2026-03-06 AI创业新闻

Preparing for the Quantum Era: Post-Quantum Cryptography Webinar for Security Leaders

Most organizations assume encrypted data is safe. But many attackers are already preparing for a future where today’s encryption can be broken. Instead of trying to decrypt information now, they are collecting encrypted data and storing it so it can be decrypted later using quantum computers. This tactic—known as “harvest now, decrypt later” —means sensitive data transmitted today could become readable years from now once quantum capabilities mature.

Security leaders who want to understand this risk and how to prepare can explore it in detail in the upcoming webinar on Post-Quantum Cryptography best practices , where experts will explain practical ways organizations can begin protecting data before quantum decryption becomes possible. Why Post-Quantum Cryptography Matters Quantum computing is advancing quickly, and most modern encryption algorithms, such as RSA and ECC, will not remain secure forever. For organizations that must keep data confidential for many years—financial records, intellectual property, government communications—waiting is not an option. A practical approach emerging today is hybrid cryptography , which combines traditional encryption with quantum-resistant algorithms like ML-KEM .

This allows organizations to strengthen security without disrupting existing systems. The Future-Ready Security webinar will explain how hybrid cryptography works in real environments and how organizations can begin transitioning to quantum-safe protections. Preparing for the Quantum Era Organizations preparing for quantum threats are focusing on a few key steps: Identify sensitive data that must remain protected long-term Understand where encryption is used across systems Begin adopting hybrid cryptography strategies Maintain visibility into cryptographic algorithms and compliance needs At the same time, security teams must still inspect encrypted traffic and enforce policies across their networks. Modern Zero Trust architectures play an important role in maintaining this control.

These strategies—and how platforms like Zscaler implement them—will be discussed during the live webinar session designed for IT, security, and networking leaders. What You’ll Learn in the Webinar This session will cover: The growing risk of “harvest now, decrypt later” attacks How ML-KEM hybrid encryption helps organizations transition safely How post-quantum traffic inspection enables policy enforcement at scale Best practices for protecting sensitive data in the quantum era Quantum computing will reshape cybersecurity. Organizations that begin preparing early will be better positioned to protect their most critical data. Join the webinar to learn how to build a practical, quantum-ready security strategy before the threat becomes urgent.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities

Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2026-20122 (CVSS score: 7.1) - An arbitrary file overwrite vulnerability that could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. Successful exploitation requires the attacker to have valid read-only credentials with API access on the affected system. CVE-2026-20128 (CVSS score: 5.5) - An information disclosure vulnerability that could allow an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system.

Successful exploitation requires the attacker to have valid vManage credentials on the affected system. Patches for the security defects, along with CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, were released by Cisco late last month in the following versions - Earlier than Version 20.91 - Migrate to a fixed release. Version 20.9 - Fixed in 20.9.8.2 Version 20.11 - Fixed in 20.12.6.1 Version 20.12 - Fixed in 20.12.5.3 and 20.12.6.1 Version 20.13 - Fixed in 20.15.4.2 Version 20.14 - Fixed in 20.15.4.2 Version 20.15 - Fixed in 20.15.4.2 Version 20.16 - Fixed in 20.18.2.1 Version 20.18 - Fixed in 20.18.2.1 “In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only,” the networking equipment major said. The company did not elaborate on the scale of the activity and who may be behind it.

In light of active exploitation, users are recommended to update to a fixed software release as soon as possible, and take steps to limit access from unsecured networks, secure the appliances behind a firewall, disable HTTP for the Catalyst SD-WAN Manager web UI administrator portal, turn off network services like HTTP and FTP if not required, change the default administrator password, and monitor log traffic for any unexpected traffic to and from systems. The disclosure comes a week after the company said a critical security flaw in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager ( CVE-2026-20127 , CVSS score: 10.0) has been exploited by a highly sophisticated cyber threat actor tracked as UAT-8616 to establish persistent footholds into high-value organizations. This week, Cisco also released updates to address two maximum-severity security vulnerabilities in Secure Firewall Management Center ( CVE-2026-20079 and CVE-2026-20131 , CVSS scores: 10.0) that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. Found this article interesting?

ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine & More

Some weeks in cybersecurity feel routine. This one doesn’t. Several new developments surfaced over the past few days, showing how quickly the threat landscape keeps shifting. Researchers uncovered fresh activity, security teams shared new findings, and a few unexpected moves from major tech companies also drew attention.

Together, these updates offer a useful snapshot of what is happening behind the scenes in the cyber world right now. From new tactics and campaigns to security and policy changes that could affect millions of users, there is a lot unfolding at once. Below is a quick roundup of the most notable stories making headlines this week. Phishing Campaign Deploys Multiple Malware Strains Ukraine Targeted by SHADOWSNIFF, SALATSTEALER, DEAFTICKK Malware The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a hacking campaign targeting Ukrainian government institutions using phishing emails containing a ZIP archive (or a link to a website vulnerable to cross-site scripting attacks) to distribute SHADOWSNIFF and SALATSTEALER information-stealing malware and a Go backdoor called DEAFTICKK.

The agency attributed the activity to a threat actor tracked as UAC-0252. The development comes as a suspected Russian espionage campaign is targeting Ukraine with two previously undocumented malware strains, BadPaw and MeowMeow , according to ClearSky. While the campaign is likely said to be the work of APT28, the cybersecurity company did not identify the targets of the campaign or say whether the attacks were successful. Fake RMM Service Spreads RAT via Phishing Threat Actor Masquerades as RMM Vendor to Distribute RAT A new malware-as-a-service (MaaS) dubbed TrustConnect (“trustconnectsoftware[.]com”) masqueraded as a legitimate remote monitoring and management (RMM) tool for $300 per month.

It’s assessed that the threat actor behind TrustConnect was also a prominent user of RedLine Stealer . According to email security firm Proofpoint , multiple threat actors have been observed distributing the malware via phishing emails as of January 27, 2026. The emails claim to be event invites or bid proposals, tricking recipients into clicking on links that lead to the download of bogus executables that install TrustConnect RAT. The RAT backdoors users’ machines and gives attackers full mouse and keyboard control, allowing them to record and stream the victim’s screen.

Some campaigns have also been observed delivering legitimate remote access software like ScreenConnect and LogMeIn Resolve alongside TrustConnect between January 31 and February 3, 2026. Customers who purchase the toolkit are granted access to a dashboard to remotely commandeer infected devices and generate branded installers containing the malware. After Proofpoint took steps to disrupt some of the malware’s infrastructure on February 17, 2026, the threat actor resurfaced with a rebranded version of the malware platform called DocConnect. “Disruptions to MaaS operations like RedLine, Lumma Stealer, and Rhadamanthys have created new opportunities for malware creators to fill gaps in the cybercrime market,” Proofpoint said.

