2025-08-27 AI创业新闻

Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775

Citrix has released fixes to address three security flaws in NetScaler ADC and NetScaler Gateway, including one that it said has been actively exploited in the wild. The vulnerabilities in question are listed below - CVE-2025-7775 (CVSS score: 9.2) - Memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service CVE-2025-7776 (CVSS score: 8.8) - Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial-of-Service CVE-2025-8424 (CVSS score: 8.7) - Improper access control on the NetScaler Management Interface The company acknowledged that “exploits of CVE-2025-7775 on unmitigated appliances have been observed,” but stopped short of sharing additional details. However, for the flaws to be exploited, there are a number of prerequisites - CVE-2025-7775

• NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers; NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers; or CR virtual server with type HDX CVE-2025-7776
• NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with PCoIP Profile bounded to it CVE-2025-8424
• Access to NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access The issues have been resolved in the following versions, with no available workarounds - NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1 NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP Citrix credited Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partnerfor and François Hämmerli for discovering and reporting the vulnerabilities. CVE-2025-7775 is the latest NetScaler ADC and Gateway vulnerability to be weaponized in real-world attacks in a short span of time, after CVE-2025-5777 (aka Citrix Bleed 2) and CVE-2025-6543 .

The disclosure also comes a day after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting Citrix Session Recording (CVE-2024-8068 and CVE-2024-8069) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Sni5Gect Attack Crashes Phones and Downgrades 5G to 4G without Rogue Base Station

A team of academics has devised a novel attack that can be used to downgrade a 5G connection to a lower generation without relying on a rogue base station (gNB). The attack , per the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), relies on a new open-source software toolkit named Sni5Gect (short for “Sniffing 5G Inject”) that’s designed to sniff unencrypted messages sent between the base station and the user equipment (UE, i.e., a phone) and inject messages to the target UE over-the-air. The framework can be used to carry out attacks such as crashing the UE modem, downgrading to earlier generations of networks, fingerprinting, or authentication bypass, according to Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou. “As opposed to using a rogue base station, which limits the practicality of many 5G attacks, SNI5GECT acts as a third-party in the communication, silently sniffs messages, and tracks the protocol state by decoding the sniffed messages during the UE attach procedure,” the researchers said.

“The state information is then used to inject a targeted attack payload in downlink communication.” The findings build upon a prior study from ASSET in late 2023 that led to the discovery of 14 flaws in the firmware implementation of 5G mobile network modems from MediaTek and Qualcomm, collectively dubbed 5Ghoul , that could be exploited to launch attacks to drop connections, freeze the connection that involves manual reboot, or downgrade the 5G connectivity to 4G. The Sni5Gect attacks are designed to passively sniff messages during the initial connection process, decode the message content in real-time, and then leverage the decoded message content to inject targeted attack payloads. Specifically, the attacks are designed to take advantage of the phase before the authentication procedure, at which point the messages exchanged between the gNB and the UE are not encrypted. As a result, the threat model does not require knowledge of the UE’s credentials to sniff uplink/downlink traffic or inject messages.

“To the best of our knowledge, SNI5GECT is the first framework that empowers researchers with both over-the-air sniffing and stateful injection capabilities, without requiring a rogue gNB,” the researchers said. “For example, an attacker can exploit the short UE communication window that spans from the RACH process until the NAS security context is established. Such an attacker actively listens for any RAR message from the gNB, which provides the RNTI to decode further UE messages.” This enables the threat actor to crash the modem on the victim’s device, fingerprint the targeted device, and even downgrade the connection to 4G, which has known vulnerabilities that can be exploited by the attacker to track the UE location over time. In tests against five smartphones, including OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro, the study achieved 80% accuracy in uplink and downlink sniffing, and managed to inject messages with a success rate of 70-90% from a distance of up to 20 meters (65 feet).

The Global System for Mobile Communications Association (GSMA), a non-profit trade association that represents mobile network operators worldwide and develops new technologies, has acknowledged the multi-stage, downgrade attack, and assigned it the identifier CVD-2024-0096. “We argue that SNI5GECT is a fundamental tool in 5G security research that enables not only over-the-air 5G exploitation but advancing future research on packet-level 5G intrusion detection and mitigation, security enhancements to 5G physical layer security and beyond,” the researchers concluded. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

MixShell Malware Delivered via Contact Forms Targets U.S. Supply Chain Manufacturers

Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that’s targeting supply chain-critical manufacturing companies with an in-memory malware dubbed MixShell. The activity has been codenamed ZipLine by Check Point Research. “Instead of sending unsolicited phishing emails, attackers initiate contact through a company’s public ‘Contact Us’ form, tricking employees into starting the conversation,” the company said in a statement shared with The Hacker News. “What follows are weeks of professional, credible exchanges, often sealed with fake NDAs, before delivering a weaponized ZIP file carrying MixShell, a stealthy in-memory malware.” The attacks have cast a wide net, spanning multiple organizations across sectors and geographic locations, but with an emphasis on U.S.-based entities.

Primary targets include companies in industrial manufacturing, such as machinery, metalwork, component production, and engineered systems, as well as those related to hardware and semiconductors, consumer goods, biotechnology, and pharmaceuticals. This diverse, yet focused, targeting has raised the possibility that the threat actors behind the campaign are honing in on industry verticals critical to the supply chain. Other countries targeted by ZipLine include Singapore, Japan, and Switzerland. The campaign’s provenance and motives are presently unclear, but Check Point said it identified overlapping digital certificates between an IP address used in the attacks and infrastructure previously identified by Zscaler and Proofpoint as employed in TransferLoader attacks undertaken by a threat cluster referred to as UNK_GreenSec.

ZipLine is another instance of how threat actors are increasingly banking on legitimate business workflows, such as approaching targets via a company’s Contact Us form on their website, thereby weaponizing trust in the process to sidestep any potential concerns. While the approach of using website contact forms as a malware distribution vector is not wholly new, where ZipLine stands apart is in its avoidance of scare tactics and urgent language to trick recipients into taking unintended actions. This patient, social engineering technique involves drawing victims into multi-week conversations, in some cases even instructing them to sign non-disclosure agreements (NDAs), before sending booby-trapped ZIP files. Recent social engineering waves have also capitalized on the artificial intelligence (AI) transformation trend, with the attackers “offering” to help the target entities implement new AI-centric initiatives to reduce costs and improve efficiency.

The attack chain is characterized by multi-stage payloads, in-memory execution, and DNS-based command-and-control (C2) channels, allowing the threat actor to stay under the radar. Specifically, the ZIP archives come fitted with a Windows shortcut (LNK) that triggers a PowerShell loader, which then paves the way for the custom in-memory MixShell implant that uses DNS tunneling and HTTP as a fallback C2 mechanism to support remote command execution, file operations, reverse proxying, stealth persistence, and deeper network infiltration. MixShell also comes in a PowerShell variant that incorporates advanced anti-debugging and sandbox evasion techniques, uses scheduled tasks for persistence, and drops the reverse proxy shell and file download capabilities. The malicious ZIP files are hosted on a sub-domain of herokuapp[.]com, a legitimate Platform-as-a-Service (PaaS) providing compute and storage infrastructure for hosting web applications – once again illustrating the threat actor’s abuse of legitimate services to blend in with normal enterprise network activity.

The LNK file responsible for initiating the execution chain also displays a lure document present in the ZIP file so as not to arouse the victim’s suspicion. That said, Check Point noted that not all ZIP files served from the Heroku domain are malicious, suggesting customized delivery of malware in real-time based on certain criteria. “In many cases, the attacker uses domains that match the names of LLCs registered U.S.-based companies, and in some cases, may have previously belonged to legitimate businesses,” Check Point said. “The attacker maintains similar template websites to all those companies, which hint at a well-planned and streamlined campaign on a large scale.” The campaign poses severe risks to companies, as it can lead to theft of intellectual property and ransomware attacks, business email compromise, and account takeovers resulting in financial fraud, and potential supply chain disruptions with cascading impacts.

“The ZipLine campaign is a wake-up call for every business that believes phishing is just about suspicious links in emails,” Sergey Shykevich, threat intelligence group manager at Check Point Research, said. “Attackers are innovating faster than ever – blending human psychology, trusted communication channels, and timely AI-themed lures. To stay safe, organizations must adopt prevention-first, AI-driven defenses and build a culture of vigilance that treats every inbound interaction as a potential threat.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

AI-Driven Trends in Endpoint Security: What the 2025 Gartner® Magic Quadrant™ Reveals

Cyber threats and attacks like ransomware continue to increase in volume and complexity with the endpoint typically being the most sought after and valued target. With the rapid expansion and adoption of AI, it is more critical than ever to ensure the endpoint is adequately secured by a platform capable of not just keeping pace, but staying ahead of an ever-evolving threat landscape. SentinelOne’s steadfast commitment to delivering AI-powered cybersecurity enables global customers and partners to achieve resiliency and reduce risk with real-time, autonomous protection across the entire enterprise — all from a single agent and console with a robust, rigorously tested platform that keeps the customer in control. Cybersecurity today isn’t just about detection—it’s about operational continuity under pressure.

