2026-03-13 AI创业新闻

Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays

Cybersecurity researchers have disclosed details of a new banking malware targeting Brazilian users that’s written in Rust, marking a significant departure from other known Delphi-based malware families associated with the Latin American cybercrime ecosystem. The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian cybersecurity company ZenoX. What makes VENON notable is that it shares behaviors that are consistent with established banking trojans targeting the region, such as Grandoreiro, Mekotio, and Coyote, specifically when it comes to features like banking overlay logic, active window monitoring, and a shortcut (LNK) hijacking mechanism. The malware has not been attributed to any previously documented group or campaign.

However, an earlier version of the artifact, dating back to January 2026, has been found to expose full paths from the malware author’s development environment. The paths repeatedly reference a Windows machine username “byst4” (e.g., “C:\Users\byst4...”). “The Rust code structure presents patterns suggesting a developer familiar with the capabilities of existing Latin American banking trojans, but who used generative AI to rewrite and expand these functionalities in Rust, a language that requires significant technical experience to use at the observed level of sophistication,” ZenoX said . VENON is distributed by means of a sophisticated infection chain that uses DLL side-loading to launch a malicious DLL.

It’s suspected that the campaign leverages social engineering ploys like ClickFix to trick users into downloading a ZIP archive containing the payloads by means of a PowerShell script. Once the DLL is executed, it performs nine evasion techniques, including anti-sandbox checks, indirect syscalls, ETW bypass, AMSI bypass, before actually initiating any malicious actions. It also reaches out to a Google Cloud Storage URL to retrieve a configuration, install a scheduled task, and establish a WebSocket connection to the command-and-control (C2) server. Also extracted from the DLL are two Visual Basic Script blocks that implement a shortcut hijacking mechanism exclusively targeting the Itaú banking application.

The components work by replacing the legitimate system shortcuts with tampered versions that redirect the victim to a web page under the threat actor’s control. The attack also supports an uninstall step to undo the modifications, suggesting that the operation can be remotely controlled by the operator to restore the shortcuts to what they originally were to cover up the tracks. In all, the banking malware is equipped to target 33 financial institutions and digital asset platforms by monitoring the window title and active browser domain, springing into action only when any of the targeted applications or websites are opened to facilitate credential theft by serving fake overlays. The disclosure comes amid campaigns where threat actors are exploiting the ubiquity of WhatsApp in Brazil to distribute a worm named SORVEPOTEL via the messaging platform’s desktop web version.

The attack hinges on abusing previously authenticated chats to deliver malicious lures directly to victims, ultimately resulting in the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth. “A single WhatsApp message delivered through a hijacked SORVEPOTEL session was sufficient to draw a victim into a multi-stage chain that ultimately resulted in an Astaroth implant running fully in memory,” Blackpoint Cyber said . “The combination of local automation tooling, unsupervised browser drivers, and user-writable runtimes created an unusually permissive environment, allowing both the worm and the final payload to establish themselves with minimal friction.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks

Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163 . “Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take,” IBM X-Force researcher Golo Mühr said in a report shared with The Hacker News. Hive0163’s operations are driven by extortion through large-scale data exfiltration and ransomware. The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.

In one ransomware attack observed by the company in early 2026, the threat actor was observed deploying Slopoly during the post-exploitation phase so as to maintain persistent access to the compromised server for more than a week. Slopoly’s discovery can be traced back to a PowerShell script that’s likely deployed into the “C:\ProgramData\Microsoft\Windows\Runtime" folder by means of a builder. Persistence is achieved by setting up a scheduled task called “Runtime Broker.” There are signs that the malware was developed with the help of an as-yet-undetermined large language model (LLM). This includes the presence of extensive comments, logging, error handling, and accurately named variables.

The comments also describe the script as a “Polymorphic C2 Persistence Client,” indicating that it’s part of a command-and-control (C2) framework. “However, the script does not possess any advanced techniques and can hardly be considered polymorphic, since it’s unable to modify its own code during execution,” Mühr noted. “The builder may, however, generate new clients with different randomized configuration values and function names, which is standard practice among malware builders.” The PowerShell script functions as a full-fledged backdoor that can beacon a heartbeat message containing system information to a C2 server every 30 seconds, poll for a new command every 50 seconds, execute it via “cmd.exe,” and relay the results back to the server. The exact nature of the commands run on the compromised network is currently unknown.

The attack in itself is said to have leveraged the ClickFix social engineering tactic to trick the victim into running a PowerShell command, which then downloads NodeSnake, a known malware attributed to Hive0163. A first-stage component, NodeSnake, is designed to run shell commands, establish persistence, and retrieve and launch a wider malware framework referred to as Interlock RAT. Hive0163 has a track record of employing ClickFix and malvertising for initial access. Another method the threat actor uses to establish a foothold is by relying on initial access brokers such as TA569 (aka SocGholish) and TAG-124 (aka KongTuke and LandUpdate808).

The framework has multiple implementations in PowerShell, PHP, C/C++, Java, and JavaScript to support both Windows and Linux. Like NodeSnake, it also communicates with a remote server to fetch commands that allow it to launch a SOCKS5 proxy tunnel, spawn a reverse shell on the infected machine, and deliver more payloads, such as Interlock ransomware and Slopoly. The emergence of Slopoly adds to a growing list of AI-assisted malware, which also includes VoidLink and PromptSpy , highlighting how bad actors are using the technology to accelerate malware development and scale their operations. “The introduction of AI-generated malware does not pose a new or sophisticated threat from a technical standpoint,” IBM X-Force said.

“It disproportionately enables threat actors by reducing the time an operator needs to develop and execute an attack.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

How to Scale Phishing Detection in Your SOC: 3 Steps for CISOs

Phishing has quietly turned into one of the hardest enterprise threats to expose early. Instead of crude lures and obvious payloads, modern campaigns rely on trusted infrastructure, legitimate-looking authentication flows, and encrypted traffic that conceals malicious behavior from traditional detection layers. For CISOs, the priority is now clear: scale phishing detection in a way that helps the SOC uncover real risk before it becomes credential theft, business interruption, and board-level fallout. Why Scaling Phishing Detection Has Become a Priority for Modern SOCs For many security teams, phishing is no longer a single alert to investigate — it is a continuous stream of suspicious links, login attempts, and user-reported messages that must be validated quickly.

The problem is that most SOC workflows were never designed to handle this volume. Each investigation still requires time, context gathering, and manual validation, while attackers operate at machine speed. When phishing detection cannot scale, the consequences quickly reach the CISO’s desk: Stolen corporate identities: Attackers capture employee credentials and gain access to email, SaaS platforms, VPNs, and internal systems. Account takeover inside trusted environments: Once authenticated, attackers operate as legitimate users, bypassing many security controls.

Lateral movement through SaaS and cloud platforms: Compromised identities enable access to sensitive data, internal tools, and shared infrastructure. Delayed incident detection: By the time the SOC confirms malicious activity, the attacker may already be active inside the environment. Operational disruption and financial impact: Phishing-driven breaches can lead to fraud, data exposure, and business downtime. Regulatory and compliance consequences: Identity compromise and data access incidents often trigger reporting obligations and investigations.

For CISOs, the message is clear: phishing detection must operate at the same speed and scale as the attacks themselves, or the organization will always be reacting after the damage has begun. What a Scaled Phishing Defense Looks Like A SOC that can handle phishing at scale behaves very differently from one that cannot. Suspicious activity is validated quickly, investigation queues do not grow uncontrollably, and analysts spend less time researching indicators and more time acting on confirmed threats. Escalations are based on clear behavioral evidence rather than assumptions.

Identity-driven attacks are detected before they spread across SaaS platforms and internal systems. Earlier detection of credential theft and account takeover attempts Faster containment before phishing turns into a broader compromise Less analyst overload and fewer investigation bottlenecks Higher-quality escalations backed by real behavioral evidence Lower risk of disruption across email, SaaS, VPN, and cloud environments Reduced financial, operational, and regulatory exposure Stronger confidence in the SOC’s ability to stop attacks before business impact begins The Investigation Model Built for Modern Phishing: Three Changes CISOs Should Introduce Modern phishing attacks are built to exploit delay, limited visibility, and fragmented investigation workflows. To keep pace, SOC teams need a model that helps them validate suspicious activity faster, expose real phishing behavior safely, and uncover what traditional detection layers miss. The three steps below are becoming essential for CISOs who want phishing detection to scale with the threat.

Step #1: Safe Interaction. Stepping into the Phishing Trap Without Risk Many modern phishing attacks do not reveal their real purpose immediately. A suspicious link may load what looks like a harmless page, while the real attack begins only after a user clicks through several redirects or enters credentials. By the time the malicious behavior becomes visible, attackers may already have captured login details or active sessions.