“Although TrustConnect only masqueraded as a legitimate RMM, the lures, attack chains, and follow-on payloads (which include RMMs) show overlap with techniques and delivery methods that are frequently observed in RMM campaigns and used by multiple threat actors.” The development comes amid skyrocketing abuse of legitimate RMM software in cyber attacks. Chrome Moves to Two-Week Release Cycle Google Revises Chrome Release Cycle Google has announced that new Chrome iterations will be released every two weeks, moving away from the current four-week release cycle. Since 2021, Google has been shipping major Chrome versions every four weeks, and since 2023, it has been delivering security updates every week for a reduced patch gap and improved quality. “The web platform is constantly advancing, and our goal is to ensure developers and users have immediate access to the latest performance improvements, fixes, and new capabilities,” Google said .

The new release cycle will also apply to beta releases, starting with Chrome 153, which will arrive on September 8, 2026. TPMS Signals Allow Covert Vehicle Tracking Vehicle Tire Pressure Sensors Enable Silent Tracking Researchers at IMDEA Networks Institute have found that Tire Pressure Monitoring System (TPMS) sensors inside each car wheel broadcast unencrypted wireless signals containing persistent identifiers. While the feature is designed for vehicle safety, each sensor transmits a unique ID that does not change, allowing the same car to be recognized again and tracked over time. This, in turn, opens the door to a low-cost monitoring network that uses software-defined radio receivers near roads (at a distance of up to 40m from the car) and parking areas to collect TPMS messages from thousands of vehicles and build profiles of their movements over time.

“Malicious users could deploy passive receivers on large scales and track citizens without their knowledge. The advantage of such a system, over more traditional camera-based ones, is that no direct line-of-sight is needed with the TPMS sensors, and spectrum receivers could be placed in covert or hidden locations, making them harder to spot by victims,” the researchers warned . “Our results show that TPMS transmissions can be used to systematically infer potentially sensitive information such as the presence, type, weight, or driving pattern of the driver.” The disclosure adds to a growing body of research demonstrating how various components fitted into modern vehicles can become unintended conduits for surveillance and exploits. Telegram Emerges as Cybercrime Command Hub Telegram as an Operational Layer for Cybercrime A new analysis from CYFIRMA has pointed out how Telegram’s structure offers threat actors a way to extend their reach globally without the need for specialized tooling, enable frictionless onboarding of buyers and affiliates, support payment options, and facilitate audience growth.

The emergence of the platform has fundamentally changed the way cyber operations are coordinated, monetized, and publicized. “For financially motivated actors, Telegram functions as a scalable storefront and customer support hub,” the company said . “For hacktivists, it serves as a mobilization and propaganda amplifier. For state-aligned operations, it offers a rapid distribution channel for narratives and leaks.

In many cases, telegram complements and increasingly replaces traditional Tor-based ecosystems by removing technical friction while maintaining operational flexibility.” AuraStealer Infrastructure Revealed New AuraStealer Malware Analyzed A new analysis of AuraStealer from Intrinsec has uncovered 48 command-and-control (C2) domain names linked to the stealer’s operations. The threat actor behind the malware has been found to use .shop and .cfd top-level domains, in addition to routing all traffic through Cloudflare as a reverse proxy to conceal the real server. AuraStealer first appeared on underground hacker forums in July 2025, shortly after the disruption of the Lumma Stealer as part of a law enforcement operation. It was advertised by a user named AuraCorp on the XSS forum.

It comes in two subscription packages: $295/month for Basic and $585/month for Advanced. One of the primary mechanisms through which the stealer is distributed is ClickFix . Malvertising Pushes New Atomic Stealer Variant Malvertising Campaign Drops Atomic Stealer A malvertising campaign is using bogus ads on Google Search results pages to redirect users looking for ways to free up macOS storage to fraudulent web pages hosted on Medium, Evernote, and Kimi AI to serve ClickFix -style instructions that drop a new variant of the Atomic Stealer called malext to steal a wide range of data from compromised macOS systems. The campaign uses more than 50 compromised Google Ads accounts that push “over 485 malicious landing pages, ultimately leading to a ClickFix attack that deployed a potentially new version of AMOS Stealer onto infected systems,” security researcher Gi7w0rm said .

Bots Hammer DRAM Pages for DDR5 Inventory Large-Scale Operation Submits Millions of Web Scraping Requests Targeting DRAM Product Pages A large-scale data gathering operation has submitted more than 10 million web scraping requests to hit DRAM product pages on e-commerce sites in an effort to find sellers carrying desirable DRAM stock. The bots have been found to check the stock of specific RAM kits every 6.5 seconds by using a technique called cache busting to ensure they get the most up-to-date information, DataDome said. “These bots aggressively target the entire supply chain, from consumer RAM to B2B industrial memory providers and raw hardware components like DIMM sockets,” the company said . “Scrapers attempt to avoid detection by adding cache-busting parameters to every request and calibrating their speed to stay just below volumetric alarm thresholds.

By rapidly snapping up the limited DDR5 memory inventory for profitable resale, these bots further deplete the consumer supply, effectively boxing out legitimate customers and driving market prices even higher.” Reddit Fined Over Children’s Data Handling U.K. ICO Fines Reddit £14.47M for Children’s Privacy Failures The U.K. Information Commissioner’s Office (ICO) has fined Reddit £14.47 million for unlawfully processing the personal information of children under the age of 13 and for failing to properly check the age of its users, thereby putting them at risk of being exposed to inappropriate and harmful content online. In July 2025, Reddit introduced age assurance measures that include age verification to access mature content and asking users to declare their age when opening an account.

Reddit said it would appeal the decision, stating it doesn’t require users to share information about their identities, regardless of age, to ensure users’ online privacy and safety. Samsung Restricts TV Data Collection in Texas Samsung TVs to Stop Collecting Texans’ Data Without Their Consent Texas Attorney General Ken Paxton announced that Samsung will no longer collect Automated Content Recognition ( ACR ) data without consumers’ express consent. The development comes in the wake of a lawsuit filed against the South Korean electronics giant for its data collection practices and over allegations that the collected ACR information could be used to serve targeted ads. “Additionally, it compels Samsung to promptly update its smart TVs and implement disclosures and consent screens that are clear and conspicuous to ensure that Texans can make an informed decision regarding whether their data is collected and how it’s used,” the Office of the Attorney General said .

Samsung has denied it spies on users. NATO Clears Consumer iPhones and iPads Apple iPhone and iPad Cleared for Classified NATO Use Apple iPhones and iPads have been approved to handle classified information in NATO networks. They are the first consumer-grade devices to be approved for NATO use without additional special software or settings. iPhone and iPad previously received approval to handle classified German government data on devices using native iOS and iPadOS security measures following a security evaluation conducted by Germany’s Federal Office for Information Security.

TikTok Rejects End-to-End Encryption for DMs TikTok Has No Plans to Encrypt Messages ByteDance’s TikTok said it has no plans to add end-to-end encryption (E2EE) to direct messages because it would prevent law enforcement and safety teams from reading messages if necessary. In a statement shared with the BBC, the company said it wanted to protect users, especially young people, from harm. Multi-Stage Phishing Attack Spreads Agent Tesla Phishing Campaign Delivers Agent Tesla A new phishing campaign using purchase order lures has leveraged a multi-stage attack chain to deliver Agent Tesla , allowing threat actors to harvest sensitive data, while taking steps to evade detection using techniques like obfuscation and in-memory execution. “From the initial obfuscated JSE loader to the reflective loading of .NET assemblies and process hollowing of legitimate Windows utilities, Agent Tesla is designed to stay invisible,” Fortinet FortiGuard Labs said .

