2026-01-30 AI创业新闻

Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries

A new joint investigation by SentinelOne SentinelLABS, and Censys has revealed that the open-source artificial intelligence (AI) deployment has created a vast “unmanaged, publicly accessible layer of AI compute infrastructure” that spans 175,000 unique Ollama hosts across 130 countries. These systems, which span both cloud and residential networks across the world, operate outside the guardrails and monitoring systems that platform providers implement by default, the company said. The vast majority of the exposures are located in China, accounting for a little over 30%. The countries with the most infrastructure footprint include the U.S., Germany, France, South Korea, India, Russia, Singapore, Brazil, and the U.K.

“Nearly half of observed hosts are configured with tool-calling capabilities that enable them to execute code, access APIs, and interact with external systems, demonstrating the increasing implementation of LLMs into larger system processes,” researchers Gabriel Bernadett-Shapiro and Silas Cutler added . Ollama is an open-source framework that allows users to easily download, run, and manage large language models (LLMs) locally on Windows, macOS, and Linux. While the service binds to the localhost address at 127.0.0[.]1:11434 by default, it’s possible to expose it to the public internet by means of a trivial change: configuring it to bind to 0.0.0[.]0 or a public interface. The fact that Ollama, like the recently popular Moltbot (formerly Clawdbot), is hosted locally and operates outside of the enterprise security perimeter, poses new security concerns.

This, in turn, necessitates new approaches to distinguish between managed and unmanaged AI compute, the researchers said. Of the observed hosts, more than 48% advertise tool-calling capabilities via their API endpoints that, when queried, return metadata highlighting the functionalities they support. Tool calling (or function calling) is a capability that allows LLMs to interact with external systems, APIs, and databases, enabling them to augment their capabilities or retrieve real-time data. “Tool-calling capabilities fundamentally alter the threat model.

A text-generation endpoint can produce harmful content, but a tool-enabled endpoint can execute privileged operations,” the researchers noted. “When combined with insufficient authentication and network exposure, this creates what we assess to be the highest-severity risk in the ecosystem.” The analysis has also identified hosts supporting various modalities that go beyond text, including reasoning and vision capabilities, with 201 hosts running uncensored prompt templates that remove safety guardrails. The exposed nature of these systems means they could be susceptible to LLMjacking , where a victim’s LLM infrastructure resources are abused by bad actors to their advantage, while the victim foots the bill. These could range from generating spam emails and disinformation campaigns to cryptocurrency mining and even reselling access to other criminal groups.

The risk is not theoretical. According to a report published by Pillar Security this week, threat actors are actively targeting exposed LLM service endpoints to monetize access to the AI infrastructure as part of an LLMjacking campaign dubbed Operation Bizarre Bazaar. The findings point to a criminal service that contains three components: systematically scanning the internet for exposed Ollama instances, vLLM servers, and OpenAI-compatible APIs running without authentication, validating the endpoints by assessing response quality, and commercializing the access at discounted rates by advertising it on silver[.]inc, which operates as a Unified LLM API Gateway. “This end-to-end operation – from reconnaissance to commercial resale – represents the first documented LLMjacking marketplace with complete attribution,” researchers Eilon Cohen and Ariel Fogel said.

The operation has been traced to a threat actor named Hecker (aka Sakuya and LiveGamer101). The decentralized nature of the exposed Ollama ecosystem, one that’s spread across cloud and residential environments, creates governance gaps, not to mention creates new avenues for prompt injections and proxying malicious traffic through victim infrastructure. “The residential nature of much of the infrastructure complicates traditional governance and requires new approaches that distinguish between managed cloud deployments and distributed edge infrastructure,” the companies said. “For defenders, the key takeaway is that LLMs are increasingly deployed to the edge to translate instructions into actions.

As such, they must be treated with the same authentication, monitoring, and network controls as other externally accessible infrastructure.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories

This week’s updates show how small changes can create real problems. Not loud incidents, but quiet shifts that are easy to miss until they add up. The kind that affects systems people rely on every day. Many of the stories point to the same trend: familiar tools being used in unexpected ways.

Security controls are being worked on. Trusted platforms turning into weak spots. What looks routine on the surface often isn’t. There’s no single theme driving everything — just steady pressure across many fronts.

Access, data, money, and trust are all being tested at once, often without clear warning signs. This edition pulls together those signals in short form, so you can see what’s changing before it becomes harder to ignore. Major cybercrime forum takedown FBI Seizes RAMP Forum The U.S. Federal Bureau of Investigation (FBI) has seized the notorious RAMP cybercrime forum.

Visitors to the forum’s Tor site and its clearnet domain, ramp4u[.]io, are now greeted by a seizure banner that states the “action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.” On the XSS forum, RAMP’s current administrator Stallman confirmed the takedown, stating , “This event has destroyed years of my work to create the most free forum in the world, and although I hoped that this day would never come, in my heart I always knew it was possible.” RAMP was launched in July 2021 after both Exploit and XSS banned the promotion of ransomware operations. It was established by a user named Orange , who has since been outed as Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar). “Groups such as Nova and DragonForce are reportedly shifting activity toward Rehub, illustrating the underground’s ability to reconstitute quickly in alternative spaces,” Tammy Harper, senior threat intelligence researcher at Flare.io, said. “These transitions are often chaotic, opening new risks for threat actors: loss of reputation, escrow instability, operational exposure, and infiltration during the scramble to rebuild trust.” WhatsApp privacy claims challenged Lawsuit Claims Meta Can See WhatsApp Chats in Breach of Privacy A new lawsuit filed against Meta in the U.S.

has alleged the social media giant has made false claims about the privacy and security of WhatsApp. The lawsuit claims Meta and WhatsApp “store, analyze, and can access virtually all of WhatsApp users’ purportedly ‘private’ communications” and accuse the company of defrauding WhatsApp’s users. In a statement shared with Bloomberg, Meta called the lawsuit frivolous and said that the company “will pursue sanctions against plaintiffs’ counsel.” Will Cathcart, head of WhatsApp at Meta, said , “WhatsApp can’t read messages because the encryption keys are stored on your phone, and we don’t have access to them. This is a no-merit, headline-seeking lawsuit brought by the very same firm defending NSO after their spyware attacked journalists and government officials.” Complainants claim that WhatsApp has an internal team with unlimited access to encrypted communications, which can grant access to data requests.

These requests are sent to the Meta engineering team, which then grants access to a user’s messages, often without scrutiny, as the lawsuit laid out. These allegations go beyond scenarios where up to five recent messages are sent to WhatsApp for review when a user reports another user in an individual or group chat. The crux of the debate is whether WhatsApp’s security is a technical lock that can’t be picked, or a policy lock that employees can open. WhatsApp has stressed that the messages are private and that “any claims to the contrary are false.” Post-quantum shift accelerates CISA Publishes Guidance for PQC Adoption The U.S.

Cybersecurity and Infrastructure Security Agency (CISA) has published an initial list of hardware and software product categories that support or are expected to support post-quantum cryptography (PQC) standards. The guidance covers cloud services, collaboration and web software, endpoint security, and networking hardware and software. The list aims to guide organizations in shaping their PQC migration strategies and evaluating future technological investments. “The advent of quantum computing poses a real and urgent threat to the confidentiality, integrity, and accessibility of sensitive data — especially systems that rely on public-key cryptography,” said Madhu Gottumukkala, Acting Director of CISA.

“To stay ahead of these emerging risks, organizations must prioritize the procurement of PQC-capable technologies. This product categories list will support organizations making that critical transition.” Government agencies and private sector firms are preparing for the threat posed by the advent of a cryptographically relevant quantum computer (CRQC), which the security community believes will be able to break open some forms of classical encryption. There are also concerns that threat actors could be harvesting encrypted data now in the hopes of accessing it once a quantum codebreaking machine is developed, a surveillance strategy known as harvest now, decrypt later ( HNDL ). Physical access systems exposed 20 Security Flaws in Dormakaba Access Control Systems More than 20 security vulnerabilities (from CVE-2025-59090 through CVE-2025-59109) discovered in Dormakaba physical access control systems could have allowed hackers to remotely open doors at major organizations.

The flaws included hard-coded credentials and encryption keys, weak passwords, a lack of authentication, insecure password generation, local privilege escalation, data exposure, path traversal, and command injection. “These flaws let an attacker open arbitrary doors in numerous ways, reconfigure connected controllers and peripherals without prior authentication, and much more,” SEC Consult said . There is no evidence that the vulnerabilities were exploited in the wild. Fake hiring lures steal logins Recruitment-Themed Emails Lead to Credential Theft A new phishing campaign is leveraging fake recruitment-themed emails that impersonate well-known employers and staffing companies, claiming to offer easy jobs, fast interviews, and flexible work.

