but for generations to come.
Read more »
ToolShell
Canada CSE Cyber Attacks Employee Data Microsoft ToolShell

Canada’s Parliament Probes Data Breach Linked to Microsoft Flaws

 




Canada’s House of Commons has launched an investigation after a cyberattack potentially exposed sensitive staff data, raising questions about whether recently discovered Microsoft vulnerabilities played a role.

According to national media reports, an internal email to parliamentary employees revealed that attackers managed to enter a database containing staff information. The data included names, work emails, job titles, office locations, and details about computers and mobile devices connected to the House of Commons network.

The House of Commons and Canada’s Communications Security Establishment (CSE) are now examining the incident. In a public statement, CSE emphasized that attributing a cyberattack is complex and requires time, resources, and caution before drawing conclusions. In the meantime, staff have been urged to remain alert to suspicious messages or unusual activity.


Possible Link to Microsoft Vulnerabilities

Although officials have not confirmed the exact flaw that was exploited, the mention of a “recent Microsoft vulnerability” has led to speculation. In recent weeks, Canada’s Cyber Centre issued warnings about two critical Microsoft security issues:

  • CVE-2025-53770 (“ToolShell”): A flaw in Microsoft SharePoint servers that has been actively exploited since July. It allows attackers to gain unauthorized access and has been linked to incidents involving government networks and organizations worldwide.
  • CVE-2025-53786: A high-risk bug in Microsoft Exchange that can help attackers move through both cloud and on-premises systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an emergency order for federal agencies to fix this vulnerability after warning of its potential to cause complete system compromises.


Security researchers, including the monitoring platform Shadowserver, have noted that thousands of systems remain unpatched against these flaws, with hundreds of vulnerable servers still running in Canada.


Global Exploitation of ToolShell

The ToolShell vulnerability in particular has been tied to attacks on multiple high-profile organizations, including U.S. government agencies and European institutions. Reports indicate that both state-sponsored groups and cybercriminal gangs have taken advantage of the flaw in recent months, underlining its severity.


Why Updates Matter

Cybersecurity experts consistently stress the importance of keeping systems updated with the latest patches. Unpatched vulnerabilities provide attackers with open doors into critical infrastructure, government bodies, and private organizations. This latest incident underscores how quickly attackers can move to exploit weaknesses once they are made public.


What Happens Next

For now, the House of Commons and CSE are continuing their investigation, and no final determination has been made about the vulnerability used in the breach. However, the case highlights the ongoing risks posed by unpatched software and the need for constant vigilance by organizations and individuals alike.



Read more »
Technology
AI Chatbot ChatGPT Cloud Google Google Drive Internet Microsoft Technology

How ChatGPT prompt can allow cybercriminals to steal your Google Drive data


Chatbots and other AI tools have made life easier for threat actors. A recent incident highlighted how ChatGPT can be exploited to obtain API keys and other sensitive data from cloud platforms.

Prompt injection attacks leads to cloud access

Experts have discovered a new prompt injection attack that can turn ChatGPT into a hacker’s best friend in data thefts. Known as AgentFlayer, the exploit uses a single document to hide “secret” prompt instructions that target OpenAI’s chatbot. An attacker can share what appears to be a harmless document with victims through Google Drive, without any clicks.

Zero-click threat: AgentFlayer

AgentFlayer is a “zero-click” threat as it abuses a vulnerability in Connectors, for instance, a ChatGPT feature that connects the assistant to other applications, websites, and services. OpenAI suggests that Connectors supports a few of the world’s most widely used platforms. This includes cloud storage platforms such as Microsoft OneDrive and Google Drive.

Experts used Google Drive to expose the threats possible from chatbots and hidden prompts. 

GoogleDoc used for injecting prompt

The malicious document has a 300-word hidden malicious prompt. The text is size one, formatted in white to hide it from human readers but visible to the chatbot.

The prompt used to showcase AgentFlayer’s attacks prompts ChatGPT to find the victim’s Google Drive for API keys, link them to a tailored URL, and an external server. When the malicious document is shared, the attack is launched. The threat actor gets the hidden API keys when the target uses ChatGPT (the Connectors feature has to be enabled).

Othe cloud platforms at risk too

AgentFlayer is not a bug that only affects the Google Cloud. “As with any indirect prompt injection attack, we need a way into the LLM's context. And luckily for us, people upload untrusted documents into their ChatGPT all the time. This is usually done to summarize files or data, or leverage the LLM to ask specific questions about the document’s content instead of parsing through the entire thing by themselves,” said expert Tamir Ishay Sharbat from Zenity Labs.