“Its extensive anti-analysis checks further ensure that it only reveals its true nature when it’s certain it isn’t being watched.” Attackers Abuse Infrastructure-Only .arpa Domain Phishing Attacks Exploit .arpa TLD With organizations taking steps to tighten their traditional email and web filters, new research from Infoblox has found a novel campaign where actors are abusing the .arpa top-level domain, a space strictly reserved for network infrastructure, to host malicious content and bypass standard blocklists. The development shows cybercriminals are finding “impossible” hiding spots within the internet’s core infrastructure to bypass security, the DNS threat intelligence firm said. Elsewhere, threat actors are also abusing LNK shortcut files and WebDAV to download malicious files on targets’ systems. “Because being able to remotely access things on the internet via File Explorer is a relatively unknown functionality to most people, WebDAV is an exploitable way to make people download files without going through a traditional web browser file download,” Cofense said .

Spoofed Email Chains Target LastPass Users LastPass Warns of New Phishing Campaign A new phishing campaign that commenced on March 1, 2026, is using lures related to unauthorized access to individuals’ accounts to trick recipients into visiting fake LastPass login pages to take control of their accounts. The attack takes advantage of the fact that many email clients, especially mobile, show only the display name, hiding the real sender address unless users expand it. “Attackers are forwarding fake email chains to make it appear as though another individual is trying to take unauthorized action on their LastPass account (i.e., export vault, full account recovery, new trusted device registered, etc.),” LastPass said . “Attackers use display name spoofing so that the name portion of the sender field is manipulated to impersonate LastPass, while the actual sending email address is unrelated.” Experts Warn Against Blind Trust in AI Coding Agents Why Relying Fully on an AI Coding Agent Isn’t a Good Idea With the emergence of tools like Claude Code Security , OX Security is urging users to resist the temptation to outsource judgment, architecture, and validation to a single artificial intelligence (AI) model.

“AI doesn’t invent fundamentally new code patterns,” it said . “It reproduces the most common ones it has seen before. That means it scales not only productivity, but also existing weaknesses in software engineering practice.” The cybersecurity company also warned that AI systems may be prone to false positives and may not reliably inform a user if an issue flagged in a single repository is actually exploitable in a complex and unique environment. A pipeline that relies on the same AI system for both writing and reviewing code is not ideal, it added.

LLMs Enable Automated Internet Deanonymization LLMs Are Good at Unmasking Pseudonymous Users at Scale A team of academics from Anthropic, ETH Zurich, and MATS Research has developed large language models (LLMs) that can deanonymize internet users based on past comments or other digital clues they leave behind. “Given two databases of pseudonymous individuals, each containing unstructured text written by or about that individual, we implement a scalable attack pipeline that uses LLMs to: (1) extract identity-relevant features, (2) search for candidate matches via semantic embeddings, and (3) reason over top candidates to verify matches and reduce false positives,” the researchers said . The method works even if targets use different pseudonyms across multiple platforms. The researchers said using their LLMs outperforms classical research methods, where digital footprints are examined manually by a human operator.

This, in turn, enables fully automated deanonymization attacks that can work on unstructured data at scale, while also reducing the cost and effort that goes into intelligence gathering. “Our results show that the practical obscurity protecting pseudonymous users online no longer holds and that threat models for online privacy need to be reconsidered,” the researchers said. “The average online user has long operated under an implicit threat model where they have assumed pseudonymity provides adequate protection because targeted deanonymization would require extensive effort. LLMs invalidate this assumption.” That wraps up this week’s quick look at what has been happening across the cybersecurity landscape.

Each update on its own may seem small, but together they show how quickly things continue to change. New techniques appear, old tactics evolve, and security decisions from major companies can shift the wider ecosystem. For security teams, researchers, and anyone who follows the threat landscape, keeping track of these signals helps make sense of the bigger picture. Stay tuned for the next edition of the ThreatsDay Bulletin with more developments from the cyber world.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Dust Specter Targets Iraqi Officials with New SPLITDROP and GHOSTFORM Malware

A suspected Iran-nexus threat actor has been attributed to a campaign targeting government officials in Iraq by impersonating the country’s Ministry of Foreign Affairs to deliver a set of never-before-seen malware. Zscaler ThreatLabz, which observed the activity in January 2026, is tracking the cluster under the name Dust Specter . The attacks, which manifest in the form of two different infection chains, culminate in the deployment of malware dubbed SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. “Dust Specter used randomly generated URI paths for command-and-control (C2) communication with checksum values appended to the URI paths to ensure that these requests originated from an actual infected system,” security researcher Sudeep Singh said .

“The C2 server also utilized geofencing techniques and User-Agent verification.” A notable aspect of the campaign is the compromise of the Iraqi government-related infrastructure to stage malicious payloads, not to mention the use of evasion techniques to delay execution and fly under the radar. The first attack sequence begins with a password-protected RAR archive, within which there exists a .NET dropper named SPLITDROP, which acts as a conduit for TWINTASK, a worker module, and TWINTALK, a C2 orchestrator. TWINTASK, for its part, is a malicious DLL (“libvlc.dll”) that’s sideloaded by the legitimate “vlc.exe” binary to periodically poll a file (“C:\ProgramData\PolGuid\in.txt”) every 15 seconds for new commands and run them using PowerShell. This also includes commands to establish persistence on the host via Windows Registry changes.

The script output and errors are captured in a separate text file (“C:\ProgramData\PolGuid\out.txt”). TWINTASK, upon first launch, is designed to execute another legitimate binary present in the extracted archive (“WingetUI.exe”), causing it to sideload the TWINTALK DLL (“hostfxr.dll”). Its primary goal is to reach out to the C2 server for new commands, coordinate tasks with TWINTASK, and exfiltrate the results back to the server. It supports the ability to write the command body from the C2 response to “in.txt,” as well as download and upload files.

“The C2 orchestrator works in parallel with the previously described worker module to implement a file-based polling mechanism used for code execution,” Singh said. “Upon execution, TWINTALK enters a beaconing loop and delays execution by a random interval before polling the C2 server for new commands.” The second attack chain represents an evolution of the first, consolidating all the functionality of TWINTASK and TWINTALK into a single binary dubbed GHOSTFORM. It makes use of in-memory PowerShell script execution to run commands retrieved from the C2 server, thereby eliminating the need for writing artifacts to disk. That’s not the only differentiating factor between the two attack chains.

Some GHOSTFORM binaries have been found to embed a hard-coded Google Forms URL that’s automatically launched on the system’s default web browser once the malware begins execution. The form features content written in Arabic and masquerades as an official survey from Iraq’s Ministry of Foreign Affairs. Zscaler’s analysis of the TWINTALK and GHOSTFORM source code has also uncovered the presence of placeholder values, emojis, and Unicode text, suggesting that generative artificial intelligence (AI) tools may have been used to assist with the malware’s development. What’s more, the C2 domain associated with TWINTALK, “meetingapp[.]site,” is said to have been used by the Dust Specter actors in a July 2025 campaign to host a fake Cisco Webex meeting invitation page that instructs users to copy, paste, and run a PowerShell script to join the meeting.