“The messages appear in multiple languages, including English, Spanish, Italian, and French, often tailored to the recipient’s location,” Bitdefender said . “Top targets include people in the U.S., the U.K., France, Italy, and Spain.” Clicking on a confirmation link in the message takes recipients to a fake page that harvests credentials, collects sensitive data, or redirects to malicious content. Trusted cloud domains abused New Campaign Exploits Vercel App Domains To Drop GoTo Resolve A novel campaign has exploited the trust associated with *.vercel.app domains to bypass email filters and deceive users with financially themed lures, such as overdue invoices and shipping documents, as part of a phishing campaign observed from November 2025 to January 2026. The activity, which also employs a Telegram-gated delivery mechanism designed to filter out security researchers and automated sandboxes, is designed to deliver a legitimate remote access tool called GoTo Resolve, per Cloudflare .

Details of the campaign were first documented by CyberArmor in June 2025. Cellular location precision reduced Apple Tests Limiting Precise Location From Cellular Networks in iOS With iOS 26.3, Apple is adding a new “limit precise location” setting that reduces the location data available to cellular networks to increase user privacy. “The limit precise location setting enhances your location privacy by reducing the precision of location data available to cellular networks,” Apple said . “With this setting turned on, some information made available to cellular networks is limited.

As a result, they might be able to determine only a less precise location — for example, the neighborhood where your device is located, rather than a more precise location (such as a street address).” According to a new support document, iPhone models from supported network providers will offer the feature. The feature is expected to be available in Germany (Telekom), the U.K. (EE, BT), the U.S. (Boost Mobile), and Thailand (AIS, True).

It also requires iPhone Air, iPhone 16e, or iPad Pro (M5) Wi-Fi + Cellular. Legacy iOS support extended Apple Releases Updates for iOS 12 and iOS 15 In more Apple-related news, the iPhone maker has released security updates for iOS 12 and iOS 15 to extend the digital certificate required by features such as iMessage, FaceTime, and device activation to continue working after January 2027. The update is available in iOS 12.5.8 and iOS 15.8.6 . SEO poisoning-for-hire exposed Black Hat SEO Gets a Boost from Haxor A backlink marketplace has been discovered as a way to help customers get their malicious web pages ranked higher in search results.

The group refers to themselves as Haxor, a slang word for hackers, and their marketplace as HxSEO, or HaxorSEO. The threat actors have established their operations and marketplace on Telegram and WhatsApp. The marketplace allows fraudsters to purchase a backlink to a website of their choice, from a selection of legitimate domains already compromised by the group. These compromised domains are typically 15-20 years old and have a “trust” score associated with them to show how effective the purchased backlink would be for increasing search engine rankings.

Each legitimate website is compromised with a web shell that enables Haxor to upload a malicious backlink to the site. By buying and then inserting these links into their sites, threat actors can boost search rankings, drawing unsuspecting visitors to phishing pages designed to harvest their credentials or install malware. WordPress sites with plugin flaws and vulnerable php components are the target of these efforts. The operation offers backlinks for just $6 per listing.

The idea is that when users search for keywords like “financial logins” for specific banks, the HxSEO team’s manipulation ensures the compromised sites appear ahead of the legitimate page in the search results. “HxSEO stands out for its emphasis on unethical search engine optimization (SEO) techniques, selling a service that supports phishing campaigns by improving the perceived legitimacy of malicious pages,” Fortra said . HxSEO leverages a range of malicious tools along with unethical Search Engine Optimization (SEO) tactics to ensure malicious sites appear at the top of your search results, making compromised sites harder to spot and to lure more potential victims. They also specialize in illicit backlink sales for SEO poisoning.” The threat actors have been active since 2020.

Phishing hijacks ad accounts Meta Business Accounts Targeted in New Campaign Meta business accounts belonging to advertising agencies and social media managers have been targeted by a new campaign that’s designed to seize control of their accounts for follow-on malicious activities. The phishing attack begins with a message crafted to create urgency and concern, mimicking Meta’s branding to warn recipients of policy violations, intellectual property issues, or unusual activity, and instructing them to click on a fake link that’s engineered to harvest their credentials. “Once an account is compromised, the attacker: changes billing information, adding stolen or virtual cards, launches scam ads promoting fake crypto or investment platforms, [and] removes legitimate administrators, taking full control,” CyberArmor said . Kernel bug flagged as exploited CISA Adds Linux Kernel Flaw to KEV Catalog The U.S.

Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting the Linux kernel to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026. “Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function, which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system,” CISA said. The vulnerability , tracked as CVE-2018-14634 , has a CVSS score of 7.8. There are currently no reports of the flaws’ in-the-wild exploitation.

France pushes video sovereignty France Says Au Revoir to Meet, Teams, Zoom for Sovereign Video Platform The French government has announced plans to replace U.S. videoconferencing apps like Zoom, Microsoft Teams, Google Meet, Webex in favor of a homegrown alternative named Visio as part of efforts to improve security and strengthen its digital resilience. David Amiel, minister delegate for Civil Service and State Reform, said the country cannot risk having its scientific exchanges, sensitive data, and strategic innovations exposed to non-European actors. “Many government agencies currently use a wide variety of tools (Teams, Zoom, GoTo Meeting, or Webex), a situation that compromises data security, creates strategic dependencies on external infrastructure, leads to increased costs, and complicates cooperation between ministries,” the government said .

“The gradual implementation over the coming months of a unified solution, controlled by the state and based on French technologies, marks an important step in strengthening our digital resilience.” Student data tracking blocked Microsoft Ordered to Stop Tracking School Children Microsoft has been ordered to cease the use of tracking cookies in Microsoft 365 Education after the Austrian data protection authority (DSB) found that the company illegally installed cookies on the devices of a minor without consent. These cookies can be used to analyze user behavior, collect browser data, and serve targeted ads. It’s worth noting that German data protection authorities have already considered Microsoft 365 to fall short of GDPR requirements, Austrian non-profit none of your business (NOYB) said. Microsoft has four weeks to cease tracking the complainant.

Cross-border swatting ring busted Teens Suspected in Swatting Attacks Arrested in Hungary and Romania Hungarian and Romanian police have arrested four young suspects in connection with bomb threats, false emergency calls, and the misuse of personal data. The suspects include a 17-year-old Romanian national and three Hungarians aged 16, 18, and 20. As part of the operation, officials confiscated all their data storage devices, mobile phones, and computer equipment. The development comes in the aftermath of a probe that began in mid-July 2025 following a series of phone calls to law enforcement.

The suspects approached victims on Discord, obtained their phone numbers and personal details, and then used that information to place false emergency calls in their names. “The reports included threats to blow up educational and religious institutions and residential buildings, to kill various people, and to attack police units,” authorities said . “The reports required the intervention of a significant police force.” Latin America hit hardest LATAM Experiences Surge in Cyber Attacks in December 2025 According to data from Check Point, organizations experienced an average of 2,027 cyber attacks per organization per week in December 2025. “This represents a 1% month-over-month increase and a 9% year-over-year increase,” the company said .

“While overall growth remained moderate, Latin America recorded the sharpest regional increase, with organizations experiencing an average of 3,065 attacks per week, a 26% increase year over year.” APAC followed with 3,017 weekly attacks per organization (+2% year-over-year), while Africa averaged 2,752 attacks, representing a 10% decrease year-over-year. The education sector remained the most targeted industry in December, averaging 4,349 attacks per organization per week. The other prominent targeted sectors include governments, associations, telecommunications, and energy. Within Latin America, healthcare and medical organizations were the top targets.

Crypto laundering ring punished Chinese National Sentenced to Prison for Crypto Scam The U.S. Department of Justice (DoJ) announced that Chinese national Jingliang Su was sentenced today to 46 months in prison for his role in laundering more than $36.9 million from victims in a digital asset investment scam that was carried out from scam centers in Cambodia. Su has also been ordered to pay $26,867,242.44 in restitution. Su was part of an international criminal network that tricked U.S.

victims into transferring funds to accounts controlled by co-conspirators, who then laundered victim money through U.S. shell companies, international bank accounts, and digital asset wallets. Su pleaded guilty to the charges, along with four others, in June 2025. “This defendant and his co-conspirators scammed 174 Americans out of their hard-earned money,” said Assistant Attorney General A.

Tysen Duva of the Justice Department’s Criminal Division. “In the digital age, criminals have found new ways to weaponize the internet for fraud.” In all, eight co-conspirators have pleaded guilty so far, including Jose Somarriba and ShengSheng He. Major dark web operator convicted Empire Cybercrime Market Owner Pleads Guilty Raheim Hamilton (aka Sydney and Sydney), 30, of Suffolk, Virginia, has pleaded guilty in the U.S. to a federal drug conspiracy charge in connection with operating a dark web marketplace called Empire Market between 2018 and 2020, alongside Thomas Pavey (aka Dopenugget).

“During that time, the online market facilitated more than four million transactions between vendors and buyers valued at more than $430 million, making it one of the largest dark web marketplaces of its kind at the time,” the DoJ said . “The illegal products and services available on the site included controlled substances, compromised or stolen account credentials, stolen personally identifying information, counterfeit currency, and computer-hacking tools. Sales of controlled substances were the most prevalent activity, with net drug sales totaling nearly $375 million over the life of the site.” Hamilton agreed to forfeit certain ill-gotten proceeds, including about 1,230 bitcoin and 24.4 Ether, as well as three properties in Virginia. Pavey, 40, pleaded guilty last year to a federal drug conspiracy charge and admitted his role in creating and operating Empire Market.