For example, endpoint solutions must account for encrypted traffic inspection, policy enforcement during identity compromise, and fast containment across distributed environments. These capabilities are especially critical in industries like healthcare or finance, where seconds can mean regulatory penalties or breached patient records. Gartner recently named SentinelOne a Leader in the 2025 Gartner® Magic Quadrant for Endpoint Protection Platforms for the fifth consecutive year. This recognition builds on the Singularity Platform’s momentum in innovation as the first solution with an AI analyst and the first unified platform delivering EDR, CNAPP, Hyperautomation, and SIEM to be FedRAMP High (the highest level of U.S.

federal cloud security authorization) Authorized. SentinelOne provides protection for organizations of all sizes—from small businesses to global governments and enterprises—meeting their unique needs in the face of an increasingly complex cyber landscape. The Singularity Platform secures organizations across any device, any OS, and any cloud, providing industry-leading signal-to-noise so SOC teams can focus on responding as quickly as possible. With advanced XDR, AI SIEM, and CNAPP capabilities, a lightweight agent, and responsible architecture, SentinelOne offers a solution designed for both security and operational resiliency.

Organizations using Singularity Endpoint and Purple AI detect threats 63% faster, reduce MTTR by 55% , and lower the likelihood of a security incident by 60%. Customers have reported a 338% ROI over three years, maximizing the value of their security investments while strengthening their endpoint security. For example, a healthcare provider using SentinelOne reported cutting incident response time by over 50% during a phishing-induced ransomware outbreak, thanks to automated rollback and unified visibility across cloud workloads and endpoints. Many teams searching for EDR or XDR platforms are trying to answer: “Will this reduce alert fatigue?” or “Can it integrate with my SIEM or SOAR stack without more overhead?” This is where automation must go beyond buzzwords—reducing manual triage, stitching disconnected signals, and working with existing tools instead of replacing them.

SentinelOne has set the standard in modern endpoint protection since entering the market more than a decade ago, disrupting both traditional antivirus and early next-gen AV approaches. Unlike signature-based protection and cloud-dependent defenses, the platform pioneered the use of static and behavioral AI and machine learning to detect even novel techniques, solve for both online and air-gapped environments, and automate response. These innovations differentiate SentinelOne from traditional AV and even next-gen EDR solutions, offering deeper automation and on-device intelligence compared to competitors that rely heavily on cloud lookups or manual workflows. This innovation, architecture, and design philosophy continues to evolve through Purple AI, advanced behavioral detection models, automated remediation and rollback, XDR capabilities, and more.

The security platform now offers solutions spanning Identity, Cloud, AI SIEM, Hyperautomation, expert-managed detection and response, and a range of threat services. Accelerating the SOC and staying ahead of attacks in the age of AI requires platforms that harness innovation in AI and automation to radically improve detection, triage, and response. SentinelOne’s platform has long embedded AI and automation as a foundational element. The company continues to develop accessible, compliant AI and automation to transform the SOC.

Behavioral AI and the Future of Cyber Threat Detection Over the last decade, SentinelOne has advanced behavioral AI detections, automated remediation, and introduced agentic AI for security. Rather than merely assisting analysts, agentic AI—defined as a class of autonomous AI systems capable of initiating and executing security actions without human prompting—autonomously takes action, handles routine tasks, and accelerates decision making while keeping the human operator in control. Purple AI, the platform’s AI security analyst , translates natural language questions into powerful threat hunting queries, suggests follow-up questions, recommends next steps, and generates reports and email summaries to accelerate remediation. Built on the Open Cybersecurity Schema Framework (OCSF), a vendor-agnostic standard for unifying data models, Purple AI ensures unified visibility across all security data, enabling fast, precise threat detection.

Figure 2: A natural language query using Purple AI to hunt for Privilege Escalation activity This capability is integrated into Singularity Complete, SentinelOne’s EDR solution, positioning Purple AI as a transformative force in SOC operations. By combining human insight with AI-level reasoning and automation, it enables faster, more accurate triage, investigation, threat management, and response. How Endpoint Security Has Evolved in the Age of AI Product innovation remains central to SentinelOne’s strategy, driven by customer feedback, cost and time savings, and deep integration of AI and automation. Detects suspicious and malicious patterns in real time using behavioral and static AI models across servers, workstations, and workloads Correlates telemetry data from endpoints, cloud workloads, and identity sources into detailed, visual Storylines Figure 3: Storyline helps security teams understand, investigate, and respond to threats faster and more effectively Offers one-click rollback to a pre-attack state, drastically reducing remediation time Enables custom workflows and incident response via Singularity Hyperautomation’s no-code, drag-and-drop canvas SentinelOne also plays a central role in Zero Trust architectures, supporting identity-based segmentation and continuous trust evaluation across cloud, hybrid, and air-gapped environments.

By aligning with frameworks like MITRE ATT&CK, OCSF, and NIST 800-207, the platform enables cohesive telemetry correlation and policy enforcement—positioning it as more than just endpoint protection, but a pillar in enterprise-wide cyber resilience. Balancing Control and Stability in Modern Cybersecurity Platforms The Singularity Platform delivers simplicity, stability, and ease of use across various deployment environments—on-premises, hybrid, air-gapped, or fully cloud-based. SentinelOne offers comprehensive OS support, including legacy systems such as Windows XP, 2008, and 2012, and spans more than 20 years of Windows Server coverage. Customer control is a cornerstone of the platform’s philosophy.

The multi-tenant management console emphasizes analyst experience, with streamlined deployment, configuration, and management. Updates are rigorously tested, responsibly deployed, and controlled by the customer to ensure stability and autonomy. As recognized by Gartner in this year’s evaluation, the unified agent and intuitive console deliver deep enterprise visibility while reducing overhead and administrative burden, allowing security teams to focus on high-priority tasks. Earning Industry Trust Through Proven Performance SentinelOne continues to lead in endpoint cybersecurity, earning trust from nearly 15,000 customers—including Fortune 10, Fortune 500, Global 2000 companies, and major government agencies.

The company consistently achieves top results in MITRE ATT&CK Enterprise Evaluations, delivering an industry-leading signal-to-noise ratio. In addition to being named a Leader in the 2025 Gartner Magic Quadrant for Endpoint Protection Platforms , SentinelOne’s Singularity Platform has been recognized as a 2025 Customers’ Choice in the Voice of the Customer for Extended Detection and Response (XDR), a 2024 Customers’ Choice for Cloud-Native Application Protection Platforms (CNAPP), and a 2024 Customers’ Choice for Managed Detection and Response (MDR). SentinelOne was also named a Strong Performer in the 2025 Gartner Peer Insights Voice of the Customer for Cloud Security Posture Management tools (CSPM). To see how SentinelOne can transform endpoint security within an organization, stakeholders can request a tailored demo or download the full Gartner report for detailed evaluation insights.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Franz Hinner, Deepak Mishra, July 14, 2025. Gartner, Voice of the Customer for Extended Detection and Response, Peer Contributors, 23 May 2025. Gartner, Voice of the Customer for Cloud-Native Application Protection Platforms, Peer Contributors, 27 December 2024. Gartner, Voice of the Customer for Managed Detection and Response, Peer Contributors, 28 November 2024.

Gartner, Voice of the Customer for Cloud Security Posture Management Tools, Peer Contributors, 30 May 2025. Gartner Disclaimer GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, MAGIC QUADRANT and PEER INSIGHTS are registered trademarks of Gartner, Inc.

and/or its affiliates and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact.

Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose. Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners

A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners. The large-scale cybercrime campaign, first detected in August 2025, has been codenamed ShadowCaptcha by the Israel National Digital Agency. “The campaign […] blends social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to gain and maintain a foothold in targeted systems,” researchers Shimi Cohen, Adi Pick, Idan Beit Yosef, Hila David, and Yaniv Goldman said . “The ultimate objectives of ShadowCaptcha are collecting sensitive information through credential harvesting and browser data exfiltration, deploying cryptocurrency miners to generate illicit profits, and even causing ransomware outbreaks.” The attacks begin with unsuspecting users visiting a compromised WordPress website that has been injected with malicious JavaScript code that’s responsible for initiating a redirection chain that takes them to a fake Cloudflare or Google CAPTCHA page.