This is why traditional investigation methods often struggle with modern phishing. Static analysis can surface useful indicators such as domain reputation or file metadata, but it rarely shows how the attack actually unfolds. Analysts must infer risk from fragmented signals, which slows decisions and leaves room for dangerous assumptions. Interactive sandbox analysis changes this dynamic.

Instead of guessing what a suspicious link or attachment might do, SOC teams can execute it in a controlled environment and interact with it exactly as a user would. Analysts can click through pages, follow redirect chains, submit test credentials, and observe how the phishing infrastructure behaves in real time, all without exposing the organization to risk. The difference between static and interactive investigation is significant: Static Analysis Interactive Analysis How it works Checks metadata, reputation, and surface signals Runs the link or file in a safe environment What the SOC sees Hashes, domains, basic page content Redirects, phishing pages, network activity, dropped files What it often misses Behavior that appears after clicks or credential input The full phishing flow as it unfolds Decision quality Based on signals and assumptions Based on visible behavior Investigation speed Slower, with more manual checks Faster, with quicker verdicts Risk to the business Higher chance of delay and missed phishing Earlier detection before users are exposed CISO outcome More backlog, more uncertainty, more exposure Faster response, clearer escalations, lower risk In the interactive analysis session below, an analyst uses ANY.RUN sandbox to reveal the full behavior of a Tycoon2FA phishing attack in just 55 seconds . The login form is hosted on Microsoft Azure Blob Storage , a legitimate service that makes the page harder to catch with static checks alone.

By safely interacting with the sample, the analyst uncovers the full attack chain and extracts actionable IOCs and TTPs for further detection. Check real phishing exposed in 55 seconds A malicious Tycoon2FA sample on a legitimate Microsoft Blob Storage domain, analyzed in 55 seconds inside ANY.RUN sandbox For CISOs, this means: Earlier detection of phishing campaigns before user exposure Faster decisions based on real behavioral evidence Actionable IOCs and TTPs for stronger downstream detection Lower risk of credential theft and account compromise Expose phishing attacks earlier with clear behavioral evidence and reduce the risk of identity-driven compromise across the business. Strengthen phishing detection Step #2: Automation. Scaling Phishing Investigations Without Scaling the Team Even with interactive analysis in place, most SOCs still face the same problem: volume .

Suspicious links, attachments, QR codes, and user-reported messages arrive constantly, and manual review does not scale. Automation helps solve this by executing suspicious artifacts in a controlled sandbox, collecting indicators, and returning an initial verdict in seconds. But modern phishing often includes CAPTCHAs, QR codes, multi-step redirects, and other interaction gates that break traditional automation. In those cases, analysts are forced to spend time clicking through pages, solving challenges, and trying to reach the real malicious content themselves.

This slows investigations and drains valuable analyst time. The stronger approach is automation combined with safe interactivity . In a sandbox like ANY.RUN , automated analysis can imitate real analyst behavior, interact with pages, solve challenges, and move through phishing flows automatically. Instead of stopping halfway through the attack chain or producing an inconclusive result, the sandbox continues execution until the full behavior becomes visible.

Phishing with a QR code analyzed inside ANY.RUN sandbox In 90% of cases, the verdict is available in under 60 seconds , giving SOC teams the speed they need to keep pace with phishing at scale. 55 seconds needed to reveal full attack chain, targeting enterprises For CISOs, this hybrid model delivers clear operational benefits: Higher investigation throughput without expanding SOC headcount Less manual work for analysts, reducing fatigue and burnout More accurate verdicts , even for phishing attacks designed to evade automation Step #3: SSL Decryption. Breaking the Illusion of Legitimate Traffic Modern phishing campaigns increasingly operate entirely inside encrypted HTTPS sessions . Login pages, redirect chains, credential harvesting forms, and token theft mechanisms are delivered through legitimate infrastructure and protected by valid SSL certificates.

To most monitoring systems, this traffic looks completely normal. This creates a dangerous illusion of trust. A connection to port 443, a secure login page, and a valid certificate often appear indistinguishable from legitimate business activity, even while credentials are being stolen inside the session. Traditional inspection methods struggle with this challenge.

Many tools can see the encrypted connection, but cannot reveal what actually happens inside it. As a result, confirming phishing often requires additional investigation steps, which slows response and increases the risk of credential compromise. An ordinary-looking page acts as the starting point for the phishing attack Automatic SSL decryption inside the sandbox removes this barrier. By extracting encryption keys directly from process memory during execution, ANY.RUN decrypts HTTPS traffic internally and exposes the full phishing behavior during analysis.

Redirect chains, credential capture mechanisms, and attacker infrastructure become immediately visible. As phishing increasingly hides behind encryption, the ability to analyze HTTPS traffic without delay becomes important for maintaining reliable detection at scale. Reduce exposure to phishing attacks in your company. Integrate ANY.RUN as part of your SOC’s triage & response.

Request access for your team Example: Detecting a Salty2FA Phishing Campaign Targeting Enterprises In this sandbox analysis session, a Salty2FA phishing attack that looks like routine HTTPS traffic is exposed inside ANY.RUN during the first run . With automatic SSL decryption , the sandbox reveals the malicious flow, triggers a Suricata rule , and produces a response-ready verdict in 40 seconds . See the full session here: Salty2FA Phishing Attack Analysis ANY.RUN sandbox provides connection details, showing HTTPS traffic For CISOs, this capability delivers critical security outcomes: Encrypted phishing is exposed before it turns into account takeover across core business platforms Stronger protection against MFA bypass, session hijacking, and identity-driven compromise hidden inside HTTPS traffic Faster, evidence-based confirmatio n during the first investigation, reducing escalation delays and analyst time spent on unclear cases Build a Phishing Investigation Model That Scales Modern phishing campaigns move quickly, hide behind trusted infrastructure, and increasingly rely on encrypted channels that make malicious activity appear legitimate. To keep pace, SOC teams need more than isolated tools; they need an investigation model designed to expose real phishing behavior early, handle growing volumes without overwhelming analysts, and reveal threats that hide inside encrypted traffic.

By combining safe interaction , automation , and SSL decryption , organizations can investigate suspicious activity faster, uncover hidden attack chains, and confirm malicious behavior with clear evidence during the first investigation. ANY.RUN’s solution improving SOC processes Many organizations have already adopted this approach, and CISOs report measurable operational improvements such as: 3× stronger SOC efficiency , giving CISOs more detection power without proportional team growth Up to 20% lower Tier 1 workload , easing analyst pressure and reducing operational strain 30% fewer escalations to Tier 2 , preserving senior expertise for the incidents that matter most 21 minutes cut from MTTR per case , helping contain phishing threats before impact spreads Earlier detection and clearer response , reducing breach exposure and business risk Cloud-based analysis with no hardware burden , lowering infrastructure costs and complexity Faster verdicts with less alert fatigue , improving speed and consistency across triage Quicker development of junior talent , helping teams build capability faster Strengthen your SOC with a phishing investigation model built for speed, visibility, and scale, reducing analyst overload, improving detection coverage, and lowering the business risk of delayed response. Found this article interesting? This article is a contributed piece from one of our valued partners.

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More

Another Thursday, another pile of weird security stuff that somehow happened in just seven days. Some of it is clever. Some of it is lazy. A few bits fall into that uncomfortable category of “yeah… this is probably going to show up in real incidents sooner than we’d like.” The pattern this week feels familiar in a slightly annoying way.

Old tricks are getting polished. New research shows how flimsy certain assumptions really are. A couple of things that make you stop mid-scroll and think, “wait… people are actually pulling this off?” There’s also the usual mix of strange corners of the ecosystem doing strange things — infrastructure behaving a little too professionally for comfort, tools showing up where they absolutely shouldn’t, and a few cases where the weakest link is still just… people clicking stuff they probably shouldn’t. Anyway.

If you’ve got five minutes and a mild curiosity about what attackers, researchers, and the broader internet gremlins were up to lately, this week’s ThreatsDay Bulletin on The Hacker News has the quick hits. Scroll on. OAuth consent abuse The Dangers of Malicious OAuth Applications Cloud security firm Wiz has warned of the dangers posed by malicious OAuth applications , highlighting how “consent fatigue” could open the door for attackers to gain access to a victim’s sensitive data by giving their malicious apps a legitimate-looking name. By accepting the permissions requested by a rogue OAuth application, the user is “adding” the attacker’s app into their company’s tenant.