He is currently awaiting sentencing. Darknet operator admits role Slovakian Man Pleads Guilty to Operating Darknet Market Alan Bill , 33, of Bratislava, has pleaded guilty to his involvement in a darknet market called Kingdom Market that sold drugs and stolen personal information between March 2021 and December 2023. Bill has also admitted to receiving cryptocurrency from a wallet associated with Kingdom, in addition to assisting with the creation of Kingdom’s forum pages on Reddit and Dread and having access to Kingdom usernames that made postings on behalf of Kingdom on social media accounts. As part of his plea agreement, Bill has agreed to forfeit five different types of coins in a cryptocurrency wallet, as well as the Kingdommarket[.]live and Kingdommarket[.]so domains, which have been shut down by authorities.

Bill is scheduled to be sentenced on May 5, 2026. “Bill was arrested December 15, 2023, at Newark Liberty International Airport after a customs inspection found two cellular telephones, a laptop, a thumb drive, and a hardware wallet used to store cryptocurrency private keys,” the DoJ said . “The electronics contained evidence of his involvement with Kingdom.” Android theft defenses expanded Google Announces New Anti-Theft Features for Android Google has announced an expanded set of Android theft-protection features that build upon existing protections like Theft Detection Lock and Offline Device Lock introduced in 2024 . The features are available for Android devices running Android 16+.

Chief among them are granular controls to enable or disable Failed Authentication Lock, which automatically locks the device’s screen after excessive failed authentication attempts. Other notable updates include extending Identity Check to cover all features and apps that use the Android Biometric Prompt, stronger protections against attempts to guess PIN, pattern, or password by increasing the lockout time after failed attempts, and adding an optional security question to initiate a Remote Lock so as to ensure that it’s being done by the real device owner. “These protections are designed to make Android devices harder targets for criminals before, during, and after a theft attempt,” Google said. AI-linked malware tooling spotted New Malware Delivering PureRAT Shows Signs of AI A PureRAT campaign has targeted job seekers using malicious ZIP archives either attached in emails or shared as links pointing to Dropbox that, when opened, leverage DLL side-loading to launch a batch script that’s responsible for executing the malware.

In a new analysis, Broadcom’s Symantec and Carbon Black Threat Hunter Team said there are signs these tools, including the batch script, have been authored using artificial intelligence (AI). “Multiple tools used by the attacker bear hallmarks of having been developed using AI, such as detailed comments and numbered steps in scripts, and instructions to the attacker in debug messages,” it said . “Virtually every step in the batch file has a detailed comment in Vietnamese.” It’s suspected that the threat actor behind the actor is based in Vietnam and is likely selling access to compromised organizations to other actors. UK–China cyber talks launched U.K.

and China Establish Cyber Dialogue The U.K. and China have established a forum called Cyber Dialogue to discuss cyber attacks for security officials from the two nations to manage threats to each other’s national security. The deal, according to Bloomberg , is a way to “improve communication, allow private discussion of deterrence measures and help prevent escalation.” The U.K. has previously called out Chinese threat actors for targeting its national infrastructure and government systems.

As recently as this week, The Telegraph reported that Chinese nation-state threat actors have hacked the mobile phones of senior U.K. government members since 2021. Poor OPSEC unmasks broker Who is r1z? Earlier this month, Jordanian national Feras Khalil Ahmad Albashiti pleaded guilty to charges of selling access to the networks of at least 50 companies through a cybercriminal forum.

Albashiti, who also went by the online aliases r1z, secr1z, and j0rd4n14n, is said to have made 1,600 posts across multiple forums, including XSS, Nulled, Altenen, RaidForums, BlackHatWorld, and Exploit. On LinkedIn, Albashiti described himself as an information technology architect and consultant, claiming experience in cyber threats, cloud, network, web, and penetration testing. The kicker? His LinkedIn profile URL was “linkedin[.]com/in/r1z.” “The actor’s website, sec-r1z.com, was created in 2009, and based on WHOIS information, also reveals personal details of Firas, including the same Gmail address, alongside additional details like address and phone number,” KELA said .

“The r1z case shows how initial access brokers monetize firewall exploits and enterprise access at scale, while the actor’s OPSEC failures leave long-term attribution trails that expose the ransomware supply chain.” Encryption flaw traps victims Flaw in Vibe-Coded Sicarii Ransomware Cybersecurity company Halcyon said it identified a critical flaw in the encryption process of Sicarii , a newly discovered ransomware strain, that makes data recovery impossible even if an impacted organization pays a ransom. “During execution, the malware regenerates a new RSA key pair locally, uses the newly generated key material for encryption, and then discards the private key,” the company said . “This per-execution key generation means encryption is not tied to a recoverable master key, leaving victims without a viable decryption path and making attacker-provided decryptors ineffective for affected systems.” It’s assessed with moderate confidence that the threat actors used AI-assisted tooling that may have led to the implementation error. Human-in-the-loop MFA bypass Live Phishing Panels Used in New Attacks Google-owned Mandiant said it’s tracking a fresh wave of voice-phishing attacks targeting single sign-on tools that are resulting in data theft and extortion attempts.

Multiple threat actors are said to be combining voice calls and custom phishing kits, including a group identifying itself as ShinyHunters, to obtain unauthorized access and enroll threat actor-controlled devices into victim multi-factor authentication (MFA) for persistent access. Upon gaining access, the threat actors have been found to pivot to SaaS environments to exfiltrate sensitive data. It’s unclear how many organizations have been impacted by the campaign. In a similar alert, Silent Push said SSO providers are being targeted by a massive identity-theft campaign across more than 100 high-value enterprises.

The activity leverages a new Live Phishing Panel that allows a human attacker to sit in the middle of a login session, intercept credentials, and gain persistent access. The hackers have set up fake domains targeting these companies, but it’s not known whether they have actually been targeted or whether their attempts to gain access to systems were successful. Some of the companies impacted include Crunchbase, SoundCloud, and Betterment , per Hudson Rock’s co-founder and CTO Alon Gal. “This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing (‘vishing’) operation designed to bypass even hardened Multi-Factor Authentication (MFA) setups,” it noted .

React flaw fuels crypto-mining attacks React2Shell Exploited to Target Russian Firms Threat actors have exploited the recently disclosed security flaw in React Server Components (CVE-2025-55182 aka React2Shell ) to infect Russian companies with XMRig-based cryptominers, per BI.ZONE. Other payloads deployed as part of the attacks include botnets such as Kaiji and Rustobot , as well as the Sliver implant. Russian companies in the housing, finance, urban infrastructure and municipal services, aerospace, consumer digital services, chemical industry, construction, and production sectors have also been targeted by a suspected pro-Ukrainian threat group called PhantomCore that employs phishing containing ZIP attachments to deliver a PowerShell malware that’s similar to PhantomRemote . Malware flood hits open source Sonatype Flagged 454K Malware Packages in 2025 Supply chain security company Sonatype said it logged 454,600 open-source malware packages in 2025, taking the total number of known and blocked malware to over 1.233 million packages across npm, PyPI, Maven Central, NuGet, and Hugging Face.

The threat is compounded by AI agents confidently recommending nonexistent versions or malware-infected packages, exposing developers to new risks like slop squatting. “The evolution of open source malware crystallized, evolving from spam and stunts into sustained, industrialized campaigns against the people and tooling that build software,” it said . “The next frontier of software supply chain attacks is not limited to package managers. AI model hubs and autonomous agents are converging with open source into a single, fluid software supply chain — a mesh of interdependent ecosystems without uniform security standards.” Ransomware ecosystem doubles Ransomware Attacks Climbed in 2025 A new analysis from Emsisoft revealed that ransomware groups had a massive year in 2025, claiming between 8,100 and 8,800 victims, significantly up from about 5,300 in 2023.

“As the number of victims has grown, so has the number of ransomware groups,” the company said . The number of active groups has surged from about 70 in 2023 to nearly 140 in 2025. Qilin, Akira, Cl0p, and Play emerged as some of the most active players in the landscape. “Law enforcement efforts are working—they are fragmenting major groups, forcing shutdowns, and creating instability at the top.

Yet this disruption has not translated into fewer victims,” Emsisoft said. “Instead, ransomware has become more decentralized, more competitive, and more resilient. As long as affiliates remain plentiful and social engineering remains effective, victim counts are likely to continue rising.” ATM malware ring charged U.S. Ramps Up Actions Against ATM Jackpotting Attacks The DoJ has announced charges against an additional 31 individuals accused of being involved in a massive ATM jackpotting scheme that resulted in the theft of millions of dollars.