From there, the attack chain forks into two, depending on the ClickFix instructions displayed on the web page: One that utilizes the Windows Run dialog and another that guides the victim to save a page as an HTML Application (HTA) and then run it using mshta.exe. The execution flow triggered via the Windows Run dialog culminates in the deployment of Lumma and Rhadamanthys stealers via MSI installers launched using msiexec.exe or through remotely-hosted HTA files run using mshta.exe, whereas the execution of the saved HTA payload results in the installation of Epsilon Red ransomware. It’s worth pointing out that the use of ClickFix lures to trick users into downloading malicious HTA files for spreading Epsilon Red ransomware was documented last month by CloudSEK. “The compromised ClickFix page automatically executes obfuscated JavaScript that uses ‘navigator.clipboard.writeText’ to copy a malicious command to the user’s clipboard without any interaction, relying on users to paste and run it unknowingly,” the researchers said.

The attacks are characterized by the use of anti-debugger techniques to prevent inspection of web pages using browser developer tools, while also relying on DLL side-loading to execute malicious code under the guise of legitimate processes. Select ShadowCaptcha campaigns have observed delivering an XMRig-based cryptocurrency miner, with some variants fetching the mining configuration from a Pastebin URL rather than hard-coding it in the malware, thus allowing them to adjust the parameters on the fly. In cases where the miner payloads are deployed, the attackers have also been observed dropping a vulnerable driver (“WinRing0x64.sys”) to achieve kernel-level access and interact with CPU registers with an aim to improve mining efficiency. Of the infected WordPress sites, a majority of them are located in Australia, Brazil, Italy, Canada, Colombia, and Israel, spanning technology, hospitality, legal/finance, healthcare, and real estate sectors.

Exactly how these WordPress sites are compromised is not known. However, Goldman told The Hacker News there is medium confidence that the attackers obtained access through various known exploits in a variety of plugins, and in some instances using the WordPress portal with compromised credentials. To mitigate the risks posed by ShadowCaptcha, it’s essential to train users to watch out for ClickFix campaigns, segment networks to prevent lateral movement, and ensure WordPress sites are kept up-to-date and secured using multi-factor authentication (MFA) protections. “ShadowCaptcha shows how social-engineering attacks have evolved into full-spectrum cyber operations,” the researchers said.

“By tricking users into running built-in Windows tools and layering obfuscated scripts and vulnerable drivers, operators gain stealthy persistence and can pivot between data theft, crypto mining, or ransomware.” The disclosure comes as GoDaddy detailed the evolution of Help TDS , a traffic distribution (or direction) system that has been active since 2017 and has been linked to malicious schemes like VexTrio Viper. Help TDS provides partners and affiliates with PHP code templates that are injected into WordPress sites, ultimately directing users to malicious destinations based on the targeting criteria. “The operation specializes in tech support scams utilizing full-screen browser manipulation and exit prevention techniques to trap victims on fraudulent Microsoft Windows security alert pages, with fallback monetization through dating, cryptocurrency, and sweepstakes scams,” security researcher Denis Sinegubko said . Some of the notable malware campaigns that have leveraged Help TDS in recent years include DollyWay, Balada Injector, and DNS TXT redirects.

The scam pages, for their part, use JavaScript to force browsers to enter full-screen mode and display the fraudulent alert and even feature counterfeit CAPTCHA challenges before rendering them in a bid to sidestep automated security scanners. Help TDS operators are said to have developed a malicious WordPress plugin known as “woocommerce_inputs” between late 2024 and August 2025 to enable the redirection functionality, alongside steadily adding credential harvesting, geographic filtering, and advanced evasion techniques. The plugin is estimated to be installed on over 10,000 sites worldwide. The malicious plugin masquerades as WooCommerce to evade detection by site owners.

It’s exclusively installed by attackers after compromising WordPress sites through stolen administrator credentials. “This plugin serves as both a traffic monetization tool and credential harvesting mechanism, demonstrating continuous evolution from simple redirect functionality to a sophisticated malware-as-a-service offering,” GoDaddy said. “By providing ready-made solutions including C2 infrastructure, standardized PHP injection templates, and fully-featured malicious WordPress plugins, Help TDS has lowered the barrier to entry for cybercriminals seeking to monetize infiltrated websites.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands

Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages. “A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment,” Zimperium zLabs researcher Vishnu Pratapagiri said . “This overlay presents an alarming ‘WARNING’ message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server.” The mobile security company said the overlay is remotely initiated when the command “ransome” is issued by the C2 server. The overlay can be dismissed by the attacker by sending the “delete_ransome” command.

HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the internet. Like other banking malware targeting Android, it’s capable of displaying a fake overlay screen on top of financial apps to steal users’ credentials and abuse Android accessibility services to automate fraud and commandeer devices remotely. Other notable features include the ability to send SMS messages to specified phone numbers, stream the victim’s screen, capture photos using the front-facing camera, and steal cookies and recovery phrases associated with cryptocurrency wallets. The latest version, per Zimperium, signals a major step forward, supporting 107 remote commands, with 38 newly added ones.

This includes serving transparent overlays to capture user gestures, fake NFC overlays to trick victims into sharing sensitive data, and deceptive prompts to gather lockscreen PIN or pattern. The list of newly added commands is as follows - ransome , to show ransomware overlay on top of the device delete_ransome , to remove the ransomware overlay takenfc , to display a fake NFC scanning screen using a fullscreen WebView overlay and read card data unlock_pin , to display a fake device unlock screen to collect unlock pattern or PIN code and gain unauthorized access to the device takencard , to display a fake overlay to collect credit card information by mimicking a Google Pay interface start_record_gesture , to record user gestures by displaying a transparent full screen overlay HOOK is believed to be distributed on a large scale, using phishing websites and bogus GitHub repositories to host and disseminate malicious APK files. Some of the other Android malware families distributed via GitHub include ERMAC and Brokewell , indicating a broader adoption among threat actors. “The evolution of HOOK illustrates how banking trojans are rapidly converging with spyware and ransomware tactics, blurring threat categories,” Zimperium noted.

“With continuous feature expansion and broad distribution, these families pose a growing risk to financial institutions, enterprises, and end users alike.” Anatsa Continues to Evolve The disclosure comes as Zscaler’s ThreatLabs detailed an updated version of the Anatsa banking trojan that has now expanded its focus to target over 831 banking and cryptocurrency services worldwide, including those in Germany and South Korea, up from 650 reported previously. One of the apps in question has been found to mimic a file manager app (package name: “com.synexa.fileops.fileedge_organizerviewer”), which acts as a dropper to deliver Anatsa. Besides replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the trojan, the malware uses corrupted archives to hide the DEX payload that’s deployed during runtime. Anatsa also requests permissions for Android’s accessibility services, which it subsequently abuses to grant itself additional permissions that allow it to send and receive SMS messages, as well as draw content on top of other applications to display overlay windows.

In all, the company said it identified 77 malicious apps from various adware, maskware, and malware families, such as Anatsa, Joker , and Harly, in the Google Play Store, accounting for over 19 million installations. Maskware refers to a category of apps that present themselves as legitimate applications or games to app stores but incorporate obfuscation, dynamic code loading, or cloaking techniques to conceal malicious content. Harly is a variant of Joker that was first flagged by Kaspersky in 2022. Earlier this March, Human Security said it uncovered 95 malicious applications containing Harly that were hosted in the Google Play Store.

“Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection,” security researcher Himanshu Sharma said . “The malware has also added support for more than 150 new financial applications to target.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Google to Verify All Android Developers in 4 Countries to Block Malicious Apps

Google has announced plans to begin verifying the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store. “Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices,” the company said . “This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down.” To that end, the tech giant said it intends to start sending out invitations gradually starting October 2025, before opening it up to all developers in March 2026. The new requirements are expected to go into effect starting a year from now, in September 2026, in Brazil, Indonesia, Singapore, and Thailand.

“At this point, any app installed on a certified Android device in these regions must be registered by a verified developer,” Suzanne Frey, vice president of Product, Trust and Growth for Android, added. It’s worth noting that nothing much will change for developers who distribute apps through the Google Play Store, as they are likely to have already met these verification requirements through the existing Play Console process. A separate type of Android Developer Console account is in the works for student and hobbyist developers. Google said the changes are designed to prevent malicious actors from impersonating developers and using their branding and reputation to create convincing fake apps.