“Once ‘Accept’ is clicked, the sign-in process is complete,” Wiz said . “But instead of going to a normal landing page, the access token is sent to the attacker’s Redirect URL. With that token, the attacker now has access to the user’s files or emails without ever needing to know their password.” The Google-owned company also said it detected a large-scale campaign active in early 2025 that involved 19 distinct OAuth applications impersonating well-known brands such as Adobe, DocuSign, and OneDrive, and targeted multiple organizations. Details of the activity were documented by Proofpoint in August 2025.

Messaging account takeover Russian Hackers Target Signal and WhatsApp Accounts Russian-linked hackers are trying to break into the Signal and WhatsApp accounts of government officials, journalists, and military personnel globally with an aim to get unauthorized access – not by breaking encryption, but by simply tricking people into handing over the security verification codes or PINs. “The most frequently observed method used by the Russian hackers is to masquerade as a Signal Support chatbot in order to induce their targets to divulge their codes,” the Netherlands Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) said . “The hackers can then use these codes to take over the user’s account. Another method used by the Russian actors takes advantage of the ‘linked devices’ function within Signal and WhatsApp.” It’s worth noting that a similar warning was issued by Germany last month.

“These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts,” Signal said . Google warned last year that Signal’s widespread use among Ukrainian soldiers, politicians, and journalists had made it a frequent target for Russian espionage operations. Cloud breach via software flaws Threat Actors Exploit Flaws in Third-Party Software to Breach Cloud Google has revealed that threat actors are increasingly exploiting vulnerabilities in third-party software to breach cloud environments. “The window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days,” the tech giant’s cloud division said .

“While software-based exploits increased, initial access by threat actors using misconfiguration, which accounted for 29.4% of incidents in the first half of 2025, dropped to 21% in H2 2025. Similarly, exposed sensitive UI or APIs continued a downward trend, falling from 11.8% in H1 to 4.9% in H2. This decline suggests that automated guardrails are making identity and configuration errors harder to exploit and that threat actors are being driven toward more sophisticated and costly vectors that specifically target software vulnerabilities to gain a foothold.” In most attacks investigated by Google, the actor’s objective was silent exfiltration of high volumes of data without immediate extortion and long-term persistence. Microcontroller debug bypass Breaking RH850’s Password Protection New research from Quarkslab has found that it’s possible to bypass the 16-byte password protection required for debug access on several variants of the RH850 microcontroller family using voltage fault injection in under one minute.

“Voltage glitching technique is performed by underpowering or overpowering the chip for a controlled amount of time to alter its behavior,” the security company said . “The crowbar attack is a specific type of voltage glitch where the power supply is shorted to the ground instead of injecting a specific voltage, using a MOSFET, for example.” Solar Spider suspects arrested 2 Nigerian Nationals Linked to Solar Spider Arrested in Greater Noida Two Nigerian nationals have been arrested by authorities in the Indian state of Uttar Pradesh for their alleged involvement in an e-crime operation known as Solar Spider . The suspects are believed to have been planning to siphon large amounts of money by leveraging security flaws in Indian cooperative banking systems. According to a report from The420.in, the individuals have been identified as Okechukwu Imeka and Chinedu Okafor.

The duo is suspected to be part of an international fraud syndicate involved in targeting financial institutions. Solar Spider has a history of targeting banking systems across India and the Middle East, often through spear-phishing campaigns. In a report published in July 2025, Tata Communications revealed that threat actors leverage their initial access to steal credentials, tamper with NEFT/RTGS transactions, and focus on Structured Financial Messaging System ( SFMS ) and Host-to-Host (H2H) infrastructures. The group is also known for deploying a sophisticated attack framework dubbed JSOutProx since at least 2019.

PlugX malware campaign Chinese Threat Actors Capitalize on Middle East Conflict Check Point has disclosed targeted campaigns against entities in Qatar using conflict-related content as lures to deliver malware families like PlugX and Cobalt Strike. The attack chain uses Windows shortcut (LNK) files contained within ZIP archives, which, when opened, cause it to download a next-stage payload from a compromised server. The payload then displays the decoy document while using DLL side-loading to deploy PlugX. The activity, detected on March 1, 2026, has been attributed to Mustang Panda (aka Camaro Dragon).

A second attack has been observed using a password-protected archive to execute a previously undocumented Rust loader that’s responsible for deploying Cobalt Strike using DLL side-loading. “This loader exploits DLL hijacking of nvdaHelperRemote.dll, a component of the open-source screen reader NVDA. Abuse of this component has previously been observed in only a limited number of Chinese-nexus campaigns, including China-aligned activity associated with a campaign delivering Voldemort backdoor, as well as a wave of attacks targeting the Philippines and Myanmar back in 2025,” Check Point said . While this attack is assessed as China-aligned, it has not been attributed to a specific threat actor.

“The attackers leveraged the ongoing war in the Middle East to make their lures more credible and engaging, demonstrating the ability to rapidly adapt to major developments and breaking news,” the company said. Teen DDoS kit sellers Poland Busts Teen Gang Selling DDoS Kits Polish police have referred seven suspected minor cybercriminals to family court over an alleged scheme to sell distributed denial-of-service (DDoS) kits online. The suspects, aged between 12 and 16 at the time of the alleged offenses, face charges related to selling DDoS tools as part of a profit-driven scheme designed to target popular websites, including auction and sales portals, IT domains, hosting services, and accommodation booking sites. “Using the tools they administer, popular websites such as auction and sales portals, IT domains, hosting services, and accommodation booking services were attacked,” Poland’s Central Bureau for Combating Cybercrime (CBZC) said .

Phishing-resistant Windows login Microsoft Entra Passkeys on Windows for Phishing-Resistant Sign-In Microsoft is rolling out passkey support for Microsoft Entra on Windows devices, adding phishing-resistant passwordless authentication via Windows Hello. “We’re introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device-bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN),” Microsoft said . “It also expands passwordless authentication to Windows devices that aren’t Entra-joined or registered, helping organizations strengthen security and reduce reliance on passwords.” Sysmon built into Windows Native Sysmon Arrives in Windows 11 Microsoft has natively integrated System Monitor ( Sysmon ) functionality directly into Windows 11 and Windows Server 2025 as an optional built-in feature as of Windows 11’s March feature update ( KB5079473 ).

It’s disabled by default. The company announced the integration in November 2025. “You no longer need to package it dynamically; you can simply enable it programmatically via PowerShell ,” Nick Carroll, cyber incident response manager at Nightwing, said. “Coupled with Microsoft’s simultaneous announcement that Windows Intune will enable ‘hotpatching’ by default in May 2026, this drastically lowers the barrier to entry for deep endpoint visibility and represents a massive operational win for network defenders.” Canada phishing campaign New Phishing Campaign Targets Canada An active phishing campaign is targeting Canadian residents (and possibly present in other countries) using fraudulent domains impersonating trusted institutions, including the Government of British Columbia and Hydro-Québec, with the goal of collecting personal information and credit card details, Flare said .

The hosting infrastructure behind this campaign is linked to RouterHosting LLC (aka Cloudzy), a provider that was publicly accused in 2023 of supplying services to at least 17 state-sponsored hacking groups from countries including Iran, China, Russia, and North Korea. Private link safety in chats Meta Details Advanced Browsing Protection in Messenger Meta has detailed the workings of Advanced Browsing Protection ( ABP ) in Messenger, which protects the privacy of the links clicked on within chats while still warning people about malicious links. “In its standard setting, Safe Browsing uses on-device models to analyze malicious links shared in chats,” the company said . “But we’ve extended this further with an advanced setting called Advanced Browsing Protection (ABP) that leverages a continually updated watchlist of millions more potentially malicious websites.” ABP leverages an approach called private information retrieval (PIR) to implement a privacy-preserving “URL-matching” scheme between the client’s query and the server hosting the database, along with Oblivious HTTP, AMD SEV-SNP, and Path ORAM for added privacy guarantees.

BlackSanta EDR killer Campaign Targets HR Teams with BlackSanta EDR A sophisticated attack campaign targeting HR departments and job recruiters has combined social engineering with advanced evasion techniques to stealthily compromise systems by avoiding analysis environments and leveraging a specialized module designed to kill antivirus and endpoint detection software. The attack begins with a resume-themed ISO file delivered likely through spam or phishing emails, which then drops next-stage payloads, including a DLL that’s launched via DLL side-loading to gather basic system information, initiate communication with a remote server, run sandbox checks, employ geographic filtering to avoid running in restricted regions, and drop additional payloads, such as BlackSanta EDR that employs legitimate but vulnerable kernel drivers to impair system defenses, a known tactic referred to as Bring Your Own Vulnerable Driver (BYOVD). “Rather than functioning as a simple auxiliary payload, BlackSanta acts as a dedicated defense-neutralization module that programmatically identifies and interferes with protection and monitoring processes prior to the deployment of follow-on stages,” Aryaka said . “By targeting endpoint security engines alongside telemetry and logging agents, it directly reduces alert generation, limits behavioral logging, and weakens investigative visibility on compromised hosts.” It’s currently not known what the follow-on payloads are or how widespread the campaign is.