The instructions mirror a tactic widely seen in ClickFix -style social engineering attacks. The PowerShell script, for its part, creates a directory on the host, and attempts to fetch an unspecified payload from the same domain and save it as an executable within the newly created directory. It also creates a scheduled task to run the malicious binary every two hours. Dust Specter’s connections to Iran are based on the fact that Iranian hacking groups have a history of developing custom lightweight .NET backdoors to achieve their goals.

The use of compromised Iraqi government infrastructure has been observed in past campaigns linked to threat actors like OilRig (aka APT34). “This campaign, attributed with medium-to-high confidence to Dust Specter, likely targeted government officials using convincing social engineering lures impersonating Iraq’s Ministry of Foreign Affairs,” Zscaler said. “The activity also reflects broader trends, including ClickFix-style techniques and the growing use of generative AI for malware development.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Where Multi-Factor Authentication Stops and Credential Abuse Starts

Organizations typically roll out multi-factor authentication (MFA) and assume stolen passwords are no longer enough to access systems. In Windows environments, that assumption is often wrong. Attackers still compromise networks every day using valid credentials. The issue is not MFA itself, but coverage.

Enforced through an identity provider (IdP) such as Microsoft Entra ID, Okta, or Google Workspace, MFA works well for cloud apps and federated sign-ins. But many Windows logons rely solely on Active Directory (AD) authentication paths that never trigger MFA prompts. To reduce credential-based compromise, security teams need to understand where Windows authentication happens outside their identity stack. Seven Windows authentication paths that attackers rely on 1.

Interactive Windows logon (local or domain joined) When a user signs in directly to a Windows workstation or server, authentication is typically handled by AD (via Kerberos or NTLM), not by a cloud IdP. In hybrid environments , even if Entra ID enforces MFA for cloud apps, traditional Windows logons to domain-joined systems are validated by on-prem domain controllers. Unless Windows Hello for Business, smart cards, or another integrated MFA mechanism is implemented, there’s no additional factor in that flow. If an attacker obtains a user’s password (or NTLM hash), they can authenticate to a domain-joined machine without triggering the MFA policies that protect software-as-a-service apps or federated single sign-on.

From the domain controller’s perspective, this is a standard authentication request. Tools like Specops Secure Access are key to limiting the risk of credential abuse in these scenarios. By enforcing MFA for Windows logon, as well as for VPN and Remote Desktop Protocol (RDP) connections, this tool makes it harder for attackers to gain unauthorized access to your network. This even extends to offline logins, which are secured with one-time passcode authentication.

Specops Secure Access

Direct RDP access that bypasses conditional access RDP is one of the most targeted access methods in Windows environments. Even when RDP is not exposed to the internet, attackers often reach it through lateral movement after initial compromise. A direct RDP session to a server doesn’t automatically pass through cloud-based MFA controls, which means the logon may rely solely on the underlying AD credential.
NTLM authentication NTLM is a legacy authentication protocol that, despite being deprecated in favor of the more secure Kerberos protocol, still exists for compatibility reasons. It is also a common attack vector because it supports techniques like pass-the-hash. In pass-the-hash attacks, the attacker does not need the plaintext password; instead, they use the NTLM hash to authenticate.

MFA does not help if the system accepts the hash as proof of identity. NTLM can also appear in internal authentication flows that organizations may not actively monitor; only an incident or an audit will surface it to security teams. 4. Kerberos ticket abuse Kerberos is the primary authentication protocol for AD.

Instead of stealing passwords directly, attackers steal Kerberos tickets from memory or generate forged tickets after compromising privileged accounts. This enables techniques such as: Pass-the-ticket Golden Ticket Silver Ticket These attacks allow long-term access and lateral movement and also reduce the need for repeated logons, which lowers the chance of detection. These attacks can persist even after password resets if the underlying compromise is not fully addressed. 5.

Local administrator accounts and credential reuse Organizations still rely on local administrator accounts for support tasks and system recovery. If local admin passwords are reused across endpoints, attackers can escalate one compromise into broad access. Local admin accounts usually authenticate directly to the endpoint bypassing MFA controls entirely. Entra ID conditional access policies do not apply.

This is one reason why credential dumping remains so effective in Windows environments. 6. Server Message Block (SMB) authentication and lateral movement SMB is used for file sharing and remote access to Windows resources. It’s also one of the most reliable lateral movement paths once an attacker has valid credentials.

Attackers commonly use SMB to access administrative shares such as C$ or to interact with systems remotely using valid credentials. If SMB authentication is treated as internal traffic, MFA is rarely enforced at this layer. If the attacker has valid credentials, they can use SMB to move between systems quickly. 7.

Service accounts that never trigger MFA Service accounts exist to run scheduled tasks, applications, integrations, and system services. They often have stable credentials, broad permissions, and long lifetimes. In many organizations, service account passwords do not expire and are rarely monitored. They are also difficult to protect with MFA because the authentication is automated.

Frequently, these accounts are used in legacy applications that cannot support modern authentication controls. This is one reason why attackers target helpdesk credentials and endpoint admin access early in an intrusion. How to close Windows authentication gaps Security teams should treat Windows authentication as its own security surface. There are several practical steps security teams can take that reduce exposure: 1.

Enforce stronger password policies in AD A strong password policy should enforce longer passphrases of 15 or more characters. Passphrases are easier for users to remember and harder for attackers to crack. Strong policies should also prevent password reuse and block weak patterns that attackers can guess. 2.

Block compromised passwords continuously Credential theft is not always the result of brute force attacks. Billions of passwords are already available in breach datasets for attackers to reuse in credential attacks . Blocking compromised passwords at the point of creation reduces the chance that users set credentials that attackers already have. 3.

Reduce exposure to legacy authentication protocols Where possible, organizations should restrict or eliminate NTLM authentication. Security teams should set themselves the goal of understanding where NTLM exists, reducing it where possible, and tightening controls where it cannot be removed. 4. Audit service accounts and reduce privilege creep Treat service accounts as high-risk identities.

Organizations should inventory them, reduce unnecessary privileges , rotate credentials, and remove accounts that are no longer needed. If a service account has domain-level permissions, the organization should assume it will be targeted. How Specops can help Strong password policies and proactive checks against known compromised credentials are two of the most effective ways to reduce the risk of credential-based attacks. Specops Password Policy helps by applying flexible password controls that go beyond what’s available natively in Microsoft.

Specops Password Policy Its Breached Password Protection feature continuously checks Active Directory passwords against a database of more than 5.4 billion exposed credentials, alerting you quickly if a user password is found to be at risk. If you’re interested in seeing how Specops can help your organization, speak to an expert or book a demo to see our solutions in action. Found this article interesting? This article is a contributed piece from one of our valued partners.