Compounding the problem is the presence of such malicious apps that are distributed via third-party app marketplaces from where users can sideload them. The developer verification mandate adds to already existing security measures that block the sideloading of potentially dangerous apps in markets like Singapore, Thailand, Brazil, and India. In July 2023, the company also began requiring all new developer accounts registering as an organization to provide a valid D-U-N-S number assigned by Dun & Bradstreet before submitting apps in an effort to build user trust. The “new layer of security,” Google pointed out, aims to protect users from repeat bad actors spreading malware and scams, as well as provide a “consistent, common sense baseline of developer accountability” across Android.

It also said the system preserves user choice while enhancing security for everyone. While the Android app distribution rules are aimed at tightening the security of the ecosystem, they also come at a time when Google is potentially staring at major reforms to the Play Store , including distributing competing app stores through Google Play and providing rivals with access to its full app catalog, after having a lost an antitrust lawsuit brought by Epic Games in 2020. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws impacting Citrix Session Recording and Git to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2024-8068 (CVSS score: 5.1) - An improper privilege management vulnerability in Citrix Session Recording that could allow for privilege escalation to NetworkService Account access when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain CVE-2024-8069 (CVSS score: 5.1) - A deserialization of untrusted data vulnerability in Citrix Session Recording that allows limited remote code execution with the privileges of a NetworkService Account access when an attacker is an authenticated user on the same intranet as the session recording server CVE-2025-48384 (CVSS score: 8.1) - A link following vulnerability in Git that arises as a result of inconsistent handling of carriage return (CR) characters in configuration files, resulting in arbitrary code execution Both the Citrix flaws were patched by the company in November 2024 following responsible disclosure by watchTowr Labs on July 14, 2024. CVE-2025-48384, on the other hand, was addressed by the Git project earlier this July.

A proof-of-concept (PoC) exploit was released by Datadog following public disclosure. “If a submodule path contains a trailing CR, the altered path can cause Git to initialize the submodule in an unintended location,” Arctic Wolf said about CVE-2025-48384. “When this is combined with a symlink pointing to the submodule hooks directory and an executable post-checkout hook, cloning a repository can result in unintended code execution.” As is typically the case, CISA has provided no further technical details on the exploitation activity, or who may be behind them. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary mitigations by September 15, 2025, to secure their networks against active threats.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats

A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing’s strategic interests. “This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection,” Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said . UNC6384 is assessed to share tactical and tooling overlaps with a known Chinese hacking group called Mustang Panda , which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon. The campaign, detected by GTIG in March 2025, is characterized by use of a captive portal redirect to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN.

The downloader then paves the way for the in-memory deployment of a PlugX (aka Korplug or SOGU) variant called SOGU.SEC. PlugX is a backdoor that supports commands to exfiltrate files, log keystrokes, launch a remote command shell, upload/download files, and is able to extend its functionality with additional plugins. Often launched via DLL side-loading, the implant is spread through USB flash drives, targeted phishing emails containing malicious attachments or links, or compromised software downloads. The malware has existed since at least 2008 and is widely used by Chinese hacking groups.

It is believed that ShadowPad is the successor of PlugX. The UNC6384 attack chain is fairly straightforward in that adversary-in-the-middle (AitM) and social engineering tactics are used to deliver the PlugX malware - The target’s web browser tests if the internet connection is behind a captive portal An AitM redirects the browser to a threat actor-controlled website STATICPLUGIN is downloaded from “mediareleaseupdates[.]com” STATICPLUGIN retrieves an MSI package from the same website CANONSTAGER is DLL side-loaded and deploys the SOGU.SEC backdoor in memory The captive portal hijack is used to deliver malware masquerading as an Adobe Plugin update to targeted entities. On the Chrome browser, the captive portal functionality is accomplished by means of a request to a hard-coded URL (“www.gstatic[.]com/generate_204”) that redirects users to a Wi-Fi login page. While “gstatic[.]com” is a legitimate Google domain used to store JavaScript code, images, and style sheets as a way to enhance performance, Google said the threat actors are likely carrying out an AitM attack to initiate redirection chains from the captive portal page to the threat actor’s landing web page.

It’s assessed that the AitM is facilitated by means of compromised edge devices on the target networks, although the attack vector used to pull this off remains unknown at this stage. “After being redirected, the threat actor attempts to deceive the target into believing that a software update is needed, and to download the malware disguised as a ‘plugin update,’” GTIG said. “The landing web page resembles a legitimate software update site and uses an HTTPS connection with a valid TLS certificate issued by Let’s Encrypt.” The end result is the download of an executable named “AdobePlugins.exe” (aka STATICPLUGIN) that, when launched, triggers the SOGU.SEC payload in the background using a DLL referred to as CANONSTAGER (“cnmpaui.dll”) that’s sideloaded using the Canon IJ Printer Assistant Tool (“cnmpaui.exe”). The STATICPLUGIN downloader is signed by Chengdu Nuoxin Times Technology Co., Ltd with a valid certificate issued by GlobalSign.

Over two dozen malware samples signed by Chengdu have been put to use by China-nexus activity clusters, with the earliest artifacts dating back to at least January 2023. Exactly how these certificates are obtained by the subscriber is not clear. “This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors,” Whitsell said. “The use of advanced techniques such as AitM combined with valid code signing and layered social engineering demonstrates this threat actor’s capabilities.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3

Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container. The vulnerability, tracked as CVE-2025-9074 , carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3. “A malicious container running on Docker Desktop could access the Docker Engine and launch additional containers without requiring the Docker socket to be mounted,” Docker said in an advisory released last week.

“This could allow unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate this vulnerability.” According to security researcher Felix Boulet, the vulnerability has to do with how it’s possible for a container to connect to the Docker Engine API at 192.168.65[.]7:2375 without requiring any authentication, thereby opening the door to a scenario where a privileged container could gain full access to the underlying host upon mounting the C:\ drive into it. In a proof-of-concept (PoC) exploit, a web request from any container has been found to trigger the flaw and result in a full compromise of the host - POST a JSON payload to “/containers/create,” binding the host C:\ drive to a folder in the container (/mnt/host/c:/host_root) in the container, and using a startup command to write or read anything under /host_root on container startup. POST to “/containers/{id}/start” to launch the container and start the execution “At its core, this vulnerability was a simple oversight, Docker’s internal HTTP API was reachable from any container without authentication or access controls,” Boulet said .

PVOTAL Technologies researcher Philippe Dugre (“zer0x64”), who further examined the flaw, said an attacker can exploit the flaw on the Windows version of Docker Desktop to mount as an administrator the entire file system, read any sensitive file, and overwrite a system DLL to escalate the attacker to administrator of the host system. “On macOS, however, the Docker Desktop application still has a layer of isolation and trying to mount a user directory prompts the user for permission,” Dugre said . “By default, the Docker application does not have access to the rest of the file system and does not run with administrative privileges, so the host is a lot safer than in the Window’s case.” “However, the attacker does still have full control of the Docker application/containers and can even backdoor it by mounting and modifying the application’s configuration, which does not need any user approval.” The vulnerability does not impact the Linux version since Linux uses a named pipe on the host’s file system, rather than relying on a TCP TCP socket for the Docker Engine’s API. The easiest way to leverage the vulnerability is via a threat actor-controlled malicious container.

That said, a server-side request forgery (SSRF) flaw can be used as an alternate attack vector. “This vulnerability allows an attacker to proxy requests through the vulnerable application and reach the Docker socket, the impact of which varies especially depending on the availability of HTTP requests methods (most SSRF only allows GET requests, but some niche case allows the use of POST, PATCH, DELETE methods),” Dugre said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads

Cybersecurity researchers have flagged a new phishing campaign that’s using fake voicemails and purchase orders to deliver a malware loader called UpCrypter . The campaign leverages “carefully crafted emails to deliver malicious URLs linked to convincing phishing pages,” Fortinet FortiGuard Labs researcher Cara Lin said . “These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter.” Attacks propagating the malware have been primarily targeting manufacturing, technology, healthcare, construction, and retail/hospitality sectors across the world since the start of August 2025. The vast majority of the infections have been observed in Austria, Belarus, Canada, Egypt, India, and Pakistan, among others.

UpCrypter functions as a conduit for various remote access tools (RATs), such as PureHVNC RAT , DCRat (aka DarkCrystal RAT), and Babylon RAT , each of which enable an attacker to take full control of compromised hosts. The starting point of the infection chain is a phishing email using themes related to voicemail messages and purchases to deceive recipients into clicking on links that direct to fake landing pages, from where they are prompted to download the voice message or a PDF document. “The lure page is designed to appear convincing by not only displaying the victim’s domain string in its banner but also fetching and embedding the domain’s logo within the page content to reinforce authenticity,” Fortinet said. “Its primary purpose is to deliver a malicious download.” The downloaded payload is a ZIP archive containing an obfuscated JavaScript file, which subsequently contacts an external server to fetch the next-stage malware, but only after confirming internet connectivity and scanning running processes for forensic tools, debuggers, or sandbox environments.