“OpenAI is already aware of the vulnerability and has mitigations in place. But unfortunately, these mitigations aren’t enough. Even safe-looking URLs can be used for malicious purposes. If a URL is considered safe, you can be sure an attacker will find a creative way to take advantage of it,” Zenith Labs said in the report.

Read more »
Technology
AI App Store ChatGPT DeepSeek-R1 Microsoft Technology

DeepSeek Under Investigation Leading to App Store Withdrawals

 


As one of the world's leading AI players, DeepSeek, a chatbot application developed by the Chinese government, has been a formidable force in the artificial intelligence arena since it emerged in January 2025, launching at the top of the app store charts and reshaping conversations in the technology and investment industries. After initially being hailed as a potential "ChatGPT killer" by industry observers, the platform has been the subject of intense scrutiny since its meteoric rise. 

The DeepSeek platform is positioned in the centre of app store removals, cross-border security investigations, and measured enterprise adoption by August 2025. In other words, we are at the intersection of technological advances, infrastructure challenges, and geopolitical issues that may shape the next phase of the evolution of artificial intelligence in the years ahead. 

A significant regulatory development has occurred in South Korea, with the Personal Information Protection Commission confirming that DeepSeek temporarily suspended the download of its chatbot applications while working with local authorities to address privacy concerns and issues regarding DeepSeek's data assets. On Saturday, the South Korean version of Apple's App Store, as well as Google Play in South Korea, were taken down from their respective platforms, following an agreement with the company to enhance its privacy protection measures before they were relaunched.

It has been emphasised that, although existing mobile users and personal computer users are not affected, officials are urging caution on behalf of the commission; Nam Seok, director of the investigation division, has advised users to remove the app or to refrain from sharing personal information until the issues have been addressed. 

An investigation by Microsoft's security team has revealed that individuals reportedly linked to DeepSeek have been transferring substantial amounts of data using OpenAI's application programming interface (API), which is a core channel for developers and enterprises to integrate OpenAI technology into their products and services. Having become OpenAI's biggest shareholder, Microsoft flagged this unusual activity, triggering a review internally. 

There has been a meteoric rise by DeepSeek in recent days, and the Chinese artificial intelligence startup has emerged as an increasingly prominent competitor to established U.S. companies, including ChatGPT and Claude, whose AI assistant is currently more popular than ChatGPT. On Monday, as a result of a plunge in technology sector stock prices on Monday, the AI assistant surged to overtake ChatGPT in the U.S. App Store downloads. 

There has been growing international scrutiny surrounding the DeepSeek R1 chatbot, which has recently been removed from Apple’s App Store and Google Play in South Korea amid mounting international scrutiny. This follows an admission by the Hangzhou-based company that it did not comply with the laws regulating personal data privacy.

As DeepSeek’s R1 chatbot is lauded as having advanced capabilities at a fraction of its Western competitors’ cost, its data handling practices are being questioned sharply as well. Particularly, how user information is stored on secure servers in the People’s Republic of China has been criticised by the US and others. The Personal Information Protection Commission of South Korea confirmed that the app had been removed from the local app stores at 6 p.m. on Monday. 

In a statement released on Saturday morning (900 GMT), the commission said it had suspended the service due to violations of domestic data protection laws. Existing users can continue using the service, but the commission has urged the public not to provide personal information until the investigation is completed.

According to the PIPC, DeepSeek must make substantial changes so that it can meet Korean privacy standards. A shortcoming that DeepSeek has acknowledged is this. In addition, data security professor Youm Heung-youl, from Soonchunhyang University, further noted that despite the company's privacy policies relating to European markets and other markets, the same policy does not exist for South Korean users, who are subject to a different localised framework. 

In response to an inquiry by Italy's data protection authority, the company has taken steps to ensure the app takes the appropriate precautions with regard to the data that it collects, the sources from which it obtains it, its intended use, legal justifications, and its storage in China. 

While it is unclear to what extent DeepSeek initiated the removal or whether the app store operators took an active role in the process, the development follows the company's announcement last month of its R1 reasoning model, an open-source alternative to ChatGPT, positioned as an alternative to ChatGPT for more cost-effectiveness. 