Accelerate your AI Initiatives

APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine

Cybersecurity researchers have disclosed details of a new Russian cyber campaign that has targeted Ukrainian entities with two previously undocumented malware families named BadPaw and MeowMeow . “The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim,” ClearSky said in a report published this week. In parallel, the attack chain leads to the deployment of a .NET-based loader called BadPaw, which then establishes communication with a remote server to fetch and deploy a sophisticated backdoor called MeowMeow.

The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28 , based on the targeting footprint, the geopolitical nature of the lures used, and overlaps with techniques observed in previous Russian cyber operations. The starting point of the attack sequence is a phishing email sent from ukr[.]net, likely in an attempt to establish credibility and secure the trust of targeted victims. Present in the message is a link to a purported ZIP file, causing the user to be redirected to a URL that loads an “exceptionally small image,” effectively acting as a tracking pixel to signal the operators that the link was clicked. Once this step is complete, the victim is redirected to a secondary URL from where the archive is downloaded.

The ZIP file includes an HTML Application (HTA) that, once launched, drops a decoy document as a distraction mechanism, while it executes follow-on stages in the background. “The dropped decoy document serves as a social engineering tactic, presenting a confirmation of receipt for a government appeal regarding a Ukrainian border crossing,” ClearSky said. “This lure is intended to maintain the veneer of legitimacy.” The HTA file also carries out checks to avoid running within sandbox environments. It does this by querying the Windows Registry key “KLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate” to estimate the “age” of the operating system.

The malware is designed to abort execution if the system was installed less than ten days prior. Should the system meet the environment criteria, the malware locates the downloaded ZIP archive and extracts two files from it – a Visual Basic Script (VBScript) and a PNG image – and saves them to disk under different names. It also creates a scheduled task to execute the VBScript as a way of ensuring persistence on the infected system. The primary responsibility of the VBScript is to extract malicious code embedded within the PNG image, an obfuscated loader referred to as BadPaw that’s capable of contacting a command-and-control (C2) server to download additional components, including an executable named MeowMeow.

“Consistent with the ‘BadPaw’ tradecraft, if this file is executed independently of the full attack chain, it initiates a dummy code sequence,” the Israeli cybersecurity company explained. “This decoy execution displays a graphical user interface (GUI) featuring a picture of a cat, aligning with the visual theme of the initial image file from which the primary malware was extracted.” “When the ‘MeowMeow’ button within the decoy GUI is clicked, the application simply displays a ‘Meow Meow Meow’ message, performing no further malicious actions. This serves as a secondary functional decoy to mislead manual analysis.” The backdoor’s malicious code is activated only when it’s executed with a certain parameter (“-v”) that’s provided by the initial infection chain, and after checking that it’s running on an actual endpoint as opposed to a sandbox, and no forensic and monitoring tools like Wireshark, Procmon, Ollydbg, and Fiddler are running in the background. At its core, MeowMeow is equipped to remotely execute PowerShell commands on the compromised host and support file system operations, such as the ability to read, write, and delete data.

ClearSky said it identified Russian language strings in the source code, reinforcing the assessment that the activity is the work of a Russian-speaking threat actor. “The presence of these Russian-language strings suggests two possibilities: the threat actor committed an operational security (OPSEC) error by failing to localize the code for the Ukrainian target environment, or they inadvertently left Russian development artifacts within the code during the malware’s production phase,” it said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks

Tycoon 2FA , one of the prominent phishing-as-a-service (PhaaS) toolkits that allowed cybercriminals to stage adversary-in-the-middle (AitM) credential harvesting attacks at scale, was dismantled by a coalition of law enforcement agencies and security companies. The subscription-based phishing kit , which first emerged in August 2023 , was described by Europol as one of the largest phishing operations worldwide. The kit was sold via Telegram and Signal for a starting price of $120 for 10 days or $350 for access to a web-based administration panel for a month. Tycoon 2FA’s primary developer is alleged to be Saad Fridi , who is said to be based in Pakistan.

The panel serves as a hub for configuring, tracking, and refining campaigns. It features pre‑built templates, attachment files for common lure formats, domain and hosting configuration, redirect logic, and victim tracking. Operators can also configure how the malicious content is delivered through attachments, as well as keep tabs on valid and invalid sign-in attempts. The captured information, such as credentials, multi-factor authentication (MFA) codes, and session cookies, can be downloaded directly within the panel or forwarded to Telegram for near‑real‑time monitoring.

“It enabled thousands of cybercriminals to covertly access email and cloud-based service accounts,” Europol said . “At scale, the platform generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations globally, including schools, hospitals, and public institutions.” As part of the coordinated effort, 330 domains that formed the backbone of the criminal service, including phishing pages and control panels, have been taken down. Characterizing Tycoon 2FA as “dangerous,” Intel 471 said the kit was linked to over 64,000 phishing incidents and tens of thousands of domains , generating tens of millions of phishing emails each month. According to Microsoft, which is tracking the operators of the service under the name Storm-1747, Tycoon 2FA became the most prolific platform observed by the company in 2025, prompting it to block more than 13 million malicious emails linked to the crimeware service in October 2025.

In total, Tycoon 2FA accounted for approximately 62% of all phishing attempts blocked by Microsoft as of mid-2025, including more than 30 million emails in a single month. The service has been linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers, the tech giant added . Tycoon 2FA Evolution Timeline (Source: Point Wild) Geographic analysis of victim log data by SpyCloud indicates that the U.S. had the largest concentration of identified victims (179,264), followed by the U.K.

(16,901), Canada (15,272), India (7,832), and France (6,823). “The overwhelming majority of targeted accounts were enterprise-managed or otherwise associated with paid domains, reinforcing the conclusion that Tycoon 2FA is primarily directed at business environments rather than individual consumer accounts,” the cybersecurity company said . Data from Proofpoint shows that Tycoon 2FA accounted for the highest volume AiTM phishing threats. The email security company said it observed over three million messages associated with the phishing kit in February 2026 alone.

Trend Micro, which was one of the private sector partners in the operation, noted that the PhaaS platform had approximately 2,000 users. Campaigns leveraging Tycoon 2FA have indiscriminately targeted almost all sectors, including education, healthcare, finance, non-profit, and government. Phishing emails sent from the kit reached over 500,000 organizations each month worldwide. “Tycoon 2FA’s platform enabled threat actors to impersonate trusted brands by mimicking sign-in pages for services like Microsoft 365, OneDrive, Outlook, SharePoint, and Gmail,” Microsoft said .

“It also allowed threat actors using its service to establish persistence and to access sensitive information even after passwords are reset, unless active sessions and tokens were explicitly revoked. This worked by intercepting session cookies generated during the authentication process, simultaneously capturing user credentials. The MFA codes were subsequently relayed through Tycoon 2FA’s proxy servers to the authenticating service.” The kit also employed techniques like keystroke monitoring, anti-bot screening, browser fingerprinting, heavy code obfuscation, self-hosted CAPTCHAs, custom JavaScript, and dynamic decoy pages to sidestep detection efforts. Another key aspect is the use of a broader mix of top-level domains (TLDs) and short-lived fully qualified domain names (FQDNs) to host the phishing infrastructure on Cloudflare.