Phishing campaigns don’t just target HR teams, but also impersonate them in attacks. “Impersonating HR provides many benefits to threat actors. Tasks from HR are typically mandatory, so HR emails carry authority,” Cofense said . “Legitimate HR tasks can also have strict deadlines, which a threat actor can use to impose urgency.

Finally, regular HR tasks are expected by employees.” ZIP evasion technique Zombie ZIP Technique to Bypass Security Tools A new technique dubbed Zombie ZIP allows attackers to conceal payloads in specially crafted compressed files that can bypass security tools. “Malformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives,” the CERT Coordination Center (CERT/CC) said . “Despite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression.” The vulnerability, tracked as CVE-2026-0866, has been codenamed Zombie Zip by researcher Christopher Aziz, who discovered it. The technique was demonstrated by Bombadil Systems security researcher Chris Aziz.

AI agent breaches platform McKinsey’s AI Platform Lili Hacked Researchers at autonomous offensive security startup CodeWall said their AI agent hacked McKinsey’s internal AI platform Lili and gained full read and write access to the chatbot platform in just two hours. This enabled access to the entire production database, including 46.5 million chat messages about strategy, mergers and acquisitions, and client engagements, all in plaintext, along with 728,000 files containing confidential client data, 57,800 user accounts, and 95 system prompts controlling the AI’s behavior. The development is an indicator that agentic AI tools are becoming more effective for conducting cyber attacks. The agent said it found over 200 endpoints that were totally exposed, out of which 22 were unprotected.

One of these endpoints, which wrote user search queries to the database, suffered from an SQL injection that could have made it possible to access sensitive data and rewrite the system prompts silently. McKinsey has since addressed the problem. There is no evidence that the issue was exploited in the wild. Teams social engineering malware New A0Backdoor Linked to Teams Impersonation Campaign Hackers have contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor .

The modus operandi, which aligns with the playbook of Storm-1811 (aka STAC5777 or Blitz Brigantine), employs social engineering to gain the employee’s trust by first flooding their inbox with spam and then contacting them over Teams, pretending to be the company’s IT staff and offering assistance with the problem. To obtain access to the target machine, the threat actor instructs the user to start a Quick Assist remote session, which is used to deploy a malicious toolset that includes digitally signed MSI packages, some of which were hosted on Microsoft cloud storage tied to personal accounts. The installers serve as a conduit for launching a DLL that, in turn, decrypts and runs shellcode responsible for running anti-analysis checks and dropping A0Backdoor, which establishes contact to a remote server using DNS tunnelling to receive commands. The activity has been active since at least August 2025 through late February 2026.

Industrialized disinformation network Doppelgänger Infrastructure Analyzed The Russian influence operation known as Doppelgänger has been described as industrialized and prioritizing infrastructure resilience, scalability, and operational continuity over short-term visibility. “Rather than functioning as a loose collection of spoofed websites or transient propaganda outlets, the network exhibits the hallmarks of a coordinated, professionally managed influence apparatus,” DomainTools said . “At its core, the ecosystem relies on systematic media brand impersonation executed at scale.” Campaigns mounted as part of the operation exhibit deliberate geographic micro-targeting across European Union member states and the U.S. Pentagon AI dispute Anthropic Sues Pentagon Over Supply Chain Risk Designation Anthropic has filed a lawsuit to block the Pentagon from placing it on a national security blocklist , stating the supply chain risk designation was unlawful and violated its free speech and due process rights.

The development comes after the Pentagon formally branded the artificial intelligence (AI) company a supply chain risk after it refused to remove guardrails against using its technology for autonomous weapons or domestic surveillance. In its own statement, Anthropic said “we had been having productive conversations with the Department of War over the last several days, both about ways we could serve the Department that adhere to our two narrow exceptions, and ways for us to ensure a smooth transition if that is not possible.” However, the Pentagon said there is no active negotiation happening with Anthropic. It also reiterated that the department “does not do and will not do domestic mass surveillance.” The development follows OpenAI’s own deal with the U.S. Department of Defense, with CEO Sam Altman stating the defense contract would include protections against the same red lines that Anthropic had insisted on.

The company has since amended its contract to ensure “the AI system shall not be intentionally used for domestic surveillance of U.S. persons and nationals.” Anthropic’s CEO Dario Amodei has called OpenAI’s messaging “safety theater” and “straight up lies.” GitHub SEO malware Deceptive GitHub Pages Distribute BoryptGrab Stealer A new information stealer campaign distributing BoryptGrab is leveraging a network of more than 100 public GitHub repositories that claim to offer software tools for free, using search engine optimization (SEO) keywords to lure victims. The multi-stage infection chain begins when a ZIP file is downloaded from a fake GitHub download page. BoryptGrab can harvest browser data, cryptocurrency wallet information, and system information.

It’s also capable of capturing screenshots, collecting common files, and extracting Telegram information, Discord tokens, and passwords. Also delivered as part of the attack is a backdoor called TunnesshClient that establishes a reverse SSH tunnel to communicate with the attacker and acts as a SOCKS5 proxy . The earliest ZIP file dates back to late 2025. Certain iterations of the campaign have been found to deliver Vidar Stealer or a Golang downloader dubbed HeaconLoad, which then downloads and runs additional payloads.

RAT campaign against India Transparent Tribe Targets Indian Government with RAT Malware The Pakistan-aligned threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian government entities to infect systems with a RAT that enables remote command execution, process monitoring and termination, remote program execution, file upload/download, file enumeration, screenshot capture, and live screen monitoring capabilities. “The campaign primarily relies on social engineering techniques, distributing a malicious ZIP archive disguised as examination-related documents to persuade recipients to interact with the files,” CYFIRMA said . “Upon extraction, the archive delivers deceptive shortcut files along with a macro-enabled PowerPoint add-in, which collectively initiate the infection chain. The threat actors employ multiple layers of obfuscation and redundant execution mechanisms to enhance the probability of successful compromise while reducing the likelihood of user suspicion.” Signed phishing malware Signed Malware Deploys RMM Backdoors Microsoft is warning of multiple phishing campaigns using workplace meeting lures, PDF attachments, and abuse of legitimate binaries to deliver signed malware.

The activity, observed in February 2026, has not been attributed to a specific threat actor or group. “Phishing emails directed users to download malicious executables masquerading as legitimate software,” the company said . “The files were digitally signed using an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Once executed, the applications installed remote monitoring and management (RMM) tools that enabled the attacker to establish persistent access on compromised systems.” Some of the deployed RMM tools include ScreenConnect, Tactical RMM, and MeshAgent.

The use of the TrustConnect branding was disclosed by Proofpoint last week. Furthermore, the deployment of multiple RMM frameworks within a single intrusion indicates a deliberate strategy to ensure continuous access and ensure operational resilience even if one access mechanism is detected or removed. “These campaigns demonstrate how familiar branding and trusted digital signatures can be abused to bypass user suspicion and gain an initial foothold in enterprise environments,” Microsoft added. TikTok allowed in Canada Canada Says TikTok Can Continue Operations in the Country Following a national security review of TikTok, Canada’s Minister of Industry, Mélanie Joly, said the company can keep its business operational.

“TikTok will implement enhanced protection for Canadians’ personal information, including new security gateways and privacy-enhancing technologies to control access to Canadian user data in order to reduce the risk of unauthorized or prohibited access,” the government said . “TikTok will implement enhanced protections for minors.” The development marks a complete 180 from a 2024 decision , when it was ordered to shut down its operations, citing unspecified “national security risks.” However, that order was paused in early 2025 . Vulnerabilities rise 12% Vulnerability Disclosures Surged by 12% in 2025 Flashpoint said it catalogued 44,509 vulnerability disclosures in 2025, a 12% increase year-over-year (YoY). Of those, 466 were confirmed as exploited in the wild.

Nearly 33%, or 14,593 vulnerabilities, had publicly available exploit code. Ransomware attacks also increased 53% YoY in 2025, with 8,835 total attacks recorded. The top RaaS groups by attack volume in 2025 were Qilin at 1,213 attacks, Akira at 1,044, Cl0p at 529, Safepay at 452, and Play at 395. Manufacturing was the most targeted industry with 1,564 attacks, followed by technology at 987 and healthcare at 905.