The attacks involve the use of malware called Ploutus to hack into ATMs and force them to dispense cash. Between February 2024 and December 2025, the gang stole at least $5.4 million from at least 63 ATMs, most of which belonged to credit unions, the DoJ alleged. Many of the defendants charged in this Homeland Security Task Force operation are Venezuelan and Colombian nationals, including illegal alien Tren de Aragua (TdA) members, the DoJ said, adding 56 others have already been charged. “A large ring of criminal aliens allegedly engaged in a nationwide conspiracy to enrich themselves and the TdA terrorist organization by ripping off American citizens,” said Deputy Attorney General Todd Blanche.

“The Justice Department’s Joint Task Force Vulcan will not stop until it completely dismantles and destroys TdA and other foreign terrorists that import chaos to America.” Blockchain-based C2 evasion DeadLock Ransomware Uses Smart Contracts to Evade Detection A ransomware strain called DeadLock , which was first detected in the wild in July 2025, has been observed using Polygon smart contracts for proxy server address rotation or distribution. While the exact initial access vectors used by the ransomware are not known, it drops an HTML file which acts as a wrapper for Session, an end-to-end encrypted and decentralized instant messenger. The HTML is used to facilitate direct communication between the DeadLock operator and the victim by sending and receiving messages from a server that acts as a middleware or proxy. “The most interesting part of this is how server addresses are retrieved and managed by DeadLock,” Group-IB noted , stating it “uncovered JS code within the HTML file that interacts with a smart contract over the Polygon network.” This list contains the available endpoints for interacting with the Polygon network or blockchain and obtaining the current proxy URL via the smart contract.

DeadLock also stands apart from traditional ransomware operations in that it lacks a data leak site to publicize the attacks. However, it uses AnyDesk as a remote management tool and leverages a previously unknown loader to exploit the Baidu Antivirus driver (“BdApiUtil.sys”) vulnerability (CVE-2024-51324) to conduct a bring your own vulnerable driver (BYOVD) attack and disable endpoint security solutions. According to Cisco Talos , it’s believed that the threat actor leverages the compromised valid accounts to gain access to the victim’s machine. Crypto laundering networks scale up Chinese Money Launderers Drive Illicit Crypto Economy In a report published this week, Chainalysis said Chinese-language money laundering networks (CMLNs) are dominating known crypto money laundering activity, processing an estimated 20% of illicit cryptocurrency funds over the past five years.

“CMLNs processed $16.1 billion in 2025 – approximately $44 million per day across 1,799+ active wallets,” the blockchain intelligence firm said . “The illicit on-chain money laundering ecosystem has grown dramatically in recent years, increasing from $10 billion in 2020 to over $82 billion in 2025.” These networks launder funds using a variety of mechanisms, including gambling platforms, money movement, and peer-to-peer (P2P) services that process fund transfers without know your customer (KYC) checks. CLMNs have also processed an estimated 10% of funds stolen in pig butchering scams, an increase coinciding with the decline in the use of centralized exchanges. This is complemented by the emergence of guarantee marketplaces like HuiOne and Xinbi that function primarily as marketing venues and escrow infrastructure for CMLNs.

“CMLNs’ advertising on these guarantee services offer a range of money laundering techniques with the primary goal of integrating illicit funds into the legitimate financial system,” Chainalysis said. SMS fraud hits Canadians Fraud Campaigns Target Canada Threat actors are impersonating government services and trusted national brands in Canada, often using lures related to traffic fines, tax refunds, airline bookings, and parcel delivery alerts in SMS messages and malicious ads to enable account takeovers and direct financial fraud by directing them to phishing landing pages. “A significant portion of the activity is aligned with the ‘PayTool’ phishing ecosystem, a known fraud framework that specializes in traffic violation and fine payment scams targeting Canadians through SMS-based social engineering,” CloudSEK said . Seen together, these stories show problems building slowly, not all at once.

The same gaps are being used again and again until they work. Most of this didn’t start this week. It’s growing, spreading, and getting easier for attackers to repeat. The full list helps show where things are heading before they become normal.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Survey of 100+ Energy Systems Reveals Critical OT Cybersecurity Gaps

A study by OMICRON has revealed widespread cybersecurity gaps in the operational technology (OT) networks of substations, power plants, and control centers worldwide. Drawing on data from more than 100 installations, the analysis highlights recurring technical, organizational, and functional issues that leave critical energy infrastructure vulnerable to cyber threats. The findings are based on several years of deploying OMICRON’s intrusion detection system (IDS) StationGuard in protection, automation, and control (PAC) systems. The technology, which monitors network traffic passively, has provided deep visibility into real-world OT environments.

The results underscore the growing attack surface in energy systems and the challenges operators face in securing aging infrastructure and complex network architectures. Connection of an IDS in PAC systems (circles indicate mirror ports) StationGuard deployments, often carried out during security assessments, revealed vulnerabilities such as unpatched devices, insecure external connections, weak network segmentation, and incomplete asset inventories. In many cases, these security weaknesses were identified within the first 30 minutes of connecting to the network. Beyond security risks, the assessments also uncovered operational issues like VLAN misconfigurations, time synchronization errors, and network redundancy problems.

In addition to technical shortcomings, the findings point to organizational factors that contribute to these risks — including unclear responsibilities for OT security, limited resources, and departmental silos. These findings reflect a growing trend across the energy sector: IT and OT environments are converging rapidly, yet security measures often fail to keep pace. How are utilities adapting to these complex risks, and what gaps remain that could leave critical systems exposed? Why OT Networks Need Intrusion Detection The ability to detect security incidents is an integral part of most security frameworks and guidelines, including the NIST Cybersecurity Framework, IEC 62443, and the ISO 27000 standard series.

In substations, power plant control systems, and control centers, many devices operate without standard operating systems, making it impossible to install endpoint detection software. In such environments, detection capabilities must be implemented at the network level. OMICRON’s StationGuard deployments typically use network mirror ports or Ethernet TAPs to passively monitor communication. Besides detecting intrusions and cyber threats, the IDS technology provides key benefits, including: Visualization of network communication Identification of unnecessary services and risky network connections Automatic asset inventory creation Detection of device vulnerabilities based on this inventory Assessing Risks: Methodology Behind the Findings The report is based on years of IDS installations.

The first installation dates back to 2018. Since then, several hundred installations and security assessments have been conducted at substations, power plants, and control centers in dozens of countries. The findings are grouped into three categories: Technical security risks Organizational security issues Operational and functional problems In most cases, critical security and operational issues were detected within minutes of connecting the IDS to the network. Typically, sensors were connected to mirror ports on OT networks, often at gateways and other critical network entry points, to capture key communication flows.

In many substations, bay-level monitoring was not required, as multicast propagation made the traffic visible elsewhere in the network. Hidden Devices and Asset Blind Spots Accurate asset inventories are essential for securing complex energy systems. Creating and maintaining such directories manually is time-consuming and error-prone. To address this, OMICRON used both passive and active methods for automated asset discovery.

Passive asset identification relies on existing system configuration description (SCD) files, standardized under IEC 61850-6, which contain detailed device information. However, passive monitoring alone proved insufficient in many cases, as essential data such as firmware versions are not transmitted in normal PAC communication. Active querying of device information , on the other hand, leverages the MMS protocol to retrieve nameplate data such as device names, manufacturers, model numbers, firmware versions, and sometimes even hardware identifiers. This combination of passive and active techniques provided a comprehensive asset inventory across installations.

Example of device information retrievable via SCL and MMS active querying Which Technical Cybersecurity Risks Are Most Common? OMICRON’s analysis identified several recurring technical issues across energy OT networks: Vulnerable PAC devices: Many PAC devices were found to be operating with outdated firmware containing known vulnerabilities. A notable example is the CVE-2015-5374 vulnerability, which allows a denial-of-service attack on protective relays with a single UDP packet. Although patches have been available since 2015, numerous devices remain unpatched.

Similar vulnerabilities in GOOSE implementations and MMS protocol stacks pose additional risks. Risky external connections: In several installations, undocumented external TCP/IP connections were found, in some cases exceeding 50 persistent connections to external IP addresses in a single substation. Unnecessary insecure services: Common findings included unused Windows file sharing services (NetBIOS), IPv6 services, license management services running with elevated privileges, and unsecured PLC debugging functions. Weak network segmentation: Many facilities operated as a single large flat network, allowing unrestricted communication between hundreds of devices.

In some cases, even office IT networks were reachable from remote substations. Such architectures significantly increase the impact radius of cyber incidents. Unexpected devices: Untracked IP cameras, printers, and even automation devices frequently appeared on networks without being documented in asset inventories, creating serious blind spots for defenders. The Human Factor: Organizational Weaknesses in OT Security Beyond technical flaws, OMICRON also observed recurring organizational challenges that exacerbate cyber risk.

These include: Departmental boundaries between IT and OT teams Lack of dedicated OT security personnel Resource constraints are limiting the implementation of security controls In many organizations, IT departments remain responsible for OT security — a model that often struggles to address the unique requirements of energy infrastructure. When Operations Fail: Functional Risks in Substations The IDS deployments also revealed a range of operational problems unrelated to direct cyber threats but still affecting system reliability. The most common were: VLAN issues were by far the most frequent, often involving inconsistent VLAN tagging of GOOSE messages across the network. RTU and SCD mismatches led to broken communication between devices, preventing SCADA updates in several cases.