Government concerns over data privacy have been heightened by the model's rapid success, which led to similar inquiries in Ireland and Italy as well as a cautionary directive from the United States Navy indicating that DeepSeek AI cannot be used because of its origin and operation, posing security and ethical risks. The controversy revolves around the handling and storage of user data at the centre of this controversy.

It has been reported that all user information, including chat histories and other personal information of users, has been transferred to China and stored on servers there. A more privacy-conscious version of DeepSeek's model may be run locally on a desktop computer, though the performance of this offline version is significantly slower than the cloud-connected version that can be accessed on Apple and Android phones. 

DeepSeek's data practices have drawn escalating regulatory attention across a wide range of jurisdictions, including the United States. According to the privacy policies of the company, personal data, including user requests and uploaded files, is stored on servers located in China, which the company also claims it does not store in the U.S. 

As Ulrich Kamp stated in his statement, DeepSeek has not provided credible assurances that data belonging to Germans will be protected to the same extent as data belonging to European Union citizens. He also pointed out that Chinese authorities have access to personal data held by domestic companies with extensive access rights. 

It was Kamp's office's request in May for DeepSeek to either meet EU data transfer requirements or voluntarily withdraw its app, but the company did not do so. The controversy follows DeepSeek's January debut when it said that it had created an AI model that rivalled the ones of other American companies like OpenAI, but at a fraction of the cost. 

Over the past few years, the app has been banned in Italy due to concerns about transparency, as well as restricted access to government devices in the Netherlands, Belgium, and Spain, and the consumer rights organisation OCU has called for an official investigation into the matter. After reports from Reuters alleging DeepSeek's involvement in China's military and intelligence activities, lawmakers are preparing legislation that will prohibit federal agencies from using artificial intelligence models developed by Chinese companies. 

According to the Italian data protection authority, the Guarantor for the Protection of Personal Data, Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence have been requested to provide detailed information concerning the collection and processing of their data. A regulator has requested clarification about which personal data is collected, where the data originates, what the legal basis is for processing, and whether it is stored on Chinese servers. 

There are also other inquiries peopl would like to make regarding the training methodologies used for DeepSeek's artificial intelligence models, such as whether web scraping is involved, and how both registered as well as unregistered users are informed of this data collection. DeepSeek has 20 days to reply to these inquiries. 

As Forrester analysts have warned, the app has been widely adopted — it has been downloaded millions of times, which means that large amounts of potentially sensitive information are being uploaded and processed as a result. Based on DeepSeek's own privacy policy, the company has noted that it may collect user input, audio prompts, uploaded files, feedback, chat histories, and other content for training purposes, and may share these details with law enforcement officials or public authorities as needed. 

Although DeepSeek's models remain freely accessible throughout the world, despite regulatory bans and investigations intensifying in China, developers continue to download, adapt, and deploy them, sometimes independent of the official app or Chinese infrastructure, regardless of the official ban. The technology has become increasingly important in industry analysis, not just as an isolated threat, but as part of a broader shift toward a hardware-efficient, open-weight AI architecture, a trend which has been influenced by players such as Mistral, OpenHermes, and Elon Musk's Grok initiative, among many others.

To join the open-weight reasoning movement, OpenAI has released two open-weight reasoning models, GPTT-OSS-120B and GPTT-OSS-20B, which have been deployed within their infrastructure. During the rapid evolution of the artificial intelligence market, the question is no longer whether open-source AI can compete with existing incumbents—in fact, it already has. 

It is much more pressing to decide who will define the governance frameworks that will earn the trust of the public at a time when artificial intelligence, infrastructure control, and national sovereignty are converging at unprecedented rates. Despite the growing complexity of regulating advanced artificial intelligence in an interconnected, highly competitive global market, the ongoing scrutiny surrounding DeepSeek underscores the importance of governing advanced artificial intelligence. 

As a disruptive technological breakthrough evolved, it became a geopolitical and regulatory hot-button, demonstrating how privacy, security, and data sovereignty have now become a major issue in the race against artificial intelligence. Policymakers will find this case extremely significant because it emphasizes the need for coherent international frameworks that can address cross-border data governance and balance innovation with accountability, as well as addressing cross-border data governance. 

Whether it is enterprises or individuals, it serves to remind them that despite the benefits of cutting-edge AI tools, they come with inherent risks, risks that need to be carefully evaluated before they are adopted. A significant part of the future will be the blurring of the boundaries between local oversight and global accessibility as AI models become increasingly lightweight, hardware-efficient, and widely deployable. 