The U.S. accounted for approximately 53% of named victim organizations. Botnet exploiting 174 flaws RondoDox Botnet Expands to Support 174 Flaws The RondoDox DDoS botnet has been found to implement 174 different exploits between May 25, 2025, and February 16, 2026, peaking at 15,000 exploitation attempts in a single day between December 2025 and January 2026. It’s believed that the threat actors are using compromised residential IP addresses as hosting infrastructure.

“The operators of RondoDox have been using a shotgun approach, where they send multiple exploits to the same endpoint, hoping for one to work,” Bitsight said . Of the 174 different vulnerabilities, 15 have a public proof-of-concept (PoC), but no CVE, and 11 do not have PoC code at all. RondoDox is notable for its fast addition of recently disclosed vulnerabilities, in some cases incorporating the PoC even before the CVE was published (e.g., CVE-2025-62593 ). Memory-only keylogger attack VIP Keylogger Campaign Detected Phishing emails bearing purchase order lures are being used to distribute an executable within RAR archives.

Once launched, the binary extracts and runs VIP Keylogger in memory without touching the disk. “This keylogger captures either browser cookies, logins, credit card details, autofills, visited URLs, downloads, or top sites from the appropriate files in each of the application’s designated folders,” K7 Labs said . It’s also capable of targeting a wide range of web browsers, stealing the email accounts from Outlook, Foxmail, Thunderbird, and Postbox, and collecting Discord tokens. Cloudflare-shielded phishing Microsoft 365 Credential Harvesting Campaign Abuses Cloudflare A new Microsoft 365 credential harvesting campaign has been observed abusing Cloudflare’s services to delay detection and risk profiling.

The gatekeeping is designed to ensure the visitor is a real target and not a security scanner or bot. “The campaign implemented multiple anti-detection techniques, including the use of CloudFlare human verification, hardcoded IP block lists, user agent checks, and multiple sites and redirects,” DomainTools said . Some of the stuff in this week’s list feels a little too practical. Not big flashy hacks — just simple tricks used in the right place at the right time.

The kind of things that make defenders sigh because… yeah, that’ll probably work. There’s also a bit of the usual theme: tools and features doing exactly what they were designed to do… just not for the people who built them. Add some creative thinking, and suddenly normal workflows start looking like attack paths. Anyway — quick reads, strange ideas, and a few reminders that security problems rarely disappear… they just change shape.

Scroll on. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Attackers Don’t Just Send Phishing Emails. They Weaponize Your SOC’s Workload

The most dangerous phishing campaigns aren’t just designed to fool employees. Many are designed to exhaust the analysts investigating them. When a phishing investigation takes 12 hours instead of five minutes, the outcome can shift from a contained incident to a breach. For years, the cybersecurity industry has focused on the front door of phishing defense: employee training, email gateways that filter known threats, and reporting programs that encourage users to flag suspicious messages.

Far less attention has been paid to what happens after a report is filed, and how attackers exploit the investigation process that follows. Alert fatigue in Security Operations Centers isn’t just an operational inconvenience . It can become an attack surface. SOC teams increasingly report phishing campaigns that appear designed not only to compromise targets but also to overwhelm the analysts responsible for investigating them.

This shifts how organizations should think about phishing defense. The vulnerability isn’t just the employee who clicks. It’s also the analyst who can’t keep up with the queue. When investigations that should close in minutes stretch to 3, 6, or 12 hours because of queue congestion, the window for attacker success widens dramatically.

When Phishing Volume Becomes a Weapon Phishing is often treated as a series of independent threats. One message. One potential victim. One investigation.

Attackers operating at scale think in terms of systems, not individual messages. A SOC is one of those systems, and it has finite capacity and predictable failure modes. Consider a phishing campaign targeting a large enterprise. The attacker sends thousands of messages.

Most are low-sophistication lures that email gateways or trained employees will likely catch. These messages flood the SOC with reports and alerts. Analysts begin triaging, working through a queue that grows faster than they can clear it. Buried in that volume are a few carefully crafted spear-phishing messages targeting individuals with access to critical systems.

These messages are the real payload. The flood is not just a numbers game. It is effectively a denial-of-service attack against the SOC’s attention, sometimes referred to as an Informational Denial-of-Service (IDoS). This pattern is not purely theoretical.

Red team exercises and incident reports have documented adversaries who time high-volume phishing campaigns to coincide with targeted spear-phishing attempts. The commodity wave creates noise. The targeted message hides inside it. The Predictable Failure Mode This tactic works because SOC phishing triage tends to follow a predictable pattern across organizations.

When phishing report volume spikes, most SOCs respond in predictable ways. Analysts begin triaging faster, spending less time per submission. Investigation depth decreases. Industry research shows 66% of SOC teams cannot keep up with incoming alerts .

The focus shifts from thorough investigation to clearing the queue. Managers may deprioritize phishing reports relative to alerts from other detection systems, assuming user-submitted reports are lower fidelity. Each response is rational on its own. Together, they create the conditions an attacker needs.

SOC managers observe a consistent pattern during high-volume periods: decision quality drops as workload increases. Analysts begin anchoring on superficial indicators. Messages that “look like” previously benign submissions receive less scrutiny. Novel indicators of compromise may be overlooked when they appear in a crowded queue rather than in isolation.

The attacker’s advantage compounds because the most dangerous messages are specifically designed to exploit these shortcuts. A spear-phishing email targeting the CFO’s executive assistant doesn’t arrive looking dramatically different from everything else in the queue. It’s crafted to resemble the category of messages that analysts, under pressure, have learned to move past quickly — a vendor communication, a document-sharing notification, a routine business process email. The Economics Behind the Attack The economics of this dynamic heavily favor the attacker.

Generating thousands of commodity phishing emails costs almost nothing, especially with generative AI lowering the production barrier further. But each of those emails, once reported by an employee, costs the defending organization real analyst time and cognitive bandwidth. This creates an asymmetry that traditional SOC models have no good answer for: Attacker cost per decoy email: near zero. Template-based generation, commodity infrastructure, automated delivery.

Defender cost per reported email: minutes of skilled analyst time for even a cursory review. Hours if the investigation is thorough. Attacker cost for the real payload: moderate — these are the carefully researched, individually crafted messages designed for specific targets. Defender cost of missing the payload: potentially catastrophic — credential compromise, lateral movement, data exfiltration, ransomware deployment.

The defender is forced to investigate everything because the cost of missing a real threat is so high. The attacker knows this and uses it to drain investigative resources before the real attack arrives. It’s an attrition strategy applied to human attention rather than system availability. This asymmetry has only worsened as organizations have scaled up phishing awareness programs.

More trained employees means more reports. More reports means more queue pressure. More queue pressure means less attention per investigation. The very success of security awareness training has, paradoxically, expanded the attack surface that adversaries exploit.

The Real Problem is Decision Speed Most security tools respond to this challenge by throwing more alerts at people — additional detection layers, more threat feeds, extra scoring systems. More data without better decision processes only compounds the overload. The fundamental issue isn’t that SOCs lack information about suspicious emails. It’s that they lack the ability to turn that information into clear, confident decisions at the speed the threat environment demands.

The organizations breaking out of this cycle are reframing phishing triage not as an email analysis problem but as a “decision precision” problem. The goal isn’t to generate more signals about a suspicious message. It’s to deliver a decision-ready investigation — a complete, reasoned verdict that tells the analyst exactly what was found, what it means, and what should happen next — so that no one has to guess. This distinction matters because guessing is exactly what overwhelmed analysts are forced to do.

When the queue is deep and investigation time is compressed, analysts make judgment calls based on incomplete analysis. Sometimes they’re right. Sometimes they’re not. And the attacker’s entire strategy depends on those moments when they’re not.

Decision-ready investigation changes the equation. Instead of presenting analysts with raw indicators and expecting them to assemble a conclusion under time pressure, the system delivers a synthesized assessment with clear reasoning. The analyst’s role shifts from doing the investigation to reviewing the investigation — a fundamentally different cognitive task that scales far more effectively under volume. Why Rule-Based Automation Doesn’t Solve This The obvious response is automation, and most SOCs have implemented some version of it.

Auto-closing reports from whitelisted senders. Deduplicating identical submissions. Applying basic reputation checks to filter known-safe domains. These measures help with baseline volume but fail against the specific threat model described above — and in some cases, they make it worse.

Rule-based filters create predictable blind spots. If an attacker knows (or can infer) that an organization auto-closes reports from domains with established reputation, they can compromise or spoof those domains. If deduplication logic groups messages by subject line or sender, an attacker can vary these superficially while maintaining the same malicious payload. There’s also the trust problem.