The FQDNs often only last for 24 to 72 hours, with the rapid turnover a deliberate effort to complicate detection and prevent building reliable blocklists. Microsoft also attributed Tycoon 2FA’s success to closely mimicking legitimate authentication processes to stealthily intercept user credentials and session tokens. To make matters worse, Tycoon 2FA customers leveraged a technique called ATO Jumping, whereby a compromised email account is used to distribute Tycoon 2FA URLs and attempt further account takeover activities. “Using this technique enables emails to look like they are authentically coming from a victim’s trusted contact, increasing the likelihood of a successful compromise,” Proofpoint noted.

Phishing kits like Tycoon are designed to be flexible so that it’s accessible to less technically savvy actors while still offering advanced capabilities for more experienced operators. “In 2025, 99% of organizations experienced account takeover attempts in 2025, and 67% experienced a successful account takeover,” Selena Larson, staff threat researcher at Proofpoint, said in a statement shared with The Hacker News. “Of these, 59% of the taken-over accounts had MFA enabled. While not all of these attacks were related to Tycoon MFA, this shows the impact of AiTM phishing on enterprises.” “These cyberattacks that enable full account takeovers can lead to disastrous impacts, including ransomware or the loss of sensitive data.

As threat actors continue to prioritize identity, gaining access to enterprise email accounts is often the first step in an attack chain that can have destructive consequences.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials

A joint law enforcement operation has dismantled LeakBase , one of the world’s largest online forums for cybercriminals to buy and sell stolen data and cybercrime tools. The LeakBase forum, per the U.S. Department of Justice (DoJ), had over 142,000 members and more than 215,000 messages between members as of December 2025. Those attempting to access the forum’s website (“ leakbase[.]la “) are now greeted with a seizure banner that says it was confiscated by the U.S.

Federal Bureau of Investigation (FBI) as part of an international law enforcement effort. “All forum content, including users’ accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes,” the banner reads. Available in English and accessible over the clearnet, LeakBase offered hacked databases , including hundreds of millions of account credentials and financial information such as credit and debit card numbers, banking account and routing information, usernames, and associated passwords that could be abused to facilitate account takeovers. According to a report published by Flare in April 2023, LeakBase explicitly prohibited users from peddling or publishing Russian databases, likely in an attempt to avoid scrutiny.

The forum has been active since June 2021. LeakBase is one of the aliases for Chucky, who also goes by the monikers Chuckies and Sqlrip across various underground forums. Per SOCRadar , the threat actor has a track record of sharing vast collections of databases, often containing sensitive information from global entities. What’s more, SpyCloud revealed early last month that the forum had been down for a few days and that Chucky was looking for a new hosting provider.

Some of the other known administrators and moderators of LeakBase include BloodyMery, OrderCheck, and TSR . As part of the disruption exercise codenamed Operation Leak that took place on March 3 and 4, 2026, authorities executed search warrants, made arrests, and conducted interviews in the U.S., Australia, Belgium, Poland, Portugal, Romania, Spain, and the U.K. In a coordinated announcement, Europol said LeakBase specialized in the sale of stealer logs, which contain archives of credentials harvested through infostealer malware. The information could be weaponized to conduct account takeover, fraud, and other cyber intrusions.

The agency said around 100 enforcement actions were conducted across the world, including taking unspecified measures against 37 of the most active users of the platforms. “The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users’ accounts, posts, credit details, private messages, and IP logs for evidentiary purposes,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict

Cybersecurity researchers have warned of a surge in retaliatory hacktivist activity following the U.S.-Israel coordinated military campaign against Iran , codenamed Epic Fury and Roaring Lion. “The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, driving nearly 70% of all attack activity between February 28 and March 2,” Radware said in a Tuesday report. The first distributed denial-of-service (DDoS) attack was launched by Hider Nex (aka Tunisian Maskers Cyber Force) on February 28, 2026. According to details shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports pro-Palestinian causes.

It leverages a hack-and-leak strategy combining DDoS attacks with data breaches to leak sensitive data and advance its geopolitical agenda. The group emerged in mid-2025. In all, a total of 149 hacktivist DDoS claims were recorded targeting 110 distinct organizations across 16 countries. The attacks were carried out by 12 different groups, including Keymous+ , DieNet , and NoName057(16) , which accounted for 74.6% of all activity.

Of these attacks, the vast majority, 107, were concentrated in the Middle East, disproportionately targeting public infrastructure and state-level targets. Europe was the target of 22.8% of the total global activity during the time period. Nearly 47.8% of all targeted organizations globally belonged to the government sector, followed by finance (11.9%) and telecommunications (6.7%) sectors. “The digital front is expanding alongside the physical one in the region, with hacktivist groups simultaneously targeting more nations in the Middle East than ever before,” Radware said.

“The distribution of attacks within the region was heavily concentrated in three specific nations: Kuwait, Israel, and Jordan, with Kuwait accounting for 28%, Israel for 27.1%, and Jordan for 21.5% of the total attack claims.” Besides Keymous+, DieNet, and NoName057(16), some of the other groups that have engaged in disruptive operations include Nation of Saviors (NOS), the Conquerors Electronic Army (CEA), Sylhet Gang, 313 Team, Handala Hack, APT Iran, the Cyber Islamic Resistance, Dark Storm Team, the FAD Team, Evil Markhors, and PalachPro, per data from Flashpoint, Palo Alto Networks Unit 42, and Radware. The current scope of cyber attacks is listed below - Pro-Russian hacktivist groups like Cardinal and Russian Legion claimed to have breached Israeli military networks, including its Iron Dome missile defense system. An active SMS phishing campaign has been observed using a rogue replica of the Israeli Home Front Command RedAlert application to deliver mobile surveillance and data-exfiltrating malware. “By manipulating victims into sideloading this malicious APK under the guise of an urgent wartime update, the adversaries successfully deploy a fully functional alert interface that masks an invasive surveillance engine designed to prey on a hyper-vigilant population,” CloudSEK said .

Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted the energy and digital infrastructure sectors in the Middle East, striking Saudi Aramco and an Amazon Web Services data center in the U.A.E. with an intent to “inflict maximum global economic pain as a counter-pressure to military losses,” Flashpoint said. Cotton Sandstorm (aka Haywire Kitten) revived its old cyber persona, Altoufan Team , claiming to have hacked websites in Bahrain. “This reflects the reactive nature of the actor’s campaigns and a high probability of their further involvement in intrusions across the Middle East amid the conflict,” Check Point said.

Data gathered by Nozomi Networks shows that the Iranian state-sponsored hacking group known as UNC1549 (aka GalaxyGato, Nimbus Manticore, or Subtle Snail) was the fourth most active actor in the second half of 2025, focusing its attacks on defense, aerospace, telecommunications, and regional government entities to advance the nation’s geopolitical priorities. Major Iranian cryptocurrency exchanges have remained operational but announced operational adjustments , either suspending or batching withdrawals, and issuing risk guidance urging users to prepare for possible connectivity disruption. “What we’re seeing in Iran is not clear evidence of mass capital flight, but rather a market managing volatility under constrained connectivity and regulatory intervention,” said Ari Redbord, Global Head of Policy at TRM Labs. “For years, Iran has operated a shadow economy that, in part, has used crypto to evade sanctions, including through sophisticated offshore infrastructure.