As a result, trust will not be primarily dependent on technological capability, but also on transparency, verifiable safeguards, and the willingness of developers to adhere to ethical and legal standards in the markets they are trying to serve in this environment. It is clear from the ongoing scrutiny surrounding DeepSeek that in a highly competitive global market, regulating advanced artificial intelligence is becoming increasingly complicated as it becomes increasingly interconnected. 

The initial breakthrough in technology has evolved into a geopolitical and regulatory flashpoint, demonstrating how questions of privacy, security, and data sovereignty have become a crucial element in the race toward artificial intelligence. It is clear from this case that policymakers have a pressing need for international frameworks that can address cross-border data governance and balance innovation with accountability. 

For enterprises and individuals alike, the case serves as a reminder that embracing cutting-edge artificial intelligence tools comes with inherent risks and that the risks must be carefully weighed before adoption can be made. It will become increasingly difficult to distinguish between local oversight and global accessibility as AI models become more open-minded, hardware-efficient, and widely deployable as they become more open-hearted, hardware-efficient, and widely deployable. 

In such a situation, trust will not be solely based on technological capabilities, but also on transparency, verifiable safeguards, as well as the willingness of developers to operate within the ethical and legal guidelines of the market in which they seek to compete.
Read more »
Windows
Artificial Intelligence DevilsTongue Internet malware Microsoft Spyware surveillance Windows

DevilsTongue Spyware Attacking Windows System, Linked to Saudi Arabia, Hungary


Cybersecurity experts have discovered a new infrastructure suspected to be used by spyware company Candiru to target computers via Windows malware.

DevilsTongue spyware targets Windows systems

The research by Recorded Future’s Insikt Group disclosed eight different operational clusters associated with the spyware, which is termed as DevilsTongue. Five are highly active, including clusters linked to Hungary and Saudi Arabia. 

About Candiru’ spyware

According to the report, the “infrastructure includes both victim-facing components likely used in the deployment and [command and control] of Candiru’s DevilsTongue spyware, and higher-tier infrastructure used by the spyware operators.” While a few clusters directly handle their victim-facing infrastructure, others follow an intermediary infrastructure layers approach or through the Tor network, which allows threat actors to use the dark web.

Additionally, experts discovered another cluster linked to Indonesia that seemed to be active until November 2024. Experts couldn’t assess whether the two extra clusters linked with Azerbaijan are still active.

Mode of operation

Mercenary spyware such as DevilsTongue is infamous worldwide, known for use in serious crimes and counterterrorism operations. However, it also poses various legal, privacy, and safety risks to targets, their companies, and even the reporter, according to Recorded Future.

Windows itself has termed the spyware Devil's Tongue. There is not much reporting on its deployment techniques, but the leaked materials suggest it can be delivered via malicious links, man-in-the-middle attacks, physical access to a Windows device, and weaponized files. DevilsTongue has been installed via both threat actor-controlled URLs that are found in spearphishing emails and via strategic website attacks known as ‘watering hole,’ which exploit bugs in the web browser.

Insikt Group has also found a new agent inside Candiru’s network that is suspected to have been released during the time when Candiru’s assets were acquired by Integrity Partners, a US-based investment fund. Experts believe that a different company might have been involved in the acquisition.

How to stay safe?

In the short term, experts from Recorded Future advise defenders to “implement security best practices, including regular software updates, hunting for known indicators, pre-travel security briefings, and strict separation of personal and corporate devices.” In the long term, organizations are advised to invest in robust risk assessments to create effective policies.

Read more »
Multifactor
AI vulnerabilities CISO Cyber Security CyberThreat Google IT Departments market trends MFA Microsoft Multifactor

Market Trends Reveal Urgent Emerging Cybersecurity Requirements

 


During an era of unprecedented digital acceleration and hyperconnectivity, cybersecurity is no longer the sole responsibility of IT departments — it has now become a crucial strategic pillar for businesses of all sizes in an age of hyperconnectivity. 

Recent market trends are signalling an urgent need for a recalibration of cybersecurity priorities, as sophisticated cyber threats are on the rise, regulations are being tightened, and cloud-native technologies are on the rise. Increasingly, businesses and governments are realising that security is no longer merely a technical protection, but rather a foundational component of trust, resilience, and long-term growth. 