Security teams are rightfully skeptical of “black box” automation that renders verdicts without showing its work. When an automated system closes a phishing report, and no one can explain exactly why, confidence erodes. Analysts second-guess the automation, re-investigate cases it already handled, or override its decisions reflexively. The efficiency gains evaporate, and the organization ends up with the worst of both worlds: automation it’s paying for and manual processes it can’t abandon.

More fundamentally, static rules can’t adapt to the dynamic relationship between attack patterns and SOC behavior. The attacker’s strategy isn’t static. It continuously evolves based on what works. A defensive system built on fixed rules is playing a static game against a dynamic adversary.

Specialized Investigation Agents, Not Black Boxes The emerging approach to adversarial phishing defense looks less like a single automated tool and more like a coordinated team of specialized experts — each focused on a specific dimension of the investigation and each capable of explaining exactly what it found and why it matters. In practice, this means agentic AI architectures where distinct analytical agents handle different parts of a phishing investigation simultaneously. One agent verifies sender authenticity — checking SPF, DKIM, and DMARC records, analyzing domain registration history, and evaluating whether the sending infrastructure matches the claimed identity. Another examines the message itself, analyzing linguistic patterns, tone inconsistencies, and social engineering indicators that suggest manipulation rather than legitimate communication.

A third correlates the report with endpoint telemetry, determining whether the recipient’s device has exhibited any behavioral anomalies that might indicate a payload has already executed. These agents don’t operate independently and disappear into a verdict. They produce transparent, auditable reasoning — a clear chain of evidence showing which indicators were evaluated, what was found, and how those findings contributed to the final assessment. When the system determines a message is benign, it shows why.

When it flags a message as malicious, it presents the specific evidence. When signals conflict, it explains the ambiguity and escalates with full context. This transparency is what separates decision-ready investigation from black box automation. An analyst reviewing an AI-generated investigation can see the logic, challenge the reasoning, and build calibrated trust in the system over time.

That trust is what ultimately allows organizations to let the system handle routine verdicts autonomously — not blind faith in an opaque algorithm, but earned confidence in a process that shows its work. The Five-Minute Reality The practical impact of this approach comes down to time — specifically, the difference between the 3-to-12-hour investigation timelines that characterize most manual SOC phishing workflows and the sub-five-minute resolution that decision-ready AI triage enables. This gap is not only an efficiency metric. It directly affects security outcomes.

In 12 hours, a compromised credential can be used for lateral movement, privilege escalation, and data staging. In five minutes, the same credential gets revoked before the attacker establishes persistence. A “non-event.” The same phishing email produces radically different consequences depending entirely on how fast the investigating organization reaches a confident decision. When cognitive AI handles initial investigation, every submission gets the same rigorous, multi-dimensional analysis regardless of queue depth or time of day.

The commodity phishing flood designed to exhaust analysts gets absorbed by a system that doesn’t fatigue. The carefully crafted spear-phish designed to blend in during high-volume periods receives the same thorough investigation as every other submission, with cross-submission pattern detection that might flag it precisely because of its relationship to the surrounding volume. The human analysts, the experienced, skilled professionals that every SOC depends on, shift from reactive queue processing to the work that genuinely requires human judgment: investigating confirmed incidents, hunting for threats that haven’t triggered alerts, and making strategic decisions about defensive posture. Measuring SOC Resilience Organizations that adopt this framing need metrics that reflect it.

Traditional SOC metrics, such as mean time to acknowledge, mean time to close, and tickets processed per analyst, measure operational efficiency. They don’t measure resilience against adversarial exploitation. Metrics that capture defensive resilience against weaponized volume include: Investigation quality consistency under load. Does analytical depth remain constant as report volume increases, or does it degrade?

Tracking investigation thoroughness across volume quartiles reveals whether the SOC’s phishing triage is exploitable under pressure. Decision latency. How quickly does the triage system move from alert receipt to confident verdict? The gap between 12 hours and 5 minutes isn’t an incremental improvement; it’s a categorical change in attacker opportunity.

Escalation accuracy at volume. When the queue is heavy, are the right cases being escalated to human analysts? Rising false negative rates during high-volume periods indicate exactly the vulnerability attackers target. Decision transparency rate.

What percentage of automated verdicts include complete, auditable reasoning? Black box resolutions that can’t be explained are resolutions that can’t be trusted, and untrusted automation gets overridden, negating its value. Proactiveness. How close to the point of impact are threats being identified?

Changing the Defensive Equation The attacker’s advantage in weaponizing SOC workload depends on a specific assumption: that increasing phishing volume reliably degrades defensive quality. If that assumption holds, the strategy is highly effective and nearly free to execute. If it doesn’t — if investigative quality and speed remain constant regardless of volume — the entire approach collapses. The commodity phishing flood no longer provides cover because every message receives the same analytical rigor in the same five-minute window.

The carefully crafted spear-phish no longer benefits from a rushed analyst because no analyst is rushing. The asymmetry flips: the attacker spent resources generating noise that achieved nothing, while the defender’s capacity for genuine threat detection remained intact. The strategic value of decision-ready AI triage is not just efficiency. It removes a failure mode that attackers have learned to exploit.

It turns a predictable vulnerability into a defensive strength, making the SOC’s phishing workflow resilient against the very tactic designed to break it. The phishing report button stays. Employees keep reporting. But the investigation engine behind that button no longer offers attackers a lever to pull.

Conifers.ai’s CognitiveSOC platform uses agentic AI to deliver decision-ready phishing investigations in minutes, not hours. Learn more about how the Conifers platform is designed to reduce the alert-fatigue conditions attackers often exploit. Found this article interesting? This article is a contributed piece from one of our valued partners.

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit

Apple on Wednesday backported fixes for a security flaw in iOS, iPadOS, and macOS Sonoma to older versions after it was found to be used as part of the Coruna exploit kit . The vulnerability, tracked as CVE-2023-43010 , relates to an unspecified vulnerability in WebKit that could result in memory corruption when processing maliciously crafted web content. The iPhone maker said the issue was addressed with improved handling. “This fix associated with the Coruna exploit kit was shipped in iOS 17.2 on December 11th, 2023,” Apple said in an advisory.

“This update brings that fix to devices that cannot update to the latest iOS version.” Fixes for CVE-2023-43010 were originally released by Apple in the following versions - iOS 17.2 and iPadOS 17.2 macOS Sonoma 14.2 Safari 17.2 The latest round of fixes brings it to older versions of iOS and iPadOS - iOS 15.8.7 and iPadOS 15.8.7

• iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) iOS 16.7.15 and iPadOS 16.7.15
• iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation What’s more, iOS 15.8.7 and iPadOS 15.8.7 incorporate patches for three more vulnerabilities associated with the Coruna exploit kit - CVE-2023-43000 (Originally fixed in iOS 16.6, released on July 24, 2023) - A use-after-free issue in WebKit that could lead to memory corruption when processing maliciously crafted web content. CVE-2023-41974 (Originally fixed in iOS 17, released on September 18, 2023) - A use-after-free issue in the kernel that could allow an app to execute arbitrary code with kernel privileges. CVE-2024-23222 (Originally fixed in iOS 17.3, released on January 22, 2024) - A type confusion issue in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. Details of Coruna emerged earlier this month after Google said the exploit kit features 23 exploits across five chains designed to target iPhone models running iOS versions between 13.0 and 17.2.1.

iVerify, which is tracking the malware framework that uses the exploit kit under the name CryptoWaters, said it has similarities to previous frameworks developed by threat actors affiliated with the U.S. government The development comes amid speculation that Coruna was likely designed by U.S. military contractor L3Harris and that it may have been passed to Russian exploit broker Operation Zero by Peter Williams, a former general manager at the company who was sentenced to more than seven years in prison last month for selling several exploits in exchange for money. An interesting aspect of Coruna is the use of two exploits (CVE-2023-32434 and CVE-2023-38606) that were weaponized as zero-days in a campaign dubbed Operation Triangulation targeting users in Russia in 2023.

Kaspersky told The Hacker News that it’s possible for any sufficiently skilled team to come up with their own exploits, given that both the flaws have publicly available implementations. “Despite our extensive research, we are unable to attribute Operation Triangulation to any known APT group or exploit development company,” Boris Larin, principal security researcher at Kaspersky GReAT, told The Hacker News in an email. “To be precise: neither Google nor iVerify in their published research claims that Coruna reuses Triangulation’s code. What they identify is that two exploits in Coruna — Photon and Gallium — target the same vulnerabilities.