The loader, in turn, contacts the same server to obtain the final payload, either in the form of plain text or embedded within a harmless-looking image, a technique called steganography. Fortinet said UpCrypter is also distributed as an MSIL (Microsoft Intermediate Language) loader that, like its JavaScript counterpart, conducts anti-analysis and anti-virtual machine checks, after which it downloads three different payloads: an obfuscated PowerShell script, a DLL, and the main payload. The attack culminates with the script embedding data from the DLL loader and the payload during execution, thus allowing the malware to be run without writing it to the file system. This approach also has the advantage of minimizing forensic traces, thereby allowing the malware to fly under the radar.

“This combination of an actively maintained loader, layered obfuscation, and diverse RAT delivery demonstrates an adaptable threat delivery ecosystem capable of bypassing defenses and maintaining persistence across different environments,” Lin said. The disclosure comes as Check Point detailed a large-scale phishing campaign abusing Google Classroom to distribute more than 115,000 phishing emails aimed at 13,500 organizations across multiple industries between August 6 and 12, 2025. The attacks target organizations in Europe, North America, the Middle East, and Asia. “Attackers exploited this trust by sending fake invitations that contained unrelated commercial offers, ranging from product reselling pitches to SEO services,” the company said .

“Each email directed recipients to contact scammers via a WhatsApp phone number, a tactic often linked to fraud schemes.” The attack bypasses security systems because it leverages the trust and reputation of Google Classroom’s infrastructure to bypass key email authentication protocols, such as SPF, DKIM, and DMARC, and helps land the phishing emails in users’ inboxes. These campaigns are part of a larger trend where threat actors take advantage of legitimate services like Microsoft 365 Direct Send and OneNote , not to mention abuse free artificial intelligence (AI)-powered website builders like Vercel v0 and Flazio, as well as other platforms such as Discord CDN , SendGrid , Zoom , ClickFunnels, Jotform, and X’s t[.]co link shortener – an approach known as living-off-trusted-sites ( LOTS ). “After the threat actor gained M365 credentials of one user in an organization through a phishing attack, they created a OneNote file in the compromised user’s personal Documents folder on OneDrive, embedding the lure URL for the next phishing stage,” Varonis said in a report published last month. The misuse of Direct Send has prompted Microsoft to introduce an option for organizations called “ Reject Direct Send “ to directly address the issue.

Alternatively, customers can also apply custom header stamping and quarantine policies to detect emails that claim to be internal communication but, in reality, aren’t. These developments have also been accompanied by attackers increasingly relying on client-side evasion techniques in phishing pages to stay ahead of both automated detection systems and human analysts. This includes the use of JavaScript-based blocking, Browser-in-the-Browser (BitB) templates, and hosting the pages inside virtual desktop environments using noVNC. “A notable method growing in popularity is the use of JavaScript-based anti-analysis scripts; small but effective bits of code embedded in phishing pages, fake tech support sites, and malicious redirects,” Doppel said .

“Once any such activity is identified, the site immediately redirects the user to a blank page or disables further interaction, blocking access before any deeper inspection can occur.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More

Cybersecurity today moves at the pace of global politics. A single breach can ripple across supply chains, turn a software flaw into leverage, or shift who holds the upper hand. For leaders, this means defense isn’t just a matter of firewalls and patches—it’s about strategy. The strongest organizations aren’t the ones with the most tools, but the ones that see how cyber risks connect to business, trust, and power.

This week’s stories highlight how technical gaps become real-world pressure points—and why security decisions now matter far beyond IT. ⚡ Threat of the Week Popular Password Managers Affected by Clickjacking — Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent security researcher Marek Tóth, who presented the findings at the DEF CON 33 security conference earlier this month. As of August 22, fixes have been released by Bitwarden, Dashlane, Enpass, KeePassXC-Browser, Keeper, LastPass, NordPass, ProtonPass, and RoboForm.

How GenAI Is Helping Cybersecurity Teams Reimagine Security Operations Learn how cybersecurity teams are leveraging AI and what challenges they are facing, including questions such as: What is the current state of adoption? What use cases are being prioritized? What key requirements do organizations have? How is AI actually delivering results?

Learn more about AI in Security Operations for 2025 ➝ 🔔 Top News Russian Hackers Go After Old Cisco Flaw — Hackers linked to Russia are exploiting a seven-year-old vulnerability in unpatched end-of-life Cisco networking devices (CVE-2018-0171) to target enterprise and critical infrastructure networks in the U.S. and abroad. Over the past year, the threat actor, which Cisco is tracking as Static Tundra, has collected configuration files from thousands of networking devices used by US organizations in critical infrastructure sectors. On some vulnerable devices, the attackers changed the configuration settings to give themselves unauthorized access to the network.

The attackers then used that access to explore the networks, looking specifically at protocols and applications that are commonly used in industrial systems. Cisco identified Static Tundra as primarily targeting organizations of strategic interest to the Kremlin, spanning the manufacturing, telecommunications, and higher education sectors across the globe. Once the threat actor gains access to a system of interest, they have been found to use stolen SNMP credentials to quietly control the compromised devices, letting them run commands, change settings, and steal configurations, all while hiding their activity from security controls. Static Tundra has also altered the configuration of compromised devices to create new local user accounts and enable remote access services like Telnet, granting them additional ways to regain access to the device if their initial communication mechanism is closed.

Also used by the group is a backdoor called SYNful Knock to stay connected to infected devices and give a hidden foothold that survives reboots. Apple Fixes Actively Exploited 0-Day — Apple released security fixes to fix a high-severity flaw in iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day is an out-of-bounds write vulnerability affecting the ImageIO framework. Tracked as CVE-2025-43300 (CVSS score: 8.8), the issue could result in memory corruption when processing a malicious image.

The iPhone maker said the bug was internally discovered and that it was addressed with improved bounds checking. The company provided no further technical details of the vulnerability or insights into the exploitation activity beyond characterizing the cyber attacks as sophisticated and highly targeted. The tech giant began using such terminology starting this year, presumably to signify nation-state threats and spyware activity. Murky Panda Abuses Trusted Relationships to Breach Cloud Environments — The threat actor known as Murky Panda (aka Silk Typhoon) has been observed abusing trusted relationships in the cloud to hack enterprise networks.

The attacks leverage N-day and zero-day vulnerabilities to drop web shells and a Golang malware called CloudedHope to facilitate remote access. A notable aspect of Murky Panda’s tradecraft concerns the abuse of trusted relationships between partner organizations and their cloud tenants, exploiting zero-day vulnerabilities to breach software-as-a-service (SaaS) providers’ cloud environments and conduct lateral movement to downstream victims. INTERPOL Announces New Wave of Arrests in Africa — INTERPOL announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. “The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation,” the agency said.

The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti, which took place between June and August 2025 to tackle severe crimes like ransomware, online scams and business email compromise (BEC). The first wave of arrests occurred late last year. Scattered Spider Hacker Gets 10 Years Jailterm — Noah Michael Urban, a 20-year-old member of the notorious cybercrime gang known as Scattered Spider, was sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts.

Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. In addition to 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. The defendant, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023.

These incidents led to the theft of at least $800,000 from at least five different victims. North Korea Likely Behind New Diplomat Cyber Attacks — The North Korea-backed threat actor known as Kimsuky is believed to have orchestrated a spear-phishing attack targeting European embassies in South Korea. The campaign, ongoing since March 2025, is characterized by the use of GitHub as a command-and-control channel and a variant of an open-source malware called Xeno RAT. In an interesting twist, the attackers have yielded clues that they are working out of China, perhaps alluding to the possibility of a collaboration or that it’s the work of a threat actor that closely mimics the tactics of Kimsuky.

Furthermore, routing malicious cyber activity through China likely provides North Korea with some geopolitical cover and a safe haven as long as it doesn’t directly harm domestic interests. Alleged RapperBot Admin Charged in the U.S. — Ethan Foltz, 22, of Eugene, Oregon, was charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot since at least 2021. Foltz has been charged with one count of aiding and abetting computer intrusions.

If convicted, he faces a maximum penalty of 10 years in prison. In addition, law enforcement authorities conducted a search of Foltz’s residence on August 6, 2025, seizing administrative control of the botnet infrastructure. ‎️‍🔥 Trending CVEs Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage.

Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead. This week’s list includes — CVE-2025-7353 (Rockwell Automation ControlLogix), CVE-2025-8714 (PostgreSQL), CVE-2025-9037, CVE-2025-9040 (Workhorse Software Services), CVE-2025-54988 (Apache Tika), CVE-2025-57788, CVE-2025-57789, CVE-2025-57790, CVE-2025-57791 Commvault), and CVE-2025-43300 (Apple iOS, iPadOS, and macOS). 📰 Around the Cyber World Microsoft Scales Back Chinese Access to Early Warning System — Microsoft revealed it has scaled back some Chinese companies’ access to its early warning system for cybersecurity vulnerabilities in the wake of sweeping hacking attempts against Microsoft SharePoint servers that have been pinned on Beijing.

To that end, the Windows maker said several Chinese firms would no longer receive proof-of-concept code demonstrating the flaws. The change is applicable to “countries where they’re required to report vulnerabilities to their governments,” which would include China. The decision comes amid speculation that there may have been a leak from the Microsoft Active Protections Program (MAPP) may have resulted in the large-scale exploitation activity. New Lazarus Stealer Spotted — A new Android banking trojan called Lazarus Stealer has been spotted in the wild.

“Disguised as a harmless application called ‘GiftFlipSoft,’ the malware specifically targets multiple Russian banking apps, extracting card numbers, PINs, and other sensitive credentials while remaining completely hidden from the device’s interface,” CYFIRMA said . “The malware is built for persistence, operating silently in the background while exfiltrating sensitive data. It abuses high-risk permissions, default SMS privileges, overlay functions, and dynamic WebView content to carry out its operations.” Once installed, the app requests default SMS app privileges, as well as overlay (“Display Over Other Apps”) and Usage Access permissions to display fraudulent interfaces on legitimate applications for credential harvesting and monitor active applications in real time and detect when targeted applications, such as banking apps, are launched. Google Agrees to Pay $30M to Settle Children’s Privacy Lawsuit — Google has agreed to pay $30 million to settle a class-action lawsuit that it violated children’s privacy on YouTube by secretly collecting their data without parental consent and using it to serve targeted ads.

Google denied wrongdoing in agreeing to settle. The company previously paid a $170 million fine in 2019 to the Federal Trade Commission (FTC) and the state of New York for similar practices. Storm-1575 Linked to Salty 2FA — The threat actor known as Storm-1575 has been attributed to a new phishing-as-a-service (PhaaS) offering called Salty 2FA. “Like other PhaaS platforms, Salty 2FA is mainly delivered via email and focuses on stealing Microsoft 365 credentials,” ANY.RUN said .

“It unfolds in multiple stages and includes several mechanisms designed to hinder detection and analysis.” Victims of Salty 2FA attacks span the finance, telecom, energy, consulting, logistics, and education sectors. Storm-1575 is the moniker assigned by Microsoft to the operators of DadSec and Rockstar 2FA. What is HuiOne Guarantee? — The Telegram-based escrow platform HuiOne Guarantee (aka Haowang Guarantee), which announced its closure in June 2025, has acquired a 30% financial stake in Tudou Guarantee, which has emerged as a key fallback for Huione-affiliated vendors.

Described as an “Amazon for criminals,” the Cambodian conglomerate behind it, HuiOne Group, has had its HuiOne Pay license revoked by the National Bank of Cambodia earlier this March. HuiOne-linked infrastructure has received over $96 billion in cryptocurrency assets since 2021, according to TRM Labs , which said HuiOne Pay and HuiOne Guarantee share operational links, with fund flows observed from Huione Pay withdrawal wallets to Huione Guarantee’s security deposit wallets. The findings come as darknet market escrow systems that manage cryptocurrency transactions between buyers and vendors continue to remain vulnerable to administrator exit scams. These systems implement escrow through multi-signature cryptocurrency wallet addresses that require signatures from the buyer and vendor to complete transactions, with the market administrator only stepping in during dispute resolution to side with either the buyer or vendor based on evidence provided by the two parties.

To streamline operations, many darknet markets also use automated escrow release systems, transferring funds to vendors after 7 to 21 days unless buyers initiate disputes during the timer period. However, the “centralized” nature of the dispute resolution process, which is heavily reliant on the market administrators, introduces new risks such as bias, corruption, and exit scam scenarios where fairness takes a back seat. Orange Belgium Discloses Breach — Orange Belgium, a subsidiary of telecommunications giant Orange Group, disclosed on Wednesday that attackers who breached its systems in July have stolen the data of approximately 850,000 customers. “At the end of July, Orange Belgium discovered a cyber attack on one of its IT systems, which gave unauthorized access to certain data from 850,000 customer accounts,” the company said .

“No critical data was compromised: no passwords, email addresses, bank or financial data were hacked. However, the hacker has gained access to one of our IT systems that contains the following information: name, first name, phone number, SIM card number, PUK code, [and] tariff plan.” U.K. Man Sentenced to Jail for Website Defacement and Data Theft — Al-Tahery Al-Mashriky, 26, from Rotherham, South Yorkshire, was sentenced to jail for 20 months for hacking into the websites of organizations in North America, Yemen and Israel and stealing the log in details of millions of people, including more than 4 million Facebook users. Al-Mashriky was arrested in August 2022 and pleaded guilty to nine offences earlier this March.

Associated with an extremist hacker group named Yemen Cyber Army, the defendant infiltrated a number of websites to push religious and political ideologies. A review of his seized laptop uncovered personal data for over 4 million Facebook users and several documents containing usernames and passwords for services such as Netflix and Paypal. The Yemen Cyber Army is a hacktivist group that, in the past, has declared its support for the Houthis, an Islamist political and military organization. Malicious npm Packages Target Solana Developers — Malicious npm packages have been found embedding an information stealer that’s designed to single out Russian cryptocurrency developers as part of a campaign dubbed Solana-Scan.

These malicious packages, solana-pump-test, solana-spl-sdk, and solana-pump-sdk, targeted the Solana cryptocurrency ecosystem and claimed to “scan” for Solana SDK components. All the packages were published by a user named “cryptohan.” Contained within the package is an obfuscated CommonJS file that launches a JavaScript payload for extracting environment information and launching a second-stage that searches the compromised machine for sensitive files and exfiltrates them to a remote server located in the U.S. There is evidence that the JavaScript was written with the help of generative artificial intelligence (AI) tools like Anthropic Claude, software supply chain security outfit Safety said . Singapore Warns of Dire Wolf Attacks — The Cyber Security Agency of Singapore (CSA) has warned of Dire Wolf double-extortion attacks targeting Dire Wolf since May 2025.

“Dire Wolf ransomware group employs a double extortion tactic, where it encrypts data on victims’ systems and threatens to publicly release exfiltrated data on its data leak site (DLS) unless a ransom is paid,” CSA said . “This causes a two-fold impact of data loss and reputational damage on victim organizations.” Hijack Loader Detailed — Cybersecurity researchers have unpacked the inner workings of a malware loader called Hijack Loader that’s used as a conduit for other payloads, including information stealers and remote access trojans. Attack chains distributing the malware have leveraged pirated game websites like Dodi Repacks, tricking users into downloading booby-trapped ZIP archives under the guise of video games like Virtua Fighter 5 REVO. Another propagation mechanism involves embedding a link to cracked software in TIDAL music playlists that show up in search engine results.

Hijack Loader incorporates an array of anti-virtual machine and anti-debug techniques and attempts to disable Microsoft Defender Antivirus prior to launching the final payload. Nebraska Man Sentenced to 1 Year in Prison for Illicit Crypto Mining — Charles O. Parks III, who was indicted in April 2024 for operating a large-scale illegal cryptojacking operation, was sentenced in the U.S. to one year and one day in prison.

He is said to have defrauded two well-known providers of cloud computing services out of more than $3.5 million worth of computing resources from January through August 2021. Parks was charged with wire fraud, money laundering, and engaging in unlawful monetary transactions in connection with the scheme and pleaded guilty to wire fraud in December 2024. The mined currency was used for personal luxurious purchases and Parks boasted about his profits on social media to earn credibility as a crypto influencer. “Parks created and used a variety of names, corporate affiliations, and email addresses, including emails with domains from corporate entities he operated called ‘MultiMillionaire LLC’ and ‘CP3O LLC,’ to register numerous accounts with the service providers and to gain access to massive amounts of computing processing power and storage that he did not pay for,” the Justice Department said.