There is a growing need in the cybersecurity market for proactive, adaptable, and intelligence-driven defences as a result of the evolving threat landscape and expanding attack surfaces. There is no doubt that the market is speaking louder through investment shifts, vendor realignment, and customer demand, which is why modern cybersecurity must move in lockstep with innovation — otherwise it may turn out to be a costly vulnerability. 

Increasingly, organisations are finding that they are having trouble coping with the speed at which technological innovation and business transformation are taking place. Throughout the year 2025, chief information security officers (CISOs) will be faced with a critical situation where they must defend their organisations not only from evolving threats but also demonstrate that their security programs can be of tangible business value. 

Based on emerging insights, cybersecurity leaders are increasingly focused on ensuring that resilience is embedded at all levels — organisational, team-based, and individual — as a means of maintaining performance and operational continuity when adversity occurs. Based on recent industry trends, nine core capabilities seem to be the most important ones to address this mandate, ranging from how organisations can foster cross-functional collaborations and prevent analyst burnout, as well as how they should ensure teams are educated, aligned, and flexible. 

Keeping a balance between enabling digital transformation and maintaining cyber resilience has become one of the most important challenges of the modern security mandate. If organisations succeed in this endeavour, resilience must be built into their cybersecurity strategy from the beginning, not just as an afterthought. 

Threat actors have evolved from ideology-driven disruptions to monetisation-focused attacks in the age of cybercrime, which has grown into a multi-trillion-dollar industry. They have moved from spam and botnets to crypto mining and now ransomware-as-a-service. In light of the rapid increase in threat sophistication, organisations are being forced to rethink traditional cybersecurity paradigms in an attempt to stay competitive. 

A Chief Information Security Officer (CISO), an IT security leader, or a Managed Service Provider (MSP) who is starting a new role needs to be clear about the objective within the first 100 days of taking on a new role. In order to prevent as many attacks as possible, create friction for cybercriminals, and maintain internal alignment without disrupting IT operations, the most effective method has been to start with prevention. 

One of the most significant characteristics of modern attacks is that up to 90% of them take advantage of macros in Office to deliver remote access tools or malicious payloads. Disabling these macros, often with minimal disruption to business, can reduce exposure to these threats immediately. It is also becoming more common for organisations to adopt applications allowlisting to only allow explicitly approved applications, to block not only malware but also abused legitimate tools, such as TeamViewer and GoToAssist, automatically. 

A behavioural-level control like RingfencingTM also adds a layer of protection to this, preventing allowed applications from executing unauthorised actions and mitigating exploit-based threats such as Follina through the use of behaviour-level controls such as RingfencingTM. Collectively, these proactive controls reflect an important shift towards threat prevention and operational resilience as well. 

In the face of the emergence of generative AI that is deeply embedded within enterprise workflows, a new frontier of cybersecurity has emerged — one that extends well beyond conventional systems into the interaction between employees and artificial intelligence models. What was once considered speculative risks is now becoming a matter of urgency for organisations. 

In recent years, organisations have begun to recognise how important it is to secure how employees interact with artificial intelligence services from both external and internal sources, and have implemented a growing number of solutions designed to monitor and prompt activity, assess data sensitivity, and enforce usage policies. 

In order to maintain regulatory compliance in increasingly AI-aided environments, these controls are crucial for protecting proprietary information as well as for maintaining regulatory compliance. It is also crucial to secure the AI systems that organisations build, including the training datasets they use, the model outputs they use, and the decision logic they use, as well as the systems that they build. Emerging threats, such as prompt injection attacks and model manipulation, emphasise the need for visibility and control tailored specifically to artificial intelligence. 

Due to the impact of AI applications on security, a new class of AI application security tools has been developed, which leads to the establishment of AI system protection as a core discipline of cybersecurity, and raises it to the same level as the security of traditional infrastructures. Increasingly, organisations are adapting to an increasingly perimeterless digital environment, making the need to strengthen basic security controls non-negotiable. 

The multi-factor authentication (MFA) approach is at the forefront of remote access defence as it offers the ability to secure accounts spanning Microsoft 365, Google Workspace, domain registrars, and remote administration tools. MFA offers these accounts a crucial level of security. The use of multi-factor authentication reduces the likelihood that unauthorised access could occur even if credentials have been compromised. It is also vital that least-privilege principles be enforced. 

Despite the fact that attackers can easily install ransomware without administrative privileges, stripping local admin privileges prevents them from disabling security controls and escalating privileges. It has been recommended that users should be given elevated access to specific applications through dedicated tools rather than being given it to an entire group of users. 