Time synchronization errors ranged from simple misconfigurations to devices operating with incorrect time zones or default timestamps. Network redundancy issues involving RSTP loops and misconfigured switch chips caused severe performance degradation in some installations. These operational weaknesses not only impact availability but can also amplify the consequences of cyber incidents. Functional monitoring related alert messages What Can Utilities Learn from These Findings?

The analysis of over 100 energy facilities highlights the urgent need for robust, purpose-built security solutions that are designed for the unique challenges of operational technology environments. With its deep protocol understanding and asset visibility, the StationGuard Solution provides security teams with the transparency and control needed to protect critical infrastructure. Its built-in allowlisting detects even subtle deviations from expected behavior, while its signature-based detection identifies known threats in real time. The system’s ability to monitor both IT and OT protocols — including IEC 104, MMS, GOOSE, and more — allows utilities to detect and respond to threats at every layer of their substation network.

Combined with features like automated asset inventories, role-based access control, and seamless integration into existing security workflows, StationGuard enables organizations to strengthen resilience without disrupting operations. To learn more about how StationGuard supports utilities in closing these critical security gaps, visit our website . StationGuard Solution Found this article interesting? This article is a contributed piece from one of our valued partners.

3 Decisions CISOs Need to Make to Prevent Downtime Risk in 2026

Beyond the direct impact of cyberattacks, enterprises suffer from a secondary but potentially even more costly risk: operational downtime, any amount of which translates into very real damage. That’s why for CISOs, it’s key to prioritize decisions that reduce dwell time and protect their company from risk. Three strategic steps you can take this year for better results:

Focus on today’s actual business security risks Any efficient SOC is powered by relevant data.

That’s what makes targeted, prioritized action against threats possible. Public or low-quality feeds may have been sufficient in the past, but in 2026, threat actors are more funded, coordinated, and dangerous than ever. Accurate and timely information is a deciding factor when counteracting them. It’s the lack of relevant data that doesn’t allow SOCs to maintain focus on the real risks relevant here and now.

Only continuously refreshed feeds sourced from active threat investigations can enable smart, proactive action. STIX/TAXII-compatible Threat Intelligence Feeds by ANY.RUN allows security teams to focus on threats targeting organizations today. Sourced from the latest manual investigations of malware and phishing done by 15K SOC teams и 600K analysts, this solution provides: Early threat detection: fresh, extensive data expands threat coverage for attack prevention. Mitigated risk of incidents: being informed about the most relevant malicious indicators minimizes the chance of incidents.

Stability in operations: destructive downtime is prevented, ensuring the company’s sustainability. TI Feeds deliver quantifiable results across SOC processes By delivering relevant intel to your SIEM, EDR\XDR, TIP, or NDR, TI Feeds expand threat coverage and offer actionable insights on attacks that have just happened to companies like yours. Result: Up to 58% more threats detected for a reduced chance of business disruption. TI Feeds drive early threat detection Expand coverage and identify up to 58% more threats in real time Integrate TI Feeds 2.

Shield analysts from false positives As a CISO, one of the most effective things you can do to mitigate burnout and improve SOC performance has more to do with analysts’ daily operations rather than overall management. Analysts show better results when they can stay focused on real threats and actually do the job that matters. But false positives, duplicates, and other noise in threat data drain them. It slows down response and increases the risk of missed incidents.

Unlike other feeds with largely outdated and unfiltered indicators, ANY.RUN’s TI Feeds deliver verified intel with near-zero false positive rates and real-time updates. IPs, domains, and hashes are validated and 99% unique. TI Feeds promote early detection with fresh indicators available via API/SDK and STIX/TAXII integrations Integrating TI Feeds into your stacks means: Taking resource-efficient action against threats for breach mitigation Avoiding workflow disruptions and costly escalations Achieving better SOC team performance, morale, and impact Result: Higher productivity across SOC analyst Tiers with 30% fewer Tier 1 to Tier 2 escalations. Protect your brand by mitigating downtime risk in 2026 Request access to TI Feeds 3.

Shorten the gap between knowing and doing
Mature SOCs move from detection to response fast. This requires
context: something that’s missing from ordinary threat intelligence. Without sufficient insights into malicious behavior, the investigation across multiple resources takes too much time and energy, heightening the chance of operational downtime. How TI Feeds benefit SOCs across tiers TI Feeds address the gap between alert and action.

With behavioral context sourced from real sandbox analyses done globally by 15K+ security teams, it shortens MTTD & MTTR, helping businesses: Reduce breach impact at scale by enriching indicators with real-world attacker behavior from active campaigns. Prevent incident escalation caused by uncertainty and slow validation during early investigation stages. Maintain operational continuity by accelerating investigations before attacks affect core business processes. Result: 21 min faster Mean Time to Respond and lower incident response costs.

Conclusion Prioritizing relevant threat intelligence, filling operational gaps, and improving the entire workflow from triage to response directly impacts performance rates across SOCs. For CISOs, this translated into a clear priority: take targeted action to reduce dwell time by empowering analysts with actionable, relevant, and unique threat intelligence feeds, enabling fast and confident decision-making. Prioritize actionable threat intelligence Enable faster response and reduce MTTR by 21 minutes Reach out for full access Found this article interesting? This article is a contributed piece from one of our valued partners.

SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass

SolarWinds has released security updates to address multiple security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE). The list of vulnerabilities is as follows - CVE-2025-40536 (CVSS score: 8.1) - A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality CVE-2025-40537 (CVSS score: 7.5) - A hard-coded credentials vulnerability that could allow access to administrative functions using the “client” user account CVE-2025-40551 (CVSS score: 9.8) - An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine CVE-2025-40552 (CVSS score: 9.8) - An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods CVE-2025-40553 (CVSS score: 9.8) - An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine CVE-2025-40554 (CVSS score: 9.8) - An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk While Jimi Sebree from Horizon3.ai has been credited with discovering and reporting the first three vulnerabilities, watchTowr’s Piotr Bazydlo has been acknowledged for the remaining three flaws. All the issues have been addressed in WHD 2026.1 . “Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution,” Rapid7 said .

“RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.” While CVE-2025-40552 and CVE-2025-40554 have been described as authentication bypasses, they could also be leveraged to obtain RCE and achieve the same impact as the other two RCE deserialization vulnerabilities, the cybersecurity company added. In recent years, SolarWinds has released fixes to resolve several flaws in its Web Help Desk software, including CVE-2024-28986 , CVE-2024-28987 , CVE-2024-28988, and CVE-2025-26399 . It’s worth noting that CVE-2025-26399 addresses a patch bypass for CVE-2024-28988, which, in turn, is a patch bypass of CVE-2024-28986. In late 2024, the U.S.

Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. In a post explaining CVE-2025-40551, Horizon3.ai’s Sebree described it as yet another deserialization vulnerability stemming from the AjaxProxy functionality that could result in remote code execution. To achieve RCE, an attacker needs to carry out the following series of actions - Establish a valid session and extract key values Create a LoginPref component Set the state of the LoginPref component to allow us to access the file upload Use the JSONRPC bridge to create some malicious Java objects behind the scenes Trigger these malicious Java objects With flaws in Web Help Desk having been weaponized in the past, it’s essential that customers move quickly to update to the latest version of the help desk and IT service management platform. Found this article interesting?

Google Disrupts IPIDEA — One of the World’s Largest Residential Proxy Networks

Google on Wednesday announced that it worked together with other partners to disrupt IPIDEA, which it described as one of the largest residential proxy networks in the world. To that end, the company said it took legal action to take down dozens of domains used to control devices and proxy traffic through them. As of writing, IPIDEA’s website (“www.ipidea.io”) is no longer accessible. It advertised itself as the “world’s leading provider of IP proxy” with more than 6.1 million daily updated IP addresses and 69,000 daily new IP addresses.

“Residential proxy networks have become a pervasive tool for everything from high-end espionage to massive criminal schemes,” John Hultquist, Google Threat Intelligence Group’s (GTIG) chief analyst, said in a statement shared with The Hacker News. “By routing traffic through a person’s home internet connection, attackers can hide in plain sight while infiltrating corporate environments. By taking down the infrastructure used to run the IPIDEA network, we have effectively pulled the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices.” Google said that, as recently as this month, IPIDEA’s proxy infrastructure has been leveraged by more than 550 individual threat groups with varying motivations, such as cybercrime, espionage, advanced persistent threat (APTs), information operations, from across the world, including China, North Korea, Iran, and Russia. These activities ranged from access to victim SaaS environments, on-premises infrastructure, and password spray attacks.