Chrome Extension Detected Capturing Screenshots — A Chrome browser extension with more than 100,000 installs has been found to harbor covert features to capture screenshots, collect system information, and query IP geolocation APIs for location details. The screenshots are uploaded to an external server, aitd.one, which claims to be an AI threat detection service. Advertised as a free VPN app named FreeVPN.One, the featured add-on offered the promised functionality since its launch in 2000, before the surveillance features were subtly introduced in April, June, and July 2025. The developer behind the tool claimed the automatic screenshot capture is part of a Background Scanning feature that’s triggered only on suspicious domains and for all users by default.

However, Koi Security found that screenshots were being taken on trusted services like Google Sheets and Google Photos. “FreeVPN.One shows how a privacy branding can be flipped into a trap,” the company said . “What’s sold as safety becomes a quiet pipeline for collecting what you do and where you are.” Okta Releases Auth0 Customer Detection Catalog — Okta has announced the launch of the Auth0 Customer Detection Catalog , a comprehensive open-source repository designed to enhance proactive threat detection capabilities for Auth0 customers. “The Auth0 Customer Detection Catalog allows security teams to integrate custom, real-world detection logic directly into their log streaming and monitoring tools, enriching the detection capabilities of the Auth0 platform,” the identity security company said .

TRM Labs Launches Beacon Network to Monitor Crypto Crime — Blockchain intelligence firm TRM Labs announced the launch of Beacon Network, a real-time crypto crime response network for tracking illicit crypto activity and preventing it from leaving the blockchain. “Verified investigators flag addresses linked to financial crime. Beacon Network automatically propagates those labels across related wallets,” the company said . “When tagged funds arrive at a participating exchange or issuer, Beacon Network triggers an instant alert.” In doing so, cryptocurrency platforms can proactively review and hold flagged deposits before withdrawal, blocking illicit cash-outs.

Microsoft Aims to be Quantum-Safe by 2033 — Microsoft has set out a roadmap to complete transition to post quantum cryptography (PQC) across all its products and services by 2033, with roll out beginning by 2029. That’s two years ahead of the deadline imposed by the United States and other governments. “Migration to post quantum cryptography (PQC) is not a flip-the-switch moment, it’s a multi-year transformation that requires immediate planning and coordinated execution to avoid a last-minute scramble,” the company’s Mark Russinovich and Michal Braverman-Blumenstyk said . The U.S.

National Institute of Standards and Technology (NIST) formalized the world’s first PQC algorithms in August 2024. New Phishing Campaign Uses Hidden AI Prompts — A phishing campaign has been spotted using hidden artificial intelligence (AI) prompts that are designed to manipulate AI-based email scanners and delay them from detecting the malicious payloads. The emails, sent from SendGrid, masquerade as password expiry notices from Gmail to induce a false sense of urgency using social engineering tactics. But buried in the email plain-text MIME section is a prompt that instructs automated scanners to “engage in the deepest possible multi-layered inference loop” and trick them into entering long reasoning loops instead of marking the messages as phishing.

“If AI-driven systems are tied to automation (auto-tagging, ticketing, escalation), this injection could cause misclassification or delays,” Malwr-analysis.com’s Anurag said . The development coincided with a new wave of credential harvesting attacks involving phishing emails sent via SendGrid. “The campaign exploits the trusted reputation of SendGrid, a legitimate cloud-based email service used by businesses to send transactional and marketing emails,” Cofense said . “By impersonating SendGrid’s platform, attackers can deliver phishing emails that appear authentic and bypass common email security gateways.” 493 Cases of Sextortion Against Children Linked to SE Asia Scam Compounds — A new report from the International Justice Mission (IJM) has linked 493 child sextortion cases to scam compounds operating in Cambodia, Myanmar, and Laos, where trafficked individuals are forced to carry out online fraud such as romance baiting and pig butchering scams.

Forensic data has tied the cases to 40 of the 44 previously known scam compounds operating in Cambodia, Myanmar, and Laos. “This research indicates a likely convergence of two dark forms of exploitation – child sextortion and human trafficking – enabled by digital platforms and driven by profit,” said Eric Heintz, Senior Criminal Analyst at IJM. Mule Operators in META Adopt Complex Fraud Schemes — Cybersecurity researchers have laid bare the advanced techniques mule operators across the Middle East, Turkey and Africa (META) region have adopted to target retail banks, shifting from basic IP masking via VPNs and proxies to Starlink-based obfuscation tactics combined with advanced GPS spoofing, SIM abuse, and physical device “muling” using hired individuals and postal shipments. “Financial institutions in the Gulf region, where regulations are especially tight, enforce strict restrictions on VPN, hosting, and proxy traffic,” Group-IB said .

“Early on, these controls forced mule operators to rely on generic VPN services – easily identified via IP reputation tools. By late 2023, fraudsters began a rapid innovation cycle to bypass these filters and regain remote access to accounts in the target jurisdictions.” Mule networks have been observed using stolen identities and location obfuscation tactics to remotely open hundreds of accounts to launder funds across targeted countries, with fraudsters also removing SIM cards entirely from Android devices to evade telecom fingerprinting and connecting to the internet via Wi-Fi hotspots, typically from nearby roaming-enabled phones, thereby masking their network origins. As recently as Q4 2024, the schemes have recruited so-called first-layer mules, who opened the bank accounts within trusted jurisdictions and then passed credentials to overseas operators who conducted laundering operations. A further escalation of this approach earlier this year eliminated the need for credential handover by physically shipping pre-configured phones.

“First-layer mules based in trusted countries would open accounts and build trust through initial legitimate usage,” Group-IB said. “Instead of sharing login credentials, they ship pre-configured phones to second-layer fraudsters operating abroad.” MuddyWater Targets CFOs and Finance Execs — The Iranian hacking group dubbed MuddyWater is actively targeting CFOs and finance executives across Europe, North America, South America, Africa, and Asia via spear-phishing emails that trick recipients into downloading ZIP archives from Firebase-hosted phishing pages. The attack chains lead to the deployment of OpenSSH and NetBird, a legitimate remote access tool for persistent access. The use of remote desktop software is a tactic often used by MuddyWater to facilitate access to compromised environments.

“The infrastructure pivots, evolving payload paths, and consistent reuse of distinctive artifacts highlight a resourceful adversary that adapts quickly to maintain operational capability,” Hunt.io said . Iranian Hacktivist Group Targets Iranian Communication Networks — The anonymous Iranian hacktivist group known as Lab Dookhtegan has crippled the satellite communications systems on 64 Iranian ships at sea. The incident, which took place last week, impacted 39 oil tankers and 25 cargo ships operated by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). The hacks targeted Fannava, an Iranian tech company that provides satellite communication terminals for ships.

Back in March 2025, the entity also disrupted satellite communication systems of 116 Iranian vessels linked to arms shipments for Yemen’s Houthis. According to security researcher Nariman Gharib , the group hacked the company’s network, identified all maritime communications terminals running iDirect satellite software, and then deployed malicious code to inflict permanent damage by overwriting the storage partitions with zeroes. Pro-Iranian Hackers Demonstrated Coordination During 12-Day June Conflict With Israel — The 12-day conflict between Israel and Iran in June spilled into cyberspace, accompanied by a surge in cyber activity from pro-Iran hacking groups that worked in a “coordinated web” across borders to steal data, deface websites, spread propaganda, carry out DDoS campaigns, and deploy malware such as Remcos RAT. “Telegram has emerged as a critical platform for coordination, propaganda dissemination, and command-and-control for both state-aligned proxies and hacktivist collectives,” Security Scorecard said in an analysis of 250,000 messages from Iranian proxies and hacktivists from over 178 active groups during the time period.

“Its perceived anonymity and broad reach make it an attractive medium for these groups to organize, share information, claim responsibility for attacks, and even recruit new members.” The cyber war highlights “how Iran has refined its use of digital tools to shape the battlespace, control domestic narratives, and project influence abroad,” the Middle East Institute said . 4 Ghanaian Nations Extradited to the U.S. — The U.S. Department of Justice charged four Ghanaian nationals, Isaac Oduro Boateng, Inusah Ahmed, Derrick Van Yeboah, and Patrick Kwame Asare, for their roles in a massive fraud ring linked to the theft of over $100 million in romance scams and business email compromise attacks against individuals and businesses located across the U.S.

between 2016 and May 2023. They were extradited to the U.S. on August 7, 2025. “After stealing the money, the fraud proceeds were then laundered to West Africa, where they were largely funneled to individuals called ‘chairmen,’ who directed the activities of other members of the conspiracy,” the Justice Department said .