In regard to data security, the use of full-disk encryption, such as BitLocker, is essential for preventing unauthorised access to virtual hard disks and tampering. As well as reducing exposure further, the use of granular permissions to access data is also crucial, ensuring that only information pertinent to their function is accessed by users and applications. 

As an example, it is important to limit tools like SSH clients to log files and restrict sensitive financial data to financial roles that do not have access to it. In addition, USB devices should be blocked by default, with a narrowly defined exception for encrypted, sanctioned drives, since they are a common vector for malware and data theft. 

The ability to monitor file activity in real time across endpoints, cloud platforms like OneDrive, and removable media has become increasingly important to the success of any comprehensive security program. This visibility can assist in proactive monitoring and enhance incident response by providing a detailed understanding of data interactions, as well as improving incident response. 

There is a strong possibility that the cybersecurity landscape will become even more complex in the future as digital ecosystems expand, adversaries refine their tactics, and companies pursue accelerated innovation, thereby increasing the complexity of the landscape. As a response, security leaders need to go beyond conventional defensive approaches and create a culture of vigilance, accountability, and adaptability that extends across entire organisations. 

Organisations will need to invest in specialised talent, cross-functional collaboration, and continuous security validation in order to deal with the convergence of IT, AI, cloud, and operational technologies. As well, with a growing number of regulatory scrutiny and stakeholder expectations, cybersecurity is now measured not just by its capability to block threats, but also by how it enables secure growth, safeguards the reputation of its users, and ensures that digital trust is maintained.

A cybersecurity strategy that integrates security seamlessly into business objectives rather than as a barrier will provide organizations with the best chance of navigating the next wave of risk and resilience in an increasingly volatile threat environment by integrating it seamlessly into business objectives. In 2025 and beyond, cybersecurity leadership will be defined by staying proactive, intelligent, and resilient as market forces continue to change the landscape of risk.
Read more »
Windows
Banking Credential Theft Coyote Cybeattacks CyberCrime malware Microsoft RAT Trojon UIA UL Elements Windows

Emerging Threat Uses Windows Tools to Facilitate Banking Credential Theft


An alarming development that underscores how financial cybercrime is evolving is a Windows-based banking trojan dubbed Coyote. It has been observed for the first time that a malware strain leveraging the Microsoft UI Automation (UIA) framework for stealthy extraction of sensitive user data has emerged. It was developed in 2024 by Kaspersky, and it is specifically targeted at Brazilian users. Through its advanced capabilities, Coyote can log keystrokes, record screenshots, and use deceptive overlays on banking login pages that are designed to fool users into providing their information to the malware. 


A security researcher at Akamai has reported that in the latest variant, the legitimate Microsoft UIA component, which is designed to provide accessibility to desktop UI elements for those with disabilities, is exploited to retrieve credentials from websites linked to 75 financial institutions and cryptocurrency platforms via a phishing attack. A novel abuse of an accessibility tool demonstrates that threat actors are becoming increasingly sophisticated in their attempts to circumvent traditional security measures and compromise digital financial ecosystems. 

The Coyote virus first appeared in Latin American cybersecurity in February 2024 and has since been a persistent and damaging threat across the region. Coyote, a banking trojan, was originally used to steal financial information from unsuspecting users by using traditional methods, such as keylogging and phishing overlays. 

Despite being classified as a banking trojan, its distribution mechanism is based on the popular Squirrel installer, a feature which is also the inspiration for its name, a reference to the coyote-squirrel relationship, which is a predator-prey relationship. It was not long ago that Coyote began targeting Brazilian businesses, with the intent of deploying an information-stealing Remote Access Trojan (RAT) in their networks in an effort to steal information. 

After the malware was discovered, cybersecurity researchers began to discover critical insight into its behaviour as soon as it became apparent. The Fortinet company released a comprehensive technical report in January 2025 that detailed Coyote's attack chain, including the methods used to propagate the attack and the techniques used to infiltrate the system. In the evolution of Coyote from conventional credential theft to sophisticated abuse of legitimate accessibility frameworks, one can see a common theme in modern malware development—a trend in which native system utilities are retooled to facilitate covert surveillance and data theft. 

Through innovation and stealth, Coyote is proving to be an excellent example of how regionally focused threats can rapidly escalate into globally significant risks through the use of innovation and stealth. The Coyote malware has evolved significantly in its attack methodology since its previous appearance in 2015, which has prompted cybersecurity professionals to have new concerns. 