What we’re seeing now – under the strain of war, connectivity shutdowns, and volatile markets – is a real-time stress test of that infrastructure and the regime’s ability to leverage it.” Sophos said it “observed a surge in hacktivist activity, but not an escalation in risk,” primarily from pro-Iran personas, including Handala Hack team and APT Iran in the form of DDoS attacks, website defacements, and unverified claims of compromises involving Israeli infrastructure. The U.K. National Cyber Security Centre (NCSC) alerted organizations to a heightened risk of Iranian cyber attacks, urging them to strengthen their cybersecurity posture to better respond to DDoS attacks , phishing activity , and ICS Targeting . In a post shared on LinkedIn, Cynthia Kaiser, ransomware research center SVP at Halcyon and former Deputy Assistant Director with the Federal Bureau of Investigation’s Cyber Division, said Iran has a track record of using cyber operations to retaliate against “perceived political slights,” adding these activities have increasingly incorporated ransomware.

“Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries,” Kaiser added . “That’s because having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact.” Cybersecurity company SentinelOne has also assessed with high confidence that organizations in Israel, the U.S., and allied nations are likely to face direct or indirect targeting, particularly within government, critical infrastructure, defense, financial services, academic, and media sectors. “Iranian threat actors have historically demonstrated a willingness to blend espionage, disruption, and psychological impact operations to advance strategic objectives,” Nozomi Networks said .

“In periods of instability, these operations often intensify, targeting critical infrastructure, energy networks, government entities, and private industry far beyond the immediate conflict zone.” To counter the risk posed by the kinetic conflict, organizations are advised to activate continuous monitoring to reflect escalated threat activity, update threat intelligence signatures, reduce external attack surface, conduct comprehensive exposure reviews of connected assets, validate proper segmentation between information technology and operational technology networks, and ensure proper isolation of IoT devices. “In past conflicts, Tehran’s cyber actors have aligned their activity with broader strategic objectives that increase pressure and visibility at targets, including energy, critical infrastructure, finance, telecommunications, and healthcare,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement shared with The Hacker News. “Iranian adversaries have continued to evolve their tradecraft, expanding beyond traditional intrusions into cloud and identity-focused operations, which positions them to act rapidly across hybrid enterprise environments with increased scale and impact.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1

Google said it identified a “new and powerful” exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1. The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It’s not effective against the latest version of iOS. The findings were first reported by WIRED.

“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,” according to GTIG. “The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks.” The kit is said to have circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed attacker, and finally, to a financially motivated threat actor operating from China by December. It’s currently not known how the exploit kit changed hands, but the findings point to an active market for second-hand zero-day exploits, allowing other threat actors to reuse them for their own objectives. In a related report, iVerify said the exploit kit has similarities to previous frameworks developed by threat actors affiliated with the U.S.

government. “Coruna is one of the most significant examples we’ve observed of sophisticated spyware-grade capabilities proliferating from commercial surveillance vendors into the hands of nation-state actors and ultimately mass-scale criminal operations,” iVerify said . The mobile security vendor said the use of the sophisticated exploit framework marks the first observed mass exploitation against iOS devices, indicating that spyware attacks are shifting from being highly targeted to broad deployment. Google said it first captured parts of an iOS exploit chain used by a customer of an unnamed surveillance company early last year, with the exploits integrated into a never-before-seen JavaScript framework.

The framework is designed to fingerprint the device to determine if it’s real and gather details, including the specific iPhone model and iOS software version it is running. The framework then loads the appropriate WebKit remote code execution (RCE) exploit based on the fingerprint data, followed by executing a pointer authentication code (PAC) bypass. The exploit in question relates to CVE-2024-23222 , a type confusion bug in WebKit that was patched by Apple in January 2024 with iOS 17.3 and iPadOS 17.3 and iOS 16.7.5 and iPadOS 16.7.5. Fast forward to July 2025, the same JavaScript framework was detected on the domain “cdn.uacounter[.]com,” which was loaded as a hidden iFrame on compromised Ukrainian websites.

This included websites catering to industrial equipment, retail tools, local services, and e-commerce. A suspected Russian espionage group named UNC6353 is assessed to be behind the campaign. What’s interesting about the activity was that the framework was delivered only to certain iPhone users from a specific geolocation. The exploits deployed as part of the framework consisted of CVE-2024-23222, CVE-2022-48503 , and CVE-2023-43000 , the last of which is a use-after-free flaw in WebKit.

It’s worth noting that CVE-2023-43000 was addressed by Apple in iOS 16.6 and iPadOS 16.6, released in July 2023. However, the security release notes were updated to include an entry for the vulnerability only on November 11, 2025. The third time the JavaScript framework was detected in the wild was in December 2025. A cluster of fake Chinese websites, most of them related to finance, were found to drop the iOS exploit kit after instructing users to visit them from an iPhone or iPad for a better user experience.

The activity is attributed to a threat cluster tracked as UNC6691. Once these websites are accessed via an iOS device, a hidden iFrame is injected to deliver the Coruna exploit kit containing CVE-2024-23222. The exploit delivery, in this case, was not constrained by any geolocation criteria. Further analysis of the threat actor’s infrastructure led to the discovery of a debug version of the exploit kit, along with various samples covering five full iOS exploit chains.

A total of 23 exploits spanning versions from iOS 13 to iOS 17.2.1 have been identified. Some of the CVEs exploited by the kit and the corresponding iOS versions they targeted are listed below - Neutron - CVE-2020-27932 (versions 13.x) Dynamo - CVE-2020-27950 (versions 13.x) buffout - CVE-2021-30952 (versions 13 → 15.1.1) jacurutu - CVE-2022-48503 (versions 15.2 → 15.5) IronLoader - CVE-2023-32409 (versions 16.0 → 16.3.116.4.0) Photon - CVE-2023-32434 (versions 14.5 → 15.7.6) Gallium - CVE-2023-38606 (versions 14.x) Parallax - CVE-2023-41974 (versions 16.4 → 16.7) terrorbird - CVE-2023-43000 (versions 16.2 → 16.5.1) cassowary - CVE-2024-23222 (versions 16.6 → 17.2.1) Sparrow - CVE-2024-23225 (versions 17.0 → 17.3) Rocket - CVE-2024-23296 (versions 17.1 → 17.4) “Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of Operation Triangulation ,” Google said. “The Coruna exploit kit also embeds reusable modules to ease the exploitation of the aforementioned vulnerabilities.” In June 2023, the Russian government claimed the campaign was the work of the U.S. National Security Agency, accusing it of hacking “several thousand” Apple devices belonging to domestic subscribers and foreign diplomats as part of a “reconnaissance operation.” UNC6691 has been observed weaponizing the exploit to deliver a stager binary codenamed PlasmaLoader (aka PLASMAGRID) that’s designed to decode QR codes from images and run additional modules retrieved from an external server, allowing it to exfiltrate cryptocurrency wallets or sensitive information from various apps like Base, Bitget Wallet, Exodus, and MetaMask, among others.