That’s an important distinction. In our opinion, attribution cannot be based solely on the fact of exploitation of these vulnerabilities.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

Cybersecurity researchers have discovered half-a-dozen new Android malware families that come with capabilities to steal data from compromised devices and conduct financial fraud. The Android malware range from traditional banking trojans like PixRevolution , TaxiSpy RAT , BeatBanker , Mirax , and Oblivion RAT to full-fledged remote administration tools such as SURXRAT . PixRevolution, according to Zimperium, targets Brazil’s Pix instant payment platform , hijacking victims’ money transfers in real-time to route them to the threat actors instead of the intended payee. “This new strain of malware operates stealthily within the device until the moment the victim initiates a Pix transfer,” security researcher Aazim Yaswant said .

“What distinguishes this threat from conventional banking trojans is its fundamental design: a human or AI agent operator is actively engaged on the remote end, observing the victim’s phone screen instantaneously, poised to act at the precise moment of transaction.” The Android malware propagates via fake Google Play Store app listing pages for apps like Expedia, Sicredi, and Correios to trick users into installing the malicious dropper APK files. Once installed, the apps urge users to enable accessibility services to realize their goals. It also connects to an external server over TCP on port 9000 to send periodic heartbeat messages containing device information and activate real-time screen capture using Android’s MediaProjection API. The main functionality of PixRevolution, though, is the monitoring of the victim’s screen and serving a fake overlay as soon as a victim enters the desired amount and the Pix key of the recipient to initiate the payment.

At that point, the trojan shows a fake WebView overlay that says “Aguarde…” (meaning “wait” in Portuguese/Spanish), while, in the background, it edits the Pix key with that of the attacker’s to complete the funds transfer. In the final stage, the overlay is removed, and the victim is displayed a “transfer complete” confirmation screen in the Pix app. “From the victim’s perspective, nothing unusual happened,” Yaswant said. “The app briefly showed a loading indicator, something that occurs routinely during legitimate banking operations.

The transfer was confirmed successfully. The amount they intended to send was deducted from their account.” “It is only later, sometimes much later, that the victim discovers the money went to the wrong account. And because Pix transfers are instant and final, recovery is extraordinarily difficult.” Brazilian users have also become the target of another Android‑based malware campaign called BeatBanker, which spreads primarily through phishing attacks via a website disguised as the Google Play Store. BeatBanker gets its name from the use of an unusual persistence mechanism that involves playing an almost inaudible audio file, a 5-second recording featuring Chinese words, on a loop to prevent it from being terminated.

Besides incorporating runtime checks for emulated or analysis environments, the malware monitors battery temperature and percentage, and verifies whether the user is using the device to start or stop the Monero miner as required. It uses Google’s Firebase Cloud Messaging (FCM) for command‑and‑control (C2). “To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banking trojan capable of completely hijacking the device and spoofing screens, among other things,” Kaspersky said . “When the user tries to make a USDT transaction, BeatBanker creates overlay pages for Binance and Trust Wallet, covertly replacing the destination address with the threat actor’s transfer address.” The banking module also monitors web browsers like Chrome, Edge, Firefox, Brave, Opera, DuckDuckGo, Dolphin Browser, and sBrowser to URLs accessed by the victim.

In addition, it supports the ability to receive a long list of commands from the server to collect personal information and gain complete control of the device. Recent iterations of the campaign have been found to drop BTMOB RAT instead of the banking module. It provides operators with comprehensive remote control, persistent access, and surveillance over compromised devices. BTMOB is assessed to be an evolution of CraxsRAT, CypherRAT , and SpySolr families, all of which have been linked to a Syrian threat actor who goes by the online alias EVLF .

“We also saw the distribution and sale of leaked BTMOB source code on some dark web forums,” the Russian security vendor said. “This may suggest that the creator of BeatBanker acquired BTMOB from its original author or the source of the leak and is utilizing it as the final payload.” TaxiSpy RAT, similar to PixRevolution, abuses Android’s accessibility service and MediaProjection APIs to collect SMS messages, contacts, call logs, clipboard contents, installed apps list, notifications, lock screen PINs, and keystrokes, as well as target Russian banking, cryptocurrency, and government apps by serving overlays to conduct credential theft. The malware combines traditional banking trojan functionality with full RAT capabilities, enabling threat actors to gather sensitive data and execute commands sent via Firebase push messages. Several TaxiSpy samples have been discovered by both CYFIRMA and Zimperium, indicating active efforts on the part of attackers to evade signature-based detection and blacklist defenses.

“The malware leverages advanced evasion techniques, such as native library encryption, rolling XOR string obfuscation, and real-time VNC-like remote control via WebSocket,” CYFIRMA said . “Its design allows comprehensive device surveillance, including SMS, call logs, contacts, notifications, and banking app monitoring, highlighting its financially motivated and region-specific focus.” Another Android banking trojan of note is Mirax , which has been advertised by a threat actor named Mirax Bot as a private malware-as-a-service (MaaS) offering for a monthly price of $2,500 for a full version or $1,750 for a light variant. Mirax claims to offer banking overlays, information gathering (e.g., keystrokes, SMS, lock patterns), and a SOCKS5 proxy to route malicious traffic through compromised devices. Mirax is not the only Android MaaS offering detected in recent months.

A new Android remote access trojan called Oblivion is being sold for around $300 per month (or $1,900 per year and $2,200 for lifetime access) and claims to bypass detection and security features on devices from major manufacturers. Once installed, the malware employs an automated permission-granting mechanism that requires no interaction from the victim. This approach, per the seller, works across MIUI / HyperOS (Xiaomi), One UI (Samsung), ColorOS (OPPO), MagicOS (Honor), and OxygenOS (OnePlus). “What sets it apart isn’t any single feature.

It’s the combination: automated permission bypass, hidden remote control, deep persistence, and a point-and-click builder that puts all of it within reach of would-be hackers with even the most minimal level of technical skill,” Certos said . “Google has made progressive restrictions on accessibility service abuse a priority across successive Android versions. A tool that credibly bypasses those protections on the latest release – and does so across devices from Samsung, Xiaomi, OPPO, and others – represents a genuine challenge to platform-level defenses.” Also commercially distributed through a Telegram-based MaaS ecosystem is an Android malware family called SURXRAT , which is assessed to be an improved version of Arsink . The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based C2 infrastructure to commandeer infected devices.

The malware is marketed on a Telegram channel managed by an Indonesian threat actor. What’s notable about some of the new samples is the presence of a large language model (LLM) component, indicating that the threat actors behind the malware are experimenting with artificial intelligence (AI) capabilities, along with traditional surveillance. That said, the download of the LLM module is triggered only when specific gaming applications are active on the victim’s device, or when it receives alternative target package names dynamically from the server - Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax) Free Fire x JUJUTSU KAISEN (com.dts.freefireth) Select SURXRAT samples also incorporate a ransomware-style screen locker module that makes it possible for a remote operator to hijack control of a victim’s device and deny access by displaying a full-screen lock message until a payment is made. “This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities,” Cyble said.

“The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting n8n to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2025-68613 (CVSS score: 9.9), concerns a case of expression injection that leads to remote code execution. The security shortcoming was patched by n8n in December 2025 in versions 1.120.4, 1.121.1, and 1.122.0.

CVE-2025-68613 is the first n8n vulnerability to be placed in the KEV catalog. “N8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution,” CISA said. According to the maintainers of the workflow automation platform, the vulnerability could be weaponized by an authenticated attacker to execute arbitrary code with the privileges of the n8n process. Successful exploitation of the flaw could result in a complete compromise of the instance, enabling the attacker to access sensitive data, modify workflows, or execute system-level operations.

There are currently no details on how the vulnerability is being exploited in the wild. Data from the Shadowserver Foundation shows that there are more than 24,700 unpatched instances exposed online, with more than 12,300 of them located in North America and 7,800 in Europe as of early February 2026. The addition of CVE-2025-68613 comes as Pillar Security disclosed two critical flaws in n8n, one of which – CVE-2026-27577 (CVSS score: 9.4) – has been classified as “additional exploits” discovered in the workflow expression evaluation system following CVE-2025-68613. Federal Civilian Executive Branch (FCEB) agencies have been ordered to patch their n8n instances by March 25, 2026, as mandated by a Binding Operational Directive (BOD 22-01) issued in November 2021.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Researchers Trick Perplexity’s Comet AI Browser Into Phishing Scam in Under Four Minutes

Agentic web browsers that leverage artificial intelligence (AI) capabilities to autonomously execute actions across multiple websites on behalf of a user could be trained and tricked into falling prey to phishing and scam traps. The attack, at its core, takes advantage of AI browsers’ tendency to reason their actions and use it against the model itself to lower their security guardrails, Guardio said in a report shared with The Hacker News ahead of publication. “The AI now operates in real time, inside messy and dynamic pages, while continuously requesting information, making decisions, and narrating its actions along the way. Well, ‘narrating’ is quite an understatement - It blabbers, and way too much!,” security researcher Shaked Chen said.