Since December 2024, Akamai researchers have been following Coyote closely, and they have found out that earlier versions of the malware have mainly relied on keylogging and phishing overlays to steal login credentials from users of 75 targeted banking and cryptocurrency websites. However, users had to access financial applications outside of traditional web browsers in order for these methods to work, meaning that browser-based sessions largely remained safe. 

In contrast, Coyote's newest version, which was released earlier this year, demonstrates a markedly higher level of sophistication. Using Microsoft's UI Automation framework (UIA), Coyote can now detect and analyse banking and crypto exchange websites that are open directly within browsers by utilising its Microsoft UI Automation framework. As a result of this enhancement, malware is now able to identify financial activity more accurately and extract sensitive information even from less vulnerable sessions, significantly increasing the scope and impact of the malware. 

With stealth and precision, the Coyote malware activates on a victim's computer as soon as the program they are infected with—typically through the widely used Squirrel installer—is executed on their system. As soon as the malware has been installed, it runs silently in the background, gathering fundamental system details as well as continuously monitoring all active programs and windows. One of the primary objectives of this malware is to detect interactions with cryptocurrency platforms or banking services.

If Coyote detects such activity, it utilises the UI Automation framework (UIA) to programmatically read the content displayed on the screen, bypassing traditional input-based detection mechanisms. Furthermore, the malware is capable of extracting web addresses directly from browser tabs or the address bar, cross-referenced to a predefined list of financial institutions and crypto exchanges that are targeted. This further elevates the malware's threat profile. 

Upon finding a match, the tool initiates a credential harvesting operation that is aimed at capturing credentials such as login information and wallet information. As of right now, Coyote appears to have a geographic focus on Brazilian users, targeting companies like Banco do Brasil, Santander, as well as global platforms like Binance, as well. 

Although it is unlikely that this regional concentration will remain static for long, threat actors often launch malware campaigns in limited geographies for the purpose of testing them out before attempting to spread their campaign to a broader audience. Among the latest versions of Coyote malware, there is an impressive combination of technical refinement and operational stealth that sets it apart from typical financial Trojans in terms of performance.

It is particularly noteworthy that it utilises Microsoft's UI Automation framework to look directly at application window content to be able to steal sensitive information without having to rely on visible URLs or browser titles. There are no longer any traditional techniques for this variant that rely on keylogging or phishing overlays, but rather rely on UI-level reconnaissance that allows it to identify and engage with targeted Brazilian cryptocurrency and banking platforms with remarkable subtlety. Further increasing its evasiveness is its ability to operate offline. 

By doing so, it can gather and scan data without requiring a connection to the command-and-control (C2) server. In order to initiate an attack sequence, the malware first profiles the infected system, obtaining information such as the name of the device, the operating system version, and the credentials of the user. As a result, Coyote scans the titles of active windows in an attempt to find financial platforms that are well-known. 

If no direct match is found, Coyote escalates its efforts by parsing the visual user interface elements via the UIA interface, resulting in critical data such as URLs and tab labels that are crucial for the application. As soon as the application detects a target, it uses an array of credential harvesting techniques, which include token interception and direct access to usernames and passwords.

Although the current campaign remains focused in Brazil, the fact that Coyote can operate undetected at the user interface layer and that it uses native Windows APIs poses a serious and scalable threat to businesses across the globe. Considering its offline functionality, small network footprint, and ability to evade standard security solutions, it is a potent reminder that legitimate system tools can be repurposed to quietly undermine digital defences complex cybersecurity landscape that is getting ever more complex. 

Cybersecurity is rapidly evolving, and it is becoming increasingly apparent to us that the dynamic between threat actors and defenders has become more of a high-stakes game, where innovation can change the balance quite rapidly between the two sides. A case study such as the Coyote malware underscores the fact that even system components which appear harmless, such as Microsoft's UI Automation (UIA) framework, can be exploited to achieve malicious objectives. 

Although UIA was created to enhance accessibility and usability, the abuse of the tool by advanced malware proves the inherent risks associated with native tools that are trusted. The objective of security researchers is to give defenders a better understanding of the inner workings and methods employed by Coyote, so they can detect, mitigate, and respond more effectively to such stealthy intrusions. 