“The implant contains a list of hard-coded C2s but has a fallback mechanism in case the servers do not respond,” GTIG added. “The implant embeds a custom domain generation algorithm (DGA) using the string ‘lazarus’ as a seed to generate a list of predictable domains. The domains will have 15 characters and use .xyz as a TLD. The attackers use Google’s public DNS resolver to validate if the domains are active.” A notable aspect of Coruna is that it skips execution on devices in Lockdown Mode , or if the user is in private browsing.

To counter the threat, iPhone users are advised to keep their devices up to date, and enable Lockdown Mode for enhanced security. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New RFP Template for AI Usage Control and AI Governance

As AI becomes the central engine for enterprise productivity, security leaders are finally getting the green light — and the budget — to secure it. But there’s a quiet crisis unfolding in the boardroom: many organizations know they need “AI Governance,” but they have no idea what they are actually looking for. The CISO’s Dilemma: You Have the AI Budget, but Do You Have the Requirements? As AI becomes the central engine for enterprise productivity, security leaders are finally getting the green light—and the budget—to secure it.

But there’s a quiet crisis unfolding in the boardroom: many organizations know they need “AI Governance,” but they have no idea what they are actually looking for. Without a structured way to evaluate the exploding market of AI Usage Control (AUC) solutions, teams risk “investing” in legacy tools that were never built for the age of agentic workflows and shadow browser extensions. A new RFP Guide for Evaluating AI Usage Control and AI Governance Solutions has been released to solve this exact problem. It’s not just a checklist; it’s a technical framework designed to help security architects and CISOs move from vague “AI security” goals to specific, measurable project criteria.

Stop Fighting App Proliferation; Start Governing Interactions The conventional wisdom says that to secure AI, you need to catalog every application your employees touch. This is a losing battle. The RFP Guide argues for a counterintuitive shift: AI security isn’t an “app” problem; it’s an interaction problem. If you focus on the app, you’re always playing catch-up with the 500+ new GPT-based tools launched every week.

If you focus on the interaction (i.e., the moment a prompt is typed or a file is uploaded) you gain control that is tool-agnostic. The benefit for you: By using this RFP to demand “interaction-level inspection,” you stop being a bottleneck for innovation and start being a guardian of data, regardless of which “Shadow AI” tool your marketing team just discovered. Why Your Current Security Stack is Failing the AI Test Many vendors claim they “do AI security” as a checkbox feature within their CASB or SSE. The RFP Guide helps you see through this marketing.

Most legacy tools rely on network-layer visibility, which is blind to what happens inside a browser-side panel or an encrypted IDE plugin. The Guide forces vendors to answer the hard questions: Can you detect AI usage in Incognito mode? Do you support “AI-native” browsers like Atlas, Dia, or Comet? Can you distinguish between a corporate identity and a personal one in the same session?

The benefit for you: This structured approach prevents “feature-wash” by forcing vendors to prove they can operate at the point of interaction without requiring heavy endpoint agents or disruptive network changes. The 8 Pillars of a Mature AI Governance Project The RFP Template provides a technical grading system across eight critical domains to ensure your chosen solution is future-proof: Section What You’re Actually Testing

AI Discovery & Coverage Visibility across browsers, SaaS, extensions, and IDEs. 2.

Contextual Awareness Does the tool understand who is asking and why ? 3. Policy Governance Can you block PII but allow benign summaries? 4.

Real-Time Enforcement Stopping a leak before the “Enter” key is hit. 5. Auditability Providing “compliance-ready” reports for the board. 6.

Architecture Fit Can it be deployed in hours without breaking the network? 7. Deployment & Management Ensuring the tool isn’t a burden on your IT staff. 8.

Vendor Futureproofing Readiness for autonomous, agent-driven workflows. Governance Isn’t a Policy Document. It’s Enforceable, Measurable Controls. The goal of this RFP isn’t just to gather data; it’s to grade it.

The Guide includes a response format that requires vendors to provide more than just a “Yes/No.” Rather, they must describe the how and provide references. This level of structure takes the guesswork out of procurement. Instead of a subjective “feeling” about a vendor, you get a score-based comparison of how they handle real-world risks like prompt injections and unmanaged BYOD environments. Your Next Step: Define Your Requirements Before the Market Defines Them for You Use the RFP Guide for Evaluating AI Usage Control Solutions to take the lead.

It will help you standardize your evaluation, accelerate your research, and ultimately enable safe AI adoption that scales with the business. Download the RFP Guide and Template Here to start building your AI governance framework today. Found this article interesting? This article is a contributed piece from one of our valued partners.

Fake Laravel Packages on Packagist Deploy RAT on Windows, macOS, and Linux

Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) that’s functional on Windows, macOS, and Linux systems. The names of the packages are listed below - nhattuanbl/lara-helper (37 Downloads) nhattuanbl/simple-queue (29 Downloads) nhattuanbl/lara-swagger (49 Downloads) According to Socket, the package “nhattuanbl/lara-swagger” does not directly embed malicious code, lists “nhattuanbl/lara-helper” as a Composer dependency , causing it to install the RAT. The packages are still available for download from the PHP package registry. Both lara-helper and simple-queue have been found to contain a PHP file named “src/helper.php,” which employs a number of tricks to complicate static analysis by making use of techniques like control flow obfuscation, encoding domain names, command names, and file paths, and randomized identifiers for variable and function names.

“Once loaded, the payload connects to a C2 server at helper.leuleu[.]net:2096, sends system reconnaissance data, and waits for commands – giving the operator full remote access to the host,” security researcher Kush Pandya said. This includes sending system information and parsing commands received from the C2 server for subsequent execution on the compromised host. The communication occurs over TCP using PHP’s stream_socket_client() . The list of supported commands is below - ping , to send a heartbeat automatically every 60 seconds info , to send system reconnaissance data to the C2 server cmd , to run a shell command powershell , to run a PowerShell command run , to run a shell command in the background screenshot , to capture the screen using imagegrabscreen() download , to read a file from disk upload , to a file on disk and grant it read, write, and execute permissions to all users stop , to the socket, and exit “For shell execution, the RAT probes disable_functions and picks the first available method from: popen, proc_open, exec, shell_exec, system, passthru,” Pandya said.

‘This makes it resilient to common PHP hardening configurations.” While the C2 server is currently non-responsive, the RAT is configured such that it retries the connection every 15 seconds in a persistent loop, making it a security risk. Users who have installed the packages are advised to assume compromise, remove them, rotate all secrets accessible from the application environment, and audit outbound traffic to the C2 server. Besides the aforementioned three packages, the threat actor behind the operation has published three other libraries (“nhattuanbl/lara-media,” “nhattuanbl/snooze,” and “nhattuanbl/syslog”) that are clean, likely in an effort to build credibility and trick users into installing the malicious ones. “Any Laravel application that installed lara-helper or simple-queue is running a persistent RAT.

The threat actor has full remote shell access, can read and write arbitrary files, and receives an ongoing system profile for each connected host,” Socket said. “Because activation happens at application boot (via service provider) or class autoloads (via simple-queue), the RAT runs in the same process as the web application with the same filesystem permissions and environment variables, including database credentials, API keys, and .env contents.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.