“This is what we call

Agentic Blabbering

the AI Browser exposing what it sees, what it believes is happening, what it plans to do next, and what signals it considers suspicious or safe.” By intercepting this traffic between the browser and the AI services running on the vendor’s servers and feeding it as input to a Generative Adversarial Network ( GAN ), Guardio said it was able to make Perplexity’s Comet AI browser fall victim to a phishing scam in under four minutes. The research builds on prior techniques like VibeScamming and Scamlexity , which found that vibe-coding platforms and AI browsers could be coaxed into generating scam pages or carrying out malicious actions via hidden prompt injections. In other words, with the AI agent handling the tasks without constant human supervision, there arises a shift in the attack surface wherein a scam no longer has to deceive a user. Rather, it aims to trick the AI model itself.

“If you can observe what the agent flags as suspicious, hesitates on, and more importantly, what it thinks and blabbers about the page, you can use that as a training signal,” Chen explained. “The scam evolves until the AI Browser reliably walks into the trap another AI set for it.” The idea, in a nutshell, is to build a “scamming machine” that iteratively optimizes and regenerates a phishing page until the agentic browser stops complaining and proceeds to carry out the threat actor’s bidding, such as entering a victim’s credentials on a bogus web page designed for carrying out a refund scam. What makes this attack interesting and dangerous is that once the fraudster iterates on a web page until it works against a specific AI browser, it works on all users who rely on the same agent. Put differently, the target has shifted from the human user to the AI browser.

“This reveals the unfortunate near future we are facing: scams will not just be launched and adjusted in the wild, they will be trained offline, against the exact model millions rely on, until they work flawlessly on first contact,” Guardio said. “Because when your AI Browser explains why it stopped, it teaches attackers how to bypass it.” The disclosure comes as Trail of Bits demonstrated four prompt injection techniques against the Comet browser to extract users’ private information from services like Gmail by exploiting the browser’s AI assistant and exfiltrating the data to an attacker’s server when the user asks to summarize a web page under their control. Last week, Zenity Labs also detailed two zero-click attacks affecting Perplexity’s Comet that use indirect prompt injection seeded within meeting invites to exfiltrate local files to an external server (aka PerplexedComet ) or hijack a user’s 1Password account if the password manager extension is installed and unlocked. The issues, collectively codenamed PerplexedBrowser, have since been addressed by the AI company.

This is achieved by means of a prompt injection technique referred to as intent collision, which occurs “when the agent merges a benign user request with attacker-controlled instructions from untrusted web data into a single execution plan, without a reliable way to distinguish between the two,” security researcher Stav Cohen said. Prompt injection attacks remain a fundamental security challenge for large language models (LLMs) and for integrating them into organizational workflows, largely because completely eliminating these vulnerabilities may not be feasible. In December 2025, OpenAI noted that such weaknesses are “unlikely to ever” be fully resolved in agentic browsers, although the associated risks could be reduced through automated attack discovery, adversarial training, and new system-level safeguards. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials

Cybersecurity researchers have disclosed details of two now-patched security flaws in the n8n workflow automation platform, including two critical bugs that could result in arbitrary command execution. The vulnerabilities are listed below - CVE-2026-27577 (CVSS score: 9.4) - Expression sandbox escape leading to remote code execution (RCE) CVE-2026-27493 (CVSS score: 9.5) - Unauthenticated expression evaluation via n8n’s Form nodes “CVE-2026-27577 is a sandbox escape in the expression compiler: a missing case in the AST rewriter lets process slip through untransformed, giving any authenticated expression full RCE,” Pillar Security researcher Eilon Cohen, who discovered and reported the issues, said in a report shared with The Hacker News. The cybersecurity company described CVE-2026-27493 as a “double-evaluation bug” in n8n’s Form nodes that could be abused for expression injection by taking advantage of the fact that the form endpoints are public by design and require neither authentication nor an n8n account. All it takes for successful exploitation is to leverage a public “Contact Us” form to execute arbitrary shell commands by simply providing a payload as input into the Name field.

In an advisory released late last month, n8n said CVE-2026-27577 could be weaponized by an authenticated user with permission to create or modify workflows to trigger unintended system command execution on the host running n8n via crafted expressions in workflow parameters. N8n also noted that CVE-2026-27493, when chained with an expression sandbox escape like CVE-2026-27577, could “escalate to remote code execution on the n8n host.” Both vulnerabilities affect the self-hosted and cloud deployments of n8n - < 1.123.22, >= 2.0.0 < 2.9.3, and >= 2.10.0 < 2.10.1 - Fixed in versions 2.10.1, 2.9.3, and 1.123.22 If immediate patching of CVE-2026-27577 is not an option, users are advised to limit workflow creation and editing permissions to fully trusted users and deploy n8n in a hardened environment with restricted operating system privileges and network access. As for CVE-2026-27493, n8n recommends the following mitigations - Review the usage of form nodes manually for the above-mentioned preconditions. Disable the Form node by adding n8n-nodes-base.form to the NODES_EXCLUDE environment variable.

Disable the Form Trigger node by adding n8n-nodes-base.formTrigger to the NODES_EXCLUDE environment variable. “These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures,” the maintainers cautioned. Pillar Security said an attacker could exploit these flaws to read the N8N_ENCRYPTION_KEY environment variable and use it to decrypt every credential stored in n8n’s database, including AWS keys, database passwords, OAuth tokens, and API keys. N8n versions 2.10.1, 2.9.3, and 1.123.22 also resolve two more critical vulnerabilities that could also be abused to achieve arbitrary code execution - CVE-2026-27495 (CVSS score: 9.4) - An authenticated user with permission to create or modify workflows could exploit a code injection vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside the sandbox boundary.

CVE-2026-27497 (CVSS score: 9.4) - An authenticated user with permission to create or modify workflows could leverage the Merge node’s SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. Besides limiting workflow creation and editing permissions to trusted users, n8n has outlined the workarounds below for each flaw - CVE-2026-27495

• Use external runner mode (N8N_RUNNERS_MODE=external) to limit the blast radius. CVE-2026-27497
• Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable. While n8n makes no mention of any of these vulnerabilities being exploited in the wild, users are advised to keep their installations up-to-date for optimal protection.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Meta Disables 150K Accounts Linked to Southeast Asia Scam Centers in Global Crackdown

Meta on Wednesday said it disabled over 150,000 accounts associated with scam centers in Southeast Asia as part of a coordinated effort in partnership with authorities from Thailand, the U.S., the U.K., Canada, Korea, Japan, Singapore, the Philippines, Australia, New Zealand, and Indonesia. The effort also led to 21 arrests made by the Royal Thai Police, the company said. The action builds upon a pilot initiative in December 2025 that resulted in Meta removing 59,000 accounts, Pages, and Groups from its platforms and six arrest warrants. “ Online scams have become significantly more sophisticated and industrialized in recent years, with criminal networks often based in Southeast Asia in countries like Cambodia, Myanmar, and Laos running what amount to full-scale business operations,” Meta said in a statement.

“These operations cause real harm – they upend lives, destroy trust, and are deliberately designed to avoid detection and disruption.” In tandem, Meta said it’s announcing a number of new tools to protect people when scam-related red flags are detected - New warnings on Facebook when users receive suspicious accounts. Alerting users when they receive suspicious WhatsApp device linking requests by tricking them into scanning a QR code that would link the scammer’s device to their account. Expanded advanced scam detection on Messenger that prompts users to share recent chat messages for an AI scam review when a conversation with a new contact exhibits common scam patterns like suspicious job offers. The social media giant said it removed over 159 million scam ads for violating its policies in 2025, and that it took down 10.9 million accounts on Facebook and Instagram associated with criminal scam centers.

In addition, the company has announced plans to expand advertiser verification in an attempt to bolster transparency and curtail efforts by bad actors to misrepresent advertiser identity. The development comes as the U.K. government launched a new Online Crime Centre to combat cybercrime, including those fueled by the rise of scam compounds operating across Southeast Asia, West Africa, Eastern Europe, India, and China, by bringing together specialists from the government, police, intelligence agencies, banks, mobile networks, and major technology firms. The disruption unit is expected to commence operations next month.

It’s part of the government’s new Fraud Strategy 2026 to 2029 , which also outlines plans to deploy artificial intelligence (AI) to flag emerging fraud patterns, stop suspicious bank transfers faster, and use “scam-baiting chatbots” to deceive fraudsters and gather intelligence. “Backed by over £30 million in funding, the centre will identify the accounts, websites and phone numbers that organised crime groups rely on, and shut them down at scale – blocking scam texts, freezing criminal accounts, removing scam social media accounts and disrupting operations at source,” the U.K. government said . Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.