In an analysis published earlier this month, Synthient revealed that the threat actors behind the AISURU/Kimwolf botnet were abusing security flaws in residential proxy services like IPIDEA to relay malicious commands to susceptible Internet of Things (IoT) devices behind a firewall within local networks to propagate the malware. The malware that turns consumer devices into proxy endpoints is stealthily bundled within apps and games pre-installed on off-brand Android TV streaming boxes. This forces the infected device to relay malicious traffic and participate in distributed denial-of-service (DDoS) attacks. IPIDEA is also said to have released standalone apps, marketed directly to people looking to make “easy cash” by blatantly advertising they’ll pay consumers to install the app and allow it to use their “unused bandwidth.” While residential proxy networks offer the ability to route traffic through IP addresses owned by internet service providers (ISPs), this can also provide the perfect cover for bad actors looking to mask the origin of their malicious activity.

“To do this, residential proxy network operators need code running on consumer devices to enroll them into the network as exit nodes,” GTIG explained. “These devices are either pre-loaded with proxy software or are joined to the proxy network when users unknowingly download trojanized applications with embedded proxy code. Some users may knowingly install this software on their devices, lured by the promise of ‘monetizing’ their spare bandwidth.” The tech giant’s threat intelligence team said IPIDEA has become notorious for its role in facilitating a number of botnets, including the China -based BADBOX 2.0 . In July 2025, Google filed a lawsuit against 25 unnamed individuals or entities in China for allegedly operating the botnet and its associated residential proxy infrastructure.

It also pointed out that the proxy applications from IPIDEA not only routed traffic through the exit node device, but also sent traffic to the device with the goal of compromising it, posing severe risks to consumers whose devices may have knowingly or unknowingly joined the proxy network. The proxy network that powers IPIDEA is not a monolithic entity. Rather, it’s a collection of multiple well-known residential proxy brands under its control - Ipidea (ipidea[.]io) 360 Proxy (360proxy[.]com) 922 Proxy (922proxy[.]com) ABC Proxy (abcproxy[.]com) Cherry Proxy (cherryproxy[.]com) Door VPN (doorvpn[.]com) Galleon VPN (galleonvpn[.]com) IP 2 World (ip2world[.]com) Luna Proxy (lunaproxy[.]com) PIA S5 Proxy (piaproxy[.]com) PY Proxy (pyproxy[.]com) Radish VPN (radishvpn[.]com) Tab Proxy (tabproxy[.]com) “The same actors that control these brands also control several domains related to Software Development Kits (SDKs) for residential proxies,” Google said. “These SDKs are not meant to be installed or executed as standalone applications, rather they are meant to be embedded into existing applications.” These SDKs are marketed to third-party developers as a way to monetize their Android, Windows, iOS, and WebOS applications.

Developers who integrate the SDKs into their apps are paid by IPIDEA on a per-download basis. This, in turn, transforms a device that installs these apps into a node for the proxy network, while simultaneously providing the advertised functionality. The names of the SDKs controlled by the IPIDEA actors are listed below - Castar SDK (castarsdk[.]com) Earn SDK (earnsdk[.]io) Hex SDK (hexsdk[.]com) Packet SDK (packetsdk[.]com) The SDKs have significant overlaps in their command-and-control (C2) infrastructure and code structure. They follow a two-tier C2 system where the infected devices contact a Tier One server to retrieve a set of Tier Two nodes to connect to.

The application then initiates communication with the Tier Two server to periodically poll for payloads to proxy through the device. Google’s analysis found that there are about 7,400 Tier Two servers. Besides proxy services, the IPIDEA actors have been found to control domains that offer free Virtual Private Network (VPN) tools, which are also engineered to join the proxy network as an exit node incorporating either the Hex or Packet SDK. The names of the VPN services are as follows - Galleon VPN (galleonvpn[.]com) Radish VPN (radishvpn[.]com Aman VPN (defunct) In addition, GTIG said it identified 3,075 unique Windows binaries that have sent a request to at least one Tier One domain, some of which masqueraded as OneDriveSync and Windows Update.

These trojanized Windows applications were not distributed by the IPIDEA actors directly. As many as 600 Android applications (spanning utilities, games, and content) from multiple download sources have been flagged for containing code connecting to Tier One C2 domains by using the monetization SDKs to enable the proxy behavior. In a statement shared with The Wall Street Journal, a spokesperson for the Chinese company said it had engaged in “relatively aggressive market expansion strategies” and “conducted promotional activities in inappropriate venues (e.g., hacker forums),” and it has “explicitly opposed any form of illegal or abusive conduct.” To counter the threat, Google said it has updated Google Play Protect to automatically warn users about apps containing IPIDEA code. For certified Android devices, the system will automatically remove these malicious applications and block any future attempts to install them.

“While proxy providers may claim ignorance or close these security gaps when notified, enforcement and verification are challenging given intentionally murky ownership structures, reseller agreements, and diversity of applications,” Google said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware

Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly Clawdbot) on the official Extension Marketplace that claims to be a free artificial intelligence (AI) coding assistant, but stealthily drops a malicious payload on compromised hosts. The extension, named “ClawdBot Agent - AI Coding Assistant” (“clawdbot.clawdbot-agent”), has since been taken down by Microsoft. It was published by a user named “clawdbot” on January 27, 2026. Moltbot has taken off in a big way, crossing more than 85,000 stars on GitHub as of writing.

The open-source project, created by Austrian developer Peter Steinberger, allows users to run a personal AI assistant powered by a large language model (LLM) locally on their own devices and interact with it over already established communication platforms like WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, and WebChat. The most important aspect to note here is that Moltbot does not have a legitimate VS Code extension, meaning the threat actors behind the activity capitalized on the rising popularity of the tool to trick unsuspecting developers into installing it. The malicious extension is designed such that it’s automatically executed every time the integrated development environment (IDE) is launched, stealthily retrieving a file named “config.json” from an external server (“clawdbot.getintwopc[.]site”) to execute a binary named “Code.exe” that deploys a legitimate remote desktop program like ConnectWise ScreenConnect. The application then connects to the URL “meeting.bulletmailer[.]net:8041,” granting the attacker persistent remote access to the compromised host.

“The attackers set up their own ScreenConnect relay server, generated a pre-configured client installer, and distributed it through the VS Code extension,” Aikido researcher Charlie Eriksen said. “When victims install the extension, they get a fully functional ScreenConnect client that immediately phones home to the attacker’s infrastructure.” What’s more, the extension incorporates a fallback mechanism that retrieves a DLL listed in “config.json” and sideloads it to obtain the same payload from Dropbox. The DLL (“DWrite.dll”), written in Rust, ensures that the ScreenConnect client is delivered even if the command-and-control (C2) infrastructure becomes inaccessible. “Deeper payload analysis suggests the attacker anticipated failures, and several delivery methods don’t work reliably,” Eriksen told The Hacker News, “That said, it appears that ‘code.exe’ loads ‘DWrite.dll’ [using DLL side-loading], and when both are in the same directory, the malicious DLL would likely be loaded by default.” This is not the only backup mechanism incorporated into the extension for payload delivery.

The fake Moltbot extension also embeds hard-coded URLs to get the executable and the DLL to be sideloaded. A second alternative method involves using a batch script to obtain the payloads from a different domain (“darkgptprivate[.]com”). The Security Risks with Moltbot The disclosure comes as security researcher and Dvuln founder Jamieson O’Reilly found hundreds of unauthenticated Moltbot instances online due to a “classic” reverse proxy misconfiguration, exposing configuration data, API keys, OAuth credentials, and conversation histories from private chats to unauthorized parties. The issue stems from a combination of Moltbot auto-approving “local” connections and deployments behind reverse proxies causing internet connections to be treated as local – and therefore trusted and automatically approved for unauthenticated access.

“The real problem is that Clawdbot agents have agency,” O’Reilly explained . “They can send messages on behalf of users across Telegram, Slack, Discord, Signal, and WhatsApp. They can execute tools and run commands.” This, in turn, opens the door to a scenario where an attacker can impersonate the operator to their contacts, inject messages into ongoing conversations, modify agent responses, and exfiltrate sensitive data without their knowledge. More critically, an attacker could distribute a backdoored Moltbot “skill” via MoltHub (formerly ClawdHub) to stage supply chain attacks and siphon sensitive data.

Intruder, in a similar analysis, said it has observed widespread misconfigurations leading to credential exposure, prompt injection vulnerabilities , and compromised instances across multiple cloud providers. “The core issue is architectural: Clawdbot prioritizes ease of deployment over secure-by-default configuration,” Benjamin Marr, security engineer at Intruder, said in a statement. “Non-technical users can spin up instances and integrate sensitive services without encountering any security friction or validation. There are no enforced firewall requirements, no credential validation, and no sandboxing of untrusted plugins.” Users who are running Clawdbot with default configurations are recommended to audit their configuration , revoke all connected service integrations, review exposed credentials, implement network controls, and monitor for signs of compromise.

Update 1Password , Hudson Rock , and Token Security have also raised potential dangers arising from using Moltbot, stating its “deep, unapologetic access” to sensitive enterprise systems on unmanaged personal devices outside of the security perimeter can become “high-impact control points” when they are misconfigured. Token Security said 22% of its customers have employees actively using Clawdbot within their organizations, adding that the platform’s lack of sandboxing and its use of plaintext for storing “memories” and credentials make it an attractive target for attackers looking to steal sensitive corporate data. “If an attacker compromises the same machine you run MoltBot on, they do not need to do anything fancy,” 1Password said. “Modern infostealers scrape common directories and exfiltrate anything that looks like credentials, tokens, session logs, or developer config.

