
Google Rolls Out Android Developer Verification to Curb Anonymous App Distribution

 



Google has formally begun rolling out a comprehensive verification framework for Android developers, a move aimed at tackling the persistent problem of malicious applications being distributed by actors who operate without revealing their identity. The company’s decision reflects growing concerns within the mobile ecosystem, where anonymity has often enabled bad actors to bypass accountability and circulate harmful software at scale.

This rollout comes in advance of a stricter compliance requirement that will first take effect in September across key markets including Brazil, Indonesia, Singapore, and Thailand. These regions are being used as initial enforcement zones before the policy is gradually expanded worldwide next year, signaling Google’s intent to standardize developer accountability across its global Android ecosystem.

Under the new system, developers who distribute Android applications outside of the official Google Play marketplace will now be required to register through the Android Developer Console and verify their identity credentials. This requirement is particularly significant for developers who rely on alternative distribution methods such as direct APK sharing, enterprise deployment, or third-party app stores, as it introduces a layer of traceability that previously did not exist.

At the same time, Google clarified that developers already publishing applications through Google Play and who have completed existing identity verification processes may not need to take further action. In such cases, their applications are likely to already comply with the updated requirements, reducing friction for those operating within the official ecosystem.

Explaining how this change will affect end users, Matthew Forsythe, Director of Product Management for Android App Safety, emphasized that the vast majority of users will not notice any difference in their day-to-day app installation experience. Standard app downloads from trusted sources will continue to function as usual, ensuring that usability is not compromised for the general public.

However, the experience changes when a user attempts to install an application that has not been registered under the new verification system. In such cases, users will be required to proceed through more advanced installation pathways, such as Android Debug Bridge or similar technical workflows. These methods are typically used by developers and experienced users, which effectively limits exposure for less technical individuals.

This design introduces a deliberate separation between general users and advanced users. While everyday users are shielded from potentially unsafe applications, power users retain the flexibility to install software manually, albeit with additional steps that reinforce intentional decision-making.

To further support developers, Google is integrating visibility into its core development tools. Within the next two months, developers using Android Studio will be able to directly view whether their applications are registered under the new system at the time of generating signed App Bundles or APK files. This integration ensures that compliance status becomes part of the development workflow rather than a separate administrative task.

For developers who have already completed identity verification through the Play Console, Google will automatically register eligible applications under the new framework. This automation reduces operational overhead and ensures a smoother transition. However, in cases where applications cannot be automatically registered, developers will be required to complete a manual claim process to verify ownership and bring those apps into compliance.

In earlier guidance, Google also outlined how sideloading, the practice of installing apps from outside official stores, will function under this system. Advanced users will still be able to install unregistered APK files, but only after completing a multi-step verification process designed to confirm their intent.

This process includes an authentication step to verify the user’s decision, followed by a one-time waiting period of up to 24 hours. The delay is not arbitrary. It is specifically designed to disrupt scam scenarios in which attackers pressure users into quickly installing malicious applications before they have time to reconsider.

Forsythe explained that although this process is required only once for experienced users, it has been carefully structured to counter high-pressure social engineering tactics. By introducing friction into the installation process, the system aims to reduce the success rate of scams that rely on urgency and manipulation.

This development is part of a wider industry tendency toward tightening control over app ecosystems and improving user data protection. In a parallel move, Apple has recently updated its Developer Program License Agreement to impose stricter rules on how third-party wearable applications handle sensitive data such as live activity updates and notifications.

Under Apple’s revised policies, developers are explicitly prohibited from using forwarded data for purposes such as advertising, user profiling, training machine learning models, or tracking user location. These restrictions are intended to prevent misuse of real-time user data beyond its original functional purpose.

Additionally, developers are not allowed to share this forwarded information with other applications or devices, except for authorized accessories that are explicitly approved within Apple’s ecosystem. This ensures tighter control over how data flows between devices.

The updated agreement also introduces further limitations. Developers are barred from storing this data on external cloud servers, altering its meaning in ways that change the original content, or decrypting the information anywhere other than on the designated accessory device. These measures collectively aim to preserve data integrity and minimize the risk of misuse.

Taken together, these moves point to an industry-wide shift toward stronger governance of developer behavior, application distribution, and data handling practices. As threats such as malware distribution, financial fraud, and data exploitation continue to evolve, platform providers are increasingly prioritizing transparency, accountability, and user protection in their security strategies.

AI Coding Platform Orchids Exposed to Zero-Click Hack in BBC Security Test

 


A BBC journalist has demonstrated an unresolved cybersecurity weakness in an artificial intelligence coding platform that is rapidly gaining users.

The tool, called Orchids, belongs to a new category often referred to as “vibe-coding.” These services allow individuals without programming training to create software by describing what they want in plain language. The system then writes and executes the code automatically. In recent months, platforms like this have surged in popularity and are frequently presented as examples of how AI could reshape professional work by making development faster and cheaper.

Yet the same automation that makes these tools attractive may also introduce new forms of exposure.

Orchids states that it has around one million users and says major technology companies such as Google, Uber, and Amazon use its services. It has also received strong ratings from software review groups, including App Bench. The company is headquartered in San Francisco, was founded in 2025, and publicly lists a team of fewer than ten employees. The BBC said it contacted the firm multiple times for comment but did not receive a response before publication.

The vulnerability was demonstrated by cybersecurity researcher Etizaz Mohsin, who has previously uncovered software flaws, including issues connected to surveillance tools such as Pegasus. Mohsin said he discovered the weakness in December 2025 while experimenting with AI-assisted coding. He reported attempting to alert Orchids through email, LinkedIn, and Discord over several weeks. According to the BBC, the company later replied that the warnings may have been overlooked due to a high volume of incoming messages.

To test the flaw, a BBC reporter installed the Orchids desktop application on a spare laptop and asked it to generate a simple computer game modeled on a news website. As the AI produced thousands of lines of code on screen, Mohsin exploited a security gap that allowed him to access the project remotely. He was able to view and modify the code without the journalist’s knowledge.

At one point, he inserted a short hidden instruction into the project. Soon after, a text file appeared on the reporter’s desktop stating that the system had been breached, and the device’s wallpaper changed to an image depicting an AI-themed hacker. The experiment showed that an outsider could potentially gain control of a machine running the software.

Such access could allow an attacker to install malicious programs, extract private corporate or financial information, review browsing activity, or activate cameras and microphones. Unlike many common cyberattacks, this method did not require the victim to click a link, download a file, or enter login details. Security professionals refer to this technique as a zero-click attack.

Mohsin said the rise of AI-driven coding assistants represents a shift in how software is built and managed, creating new categories of technical risk. He added that delegating broad system permissions to AI agents carries consequences that are not yet fully understood.

Although Mohsin said he has not identified the same flaw in other AI coding tools such as Claude Code, Cursor, Windsurf, or Lovable, cybersecurity academics urge caution. Kevin Curran, a professor at Ulster University, noted that software created without structured review and documentation may be more vulnerable under attack.

The discussion extends beyond coding platforms. AI agents designed to perform tasks directly on a user’s device are becoming more common. One recent example is Clawbot, also known as Moltbot or Open Claw, which can send messages or manage calendars with minimal human input and has reportedly been downloaded widely.

Karolis Arbaciauskas, head of product at NordPass, warned that granting such systems unrestricted access to personal devices can expose users to serious risks. He advised running experimental AI tools on separate machines and using temporary accounts to limit potential damage.

Is Spyware Secretly Hiding on Your Phone? How to Detect It, Remove It, and Prevent It

 



If your phone has started behaving in ways you cannot explain, such as draining power unusually fast, heating up during minimal use, crashing, or displaying unfamiliar apps, it may be more than a routine technical fault. In some cases, these irregularities signal the presence of spyware, a type of malicious software designed to quietly monitor users and extract personal information.

Spyware typically enters smartphones through deceptive mobile applications, phishing emails, malicious attachments, fraudulent text messages, manipulated social media links, or unauthorized physical access. These programs are often disguised as legitimate utilities or helpful tools. Once installed, they operate discreetly in the background, avoiding obvious detection.

Depending on the variant, spyware can log incoming and outgoing calls, capture SMS and MMS messages, monitor conversations on platforms such as Facebook and WhatsApp, and intercept Voice over IP communications. Some strains are capable of taking screenshots, activating cameras or microphones, tracking location through GPS, copying clipboard data, recording keystrokes, and harvesting login credentials or cryptocurrency wallet details. The stolen information is transmitted to external servers controlled by unknown operators.

Not all spyware functions the same way. Some applications focus on aggressive advertising tactics, overwhelming users with pop-ups, altering browser settings, and collecting browsing data for revenue generation. Broader mobile surveillance tools extract system-level data and financial credentials, often distributed through mass phishing campaigns. More intrusive software, frequently described as stalkerware, is designed to monitor specific individuals and has been widely associated with domestic abuse cases. At the highest level, sophisticated commercial surveillance platforms such as Pegasus have been deployed in targeted operations, although these tools are costly and rarely directed at the general public.

Applications marketed as parental supervision or employee productivity tools also require caution. While such software may have legitimate oversight purposes, its monitoring capabilities mirror those of spyware if misused or installed without informed consent.

Identifying spyware can be difficult because it is engineered to remain hidden. However, several warning indicators may appear. These include sudden battery drain, overheating, sluggish performance, unexplained crashes, random restarts, increased mobile data consumption, distorted calls, persistent pop-up advertisements, modified search engine settings, unfamiliar applications, difficulty shutting down the device, or unexpected subscription charges. Receiving suspicious messages that prompt downloads or permission changes may also signal targeting attempts. If a device has been out of your possession and returns with altered settings, tampering should be considered.

On Android devices, reviewing whether installation from unofficial sources has been enabled is critical, as this setting allows apps outside the Google Play Store to be installed. Users should also inspect special app access and administrative permissions for unfamiliar entries. Malicious programs often disguise themselves with neutral names such as system utilities. Although iPhones are generally more resistant without jailbreaking or exploited vulnerabilities, they are not immune. Failing to install firmware updates increases exposure to known security flaws.
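The sideloading review described above can be scripted from a computer connected over Android Debug Bridge; the following is an added example, not part of the original article. It parses the output of `pm list packages -i -3` (third-party packages with their recorded installer) and lists apps that did not come from Google Play. The sample output and package names are constructed, and the trusted-installer list is an assumption to adjust for your own devices.

```python
import re
import subprocess

# Installers treated as official stores in this example (assumption;
# add a vendor or enterprise store here if your devices use one).
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# One line of `pm list packages -i` looks like:
#   package:<name>  installer=<installer package or "null">
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_OUTPUT = """\
package:com.example.chat  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:org.example.notes  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""


def parse_installers(text):
    """Map each package name to its installer, or None when none is recorded."""
    result = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip blank lines and adb warnings
        installer = match.group("installer")
        result[match.group("pkg")] = None if installer == "null" else installer
    return result


def sideloaded(text, trusted=TRUSTED_INSTALLERS):
    """Return sorted package names whose installer is not a trusted store."""
    installers = parse_installers(text)
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


def collect_from_device():
    """Read the third-party package list from a USB-connected device via adb."""
    completed = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-i", "-3"],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout


if __name__ == "__main__":
    # Uses the constructed sample; swap in collect_from_device() for a real phone.
    for package in sideloaded(SAMPLE_OUTPUT):
        print("review:", package)
```

An app on the resulting list is not necessarily malicious, but each entry is one to recognise and account for, particularly when it carries a neutral, system-sounding name.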

If spyware is suspected, measured action is necessary. Begin by installing reputable mobile security software from verified vendors and running a comprehensive scan. Manually review installed applications and remove anything unfamiliar. Examine permission settings and revoke excessive access. On Android, restarting the device in Safe Mode temporarily disables third-party apps, which may assist in removal. Updating the operating system can also disrupt malicious processes. If the issue persists, a factory reset may be required. Important data should be securely backed up before proceeding, as this step erases all stored content. In rare instances, professional technical assistance or device replacement may be needed.

Long-term protection depends on consistent preventive practices. Maintain strict physical control over your phone and secure it with a strong password or biometric authentication. Configure automatic screen locking to reduce the risk of unauthorized access. Install operating system updates promptly, as they contain critical security patches. Download applications only from official app stores and review developer credibility, ratings, and permission requests carefully before installation. Enable built-in security scanners and avoid disabling system warnings. Regularly audit app permissions, especially for access to location, camera, microphone, contacts, and messages.

Remain cautious when interacting with links or attachments received through email, SMS, or social media, as phishing remains a primary delivery method for spyware. Avoid jailbreaking or rooting devices, since doing so weakens built-in protections and increases vulnerability. Activate multi-factor authentication on essential accounts such as email, banking, and cloud storage services, and monitor login activity for irregular access. Periodically review mobile data usage and billing statements for unexplained charges. Maintain encrypted backups so decisive action, including a factory reset, can be taken without permanent data loss.

No mobile device can be guaranteed completely immune from surveillance threats. However, informed digital habits, timely updates, disciplined permission management, and layered account security significantly reduce the likelihood of covert monitoring. In an era where smartphones store personal, financial, and professional data, vigilance remains the strongest defense.

Windows Malware Distributed Through Pirated Games Infects Over 400,000 Systems

 



A Windows-focused malware operation spreading through pirated PC games has potentially compromised more than 400,000 devices worldwide, according to research released by Cyderes. The company identified the threat as “RenEngine loader” and reported that roughly 30,000 affected users are located in the United States alone.

Investigators found the malicious code embedded inside cracked and repackaged versions of popular game franchises, including Far Cry, Need for Speed, FIFA, and Assassin’s Creed. The infected installers appear to function normally, allowing users to download and play the games. However, while the visible game content runs as expected, concealed code executes in parallel without the user’s awareness.

Researchers traced part of the operation to a legitimate launcher built on Ren'Py, an engine commonly used for visual novel-style games. The attackers embedded harmful components within this launcher framework. When executed, the launcher decompresses archived game files as intended, but at the same time initiates the hidden malware routine.

According to Cyderes, the campaign has been active since at least April of last year and remains ongoing. In October, the operators modified the malware to include an embedded telemetry URL. Each time the RenEngine loader runs, it connects to this address, allowing the attackers to log activity. Analysis of that telemetry endpoint enabled researchers to estimate overall infection levels, with the system recording between 4,000 and 10,000 visits per day.

Telemetry data indicates that the largest concentration of victims is located in India, the United States, and Brazil. The US accounts for approximately 30,000 of the infected systems identified through this tracking mechanism.

The loader’s primary function is to deliver additional malicious software onto compromised machines. In multiple cases, researchers observed it deploying a Windows-based information stealer known as ARC. This malware is designed to extract stored browser passwords, session cookies, cryptocurrency wallet information, autofill entries, clipboard data, and system configuration details.

Cyderes also reported observing alternative payloads delivered through the same loader infrastructure, including Rhadamanthys stealer, AsyncRAT, and XWorm. These programs are capable of credential theft and, in some cases, remote system control, enabling attackers to monitor activity or manipulate infected devices.

The investigation identified one distribution source, dodi-repacks[.]site, as hosting downloads containing the embedded malware. The domain has previously been associated with other malicious distribution activity.

Detection remains limited at the initial infection stage. Public scan results from Google’s VirusTotal platform indicate that, aside from Avast, AVG, and Cynet, most antivirus engines currently do not flag the loader component as malicious. This detection gap increases the likelihood that users may remain unaware of compromise.

Users who suspect infection are advised to run updated security scans immediately. If concerns persist, Windows System Restore may help revert the device to a prior clean state. In cases where compromise cannot be confidently removed, a full operating system reinstallation may be necessary.

The findings reinforce a recurring cybersecurity risk: unauthorized software downloads frequently serve as a delivery channel for concealed malware capable of exposing personal data and granting attackers extended access to victim systems.

Researchers Identify Previously Undocumented Malware Used in World Leaks Intrusions

 



Cybersecurity researchers have identified a newly developed malicious software tool being used by the extortion-focused cybercrime group World Leaks, marking a pivotal shift in the group’s technical capabilities. According to findings published by the cybersecurity research division of Accenture, the malware has not been observed in prior investigations and appears to be custom-built for covert operations within victim networks. The researchers have designated the tool “RustyRocket” to distinguish it from previously documented malware families.

Analysts explain that RustyRocket functions as a long-term persistence mechanism. Instead of triggering immediate disruption, the malware is designed to quietly embed itself within compromised systems, allowing attackers to remain present for extended periods without raising alarms. This hidden presence enables threat actors to move through internal networks, quietly extract sensitive information, and route network traffic through compromised machines. Security experts involved in the research noted that the tool had operated unnoticed until its recent discovery, underscoring the challenges organizations face in detecting advanced covert threats.

Although World Leaks is commonly categorized as a ransomware group, its operations differ from traditional ransomware campaigns that encrypt files and demand payment for decryption keys. Rather than denying access to data, the group prioritizes unauthorized data collection. Victims are pressured with the threat of having confidential corporate and personal information publicly disclosed if payment demands are not met. This model places reputational damage, regulatory penalties, and legal exposure at the center of the extortion strategy.

The group has publicly claimed responsibility for attacks against large international corporations. In one widely reported incident, World Leaks alleged that a major global sportswear company declined to comply with extortion demands, after which a substantial volume of internal documents was released. As with many threat actor statements, independent verification of the full scope of such claims remains limited, underlining the importance of cautious attribution in cyber incident reporting.

From a technical perspective, RustyRocket is written in the Rust programming language and engineered to operate across both Microsoft Windows and Linux environments. This cross-platform design allows the malware to function in mixed enterprise infrastructures, increasing its usefulness to attackers. Researchers describe the tool as a combined data extraction and network proxy utility, capable of transferring stolen information through multiple layers of encrypted communication. By masking malicious traffic within normal network activity, the malware makes detection by conventional security tools comparatively more difficult.

The tool also incorporates an execution safeguard that requires attackers to supply a pre-encrypted configuration file at runtime. Without this configuration, the malware remains dormant. This feature complicates forensic analysis and reduces the likelihood that automated security systems will successfully analyze or neutralize the tool.

Investigators assess that World Leaks has been active since early 2025 and typically gains initial access through social engineering techniques, misuse of compromised credentials, or exploitation of externally exposed systems. Once inside a network, tools like RustyRocket enable attackers to quietly maintain their presence while systematically collecting data for later extortion.

Security specialists warn that RustyRocket reflects a broader turn in cybercriminal operations toward stealth-based, intelligence-gathering intrusions rather than overtly disruptive attacks. To reduce exposure, organizations are advised to closely monitor unusual outbound data transfers and enforce strict network segmentation. These measures can limit an attacker’s ability to move across systems and reduce the volume of data that can be silently extracted.

The rise of RustyRocket illustrates how extortion groups are increasingly investing in custom malware designed to evade traditional defenses, reinforcing the need for continuous security testing, proactive threat monitoring, and workforce preparedness to counter evolving attack methods.


Dozens of Government and Infrastructure Networks Breached in Global Espionage Campaign



Security researchers have identified a previously undocumented cyber espionage group that infiltrated at least 70 government and critical infrastructure organizations across 37 countries within the past year. The same activity cluster also conducted wide-scale scanning and probing of government-related systems connected to 155 countries between November and December 2025, indicating a broad intelligence collection effort rather than isolated attacks.

The group is tracked as TGR-STA-1030, a temporary designation used for actors assessed to operate with state-backed intent. Investigators report evidence of activity dating back to January 2024. While no specific country has been publicly confirmed as the sponsor, technical indicators suggest an Asian operational footprint. These indicators include the services and tools used, language and configuration preferences, targeting patterns tied to regional interests, and working hours consistent with the GMT+8 time zone.


Who was targeted and what was taken

Confirmed victims include national law enforcement and border agencies, finance ministries, and departments responsible for trade, natural resources, and diplomatic affairs. In several intrusions, attackers maintained access for months. During these periods, sensitive data was taken from compromised email servers, including financial negotiations, contract material, banking information, and operational details linked to military or security functions.


How the intrusions worked

The initial entry point commonly involved phishing messages that led recipients to download files hosted on a legitimate cloud storage service. The downloaded archive contained a custom loader and a decoy file. The malware was engineered to avoid automated analysis by refusing to run unless specific environmental conditions were met, including a required screen resolution and the presence of the decoy file. It also checked for the presence of selected security products before proceeding.

Once active, the loader retrieved additional components disguised as image files from a public code repository. These components were used to deploy a well-known command and control framework to manage compromised systems. The repository linked to this activity has since been taken down.

Beyond phishing, the group relied on known vulnerabilities in widely used enterprise and network software to gain initial access. There is no indication that previously unknown flaws were used. After entry, the attackers employed a mix of command and control tools, web shells for remote access, and tunneling utilities to move traffic through intermediary servers.

Researchers also observed a Linux kernel-level implant that hides processes, files, and network activity by manipulating low-level system functions. This tool concealed directories with a specific name to avoid detection. To mask their operations, the attackers rented infrastructure from legitimate hosting providers and routed traffic through additional relay servers.

Analysts assess that the campaign focuses on countries with active or emerging economic partnerships of interest to the attackers. The scale, persistence, and technical depth of these operations highlight ongoing risks to national security and essential public services, and reinforce the need for timely patching, email security controls, and continuous monitoring across government networks. 

Raspberry Pi Project Turns Wi-Fi Signals Into Visual Light Displays

 



Wireless communication surrounds people at all times, even though it cannot be seen. Signals from Wi-Fi routers, Bluetooth devices, and mobile networks constantly travel through homes and cities unless blocked by heavy shielding. A France-based digital artist has developed a way to visually represent this invisible activity using light and low-cost computing hardware.

The creator, Théo Champion, who is also known online as Rootkid, designed an installation called Spectrum Slit. The project captures radio activity from commonly used wireless frequency ranges and converts that data into a visual display. The system focuses specifically on the 2.4 GHz and 5 GHz bands, which are widely used for Wi-Fi connections and short-range wireless communication.

The artwork consists of 64 vertical LED filaments arranged in a straight line. Each filament represents a specific portion of the wireless spectrum. As radio signals are detected, their strength and density determine how brightly each filament lights up. Low signal activity results in faint and scattered illumination, while higher levels of wireless usage produce intense and concentrated light patterns.

According to Champion, quiet network conditions create a subtle glow that reflects the constant but minimal background noise present in urban environments. As wireless traffic increases, the LEDs become brighter and more saturated, forming dense visual bands that indicate heavy digital activity.

A video shared on YouTube shows the construction process and the final output of the installation inside Champion’s Paris apartment. The footage demonstrates a noticeable increase in brightness during evening hours, when nearby residents return home and connect phones, laptops, and other devices to their networks.

Champion explained in an interview that his work is driven by a desire to draw attention to technologies people often ignore, despite their significant influence on daily life. By transforming technical systems into physical experiences, he aims to encourage viewers to reflect on the infrastructure shaping modern society and to appreciate the engineering behind it.

The installation required both time and financial investment. Champion built the system using a HackRF One software-defined radio connected to a Raspberry Pi. The radio device captures surrounding wireless signals, while the Raspberry Pi processes the data and controls the lighting behavior. The software was written in Python, but other components, including the metal enclosure and custom circuit boards, had to be professionally manufactured.

He estimates that development involved several weeks of experimentation, followed by a dedicated build phase. The total cost of materials and fabrication was approximately $1,000.

Champion has indicated that Spectrum Slit may be publicly exhibited in the future. He is also known for creating other technology-focused artworks, including interactive installations that explore data privacy, artificial intelligence, and digital systems. He has stated that producing additional units of Spectrum Slit could be possible if requested.

PyStoreRAT Campaign Uses Fake GitHub Projects to Target OSINT and IT Professionals

 


Cybersecurity researchers have identified a previously undocumented malware operation that leverages GitHub to distribute a threat known as PyStoreRAT. The campaign primarily targets individuals working in information technology, cybersecurity, and open-source intelligence research, exploiting their reliance on open-source tools.

The findings were published by Morphisec Threat Labs, which described the operation as a coordinated and deliberate effort rather than random malware distribution. The attackers focused on blending into legitimate developer activity, making the threat difficult to detect during its early stages.

PyStoreRAT functions as a Remote Access Trojan, a type of malware that enables attackers to maintain hidden and persistent access to an infected system. Once deployed, it can gather detailed system information, execute commands remotely, and act as a delivery mechanism for additional malicious software.

According to the research, the attackers began by reviving dormant GitHub accounts that had shown no activity for extended periods. These accounts were then used to upload software projects that appeared polished, functional, and credible. Many of the repositories were created with the help of artificial intelligence, allowing them to closely resemble genuine open-source tools.

The fake projects included OSINT utilities, decentralized finance trading bots, and AI-based applications such as chatbot wrappers. Several of these repositories gained visibility and user trust, with some rising through GitHub’s trending rankings. Only after achieving engagement did the attackers introduce subtle updates that quietly embedded the PyStoreRAT backdoor under the guise of routine maintenance.

Once active, PyStoreRAT demonstrates a high degree of adaptability. Morphisec researchers found that it profiles infected systems and can deploy additional payloads, including known data-stealing malware families and Python-based loaders. The malware also modifies its execution behavior when it detects certain endpoint protection products, reducing its exposure to security monitoring.

The threat is not limited to a single delivery method. PyStoreRAT can propagate through removable storage devices such as USB drives and continuously retrieves updated components from its operators. Its command-and-control infrastructure relies on a rotating network of servers, allowing attackers to issue new instructions quickly while complicating takedown efforts.

Researchers also identified non-English language elements within the malware code, including Russian-language terms. While this does not confirm attribution, Morphisec noted that the level of planning and operational maturity places the campaign well beyond low-effort GitHub-based malware activity.

GitHub has removed the majority of the malicious repositories linked to the campaign, though a small number were still accessible at the time of analysis. Security experts stress that developers and researchers should remain cautious when downloading tools, carefully review code changes, and avoid running projects that cannot be independently verified.

Morphisec concluded that the campaign highlights a rapidly growing trend in which attackers combine AI-generated content, social engineering, and resilient cloud infrastructure to bypass traditional security defenses, making awareness and verification more critical than ever.



PlushDaemon Group Reroutes Software Updates to Deploy Espionage Tools

 



A cyberespionage group known in security research circles as PlushDaemon has been carrying out a long-running operation in which they take advantage of software update systems to secretly install their own tools on targeted computers. According to new analysis by ESET, this group has been active for several years and has repeatedly improved its techniques. Their operations have reached both individuals and organizations across multiple regions, including areas in East Asia, the United States, and Oceania. Victims have included universities, companies that manufacture electronics, and even a major automotive facility located in Cambodia. ESET’s data suggests that this shift toward manipulating software updates has been a consistent part of PlushDaemon’s strategy since at least 2019, which indicates the group has found this method to be reliable and efficient.

The attackers begin by attempting to take control of the network equipment that people rely on for internet connectivity, such as routers or similar devices. They usually exploit security weaknesses that are already publicly known or take advantage of administrators who have left weak passwords unchanged. Once the attackers get access to these devices, they install a custom-built implant researchers call EdgeStepper. This implant is written in the Go programming language and compiled in a format that works comfortably on Linux-based router systems. After deployment, EdgeStepper operates quietly in the background, monitoring how the device handles internet traffic.

What makes this implant dangerous is its ability to interfere with DNS queries. DNS is the system that helps computers find the correct server whenever a user tries to reach a domain name. EdgeStepper watches these requests and checks whether a particular domain is involved in delivering software updates. If EdgeStepper recognizes an update-related domain, it interferes and redirects the request to a server controlled by PlushDaemon. The victim sees no warning sign because the update process appears completely normal. However, instead of downloading a legitimate update from the software provider, the victim unknowingly receives a malicious file from the attackers’ infrastructure.

This deceptive update carries the first stage of a layered malware chain. The initial file is a Windows component known as LittleDaemon. It is intentionally disguised as a DLL file to convince the system that it is a harmless library file. Once LittleDaemon runs, it connects to one of the attacker-controlled nodes and downloads the next stage, known as DaemonicLogistics. This second-stage tool is decrypted and executed directly in memory, which makes it more difficult for traditional security products to spot because it avoids writing visible files to disk. DaemonicLogistics is essentially the bridge that loads the final and most important payload.

The last payload is the group’s advanced backdoor, SlowStepper. This backdoor has been documented in earlier incidents, including a case in which users of a South Korean VPN service unknowingly received a trojanized installer from what appeared to be the vendor’s official site. SlowStepper gives the attackers broad access to a compromised machine. It can gather system information, execute various commands, browse and manipulate files, and activate additional spyware tools. Many of these tools are written in Python and are designed to steal browser data, capture keystrokes, and extract stored credentials, giving PlushDaemon a detailed picture of the victim’s activity.

ESET researchers also examined the group’s interference with update traffic for Sogou Pinyin, which is one of the most widely used Chinese input software products. While this example helps illustrate the group’s behavior, the researchers observed similar hijacking patterns affecting other software products as well. This means PlushDaemon is not focused on one specific application but is instead targeting any update system they can manipulate through the network devices they have compromised. Because their technique relies on controlling the network path rather than exploiting a flaw inside the software itself, the group’s approach could be applied to targets anywhere in the world.

The research report includes extensive technical information on every component uncovered in this campaign and offers indicators of compromise for defenders, including associated files, domains, and IP addresses. These findings show that a routine process like installing updates can become a highly effective attack vector when network infrastructure is tampered with. The case also reinforces the importance of securing routers and keeping administrator credentials strong, since a compromised device at the network level allows attackers to alter traffic without the user noticing any warning signs.




Danish Developer’s Website Sparks EU Debate on Online Privacy and Child Protection

 



In August, a 30-year-old developer from Aalborg, identified only as Joachim, built a platform called Fight Chat Control to oppose a proposed European Union regulation aimed at tackling the spread of child sexual abuse material (CSAM) online. The EU bill seeks to give law enforcement agencies new tools to identify and remove illegal content, but critics argue it would compromise encrypted communication and pave the way for mass surveillance.

Joachim’s website allows visitors to automatically generate and send emails to European officials expressing concerns about the proposal. What began as a weekend project has now evolved into a continent-wide campaign, with members of the European Parliament and national representatives receiving hundreds of emails daily. Some offices in Brussels have even reported difficulties managing the flood of messages, which has disrupted regular communication with advocacy groups and policymakers.

The campaign’s influence has extended beyond Brussels. In Denmark, a petition supported by Fight Chat Control gained more than 50,000 signatures, qualifying it for parliamentary discussion. Similar debates have surfaced across Europe, with lawmakers in countries such as Ireland and Poland referencing the controversy in national assemblies. Joachim said his website has drawn over 2.5 million visitors, though he declined to disclose his full name or employer to avoid associating his workplace with the initiative.

While privacy advocates applaud the campaign for sparking public awareness, others believe the mass email tactic undermines productive dialogue. Some lawmakers described the influx of identical messages as “one-sided communication,” limiting space for constructive debate. Child rights organisations, including Eurochild, have also voiced frustration, saying their outreach to officials has been drowned out by the surge of citizen emails.

Meanwhile, the European Union continues to deliberate the CSAM regulation. The European Commission first proposed the law in 2022, arguing that stronger detection measures are vital as online privacy technologies expand and artificial intelligence generates increasingly realistic harmful content. Denmark, which currently holds the rotating presidency of the EU Council, has introduced a revised version of the bill and hopes to secure support at an upcoming ministerial meeting in Luxembourg.

Danish Justice Minister Peter Hummelgaard maintains that the new draft is more balanced than the initial proposal, stating that content scanning would only be used as a last resort. However, several EU member states remain cautious, citing privacy concerns and the potential misuse of surveillance powers.

As European nations prepare to vote, the controversy continues to reflect a broader struggle: finding a balance between protecting children from online exploitation and safeguarding citizens’ right to digital privacy.



Why Businesses Must Act Now to Prepare for a Quantum-Safe Future

 



As technology advances, quantum computing is no longer a distant concept — it is steadily becoming a real-world capability. While this next-generation innovation promises breakthroughs in fields like medicine and materials science, it also poses a serious threat to cybersecurity. The encryption systems that currently protect global digital infrastructure may not withstand the computing power quantum technology will one day unleash.

Data is now the most valuable strategic resource for any organization. Every financial transaction, business operation, and communication depends on encryption to stay secure. However, once quantum computers reach full capability, they could break the mathematical foundations of most existing encryption systems, exposing sensitive data on a global scale.


The urgency of post-quantum security

Post-Quantum Cryptography (PQC) refers to encryption methods designed to remain secure even against quantum computers. Transitioning to PQC will not be an overnight task. It demands re-engineering of applications, operating systems, and infrastructure that rely on traditional cryptography. Businesses must begin preparing now, because once the threat materializes, it will be too late to react effectively.

Experts warn that quantum computing will likely follow the same trajectory as artificial intelligence. Initially, the technology will be accessible only to a few institutions. Over time, as more companies and researchers enter the field, the technology will become cheaper and widely available, including to cybercriminals. Preparing early is the only viable defense.


Governments are setting the pace

Several governments and standard-setting bodies have already started addressing the challenge. The United Kingdom’s National Cyber Security Centre (NCSC) has urged organizations to adopt quantum-resistant encryption by 2035. The European Union has launched its Quantum Europe Strategy to coordinate member states toward unified standards. Meanwhile, the U.S. National Institute of Standards and Technology (NIST) has finalized its first set of post-quantum encryption algorithms, which serve as a global reference point for organizations looking to begin their transition.

As these efforts gain momentum, businesses must stay informed about emerging regulations and standards. Compliance will require foresight, investment, and close monitoring of how different jurisdictions adapt their cybersecurity frameworks.

To handle the technical and organizational scale of this shift, companies can establish internal Centers of Excellence (CoEs) dedicated to post-quantum readiness. These teams bring together leaders from across departments: IT, compliance, legal, product development, and procurement to map vulnerabilities, identify dependencies, and coordinate upgrades.

The CoE model also supports employee training, helping close skill gaps in quantum-related technologies. By testing new encryption algorithms, auditing existing infrastructure, and maintaining company-wide communication, a CoE ensures that no critical process is overlooked.


Industry action has already begun

Leading technology providers have started adopting quantum-safe practices. For example, Red Hat’s Enterprise Linux 10 is among the first operating systems to integrate PQC support, while Kubernetes has begun enabling hybrid encryption methods that combine traditional and quantum-safe algorithms. These developments set a precedent for the rest of the industry, signaling that the shift to PQC is not a theoretical concern but an ongoing transformation.


The time to prepare is now

Transitioning to a quantum-safe infrastructure will take years, involving system audits, software redesigns, and new cryptographic standards. Organizations that begin planning today will be better equipped to protect their data, meet upcoming regulatory demands, and maintain customer trust in the digital economy.

Quantum computing will redefine the boundaries of cybersecurity. The only question is whether organizations will be ready when that day arrives.


FBI Warns Against Screen Sharing Amid Rise in “Phantom Hacker” Scam

 



The Federal Bureau of Investigation (FBI) has issued an urgent alert about a fast-spreading scam in which cybercriminals gain access to victims’ devices through screen-sharing features, allowing them to steal money directly from bank accounts.

Known as the “phantom hacker” scheme, the fraud begins with a phone call or message that appears to come from a legitimate bank or support service. The caller warns that the user’s account has been compromised and offers to “help” by transferring funds to a secure location. In reality, the transfer moves the victim’s money straight to the attacker’s account.

Traditionally, these scams relied on tricking users into installing remote-access software, but the FBI now reports a troubling shift. Scammers are increasingly exploiting tools already built into smartphones, specifically screen-sharing options available in widely used communication apps.

One such example involves WhatsApp, a messaging service used by over three billion people worldwide. The app recently introduced a screen-sharing feature during video calls, designed for legitimate collaboration. However, this function also allows the person on the other end of the call to see everything displayed on a user’s screen, including sensitive details such as login credentials and banking information.

Although WhatsApp notifies users to only share their screens with trusted contacts, attackers often use social engineering to bypass suspicion. The FBI notes that fraudsters frequently begin with a normal phone call before requesting to continue the conversation over WhatsApp, claiming that it offers greater security. Once the victim joins the call and enables screen sharing, scammers can observe financial transactions in real time without ever needing to install malicious software.

Experts emphasize that encryption, while essential for privacy, also prevents WhatsApp or any external authority from monitoring these fraudulent activities. The FBI therefore urges users to remain cautious and to never share their screen, banking details, or verification codes during unsolicited calls.

Cybersecurity professionals advise that individuals should hang up immediately if asked to join a video call or screen-sharing session by anyone claiming to represent a bank or technology company. Instead, contact the organization directly through verified customer-care numbers or official websites. Reporting suspicious incidents can also help prevent future cases.

The scale of financial fraud has reached alarming levels in the United States. According to new findings from the Aspen Institute, scams now cost American households over $158 billion annually, prompting calls for a national strategy to combat organized online crime. More than 80 leaders from public and private sectors have urged the creation of a National Task Force on Fraud and Scam Prevention to coordinate efforts between government bodies and financial institutions.

This rise in screen-sharing scams highlights the growing sophistication of cybercriminals, who are increasingly using everyday digital tools for exploitation. As technology advances, experts stress that public vigilance, real-time verification, and responsible digital habits remain the strongest defenses against emerging threats.



Salesloft Integration Breach Exposes Salesforce Customer Data


 

A recent cyber incident has brought to light how one weak link in software integrations can expose sensitive business information. Salesloft, a sales automation platform, confirmed that attackers exploited its Drift chat integration with Salesforce to steal tokens that granted access to customer environments.

Between August 8 and August 18, 2025, threat actors obtained OAuth and refresh tokens connected to the Drift–Salesforce integration. These tokens work like digital keys, allowing connected apps to access Salesforce data without repeatedly asking for passwords. Once stolen, the tokens were used to log into Salesforce accounts and extract confidential data.

According to Salesloft, the attackers specifically searched for credentials such as Amazon Web Services (AWS) keys, Snowflake access tokens, and internal passwords. The company said the breach only impacted customers who used the Drift–Salesforce connection, while other integrations were unaffected. As a precaution, all tokens for this integration were revoked, forcing customers to reauthenticate before continuing use.

Google’s Threat Intelligence team, which is monitoring the attackers under the name UNC6395, reported that the group issued queries inside Salesforce to collect sensitive details hidden in support cases. These included login credentials, API keys, and cloud access tokens. Investigators noted that while the attackers tried to cover their tracks by deleting query jobs, the activity still appears in Salesforce logs.

To disguise their operations, the hackers used anonymizing tools like Tor and commercial hosting services. Google also identified user-agent strings and IP addresses linked to the attack, which organizations can use to check their logs for signs of compromise.

Security experts are urging affected administrators to rotate credentials immediately, review Salesforce logs for unusual queries, and search for leaked secrets by scanning for terms such as “AKIA” (used in AWS keys), “Snowflake,” “password,” or “secret.” They also recommend tightening access controls on third-party apps, limiting token permissions, and shortening session times to reduce future risk.
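
The search for leaked secrets recommended above can be partly automated. The following added example (not from Salesloft, Google or the original post) scans exported support-case text for the terms named in the article and separates pasted values from bare mentions; the record layout (Id, Subject, Description) and all sample cases are constructed for illustration, and the AWS key shown is the placeholder used in AWS documentation.

```python
import re

# Long-term AWS access key IDs: "AKIA" followed by 16 uppercase letters or digits.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A keyword followed by ":" or "=" and a value suggests a pasted credential.
ASSIGNED = re.compile(r"(?i)(?<![a-z])(password|secret)(?![a-z])\s*[:=]\s*(\S+)")
# A bare keyword is only a pointer for manual review.
MENTION = re.compile(r"(?i)(?<![a-z])(snowflake|password|secret)(?![a-z])")


def redact(value):
    """Keep a 4-character prefix so the report does not re-leak the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text):
    """Return (kind, redacted_excerpt) tuples for one free-text field."""
    findings = [("aws_access_key_id", redact(m.group(0)))
                for m in AWS_KEY_ID.finditer(text)]
    assigned_spans = set()
    for m in ASSIGNED.finditer(text):
        findings.append((m.group(1).lower() + "_value", redact(m.group(2))))
        assigned_spans.add(m.span(1))
    for m in MENTION.finditer(text):
        if m.span(1) not in assigned_spans:  # already reported with its value
            findings.append((m.group(1).lower() + "_mention", None))
    return findings


def triage(cases, fields=("Subject", "Description")):
    """Scan every case; credentials to rotate sort ahead of mentions to review."""
    rows = []
    for case in cases:
        for field in fields:
            for kind, excerpt in scan_text(case.get(field) or ""):
                action = "review" if kind.endswith("_mention") else "rotate"
                rows.append({"case": case["Id"], "field": field, "kind": kind,
                             "excerpt": excerpt, "action": action})
    rows.sort(key=lambda r: (r["action"] != "rotate", r["case"]))
    return rows


# Constructed sample records; field names are an assumed export layout.
CASES = [
    {"Id": "CASE-0001", "Subject": "Cannot connect to Snowflake",
     "Description": "Our loader fails. Config: SNOWFLAKE_PASSWORD=Wint3r!Example"},
    {"Id": "CASE-0002", "Subject": "S3 upload error",
     "Description": "Using key AKIAIOSFODNN7EXAMPLE from the integration user."},
    {"Id": "CASE-0003", "Subject": "Password reset email not arriving",
     "Description": "User never gets the reset link."},
    {"Id": "CASE-0004", "Subject": "Billing question",
     "Description": "Invoice total looks wrong."},
]

if __name__ == "__main__":
    for row in triage(CASES):
        print(row["action"], row["case"], row["field"], row["kind"], row["excerpt"])
```

Findings marked "rotate" contain an actual value and should be treated as exposed; "review" rows only indicate that a case discusses a sensitive topic.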

While some extortion groups have publicly claimed responsibility for the attack, Google stated there is no clear evidence tying them to this breach. The investigation is still ongoing, and attribution remains uncertain.

This incident underlines the broader risks of SaaS integrations. Connected apps are often given high levels of access to critical business platforms. If those credentials are compromised, attackers can bypass normal login protections and move deeper into company systems. As businesses continue relying on cloud applications, stronger governance of integrations and closer monitoring of token use are becoming essential.




Elastic Denies Serious Security Flaw in Its Defend Software

 



Elastic, the company known for its enterprise search and security products, has pushed back against recent claims of a serious vulnerability in its Defend endpoint detection and response (EDR) tool.

The controversy began after a small cybersecurity group, AshES Cybersecurity, published a blog post on August 16. In their write-up, they said they had discovered a “zero-day” bug, a term used to describe flaws that are unknown to the software maker and therefore left unpatched. According to AshES, the issue was a remote code execution (RCE) vulnerability in Elastic Defend’s kernel driver called elastic-endpoint-driver.sys. They suggested that an attacker could exploit this flaw to avoid being monitored by the EDR system, run malicious code, and even maintain long-term access to a computer.

To support their claims, the researcher from AshES described using a custom-built driver in a controlled test to trigger the flaw. However, the group did not provide Elastic with a full proof-of-concept (PoC) — the technical demonstration usually required to verify a security bug.

Elastic quickly responded with a detailed statement. Its internal Security Engineering team said they carried out a “thorough investigation” but were unable to find any evidence that the vulnerability exists. They also noted that AshES had sent in multiple reports but that none contained sufficient detail to recreate the alleged exploit. Elastic stressed that without reproducible proof, such claims cannot be confirmed.

The company also pointed out that AshES declined to share the PoC directly with Elastic or its bug bounty team. Instead, the researchers chose to publish their findings publicly, which runs counter to the practice of coordinated disclosure: a process where researchers privately alert a company first, allowing time to investigate and fix issues before public release.

Elastic reaffirmed that it takes all security reports seriously and highlighted its long-standing bug bounty program, which has been in place since 2017. Through this program, the company has paid more than $600,000 to independent researchers who responsibly report real, verifiable vulnerabilities.

At this stage, the alleged zero-day flaw remains unconfirmed, and Elastic maintains that no evidence supports the existence of the supposed bug.


Hackers Deploy Lookalike PyPI Platform to Lure Python Developers


A sophisticated phishing campaign is impersonating the Python Package Index (PyPI) website to target Python developers, highlighting the ongoing threats that open-source ecosystems face. The campaign uses a counterfeit version of the website.

In an official advisory issued earlier this week, the Python Software Foundation (PSF) warned developers that attackers are attempting to defraud them of their login credentials by imitating the official PyPI domain in their phishing campaign.

Although PyPI's core infrastructure has not been compromised, the threat actors are distributing deceptive emails that direct recipients to a fake website closely resembling the official PyPI repository. Because PyPI is the central repository for publishing and installing third-party Python libraries, this campaign poses a significant threat to developers' accounts as well as to the software supply chain as a whole.

In addition to subtle visual deception, the attackers use social engineering to craft phishing emails that appear convincingly legitimate to unsuspecting recipients. The subject line normally reads "[PyPI] Email verification." The emails are typically sent to addresses harvested from the metadata of packages on the Python Package Index.

A noteworthy aspect of the spam emails is that they are coming from email addresses using the domain @pypj.org, a nearly identical spoof of the official @pypi.org domain—only one character in the spoof differs, where the legitimate “i” is replaced by a lowercase “j”. 

To "verify" their email address, developers are asked to click a link in the email that directs them to a fake website meticulously designed to emulate the authentic PyPI interface. In a particularly deceptive step, the phishing site takes the victims' passwords and forwards them to PyPI's official website, effectively logging them in and masking the fact that they have been deceived, which leaves many unaware of the security breach.

As a result, PyPI maintainers have urged all users who have interacted with the fraudulent email to change their passwords as soon as possible and to review their "Security History" for signs of unauthorised access.

Threat actors have not only impersonated trusted platforms such as PyPI but have also expanded their phishing campaigns to developers of Firefox add-ons, part of a broader pattern of targeted deception within the developer ecosystem. In the PyPI-focused attacks, developers are asked to verify their email addresses by clicking a link that leads to a fake site with an interface nearly identical to the legitimate PyPI site.

One of the most insidious aspects of this scam is that the attacker harvests login credentials and relays them directly to PyPI's real site, seamlessly logging victims in and concealing the breach. This redirection often leaves developers unaware that their credentials were compromised.

This week also brought several reports of a parallel phishing campaign targeting Firefox extension developers. The PyPI team has advised any affected users to change their passwords immediately and check the Security History section for any signs of unauthorised access.

These emails falsely claim to originate from Mozilla or its Add-ons platform (AMO) and instruct recipients to update their account details to maintain access to developer features. On closer examination, however, the messages are not sophisticated at all: some are sent from generic Gmail accounts, and in some the word "Mozilla" is even misspelt, missing one "l".

As these warnings show, the exploitation of platform trust remains one of the most powerful ways for attackers to compromise developer accounts across a wide range of ecosystems. As social engineering threats have increased across the software supply chain, the Python Software Foundation (PSF) and other ecosystem stewards continue to face increasingly sophisticated phishing and malware attacks.

The PyPI Foundation has introduced a new feature known as Project Archival, which allows PyPI publishers to formally archive their projects, signalling to users that no further updates should be expected. In March 2024, PyPI was forced to temporarily suspend new user registrations as well as the creation of new projects due to a malware campaign in which hundreds of malicious packages disguised as legitimate tools were uploaded.

These efforts were soon tested. In response to the latest campaign, PyPI has urged users to be vigilant, inspecting browser URLs carefully before logging in to their accounts and not clicking links in suspicious emails. Similar attacks have also been aimed at the npm registry recently, this time using a typosquatted domain (npnjs[.]com instead of npmjs[.]com) to send credential-stealing email verification messages to registry users.

Several npm packages were compromised as a result of that campaign and were then weaponised to deliver malware dubbed Scavenger Stealer. This malicious payload could extract sensitive data from browsers, capture system information, and exfiltrate it through a WebSocket connection.

It has been documented that similar threats have been encountered across GitHub and other developer platforms, using a combination of typosquatting, impersonation, and reverse proxy phishing techniques. It is important to note that these attacks, despite appearing to be so simple to execute, are meant to compromise accounts that maintain widely used packages, which poses a systemic security risk. 

Security experts suggest that users verify domain names, use browser extensions that flag suspicious URLs, and use password managers whose auto-fill works only on trusted domains, in order to reduce the possibility of exposure. The increase in phishing and typosquatting campaigns targeting software registries like PyPI, npm, and GitHub is indicative of a larger and more serious trend of attackers exploiting developer trust.

In light of these incidents, developers, maintainers, and platform providers must establish enhanced security hygiene measures. Even though open-source ecosystems continue to serve as the foundation for modern software infrastructure, it is clear that the consequences of compromised developer accounts are no longer limited to individual projects. They are now threatening the integrity of the global software supply chain as a whole. 

Developers must take proactive measures in light of this shifting landscape by treating unexpected account verification requests with scepticism, verifying domain identity character by character, and implementing multi-layered security safeguards such as two-factor authentication and password managers that are security-conscious. 
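
Checking a domain character by character can be done mechanically. This added example (not code from PyPI or the original post) flags sender domains that sit within a couple of edits of a trusted registry domain, using the pypj.org and npnjs[.]com spoofs described above; the mailbox names, the other sample headers, the two-edit threshold and the choice to trust subdomains are assumptions.

```python
from email.utils import parseaddr

# Legitimate registry domains named in the article.
TRUSTED = ("pypi.org", "npmjs.com")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "pyip" typed for "pypi".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(from_header):
    """Domain of the real address in a From header, ignoring the display name."""
    # Re-fang "[.]" so indicators copied from reports can be pasted in directly.
    _, addr = parseaddr(from_header.replace("[.]", "."))
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify(domain, trusted=TRUSTED, max_edits=2):
    """Return (verdict, trusted_name): 'trusted', 'lookalike' or 'unknown'."""
    labels = domain.lower().rstrip(".").split(".")
    for name in trusted:
        n = name.count(".") + 1
        if ".".join(labels[-n:]) == name:  # exact domain or one of its subdomains
            return ("trusted", name)
    for name in trusted:
        n = name.count(".") + 1
        # Trusted name used as the leading labels of a different domain.
        if ".".join(labels[:n]) == name:
            return ("lookalike", name)
        if 0 < osa_distance(".".join(labels[-n:]), name) <= max_edits:
            return ("lookalike", name)
    return ("unknown", None)


def check_sender(from_header):
    return classify(sender_domain(from_header))


# Constructed From headers; only the spoofed domains come from the article.
SAMPLES = [
    "PyPI <noreply@pypi.org>",
    '"noreply@pypi.org" <verify@pypj.org>',
    "npm <support@npnjs[.]com>",
    "Updates <news@pypi.org.account-check.example>",
    "Alice <alice@example.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), header)
```

Short names have many legitimate neighbours, so a "lookalike" verdict is a prompt to inspect the message, and known-good neighbouring domains belong in the trusted list.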

A push is also being made for platform operators to accelerate investment in the detection of threats, communication transparency, and education of their users. Ultimately, the community will be able to defend itself against these low-tech, but highly impactful, attacks by recognising deception before it can cause damage. 

Threat actors are growing more sophisticated in exploiting familiarity and automation, so security must be treated as a first principle across the development ecosystem to ensure resilience to attacks.

FBI Issues Urgent Warning: Millions of Android Devices Compromised by Malware Operation

 


A dangerous malware campaign known as BadBox 2.0 has infected more than 10 million Android-powered devices, according to a recent alert from the FBI and major cybersecurity researchers. Users are being advised to immediately disconnect any suspicious smart devices connected to their home networks.

This large-scale cyberattack targets a range of low-cost electronics, such as smart TVs, tablets, digital picture frames, car infotainment systems, and streaming boxes, many of which are manufactured by lesser-known brands and sold at discounted prices. Authorities warn that these products may already be infected before leaving the factory.


How Are Devices Getting Infected?

Investigators say that the malware is often pre-installed into the system’s firmware, meaning it’s embedded into the device itself. In some cases, users unknowingly allow the malware in when accepting software updates or installing apps from unofficial sources.

Once active, the malware can silently take over the infected device, turning it into part of a global botnet. These infected devices are then used by cybercriminals for illegal activities like online ad fraud, credential theft, and hiding internet traffic through proxy networks.

The LAT61 Threat Intelligence Team at Point Wild helped trace how the malware operates. They discovered that the malware secretly converts devices into residential proxy nodes, making it hard to detect while still carrying out harmful actions behind the scenes.


What Are Google and the FBI Doing?

In response to the threat, Google has taken legal action against the individuals behind BadBox 2.0 and has updated its Google Play Protect system to block apps associated with the malware. The FBI, through alert I-060525-PSA, has also issued a detailed warning and urged users to exercise caution, especially with devices from unverified brands.

The team at Human Security, which first exposed the malware operation, confirmed that multiple hacker groups contributed to building and maintaining the botnet infrastructure. Their CEO praised the collaboration between cybersecurity firms, law enforcement, and tech companies to take down the threat.


A New Threat Also Detected

Meanwhile, researchers from GreyNoise have reported signs of another emerging cyber threat, this time involving VoIP (Voice over Internet Protocol) devices. Their investigation revealed a spike in activity where hackers are attempting to gain access to poorly secured systems using default or weak passwords. These devices are often older, rarely updated, and left exposed to the internet, making them easy targets.


What Should You Do?

The FBI advises users to look out for the following red flags:

1. Devices requiring you to turn off Google Play Protect

2. Gadgets that offer “fully unlocked” or “free streaming” features

3. Unfamiliar or generic brand names

4. Apps from third-party app stores

5. Unexpected internet activity from your devices


If you notice any of these signs, disconnect the device from your network immediately and consider replacing it with a trusted brand.

Don’t Wait for a Cyberattack to Find Out You’re Not Ready

 



In today’s digital age, any company that uses the internet is at risk of being targeted by cybercriminals. While outdated software and unpatched systems are often blamed for these risks, a less obvious but equally serious problem is the false belief that buying security tools automatically means a company is well-protected.

Many businesses think they’re cyber resilient simply because they’ve invested in security tools or passed an audit. But overconfidence without real testing can create blind spots, leaving companies exposed to attacks that could lead to data loss, financial damage, or reputational harm.


Confidence vs. Reality

Recent years have seen a rise in cyberattacks, especially in sectors like finance, healthcare, and manufacturing. These industries are prime targets because they handle valuable and sensitive information. A report by Bain & Company found that while 43% of business leaders felt confident in their cybersecurity efforts, only 24% were actually following industry best practices.

Why this mismatch? It often comes down to outdated evaluation methods, overreliance on tools, poor communication between technical teams and leadership, and a natural human tendency to feel “safe” once something has been checked off a list.


Warning Signs of Overconfidence

Here are five red flags that a company may be overestimating its cybersecurity readiness:

1. No Real-World Testing - If an organization has never run a simulated attack, like a red team exercise or breach test, it may not know where its weaknesses are.

2. Rare or Outdated Risk Reviews - Cyber risks change constantly. Companies that rely on yearly or outdated assessments may be missing new threats.

3. Mistaking Compliance for Security - Following regulations is important, but it doesn’t mean a system is secure. Compliance is only a baseline.

4. No Stress Test for Recovery Plans - Businesses need to test their recovery strategies under pressure. If these plans haven’t been tested, they may fail when it matters most.

5. Thinking Cybersecurity Is Only an IT Job - True resilience requires coordination across departments. If only IT is involved, the response to an incident will likely be incomplete.


Building Stronger Defenses

To improve cyber resilience, companies should:

• Test and monitor security systems regularly, not just once.

• Train employees to recognize threats like phishing, which remains a common cause of breaches.

• Link cybersecurity to overall business planning, so that recovery strategies are realistic and fast.

• Work with outside experts when needed to identify hidden vulnerabilities and improve defenses.


If a company hasn’t tested its cybersecurity defenses in the past six months, it likely isn’t as prepared as it thinks. Confidence alone won’t stop a cyberattack, but real testing and ongoing improvement can.

CoinDCX Suffers Rs 380 Crore Crypto Theft Linked to Insider Involvement

 


In a development underlining the growing threat of insider cybercrime, police in Bengaluru arrested a software engineer suspected of committing a massive cryptocurrency heist that defrauded CoinDCX of approximately Rs 379 crore. Agarwal, a 30-year-old resident of Carmelaram and originally from Haridwar, Uttarakhand, was arrested on July 26 by the Whitefield CEN Crime Police, and is currently being held in custody. An investigation conducted by The Times of India, prompted by a formal complaint from Neblio Technologies, the parent company of CoinDCX, led to the identification of Agarwal. The breach was reportedly made possible by Agarwal's login credentials, which allowed hackers to exploit confidential financial protocols within the exchange's infrastructure and prompted the exchange to investigate the potential for internal access vulnerabilities as a whole. 

The breach came to light on July 19, when CoinDCX's internal monitoring systems flagged unusual activity within its digital infrastructure and its complex nature began to emerge. According to the First Information Report based on the complaint Hardeep Singh submitted for CoinDCX on July 22, the attackers initially performed a seemingly benign 1 USDT test transaction at 2:37 a.m., in an effort to test the security of the CoinDCX network.

It was followed shortly afterward by an unauthorized transfer worth $44 million, which was carried out by a high-value individual. To evade detection and hinder recovery efforts, the stolen cryptocurrency was routed through a web of digital wallets, which significantly impeded its traceability. 

On subsequent investigation, authorities discovered signs that the company had been compromised internally, which led to the arrest of CoinDCX employee Rahul Agarwal. According to sources close to the investigation, Agarwal had been using a company-issued laptop to freelance without official authorization, a practice that has allegedly paid him about 15 lakh rupees in the last year alone. 

Investigators suspect that Agarwal may have facilitated the high-profile heist by using his internal access to collaborate with external threat actors. As the investigation progressed, an increasingly intricate narrative developed about the circumstances surrounding the breach. According to senior police officials quoted in the Deccan Herald, Rahul Agarwal may have been a victim of a job-task fraud scam. 

A job-task fraud scheme involves cybercriminals offering payment in return for seemingly harmless online tasks, such as writing Google reviews. Soon after Agarwal started carrying out these tasks on his personal laptop, the perpetrators coerced him into switching to his company-issued device. 

According to reports, this action gave the attackers access to CoinDCX's internal systems as well as its digital asset wallets without his realizing it. A formal complaint was filed on July 22 by Hardeep Singh, the Vice President of Public Policy and Government Affairs of Neblio Technologies Pvt Ltd, CoinDCX's parent company. This led the Whitefield Cyber, Economic, and Narcotics (CEN) Crime Police to issue a First Information Report.

Singh reported that on July 19 at 2:37 a.m. unknown actors infiltrated the company's wallet and initiated a transfer of 1 USDT, a stablecoin pegged to the dollar. Further investigation at 9:40 a.m. the next morning found that a significant volume of cryptocurrency had been siphoned into six personal wallets that none of the parties had identified, confirming the severity and scale of the attack. 

As a consequence of a sophisticated cyberattack that took place on July 19, CoinDCX suffered a major security breach, which resulted in the theft of approximately $44.2 million in cryptocurrency assets. A total of 155,000 SOL (Solana) and 4,400 ETH (Ethereum) funds were compromised, as initially identified by blockchain monitoring firms such as Cyvers via on-chain analysis, but there are no reports that customer wallets were affected by this breach. 

The stolen assets were actually withdrawn from an internal operating wallet which was used by the exchange to maintain liquidity and facilitate seamless transactions between various crypto trading pairs, much in the same way that banks hold reserve funds. A well-coordinated and rapid laundering operation was executed by the attackers, who transferred the stolen assets across several blockchain networks using a well-known cryptocurrency mixer tool called Tornado Cash to mask the source of the funds and obscure the trail.

CoinDCX confirmed that all its customers' funds remain safe and untouched, and that the affected wallet was strictly for internal use. Following the incident, the company has covered the entire loss from its corporate treasury and provided an $11 million bounty for white-hat hackers who can assist in tracing and recovering the stolen funds. 

It bears stressing that the breach did not occur as a result of a vulnerability in the blockchain; rather, it was caused by a compromise in CoinDCX's infrastructure. A cybersecurity expert explained that, although the blockchain (the "vault") remains secure, the attacker exploited weaknesses in the software and infrastructure that the exchange used to interact with blockchain networks, known as the "lock on the vault's door."

CoinDCX has responded by strengthening its security protocols and partnering with leading cybersecurity firms to conduct a comprehensive forensic examination. The breach serves as a stark example of the critical security gaps that exist not only within blockchain technology itself, but also within the surrounding infrastructure that makes the technology work. 

Although the core blockchain systems remained intact and no retail investor funds were compromised, the incident highlighted weaknesses in the operational processes, access controls, and backend systems that connect the platform with the blockchain. The incident does not indicate that cryptocurrencies are necessarily dangerous. 

However, it does emphasize a fundamental truth of cybersecurity: even the most robust technologies are only as safe as the systems and individuals who manage them. As the cryptocurrency ecosystem in India continues to flourish, it is evident that comprehensive regulatory frameworks, rigorous auditing protocols, and consumer protection measures are urgently needed in order to ensure the growth of the industry. 

The crypto exchanges operating in the country must also prioritize the use of advanced threat detection systems and proactive security infrastructures in order to avoid similar breaches and to maintain the trust of the digital asset market. There is more to this incident than just a cybersecurity lapse in India; it is a defining moment for the Indian cryptocurrency ecosystem as it navigates its way through scaling, security, and trust challenges. 

It should be noted that CoinDCX’s breach is more than an isolated incident, and that it reveals a number of systemic vulnerabilities within the crypto platforms that affect how internal access is managed, cybersecurity protocols are enforced, and operational infrastructure is safeguarded. Considering the scale and ease with which threat actors were able to exploit a single compromised user, this theft should serve as an alarm for the entire industry. 

Beyond technical safeguards, this incident also raises questions about internal risk management, accountability among employees, and unchecked use of company resources for external engagements. Because the attackers exploited backend systems rather than blockchains themselves, it highlights the urgent need for end-to-end infrastructure hardening and for clear boundaries between production environments and systems accessible to users or the public. 

The laundering of assets via privacy-oriented tools such as Tornado Cash adds a new layer of complication, emphasizing the need for advanced forensic capabilities to trace and recover stolen digital funds within a global context. Looking to the future of the Indian crypto industry, there must be a shift from reactive security to proactive resilience. As part of this effort, robust audit trails, mandatory cybersecurity training for employees, and real-time threat monitoring will be implemented. 

Regulators also play a vital role in this regard, enforcing stronger compliance standards while fostering the adoption of industry best practices by platforms. CoinDCX’s quick actions to cover the losses and strengthen its infrastructure demonstrated a commendable commitment to user confidence. For the digital asset industry to mature, it must view this incident not as an anomaly, but as a critical inflection point that calls for long-term structural improvements if India is to remain competitive and sustainable over the next decade.