It is important to note that the exploitation of UIA as an attack vector is not simply a tactic that is used for a single attack-it signals a shift in adversarial strategy that emphasises invisibility and manipulation of systems. Organisations must strengthen their security posture by observing how legitimate technologies may be repurposed as a means to commit cybercrime, as well as staying vigilant against threats that blur the line between utility and vulnerability. 

There is no question that the advent of Coyote malware marked a turning point in the evolution of cyber threats. It underscores the growing abuse of legitimate system tools for malicious purposes as well. Using Microsoft's UI Automation framework (UIA), an accessibility feature which was created to support users with disabilities, Coyote illustrates to us that trusted functionality could be repurposed to steal information from systems by silently infiltrating them. 

The malware operations of this company, which are currently focused on Brazilian financial institutions and crypto exchanges, represent the emerging trend toward stealth-driven malware campaigns that target specific regions of the globe. A call to action has been issued to defenders by this evolution, as traditional security tools that are based on network-based detection or signature matching may not be up to the task of combating threats that operate entirely within the user interface layer and do not require the use of command-and-control communications. 

Consequently, organisations have to develop more nuanced strategies to keep their data secure, such as behavioural monitoring, heuristic analysis, and visibility of native API usage. As a further precaution, maintaining strict controls over software distribution methods, such as Squirrel installers, is also a great way to prevent the spread of early-stage infections. By adopting a silent, system-native approach, Coyote reflects a change in the cyber threat landscape, shifting away from overt, disruptive attacks to covert, credential-stealing surveillance. 

Coyote utilizes low-noise approaches to achieve maximum data exfiltration, often as part of long-term campaigns, in order to evade detection, resulting in maximum data exfiltration. This demonstrates the sophistication of modern malware and the urgent need for adaptive cybersecurity frameworks to cope with these threats. In addition to exploiting UIA, it is also likely that it will result in more widespread abuse of accessibility features that have traditionally been overlooked in security planning, and which may eventually become a major security concern.

As threat actors continue to refine their approaches, companies need to be vigilant, rethink what constitutes potential attack surfaces, and take measures to detect threats as soon as possible. Coyote is an example of malware that requires a combination of stronger tools, as well as a deeper understanding of the way even helpful technology can be turned into a security liability quickly if it is misused.
Read more »
Windows
Coyote Data Theft malware Microsoft UIA Windows

New Coyote Malware Variant Exploits Windows Accessibility Tool for Data Theft

 




A recently observed version of the banking malware known as Coyote has begun using a lesser-known Windows feature, originally designed to help users with disabilities, to gather sensitive information from infected systems. This marks the first confirmed use of Microsoft’s UI Automation (UIA) framework by malware for this purpose in real-world attacks.

The UI Automation framework is part of Windows’ accessibility system. It allows assistive tools, such as screen readers, to interact with software by analyzing and controlling user interface (UI) elements, like buttons, text boxes, and navigation bars. Unfortunately, this same capability is now being turned into a tool for cybercrime.


What is the malware doing?

According to recent findings from cybersecurity researchers, this new Coyote variant targets online banking and cryptocurrency exchange platforms by monitoring user activity on the infected device. When a person accesses a banking or crypto website through a browser, the malware scans the visible elements of the application’s interface using UIA. It checks things like the tab names and address bar to figure out which website is open.

If the malware recognizes a target website based on a preset list of 75 financial services, it continues tracking activity. This list includes major banks and crypto platforms, with a focus on Brazilian users.

If the browser window title doesn’t give away the website, the malware digs deeper. It uses UIA to scan through nested elements in the browser, such as open tabs or address bars, to extract URLs. These URLs are then compared to its list of targets. While current evidence shows this technique is being used mainly for tracking, researchers have also demonstrated that it could be used to steal login credentials in the future.


Why is this alarming?

This form of cyberattack bypasses many traditional security tools like antivirus programs or endpoint detection systems, making it harder to detect. The concern grows when you consider that accessibility tools are supposed to help people with disabilities not become a pathway for cybercriminals.

The potential abuse of accessibility features is not limited to Windows. On Android, similar tactics have long been used by malicious apps, prompting developers to build stricter safeguards. Experts believe it may now be time for Microsoft to take similar steps to limit misuse of its accessibility systems.

While no official comment has been made regarding new protections, the discovery highlights how tools built for good can be misused if not properly secured. For now, the best defense remains being careful, both from users and from developers of operating systems and applications.



Read more »
Subscribe to: Posts (Atom)