If your agent stores in plain-text API keys, webhook tokens, transcripts, and long-term memory in known locations, an infostealer can grab the whole thing in seconds.” Hudson Rock also noted that it’s “seeing specific adaptations in major malware-as-a-service (MaaS) families” like RedLine, Lumma, and Vidar to target these directory structures for information theft. “For infostealers, this data is unique. It isn’t just about stealing a password; it is about Cognitive Context Theft,” it said. “The threat is not just exfiltration; it is Agent Hijacking.

If an attacker gains write access (e.g., via a RAT deployed alongside the stealer), they can engage in ‘Memory Poisoning.’” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Russian ELECTRUM Tied to December 2025 Cyber Attack on Polish Power Grid

The “coordinated” cyber attack targeting multiple sites across the Polish power grid has been attributed with medium confidence to a Russian state-sponsored hacking crew known as ELECTRUM . Operational technology (OT) cybersecurity company Dragos, in a new intelligence brief published Tuesday, described the late December 2025 activity as the first major cyber attack targeting distributed energy resources (DERs). “The attack affected communication and control systems at combined heat and power (CHP) facilities and systems managing the dispatch of renewable energy systems from wind and solar sites,” Dragos said . “While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site.” It’s worth pointing out that ELECTRUM and KAMACITE share overlaps with a cluster referred to as Sandworm (aka APT44 and Seashell Blizzard).

KAMACITE focuses on establishing and maintaining initial access to targeted organizations using spear-phishing, stolen credentials, and exploitation of exposed services. Beyond initial access, the threat actor performs reconnaissance and persistence activities over extended periods of time as part of efforts to burrow deep into target OT environments and keep a low profile, signaling a careful preparatory phase that precedes actions executed by ELECTRUM targeting the industrial control systems. “Following access enablement, ELECTRUM conducts operations that bridge IT and OT environments, deploying tooling within operational networks, and performs ICS-specific actions that manipulate control systems or disrupt physical processes,” Dragos said . “These actions have included both manual interactions with operator interfaces and the deployment of purpose-built ICS malware, depending on the operational requirements and objectives.” Put differently, the two clusters have clear separation of roles and responsibilities, enabling flexibility in execution and facilitating sustained OT-focused intrusions when conditions are favourable.

As recently as July 2025, KAMACITE is said to have engaged in scanning activity against industrial devices located in the U.S. Although no follow-on OT disruptions have been publicly reported to date, this highlights an operational model that is not geographically constrained and facilitates early-stage access identification and positioning. “KAMACITE’s access-oriented operations create the conditions under which OT impact becomes possible, while ELECTRUM applies execution tradecraft when timing, access, and risk tolerance align,” it explained. “This division of labor enables flexibility in execution and allows OT impact to remain an option, even when it is not immediately exercised.

This extends risk beyond discrete incidents and into prolonged periods of latent exposure.” Dragos said the Poland attack targeted systems that facilitate communication and control between grid operators and DER assets, including assets that enable network connectivity, allowing the adversary to successfully disrupt operations at about 30 distributed generation sites. The threat actors are assessed to have breached Remote Terminal Units (RTUs) and communication infrastructure at the affected sites using exposed network devices and exploited vulnerabilities as initial access vectors. The findings indicate that the attackers possess a deep understanding of electrical grid infrastructure, allowing them to disable communications equipment, including some OT devices. That said, the full scope of the malicious actions undertaken by ELECTRUM is unknown, with Dragos noting that it’s unclear if the threat actor attempted to issue operational commands to this equipment or focused solely on disabling communications.

The Poland attack is also assessed to be more opportunistic and rushed than a precisely planned operation, allowing the hackers to take advantage of the unauthorized access to inflict as much damage as possible by wiping Windows-based devices to impede recovery, resetting configurations, or attempting to permanently brick equipment. The majority of the equipment is targeted at grid safety and stability monitoring, per Dragos. “This incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation,” it added. “The disabling of certain OT or industrial control system (ICS) equipment beyond repair at the site moved what could have been seen as a pre-positioning attempt by the adversary into an attack.” Found this article interesting?

Two High-Severity n8n Flaws Allow Authenticated Remote Code Execution

Cybersecurity researchers have disclosed two new security flaws in the n8n workflow automation platform, including a crucial vulnerability that could result in remote code execution. The weaknesses, discovered by the JFrog Security Research team, are listed below - CVE-2026-1470 (CVSS score: 9.9) - An eval injection vulnerability that could allow an authenticated user to bypass the Expression sandbox mechanism and achieve full remote code execution on n8n’s main node by passing specially crafted JavaScript code CVE-2026-0863 (CVSS score: 8.5) - An eval injection vulnerability that could allow an authenticated user to bypass n8n’s python-task-executor sandbox restrictions and run arbitrary Python code on the underlying operating system Shachar Menashe, JFrog’s vice president of security research, told The Hacker news that one of the reasons for CVE-2026-1470’s high CVSS score despite requiring authentication is that “any user of n8n can exploit this issue and gain a complete takeover of the entire n8n instance, so that makes it a bit more dangerous.” Successful exploitation of the flaws could permit an attacker to hijack an entire n8n instance, including under scenarios where it’s operating under “internal” execution mode. In its documentation, n8n notes that using internal mode in production environments can pose a security risk, urging users to switch to external mode to ensure proper isolation between n8n and task runner processes. “As n8n spans an entire organization to automate AI workflows, it holds the keys to core tools, functions, and data from infrastructure, including LLM APIs, sales data, and internal IAM systems, among others,” JFrog said in a statement shared with The Hacker News.

“This results in escapes giving a hacker an effective “skeleton key” to the entire corporation.” To address the flaws, users are advised to update to the following versions - CVE-2026-1470

1.123.17, 2.4.5, or 2.5.1 CVE-2026-0863
1.123.14, 2.3.5, or 2.4.2 The development comes merely weeks after Cyera Research Labs detailed a maximum-severity security flaw in n8n ( CVE-2026-21858 aka Ni8mare) that allows an unauthenticated remote attacker to gain complete control over susceptible instances. As of January 27, 2026, more than 39,000 n8n instances remain susceptible to the flaw, per data from the Shadowserver Foundation. “These vulnerabilities highlight how difficult it is to safely sandbox dynamic, high‑level languages such as JavaScript and Python,” researcher Nathan Nehorai said. “Even with multiple validation layers, deny lists, and AST‑based controls in place, subtle language features and runtime behaviors can be leveraged to bypass security assumptions.” “In this case, deprecated or rarely used constructs, combined with interpreter changes and exception handling behavior, were enough to break out of otherwise restrictive sandboxes and achieve remote code execution.” Found this article interesting?

From Triage to Threat Hunts: How AI Accelerates SecOps

If you work in security operations, the concept of the AI SOC agent is likely familiar. Early narratives promised total autonomy. Vendors seized on the idea of the “Autonomous SOC” and suggested a future where algorithms replaced analysts. That future has not arrived.

We have not seen mass layoffs or empty security operations centers. We have instead seen the emergence of a practical reality. The deployment of AI in the SOC has not removed the human element. It has instead redefined how they are spending their time.

We now understand that the value of AI is not in replacing the operator. It is in solving the math problem of defense. Infrastructure complexity scales exponentially while headcount scales linearly. This mismatch previously forced teams to make statistical compromises and sample alerts rather than solving them.

Agentic AI corrects this imbalance. It decouples investigation capacity from human availability and fundamentally alters the daily workflow of the security operations team. Redefining Triage and Investigation: Automated Context at Scale Alert triage currently functions as a filter. SOC analysts review basic telemetry to decide if an alert warrants a full investigation.

This manual gatekeeping creates a bottleneck where low-fidelity signals are ignored to preserve bandwidth. Now imagine if an alert that comes in as low severity and is pushed down the priority queue ends up being a real threat. This is where missed alerts lead to breaches. Agentic AI changes triage by adding a machine layer that investigates every alert, regardless of severity, with human-level accuracy before it reaches the analyst.

It pulls disjointed telemetry from EDR, identity, email, cloud, SaaS, and network tools into a unified context. The system performs the initial analysis and correlation and redetermines the severity, instantly pushing that low-severity alert to the top. This enables the analyst to concentrate on detecting malicious actors concealed within the noise. The human operator no longer spends time gathering IP reputation or verifying user locations.

Their role shifts to reviewing the verdict provided by the system. This ensures that 100% of alerts receive a full investigation as soon as they arrive. Zero dwell time for every alert. The forced tradeoff of ignoring low-fidelity signals disappears because the cost of investigation is significantly lower with AI SOC agents.

Impact on Detection Engineering: Visualizing the Noise Effective detection engineering requires feedback loops that manual SOCs struggle to provide. Analysts often close false positives without detailed documentation, which leaves detection engineers blind to which rules generate the most operational waste. An AI-driven architecture creates a structured feedback loop for detection logic . Because the system investigates every alert, it aggregates data on which rules consistently produce false positives.