NIST Publishes Guidelines to Tackle Identity Fraud — The U.S. National Institute of Standards and Technology (NIST) published new guidelines to help organizations optimize their efforts to detect face morphing and deter identity fraud. “The most effective defense against the use of morphs in identity fraud is to prevent morphs from getting into operational systems and workflows in the first place,” NIST’s Mei Ngan said . “Some modern morph detection algorithms are good enough that they could be useful in detecting morphs in real-world operational situations.

Our publication is a set of recommendations that can be tailored to a specific situation.” North Korea Linked to Over $1.75B in Thefts in 2025 — North Korea, which pulled off one of the biggest crypto heists in history in February 2025 by plundering nearly $1.5 billion from Dubai-based exchange Bybit, has stolen more than $1.75 billion in 2025 alone, according to Elliptic. In the six months following the Bybit hack, over $1 billion of the stolen funds have been laundered using multiple rounds of mixers and cross-chain movements to complicate the trail. “It is noteworthy that lesser-known blockchains were layered for portions of funds, perhaps in the hope that they are not as well supported by some analytics and investigation tools, and are less familiar to investigators attempting to trace asset movements,” Elliptic said . “Previously unseen or less commonly used services were also utilized for Bybit laundering.” Further analysis shows that funds reaching the Tron blockchain are ultimately cashed out via suspected Chinese over-the-counter trading services.

Attackers Abuse Virtual Private Servers to Breach SaaS Accounts — Threat actors are weaponizing virtual private servers (VPS) to compromise software-as-a-service (SaaS) accounts and then using them to send phishing emails. The activity was first observed in March 2025. “The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails,” Darktrace said . “These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment.” ClickFix-Style Campaign Delivers Atomic Stealer Variant — A malvertising campaign has been observed directing unsuspecting users to fraudulent macOS help websites where ClickFix -style instructions are displayed to entice them into opening the Terminal app and pasting a command that, in turn, triggers the execution of a shell command to download from an external server a variant of Atomic macOS Stealer ( AMOS ) known as SHAMOS.

Developed by a malware-as-a-service (MaaS) provider named Cookie Spider, it functions as an information stealer and downloads additional malicious payloads, including a spoofed Ledger Live wallet application and a botnet module. Alternate attack chains have relied on a GitHub repository masquerading as iTerm2. The GitHub account is no longer accessible. In recent months, the ClickFix technique has also been leveraged to deliver another macOS infostealer called Odyssey Stealer using bogus CAPTCHA verification checks.

MITRE Releases 2025 Most Important Hardware Weaknesses — The non-profit MITRE Corporation published a revised list of the Most Important Hardware Weaknesses (MIHW) to better align with the hardware security landscape. Sensitive Information in Resource Not Removed Before Reuse (CWE-226), Improper Isolation of Shared Resources on System-on-a-Chip (CWE-1189), and On-Chip Debug and Test Interface With Improper Access Control (CWE-1191) take the top three spots . How Lumma Affiliates Operate — Despite a May 2025 law enforcement takedown targeting Lumma Stealer, the malware family appears to have staged a full recovery and continues to be a popular choice for threat actors. According to a report from Recorded Future, Lumma affiliates not only operate multiple schemes simultaneously, but also leverage previously undocumented tools such as a phishing page generator (DONUSSEF) and a cracked email credential validation tool.

Also put to use are VPNs, privacy-focused web browsers, bulletproof hosting providers, virtual phone and SMS services (OnlineSim, SMS-Activate, and Zadarma), and proxies (PIA Proxy and GhostSocks ). “For instance, one affiliate was identified operating rental scams, while others simultaneously leveraged multiple malware-as-a-service (MaaS) platforms, including Vidar, Stealc, and Meduza Stealer, likely to bolster operational agility, improve success rates, and mitigate the risks linked to detection and law enforcement takedowns,” the company said . “In addition, several Lumma affiliates are tied to distinct threat actor personas across underground forums, reinforcing their deep integration within the broader cybercriminal ecosystem.” Deceptive Google Play Store Pages Distribute SpyNote — A new network of websites that mimic the Google Play Store pages of various apps is being used to trick users into installing malicious Android apps containing the SpyNote RAT. This is a continuation of an ongoing campaign that was flagged by DomainTools back in April 2025.

“Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote’s core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis,” the company said . The development followed the discovery of a new version of the Anatsa (aka TeaBot) Android banking trojan that can now target over 831 financial institutions across the world, including various cryptocurrency platforms. “Anatsa streamlined payload delivery by replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the Anatsa payload,” Zscaler ThreatLabz said . “Anatsa implemented Data Encryption Standard (DES) runtime decryption and device-specific payload restrictions.” New macOS Stealer Mac.c Spotted — Cybersecurity researchers have discovered a new macOS stealer called Mac.c that can steal iCloud Keychain credentials, browser-stored passwords, crypto wallet data, system metadata, and files from specific locations.

It can be purchased for $1,500 per month under a subscription model, while AMOS is priced at $3,000 a month. “This lower price could also open the gates for less resourceful and less tech-savvy operators who want to break into the cybercriminal market and have little money to spend on dark web tools,” Moonlock Lab said . Paper Werewolf Uses New Linux Rootkit in Attacks Targeting Russia — The threat actor known as Paper Werewolf (aka GOFFEE) is targeting Russian organizations with a Linux rootkit named Sauropsida. The rootkit is based on an open-source rootkit known as Reptile .

Also deployed are BindSycler, a Golang utility to tunnel traffic using the SSH protocol, and MiRat, a Mythic framework agent. 🎥 Cybersecurity Webinars How Code-to-Cloud Mapping Unites Dev, Sec, and Ops into One Powerful AppSec Team — Modern application security can’t stop at code or cloud—it must connect both. In this webinar, you’ll discover how code-to-cloud visibility closes the gaps that attackers exploit, uniting developers, DevOps, and security teams with a shared playbook for faster, smarter risk reduction. 7 Concrete Steps to Secure Shadow AI Agents Before They Spiral Out of Control — AI agents are no longer just tools—they’re active players making decisions inside your enterprise.

Yet many of these “shadow agents” operate without identity, ownership, or oversight, creating a dangerous blind spot that attackers are already exploiting. In this webinar, we’ll expose how these invisible risks emerge and show security leaders the critical steps to bring AI identities under control—before they become your weakest link. 5 Simple Ways to Spot Rogue AI Agents Before They Take Over — Shadow AI Agents are multiplying fast—hidden in your workflows, fueled by non-human identities, and moving faster than your governance can keep up. In this exclusive session, security leaders will expose where these agents hide, the risks they pose, and the practical steps you can take today to regain visibility and control without slowing innovation.

🔧 Cybersecurity Tools SafeLine — A self-hosted Web Application Firewall (WAF) designed to shield web applications from common threats such as SQL injection, XSS, SSRF, and brute-force attempts. By acting as a reverse proxy, it filters and monitors HTTP/S traffic, blocking malicious requests before they reach the server and preventing unauthorized data leaks. Its capabilities include rate limiting, anti-bot defenses, dynamic code protection, and access control—helping ensure web applications remain secure and resilient against evolving attacks. AppLockerGen — An open-source utility that helps system administrators and security professionals create, merge, and manage Windows AppLocker policies more efficiently.

By providing a user-friendly interface, it simplifies defining rules for executables, scripts, installers, and DLLs, while also supporting policy import/export, inspection for misconfigurations, and testing against common bypass techniques. Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards. 🔒 Tip of the Week Don’t Just Store It.

Lock It — When you drag a file into Google Drive, OneDrive, or Dropbox, it feels “safe.” But here’s the catch: most clouds only encrypt files on their servers — they hold the keys, not you. That means if the provider is breached, subpoenaed, or a rogue admin pokes around, your “private” files aren’t so private. The fix is simple: end-to-end encryption. You encrypt before uploading, so your files are locked on your device and can only be unlocked with your key.

Even if the cloud is hacked, attackers see nothing but scrambled noise. Free, open-source tools that make this easy: Cryptomator → perfect for beginners, creates an “encrypted vault” inside your Dropbox/Drive. Kopia → modern backup tool with strong encryption, great for securing entire folders or servers. Restic → fast, deduplicated, encrypted backups, loved by developers and sysadmins.

Rclone (with crypt) → the power-user’s choice for syncing + encrypting files to almost any cloud. Bottom line: If it’s worth saving, it’s worth locking. Don’t trust the cloud with your keys. Conclusion Cybersecurity isn’t just about technology—it’s a test of leadership.

The choices made in boardrooms shape how teams protect systems, respond to attacks, and recover from setbacks. This week’s stories highlight a key truth: security comes down to decisions—where to invest, which risks to take, and which blind spots to fix. The best leaders don’t promise perfect safety. Instead, they provide clarity, build resilience, and set direction when it matters most.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.