It identifies specific detection logic that requires tuning and provides the evidence needed to modify it. This visibility allows engineers to surgically prune noisy alerts. They can retire or adjust low-value rules based on empirical data rather than anecdotal complaints. The SOC becomes cleaner over time as the AI highlights exactly where the noise lives.

Accelerating Threat Hunting: Hypothesis-Driven Defense Threat hunting is often limited by the technical barrier of query languages. Analysts must translate a hypothesis into complex syntax like SPL or KQL. This friction reduces the frequency of proactive hunts. AI removes this syntax barrier.

It enables natural language interaction with security data. An analyst can ask semantic questions about the environment. A query such as “show me all lateral movement attempts from unmanaged devices in the last 24 hours” translates instantly into the necessary database queries. This capability democratizes threat hunting.

Senior analysts can execute complex hypotheses faster. Junior analysts can participate in hunting operations without needing years of query language experience. The focus remains on the investigative theory rather than the mechanics of data retrieval. Why Organizations Choose Prophet Security What we’ve found from Prophet Security customers is that successful deployment of Agentic AI in a live environment hinges on several critical standards: Depth, Accuracy, Transparency, Adaptability, and Workflow Integration.

These are the foundational pillars essential for human operators to trust the AI system’s judgment and operationalize it. Without excelling in these areas, AI adoption will falter, as the human team will lack confidence in its verdicts. Depth requires the system to replicate the cognitive workflow of a Tier 1-3 analyst. Basic automation checks a file hash and stops.

Agentic AI must go further. It must pivot across identity providers, EDR, and network logs to build a complete picture. It must understand the nuance of internal business logic to investigate with the same breadth and rigor as a human expert. Accuracy is the measure of utility.

The system must reliably distinguish between benign administrative tasks and genuine threats. High fidelity ensures that analysts can rely on the system’s verdicts without constant re-verification. Not surprisingly, depth of investigation and accuracy go hand-in-hand. Prophet Security’s accuracy is consistently above 98%, including where it counts the most: identifying true positives.

Transparency and explainability are the ultimate test of trust. AI builds trust by providing transparency into its operations, detailing the queries run against data sources, the specific data retrieved, and the logical conclusions drawn. Prophet Security enforces a “Glass Box” standard that meticulously documents and exposes every query, data point, and logic step used to determine whether the alert is a true positive or benign. Adaptability refers to how well the AI system ingests feedback and guidance, and other organizational-specific context to improve its accuracy.

The AI system should effectively mold around your environment and its unique security needs and risk tolerance. Prophet Security has built a Guidance system that enables a human-on-the-loop model where analysts provide feedback and organizational context to customize the AI’s investigation and response logic to their needs. Workflow Integration is crucial. Tools must not only integrate with your existing technology stack but also seamlessly fit into your current security operations workflows.

A solution that demands a complete overhaul of existing systems or clashes with your established security tool implementation will be unusable from the start. Prophet Security understands this necessity, as the platform was developed by former SOC analysts from leading firms like Mandiant, Red Canary, and Expel. We’ve prioritized integration quality to ensure a seamless experience and immediate value for every security team. To learn more about Prophet Security and see why teams trust Prophet AI to triage, investigate, and respond to all of their alerts, request a demo today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system. The vulnerability, tracked as CVE-2026-22709 , carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system. “In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed,” vm2 maintainer Patrik Simek said . “This allows attackers to escape the sandbox and run arbitrary code.” vm2 is a Node.js library used to run untrusted code within a secure sandboxed environment by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.

The newly discovered flaw stems from the library’s improper sanitization of Promise handlers , which creates an escape vector that results in the execution of arbitrary code outside the sandbox boundaries. “The critical insight is that async functions in JavaScript return globalPromise objects, not localPromise objects. Since globalPromise.prototype.then and globalPromise.prototype.catch are not properly sanitized (unlike localPromise),” Endor Labs researchers Peyton Kennedy and Cris Staicu said . While CVE-2026-22709 has been addressed in vm2 version 3.10.2, it’s the latest in a steady stream of sandbox escapes that have plagued the library in recent years.

This includes CVE-2022-36067 , CVE-2023-29017 , CVE-2023-29199, CVE-2023-30547 , CVE-2023-32314 , CVE-2023-37466 , and CVE-2023-37903 . The discovery of CVE-2023-37903 in July 2023 also led Simek to announce that the project was being discontinued . However, these references have since been removed from the latest README file available on its GitHub repository after the project was resurrected late last year. The Security page has also been updated as of October 2025 to mention that vm2 3.x versions are being actively maintained.

However, vm2’s maintainer has also acknowledged that new bypasses will likely be discovered in the future, urging users to make sure that they keep the library up to date and consider other robust alternatives, such as isolated-vm , for stronger isolation guarantees. “Instead of relying on the problematic vm model, the successor to vm2, isolated-vm relies on V8’s native Isolate interface, which offers a more solid foundation, but even then, the maintainers of vm2 stress the importance of isolation and actually recommend Docker with logical separation between components,” Semgrep said . In light of the criticality of the flaw, users are recommended to update to the most recent version ( 3.10.3 ), which comes with fixes for additional sandbox escapes. Found this article interesting?

Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks

Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints. The activity has been attributed to Mustang Panda (aka Earth Preta, Fireant, HoneyMyte, Polaris, and Twill Typhoon) with the intrusions primarily directed against government entities located across campaigns across Myanmar, Mongolia, Malaysia, and Russia. Kaspersky, which disclosed details of the updated malware, said it’s deployed as a secondary backdoor along with PlugX and LuminousMoth infections. “COOLCLIENT was typically delivered alongside encrypted loader files containing encrypted configuration data, shellcode, and in-memory next-stage DLL modules,” the Russian cybersecurity company said .

“These modules relied on DLL side-loading as their primary execution method, which required a legitimate signed executable to load a malicious DLL.” Between 2021 and 2025, Mustang Panda is said to have leveraged signed binaries from various software products, including Bitdefender (“qutppy.exe”), VLC Media Player (“vlc.exe” renamed as “googleupdate.exe”), Ulead PhotoImpact (“olreg.exe”), and Sangfor (“sang.exe”) for this purpose. Campaigns observed in 2024 and 2025 have been found to abuse legitimate software developed by Sangfor, with one such wave targeting Pakistan and Myanmar using it to deliver a COOLCLIENT variant that drops and executes a previously unseen rootkit. COOLCLIENT was first documented by Sophos in November 2022 in a report detailing the widespread use of DLL side-loading by China-based APT groups. A subsequent analysis from Trend Micro officially attributed the backdoor to Mustang Panda and highlighted its ability to read/delete files, as well as monitor the clipboard and active windows.

The malware has also been put to use in attacks targeting multiple telecom operators in a single Asian country in a long-running espionage campaign that may have commenced in 2021, Broadcom’s Symantec and Carbon Black Threat Hunter Team revealed in June 2024. COOLCLIENT is designed for collecting system and user information, such as keystrokes, clipboard contents, files, and HTTP proxy credentials from the host’s HTTP traffic packets based on instructions sent from a command-and-control (C2) server over TCP. It can also set up a reverse tunnel or proxy, and receive and execute additional plugins in memory. Some of the supported plugins are listed below - ServiceMgrS.dll, a service management plugin to oversee all services on the victim host FileMgrS.dll, a file management plugin to enumerate, create, move, read, compress, search, or delete files and folders RemoteShellS.dll, a remote shell plugin that spawns a “cmd.exe” process to allow the operator to issue commands and capture the resulting output Mustang Panda has also been observed deploying three different stealer programs in order to extract saved login credentials from Google Chrome, Microsoft Edge, and other Chromium-based browsers.

In at least one case, the adversary ran a cURL command to exfiltrate the Mozilla Firefox browser cookie file (“cookies.sqlite”) to Google Drive. These stealers, detected in attacks against the government sector in Myanmar, Malaysia, and Thailand, are suspected to be used as part of broader post-exploitation efforts. Furthermore, the attacks are characterized by the use of a known malware called TONESHELL (aka TOnePipeShell), which has been employed with varying levels of capabilities to establish persistence and drop additional payloads like QReverse , a remote access trojan with remote shell, file management, screenshot capture, and information gathering features, and a USB worm codenamed TONEDISK . Kaspersky’s analysis of the browser credential stealer has also uncovered code-level similarities with a cookie stealer used by LuminousMoth, suggesting some level of tool sharing between the two clusters.

On top of that, Mustang Panda has been identified as using batch and PowerShell scripts to gather system information, conduct document theft activities, and steal browser login data. “With capabilities such as keylogging, clipboard monitoring, proxy credential theft, document exfiltration, browser credential harvesting, and large-scale file theft, HoneyMyte’s campaigns appear to go far beyond traditional espionage goals like document theft and persistence,” the company said. “These tools indicate a shift toward the active surveillance of user activity that includes capturing keystrokes, collecting clipboard data, and harvesting proxy credentials.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.