2026-04-22 AI Startup News
SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation
Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC. According to new research published by Check Point, the command-and-control (C2 or C&C) server linked to SystemBC has led to the discovery of a botnet of more than 1,570 victims. “SystemBC establishes SOCKS5 network tunnels within the victim’s environment and connects to its C&C server using a custom RC4‑encrypted protocol,” Check Point said. It can also download and execute additional malware, with payloads either written to disk or injected directly into memory.
Since its emergence in July 2025, The Gentlemen has quickly established itself as one of the most prolific ransomware groups, claiming more than 320 victims on its data leak site. Operating under a classic double-extortion model, the group is as versatile as it is sophisticated, exhibiting capabilities to target Windows, Linux, NAS, and BSD systems with a Go-based locker as well as employing legitimate drivers and custom malicious tools to subvert defenses. Exactly how the threat actors obtain initial access is unclear, although evidence suggests that internet-facing services or compromised credentials are being abused to establish an initial foothold, followed by discovery, lateral movement, payload staging (i.e., Cobalt Strike, SystemBC, and the encryptor), defense evasion, and ransomware deployment. A notable aspect of the attacks is the abuse of Group Policy Objects (GPOs) to facilitate domain-wide compromise.
“By tailoring their tactics against specific security vendors, The Gentlemen have demonstrated an acute awareness of their targets’ environments and a willingness to engage in in-depth reconnaissance and tool modification throughout the course of their operation,” security vendor Trend Micro noted in an analysis of the group’s tradecraft in September 2025. The latest findings from Check Point show that an affiliate of The Gentlemen RaaS deployed SystemBC on a compromised host, with the C2 server linked to the proxy malware commandeering hundreds of victims across the globe, including the U.S., the U.K., Germany, Australia, and Romania. While SystemBC has been used in ransomware operations as far back as 2020, the exact nature of the connection between the malware and The Gentlemen e-crime scheme remains unclear, such as whether it’s part of the attack playbook or if it’s something deployed by a specific affiliate for data exfiltration and remote access. “During lateral movement, the ransomware makes an attempt to blind Windows Defender on each reachable remote host by pushing a PowerShell script that disables real-time monitoring, adds broad exclusions for the drive, staging share, and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls, all before deploying and executing the ransomware binary on that host,” Check Point said.
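As an added, defensive example (constructed for this page, not code from the Check Point report), the Python below shows how a detection engineer could surface the defence-impairment sequence Check Point describes by correlating PowerShell script-block events per host; the sample event lines are made up, and the cmdlets in them are assumed to be the usual ways of performing each listed action rather than commands quoted by the report.

```python
import re
from collections import defaultdict

# Constructed sample PowerShell script-block events (Event ID 4104) in a
# simplified "host|event_id|script_block" form. The cmdlets are the usual
# ways to perform each action the article lists; they are assumptions for
# this example, not commands taken from the Check Point report.
SAMPLE_EVENTS = [
    "WS01|4104|Set-MpPreference -DisableRealtimeMonitoring $true",
    r"WS01|4104|Add-MpPreference -ExclusionPath 'C:\' ; Add-MpPreference -ExclusionProcess 'locker.exe'",
    "WS01|4104|netsh advfirewall set allprofiles state off",
    "WS01|4104|Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart",
    r"WS01|4104|Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RestrictAnonymous -Value 0",
    "WS02|4104|Get-Process | Where-Object { $_.CPU -gt 100 }",
    r"WS02|4104|Add-MpPreference -ExclusionPath 'C:\Build\cache'",   # routine sub-folder exclusion
    "WS02|4103|Set-MpPreference -DisableRealtimeMonitoring $true",   # not a script-block event, ignored
]

# One signature per impairment behaviour named in the article.
SIGNATURES = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    # A whole-drive exclusion such as C:\ ; a sub-folder exclusion does not match.
    "drive_root_exclusion": re.compile(
        r"-ExclusionPath\s+['\"]?[A-Za-z]:\\['\"]?(\s|;|$)", re.I),
    "firewall_off": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "smb1_enabled": re.compile(
        r"Enable-WindowsOptionalFeature\b.*SMB1Protocol", re.I),
    "lsa_anonymous_loosened": re.compile(
        r"Control\\Lsa\b.*RestrictAnonymous\w*\s+-Value\s+0\b", re.I),
}


def classify_script_block(script_block):
    """Return the set of impairment behaviours a single script block exhibits."""
    return {name for name, rx in SIGNATURES.items() if rx.search(script_block)}


def detect_defense_impairment(lines, min_categories=3):
    """Correlate per host. One isolated action (a single exclusion) is routine
    admin work; several distinct impairments on the same host match the
    pre-encryption sequence the article describes, so only those hosts are
    reported, each with the sorted list of behaviours seen."""
    per_host = defaultdict(set)
    for line in lines:
        host, event_id, script_block = line.split("|", 2)
        if event_id != "4104":  # only script-block logging carries the script text
            continue
        per_host[host] |= classify_script_block(script_block)
    return {host: sorted(cats) for host, cats in per_host.items()
            if len(cats) >= min_categories}


if __name__ == "__main__":
    for host, cats in detect_defense_impairment(SAMPLE_EVENTS).items():
        print(f"{host}: {len(cats)} impairment behaviours -> {', '.join(cats)}")
```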
The ESXi variant incorporates fewer functionalities than the Windows variant, but is equipped to shut down virtual machines to enhance the effectiveness of the attack, adds persistence via crontab, and inhibits recovery before the ransomware binary is deployed. “Most ransomware groups make noise when they launch and then disappear. The Gentlemen are different,” Eli Smadja, group manager at Check Point Research, said in a statement shared with The Hacker News. “They’ve cracked the affiliate recruitment problem by offering a better deal than anyone else in the criminal ecosystem.
When we got inside one of their operator’s servers, we found over 1,570 compromised corporate networks that hadn’t even made the news yet. The real scale of this operation is significantly larger than what’s publicly known, and it’s still growing.” The findings come as Rapid7 highlighted the inner workings of another relatively new ransomware family called Kyber that surfaced in September 2025, targeting Windows and VMware ESXi infrastructures using encryptors developed in Rust and C++, respectively. “The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces,” the cybersecurity company said. “The Windows variant, written in Rust, includes a self-described ‘experimental’ feature for targeting Hyper-V.” “Kyber ransomware isn’t a masterpiece of complex code, but it is highly effective at causing destruction.
It reflects a shift toward specialization over sophistication.” According to data compiled by ZeroFox, at least 2,059 separate ransomware and digital extortion (R&DE) incidents have been observed in Q1 2026, with March accounting for no less than 747 incidents. The most active groups during the time period were Qilin (338), Akira (197), The Gentlemen (192), INC Ransom, and Cl0p. “Notably, North America-based victims accounted for approximately 20 percent of The Gentlemen’s attacks in Q3 2025, 2% in Q4 2025, and 13% in Q1 2026,” ZeroFox said. “This largely goes against typical regional targeting trends by other R&DE collectives, at least 50 percent of whose victims are North America-based.”
The Shifting Velocity of Ransomware Attacks
Cybersecurity company Halcyon, in its 2025 Ransomware Evolution Report, revealed that the threat continues to mature into a more disciplined, business-driven criminal enterprise, even as ransomware attacks targeting the automotive industry more than doubled in 2025, accounting for 44% of all cyber incidents across the sector.
Other significant trends include attempts to impair Endpoint Detection and Response (EDR) security tools, use of the Bring Your Own Vulnerable Driver (BYOVD) attack technique to escalate privileges and disable security solutions, blurring of nation-state and criminal ransomware campaigns, and increased targeting of small and mid-sized organizations and operational technology (OT) environments. “Ransomware continued to grow as a durable, industrialized ecosystem built on specialization, shared infrastructure, and rapid regeneration rather than any single brand,” it said. “Law enforcement pressure and infrastructure seizures disrupted major operations, driving fragmentation, rebranding, and intensified competition across a more fluid landscape.” Ransomware operations are increasingly fast-moving, with dwell times collapsing from days to hours. About 69% of observed attack attempts have been found to be deliberately staged during nights and weekends to outpace defender response.
For instance, attacks involving Akira ransomware have demonstrated an unusual swiftness, rapidly escalating from initial foothold to full encryption within an hour in some cases without detection, highlighting a well-oiled attack engine designed to maximize impact. “Akira’s combination of rapid compromise capabilities, disciplined operational tempo, and investment in reliable decryption infrastructure sets it apart from many ransomware operators,” Halcyon said. “Defenders should treat Akira not as an opportunistic threat, but as a capable, persistent adversary that will exploit every available weakness to reach its objective.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters
Cybersecurity researchers have identified 22 new vulnerabilities in popular models of serial-to-IP converters from Lantronix and Silex that could be exploited to hijack susceptible devices and tamper with data exchanged by them. The vulnerabilities have been collectively codenamed BRIDGE:BREAK by Forescout Research Vedere Labs, which identified nearly 20,000 Serial-to-Ethernet converters exposed online globally. “Some of these vulnerabilities allow attackers to take full control of mission-critical devices connected via serial links,” the cybersecurity company said in a report shared with The Hacker News. Serial-to-IP converters are hardware devices that enable users to remotely access, control, and manage any serial device over an IP network or the internet by “bridging” legacy applications and industrial control systems (ICS) that operate over TCP/IP.
At a high level, as many as eight security flaws have been discovered in Lantronix products (EDS3000PS Series and EDS5000 Series) and 14 in Silex SD330-AC. These shortcomings fall under the following broad categories:
- Remote code execution: CVE-2026-32955, CVE-2026-32956, CVE-2026-32961, CVE-2025-67041, CVE-2025-67034, CVE-2025-67035, CVE-2025-67036, CVE-2025-67037, and CVE-2025-67038
- Client-side code execution: CVE-2026-32963
- Denial-of-service (DoS): CVE-2026-32961, CVE-2015-5621, CVE-2024-24487
- Authentication bypass: CVE-2026-32960, CVE-2025-67039
- Device takeover: FSCT-2025-0021 (no CVE assigned), CVE-2026-32965, CVE-2025-70082
- Firmware tampering: CVE-2026-32958
- Configuration tampering: CVE-2026-32962, CVE-2026-32964
- Information disclosure: CVE-2026-32959
- Arbitrary file upload: CVE-2026-32957
Successful exploitation of the aforementioned flaws could allow attackers to disrupt serial communications with field assets, conduct lateral movement, and tamper with sensor values or modify actuator behavior. In a hypothetical attack scenario, a threat actor could gain initial access to a remote facility through an internet-exposed edge device, such as an industrial router or firewall, and then weaponize BRIDGE:BREAK vulnerabilities to compromise the serial-to-IP converter, and alter serial data moving to or from the IP network. Lantronix and Silex have released security updates to address the identified issues:
- Lantronix EDS3000PS Series
- Lantronix EDS5000 Series
- Silex
Besides applying patches, users are advised to replace default credentials, avoid using weak passwords, segment networks to prevent bad actors from reaching vulnerable serial-to-IP converters or using them as jumping-off points to other critical assets, and ensure the devices are not exposed to the internet.
“This research highlights weaknesses in serial-to-IP converters and the risks they can introduce in critical environments,” Forescout said. “As these devices are increasingly deployed to connect legacy serial equipment to IP networks, vendors and end-users should treat their security implications as a core operational requirement.”
Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023
A third individual who was employed as a ransomware negotiator has pleaded guilty to conducting ransomware attacks against U.S. companies in 2023. Angelo Martino, 41, of Land O’Lakes, Florida, teamed up with the operators of the BlackCat ransomware starting in April 2023 to assist the e-crime gang in extracting higher amounts as ransoms. “Working as a negotiator on behalf of five different ransomware victims, Martino provided BlackCat attackers with confidential information about the negotiating position and strategy of his company’s clients without the clients’ or his employer’s knowledge or permission,” the U.S. Department of Justice (DoJ) said in a Monday announcement. The information, which included the victims’ insurance policy limits and internal negotiation positions, maximized the ransoms they were required to pay. Martino was financially compensated in exchange for providing the details. Martino, who was charged last month, also admitted to collaborating with two other incident responders, Ryan Goldberg and Kevin Martin, to successfully deploy BlackCat ransomware against multiple victims in the U.S. between April 2023 and November 2023. Martino and Martin worked for DigitalMint, while Goldberg was an incident response manager for cybersecurity company Sygnia. In one case, the defendants successfully extorted one victim for approximately $1.2 million in Bitcoin, and then split the illicit proceeds among themselves and laundered the funds through various means. In all, authorities seized $10 million of assets from Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat.
Martino has pleaded guilty to one count of conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion. He is scheduled to be sentenced on July 9, 2026, and faces a maximum penalty of 20 years in prison. Martin and Goldberg pleaded guilty to the crime in December 2025 and are expected to be sentenced later this month. Like Martino, both face a prison term of up to 20 years.
“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” said Assistant Attorney General A. Tysen Duva of the DoJ’s Criminal Division. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals and harming victims, his own employer, and the cyber incident response industry itself.”
5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time
Security teams often present MTTR as an internal KPI. Leadership sees it differently: every hour a threat dwells inside the environment is an hour of potential data exfiltration, service disruption, regulatory exposure, and brand damage. The root cause of slow MTTR is almost never “not enough analysts.” It is almost always the same structural problem: threat intelligence that exists outside the workflow. Feeds that require manual lookup.
Reports that live in a shared drive. Enrichment that happens in a separate tab. Every handoff costs minutes; over the course of a workday, those minutes become hours. Mature SOCs have collapsed those handoffs.
Their intelligence is embedded in the workflow itself at the exact moment a decision needs to be made. Below are the five places where this difference matters most.
1. Detection: Catching Threats Before They Become Incidents
In many SOCs, detection begins only when an alert fires.
By that point, the attacker may already have a foothold, persistence, or worse. Mature SOCs shift this dynamic by extending their visibility beyond internal signals. With ANY.RUN Threat Intelligence Feeds, they continuously ingest fresh indicators from real-world attacks and match them against their own telemetry. This means suspicious infrastructure can be flagged even before it triggers traditional alerts.
The effect is subtle but powerful. Detection moves upstream. Instead of reacting to confirmed incidents, teams start catching activity in its early stages, when containment is faster and far less expensive.
[Figure: TI Feeds: data sources and benefits]
From a business perspective, this is where risk is quietly reduced.
The earlier a threat is identified, the less opportunity it has to evolve into a costly breach.
2. Triage: Turning Uncertainty into Instant Clarity
If detection is about seeing, triage is about deciding. And this is where many SOCs lose momentum.
In less mature environments, triage often turns into a mini-investigation. Analysts pivot between tools, search for context, and escalate alerts “just in case.” The process becomes cautious, slow, and expensive in terms of human effort. Mature SOCs compress this step dramatically. Using ANY.RUN Threat Intelligence Lookup, they enrich indicators instantly, pulling in behavioral context from real malware executions.
Instead of guessing whether something is malicious, analysts immediately understand what it does and how serious it is. Decisions become faster, escalations more precise, and Tier 1 analysts handle far more on their own. For example, just look up a suspicious domain spotted in your perimeter and find out instantly that it belongs to MacSync stealer infrastructure:
[Figure: Domain lookup with a quick “malicious” verdict and IOCs]
What further accelerates this process is the AI-powered search inside TI Lookup. Instead of relying on precise syntax, complex filters, or deep familiarity with query parameters, analysts can describe what they are looking for and get it translated into structured queries, removing a layer of friction that traditionally slows down investigations.
This doesn’t just make experts faster; it makes less experienced analysts far more effective. The barrier to advanced search capabilities drops, and the time spent figuring out how to search is replaced by focusing on what the results mean. For the business, this translates into efficiency that doesn’t require additional hiring.
The SOC simply becomes more capable with the same resources. Stop threats before they start to cost: integrate live TI.
3. Investigation: From Fragmented Clues to a Coherent Story
Investigation is where time can stretch the most.
In many SOCs, it’s a process of stitching together fragments: logs from one system, reputation checks from another, behavioral guesses built on limited data. This fragmentation is expensive. Not just in minutes, but in cognitive load. Mature SOCs reduce that complexity by anchoring investigations in context-rich intelligence.
With ANY.RUN’s threat intelligence ecosystem, indicators are not just labels. They are connected to real execution data, attack chains, and observable behaviors. Instead of reconstructing what might have happened, analysts can see what did happen. The investigation becomes less about searching and more about understanding.
This shift shortens analysis time and raises the overall quality of decisions. It also allows less experienced analysts to operate with greater confidence, which is often an overlooked advantage. From a business standpoint, faster and clearer investigations mean reduced dwell time, which directly limits the scale of potential damage. Built on real-time data from over 15,000 organizations and 600,000 analysts detonating live malware and phishing samples every day, this behavioral intelligence connects raw IOCs to actual attack execution, TTPs, and artifacts.
The result? MTTR drops dramatically because context is instant, automation is accurate, and decisions are confident.
4. Response: Acting at the Speed of Confidence
Even when a threat is identified, response can lag.
Manual steps, inconsistent playbooks, and delays between decision and action all stretch MTTR. Mature SOCs treat response as something that should happen almost automatically once a threat is confirmed. They integrate ANY.RUN Threat Intelligence Feeds into SIEM and SOAR platforms, which ensures that known malicious indicators trigger immediate actions such as blocking or isolation.
[Figure: TI Feeds integrations and connectors]
There is a certain elegance to this.
The system reacts not with hesitation, but with certainty. The time between “we know this is bad” and “it’s contained” shrinks to seconds. For the business, this is where operational impact is minimized. Faster containment reduces downtime, protects critical assets, and keeps disruptions from cascading across systems.
5. Threat Hunting & Prevention: Learning Before It Hurts Again
The final difference between mature and less mature SOCs lies in what happens between incidents. Reactive teams move from alert to alert, often encountering variations of the same attack without realizing it. There is little time or structure for proactive work.
Mature SOCs deliberately carve out that space. With ANY.RUN Threat Reports and continuously updated intelligence feeds, they track emerging campaigns, understand attacker techniques, and adapt their defenses in advance. Over time, this creates a compounding effect. The SOC doesn’t just respond faster.
It encounters fewer incidents to begin with. From a business perspective, this is where cybersecurity starts to feel less like firefighting and more like risk management. Fewer surprises, fewer disruptions, and a stronger overall security posture.
Where the Time Really Goes
What becomes clear across all five areas is that delays rarely come from a single dramatic failure.
They come from small, repeated inefficiencies. A missing piece of context here, an extra lookup there, a delayed decision somewhere in between. Individually, these moments seem minor. Together, they stretch MTTR far beyond what it should be.
Mature SOCs solve this not by speeding up people, but by redesigning how information flows. When ANY.RUN’s threat intelligence, incorporating TI Feeds, TI Lookup, and Threat Reports, is integrated into daily workflows, the need to search, verify, and cross-check is dramatically reduced. The work changes in nature. Analysts spend less time chasing data and more time making decisions.
Boost your SOC to maturity with behavioral threat intelligence. Cut MTTR & protect revenue. Contact ANY.RUN and choose your plan.
For leadership, the implications are straightforward but significant. Improving MTTR is not just a technical goal.
It is a business lever. Faster detection and response reduce the likelihood of major incidents, limit operational disruption, and improve the return on existing security investments. ANY.RUN Threat Intelligence supports this across every stage of SOC operations:
- It brings earlier visibility into threats;
- It accelerates decision-making during triage;
- It simplifies investigations with real behavioral context;
- It enables faster, automated response;
- It strengthens proactive defense through continuous insight.
The result is not just a faster SOC, but a more resilient organization.
This article is a contributed piece from one of our valued partners.
NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
Cybersecurity researchers have discovered a new iteration of an Android malware family called NGate that has been found to abuse a legitimate application called HandyPay instead of NFCGate. “The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated,” ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. “As with previous iterations of NGate, the malicious code allows the attackers to transfer NFC data from the victim’s payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments.” In addition, the malicious payload is capable of capturing the victim’s payment card PIN and exfiltrating it to the threat actor’s command-and-control (C2) server. NGate, also known as NFSkate, was first publicly documented by the Slovak cybersecurity vendor in August 2024, detailing its ability to carry out relay attacks to siphon victims’ contactless payment data with an aim to conduct fraudulent transactions.
A year later, Dutch mobile security company ThreatFabric detailed a threat codenamed RatOn that used dropper apps impersonating adult-friendly versions of TikTok to deploy NGate to carry out NFC relay attacks. The latest version of NGate detected by ESET has primarily targeted users in Brazil, marking the first such campaign to single out the South American nation. The trojanized HandyPay application is distributed via websites masquerading as Rio de Prêmios, a lottery run by the Rio de Janeiro state lottery organization, and a Google Play Store listing page for a purported card protection app. The fake lottery website seeks to convince a user to tap a button to send a WhatsApp message to claim the prize money, at which point they are directed to likely download the poisoned version of the HandyPay app.
Regardless of the method used, the app asks to be set as the default payment app following installation. Then, the victim is asked to enter the payment card PIN into the app and tap their card on the back of the NFC-enabled smartphone. As soon as this step is carried out, the malware abuses HandyPay to capture and relay the NFC card data to an attacker-controlled device, thereby allowing them to use the stolen information to make cash withdrawals from ATMs. The active campaign is assessed to have begun around November 2025.
The malicious version of HandyPay has never been made available on the Google Play Store, meaning attackers are using the aforementioned methods as delivery mechanisms to trick unsuspecting users into downloading it. HandyPay has since launched an internal investigation into the matter. ESET noted that the cheaper subscription prices for HandyPay may have caused the operators of the campaign to switch, as opposed to sticking with existing turnkey solutions that cost north of $400 per month. “In addition to the price, HandyPay natively does not require any permissions, only to be made the default payment app, helping the threat actors avoid raising suspicion,” the company pointed out.
An analysis of the artifact has revealed the presence of emojis in debug and toast messages, highlighting the possible use of a large language model (LLM) to generate or modify the source code. While conclusive proof remains elusive, the development aligns with a broader trend of cybercriminals latching on to generative artificial intelligence (AI) to produce malware even with little to no technical expertise. “With the appearance of yet another NGate campaign on the scene, it can be plainly seen that NFC fraud is on the rise,” ESET said. “This time, instead of using an established solution such as NFCGate or a MaaS on offer, the threat actors decided to trojanize HandyPay, an application with existing NFC relay functionality.”
No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks
The cybersecurity industry has spent the last several years chasing sophisticated threats like zero-days, supply chain compromises, and AI-generated exploits. However, the most reliable entry point for attackers still hasn’t changed: stolen credentials. Identity-based attacks remain a dominant initial access vector in breaches today. Attackers obtain valid credentials through credential stuffing from prior breach databases, password spraying against exposed services, or phishing campaigns — and use them to walk through the front door.
No exploits needed. Just a valid username and password. What makes this difficult to defend against is how unremarkable the initial access looks. A successful login from a legitimate credential doesn’t trigger the same alarms as a port scan or a malware callback.
The attacker looks like an employee. Once inside, they dump and crack additional passwords, reuse those credentials to move laterally, and expand their foothold across the environment. For ransomware crews, this chain leads to encryption and extortion within hours. For nation-state actors, the same entry point supports long-term persistence and intelligence gathering.
AI Is Accelerating What Already Works
The fundamental attack pattern here hasn’t changed much. But what has changed is the speed and polish with which it gets executed. Attackers are leveraging AI to scale their operations by automating credential testing across larger target sets, writing custom tooling faster, and crafting phishing emails that are materially harder to distinguish from legitimate communications. This acceleration puts additional pressure on already-stretched defenders.
Breaches are unfolding faster, spreading further and touching more of the environment, from identity systems to cloud infrastructure to endpoints. IR teams built for a slower tempo of engagement are finding that their existing processes can’t keep pace.
A Dynamic Approach to Incident Response
This is where the way teams think about incident response matters as much as the technical controls they deploy. In SEC504, we teach the Dynamic Approach to Incident Response, or DAIR — a model designed to handle incidents of any size and shape more effectively than the traditional linear approach.
The classic model treats the process as a sequence: prepare, identify, contain, eradicate, recover, debrief. The problem isn’t the theory, it’s that real incidents don’t unfold in a straight line. New data surfaces during containment that changes what you thought the scope was. Evidence collected during eradication reveals attacker tactics you didn’t know about during initial detection.
The scope almost always grows — it rarely shrinks. DAIR accounts for this reality. After detecting and verifying an incident, response teams enter a loop: scoping the compromise, containing affected systems, eradicating the threat, and recovering operations. That loop repeats as new information emerges.
Consider a credential-based compromise where initial scoping identifies a single affected workstation. During containment, forensic analysis reveals a registry-based persistence mechanism. That finding sends the team back to scoping — now searching the entire enterprise for the same indicator on other systems. A confirmed attacker IP address uncovered during that sweep triggers another pass through containment and eradication.
Each cycle produces better intelligence, which feeds the next round of response actions. The response keeps cycling until the team and organizational decision-makers determine the incident is fully addressed. This is what separates DAIR from the traditional model: it treats the messy, iterative nature of real-world investigations as a feature of the process, not a deviation from it.
Communication Comes First
When multiple teams converge on an incident — spanning SOC analysts, cloud engineers, IR leads, and system administrators — maintaining alignment can be difficult.
Most organizations aren’t perfectly aligned across those functions before an incident hits. What you can control is how well you communicate once the response is underway. Communication is the single most important factor in effective incident response. It determines whether scoping data reaches the right people, whether containment actions are coordinated or contradictory, and whether decision-makers have accurate information to guide priorities.
Beyond communication, consistent practice and rehearsal are essential. And the technical capabilities of your team still matter enormously. As AI becomes increasingly part of the defensive toolkit, it takes sharp practitioners to configure and direct those capabilities effectively.
Building Skills That Matter
The organizations that handle identity-based attacks well are the ones that invested in their people before the incident started.
They’ve trained their teams on how attackers actually operate — not just in theory, but through hands-on practice against the same tools and techniques used in real compromises. Executing the DAIR response loop effectively requires practitioners who understand both sides of the engagement: how attackers gain access, move laterally, and persist — and how to investigate the evidence they leave behind at each stage. This June, I will be teaching SEC504: Hacker Tools, Techniques, and Incident Handling at SANS Chicago 2026. The course covers the full attack lifecycle — from initial credential compromise through lateral movement and persistence — alongside the incident response skills needed to detect, contain, and eradicate threats using the DAIR model.
For practitioners who want to sharpen both their offensive understanding and their defensive response capabilities, this is where to start. Register for SANS Chicago 2026 here . Note : This article has been expertly written and contributed by Jon Gorenflo, SANS Instructor, SEC504: Hacker Tools, Techniques, and Incident Handling Found this article interesting? This article is a contributed piece from one of our valued partners.
Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution
Cybersecurity researchers have discovered a vulnerability in Google’s agentic integrated development environment (IDE), Antigravity, that could be exploited to achieve code execution. The flaw, since patched, combines Antigravity’s permitted file-creation capabilities with insufficient input sanitization in Antigravity’s native file-searching tool, find_by_name, to bypass the program’s Strict Mode, a restrictive security configuration that limits network access, prevents out-of-workspace writes, and ensures all commands are being run within a sandbox context. “By injecting the -X (exec-batch) flag through the Pattern parameter [in the find_by_name tool], an attacker can force fd to execute arbitrary binaries against workspace files,” Pillar Security researcher Dan Lisichkin said in an analysis. “Combined with Antigravity’s ability to create files as a permitted action, this enables a full attack chain: stage a malicious script, then trigger it through a seemingly legitimate search, all without additional user interaction once the prompt injection lands.” The attack takes advantage of the fact that the find_by_name tool call is executed before any of the constraints associated with Strict Mode are enforced and is instead interpreted as a native tool invocation, leading to arbitrary code execution.
While the Pattern parameter is designed to accept a filename search pattern to trigger a file and directory search using fd through find_by_name, it’s undermined by a lack of strict validation, passing the input directly to the underlying fd command. An attacker could, therefore, leverage this behavior to stage a malicious file and inject malicious commands into the Pattern parameter to trigger the execution of the payload. “The critical flag here is -X (exec-batch). When passed to fd, this flag executes a specified binary against each matched file,” Pillar explained.
“By crafting a Pattern value of -Xsh, an attacker causes fd to pass matched files to sh for execution as shell scripts.” Alternatively, the attack can be initiated via an indirect prompt injection without having to compromise a user’s account. In this approach, an unsuspecting user pulls a seemingly harmless file from an untrusted source that contains hidden attacker-controlled comments instructing the artificial intelligence (AI) agent to stage and trigger the exploit. Following responsible disclosure on January 7, 2026, Google addressed the shortcoming as of February 28. “Tools designed for constrained operations become attack vectors when their inputs are not strictly validated,” Lisichkin said.
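The argument-injection mechanism described above, as an added illustration that is not code from Antigravity, Pillar Security, or fd: a wrapper that hands an untrusted Pattern value straight to fd as argv lets a value beginning with "-" be parsed as an option, while one that validates the value and places it after the conventional "--" end-of-options marker keeps it a pattern. The option parser below is a constructed, simplified model of fd's command line built with argparse (only -X/--exec-batch, a pattern and a path are modelled), and fd's real parser is assumed to honour "--" the same way.

```python
"""Argument injection through a file-search tool's Pattern parameter.

Added example, not code from Antigravity or fd. The parser below is a
constructed, simplified stand-in for fd's real CLI; fd's own parser is
assumed to honour the "--" end-of-options marker in the same way.
"""
import argparse
import re

# Characters a filename search pattern legitimately needs; anything else is
# rejected before the value reaches the command line. (Constructed allow-list.)
SAFE_PATTERN = re.compile(r"^[A-Za-z0-9_.*?\[\]-]+$")


def build_argv_vulnerable(pattern: str, root: str = ".") -> list[str]:
    """The flawed shape: the agent-controlled value is the first argument,
    so a value such as "-Xsh" reaches fd as the -X (exec-batch) option."""
    return ["fd", pattern, root]


def build_argv_hardened(pattern: str, root: str = ".") -> list[str]:
    """Validate the value, then put it after "--" so it can only be a pattern."""
    if not pattern or pattern.startswith("-"):
        raise ValueError("search pattern may not start with '-'")
    if not SAFE_PATTERN.match(pattern):
        raise ValueError("search pattern contains characters outside the allow-list")
    return ["fd", "--", pattern, root]


def pattern_is_accepted(pattern: str) -> bool:
    """True if the hardened builder lets the value through to the command line."""
    try:
        build_argv_hardened(pattern)
        return True
    except ValueError:
        return False


def parse_like_fd(argv: list[str]) -> dict:
    """Constructed model of how an option parser reads the argv built above.

    Returns which value ended up as the search pattern and which, if any,
    was taken as the exec-batch command.
    """
    parser = argparse.ArgumentParser(prog="fd", add_help=False)
    parser.add_argument("-X", "--exec-batch", dest="exec_batch", default=None)
    parser.add_argument("pattern", nargs="?", default=None)
    parser.add_argument("path", nargs="?", default=".")
    ns = parser.parse_args(argv[1:])  # argv[0] is the program name
    return {"exec_batch": ns.exec_batch, "pattern": ns.pattern, "path": ns.path}


def main() -> None:
    hostile = "-Xsh"  # the value Pillar describes, used here only as parser input
    print("vulnerable argv parsed as:", parse_like_fd(build_argv_vulnerable(hostile)))
    print("hardened accepts it?", pattern_is_accepted(hostile))
    print("hardened, benign pattern:", parse_like_fd(build_argv_hardened("*.md")))
    # Even if validation were skipped, "--" alone keeps the value a pattern.
    print("after '--':", parse_like_fd(["fd", "--", hostile, "."]))


if __name__ == "__main__":
    main()
```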
“The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content.” The findings coincide with the discovery of a number of now-patched security flaws in various AI-powered tools - Anthropic Claude Code Security Review, Google run-gemini-cli (formerly Gemini CLI Action), and GitHub Copilot Agent have been found vulnerable to prompt injection via GitHub comments, allowing an attacker to turn pull request (PR) titles, issue bodies, and issue comments into attack vectors for API key and token theft. The prompt injection attack has been codenamed Comment and Control, as it weaponizes an AI agent’s elevated access and its ability to process untrusted user input to execute malicious instructions. “The pattern likely applies to any AI agent that ingests untrusted GitHub data and has access to execution tools in the same runtime as production secrets – and beyond GitHub Actions, to any agent that processes untrusted input with access to tools and secrets: Slack bots, Jira agents, email agents, deployment automation,” security researcher Aonan Guan said. “The injection surface changes, but the pattern is the same.” Another vulnerability in Claude Code, discovered by Cisco, is capable of poisoning the coding agent’s memory and maintaining persistence across every project and every session, even after a system reboot.
The attack essentially utilizes a software supply chain attack as an initial access vector to launch a malicious payload that can tamper with the model’s memory files for malicious purposes (e.g., framing insecure practices as necessary architectural requirements) and appends a shell alias to the user’s shell configuration. AI code editor Cursor has been found susceptible to a critical living-off-the-land (LotL) vulnerability chain dubbed NomShub that makes it possible for a malicious repository to clandestinely hijack a developer’s machine by leveraging a mix of indirect prompt injection, a command parser sandbox escape via shell builtins like export and cd, and Cursor’s built-in remote tunnel, granting the attacker persistent, undetected shell access simply upon opening the repository in the IDE. Once persistent access is obtained, the attacker can connect to the machine without triggering the prompt injection again or raising any security alerts. Because Cursor is a legitimate binary that’s signed and notarized, the adversary has unfettered access to the underlying host, gaining full file system access and command execution capabilities.
“A human attacker would need to chain together multiple exploits and maintain persistent access,” Straiker researchers Karpagarajan Vikkii and Amanda Rousseau said. “The AI agent does this autonomously, following the injected instructions as if they were legitimate development tasks.” A novel attack called ToolJack has been found to allow a local attacker to manipulate an AI agent’s perception of its environment and corrupt the tool’s ground truth to produce unintended downstream effects, including poisoned data, fabricated business intelligence, and bogus recommendations. “Where MCP Tool Shadowing poisons tool descriptions to influence agent behavior across servers and ConfusedPilot contaminates a RAG retrieval pool, ToolJack operates as a real-time infrastructure attack on the communication conduit itself,” Preamble researcher Jeremy McHugh said. “It does not wait for the agent to organically encounter poisoned data.
It synthesizes a fabricated reality mid-execution, demonstrating that compromising the protocol boundary yields control over the agent’s entire perception.” Severe indirect prompt injection vulnerabilities have been identified in Microsoft Copilot Studio (aka ShareLeak or CVE-2026-21520, CVSS score: 7.5) and Salesforce Agentforce (aka PipeLeak) that could enable attackers to exfiltrate sensitive data through an external SharePoint form or a simple lead from a form submission, respectively. “The attack exploits the lack of input sanitization and inadequate separation between system instructions and user-supplied data,” Capsule Security researcher Bar Kaduri said about CVE-2026-21520. PipeLeak is similar to ForcedLeak in that the system processes public-facing lead form inputs as trusted instructions, thus allowing an attacker to embed malicious prompts that override the agent’s intended behavior. A trio of vulnerabilities have been identified in Claude that, when chained together in an attack codenamed Claudy Day, allow an attacker to silently hijack a user’s chat session and exfiltrate sensitive data with a single click.
The attack pipeline requires no additional integrations, tools, or Model Context Protocol (MCP) servers. The attack works by embedding hidden instructions in a crafted Claude URL (“claude[.]ai/new?q=…”), encapsulating it in an open redirect on claude[.]com to make it appear legitimate, and then running it as a benign-looking Google ad that, when clicked, triggers the attack by silently redirecting the victim to the crafted “claude[.]ai/new?q=…” URL containing the invisible prompt injection. “Combined with Google Ads, which validates URLs by hostname, this allowed an attacker to place a search ad displaying a trusted claude.com URL that, when clicked, silently redirected the victim to the injection URL. Not a phishing email.
A Google search result, indistinguishable from the real thing,” Oasis Security said. In research published last week, Manifold Security also revealed how a Claude-powered GitHub Actions workflow (“claude-code-action”) can be tricked into approving and merging a pull request containing malicious code with just two Git configuration commands by spoofing a trusted developer’s identity. At its core, the attack entails setting Git’s user.name and user.email properties to those of a well-known developer (in this case, AI researcher Andrej Karpathy). This metadata trickery becomes a problem when an AI system treats it as a signal of trust.
An attacker could exploit this unverified metadata to deceive the AI agent into executing unintended actions. “On the first submission, Claude flagged the PR for manual review, noting that author reputation alone wasn’t sufficient justification,” researchers Ax Sharma and Oleksandr Yaremchuk said. “Reopening and resubmitting the same PR led to its approval. The AI overrode its own better judgment on retry.
This non-determinism is the point. You cannot build a security control on a system that changes its mind.”
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation. The list of vulnerabilities is as follows:
CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class.
CVE-2024-27199 (CVSS score: 7.3) - A relative path traversal vulnerability in JetBrains TeamCity that could allow an attacker to perform limited admin actions.
CVE-2025-2749 (CVSS score: 7.2) - A path traversal vulnerability in Kentico Xperience that could allow an authenticated user’s Staging Sync Server to upload arbitrary data to path relative locations.
CVE-2025-32975 (CVSS score: 10.0) - An improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA) that could allow an attacker to impersonate legitimate users without valid credentials.
CVE-2025-48700 (CVSS score: 6.1) - A cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow an attacker to execute arbitrary JavaScript within the user’s session, resulting in unauthorized access to sensitive information.
CVE-2026-20122 (CVSS score: 5.4) - An incorrect use of privileged APIs vulnerability in Cisco Catalyst SD-WAN Manager that could allow an attacker to upload and overwrite arbitrary files on the affected system and gain vmanage user privileges.
CVE-2026-20128 (CVSS score: 7.5) - A storing passwords in a recoverable format vulnerability in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
CVE-2026-20133 (CVSS score: 6.5) - An exposure of sensitive information to an unauthorized actor vulnerability in Cisco Catalyst SD-WAN Manager that could allow remote attackers to view sensitive information on affected systems.
It’s worth noting that CISA added CVE-2024-27198, another flaw impacting on-premise versions of JetBrains TeamCity, to the KEV catalog in March 2024. It’s not known at this stage if both vulnerabilities are being exploited together and if the activity is the work of the same threat actor.
The exploitation of CVE-2023-27351, on the other hand, was attributed to Lace Tempest in April 2023 in connection with attacks delivering the Cl0p and LockBit ransomware families. As for CVE-2025-32975, Arctic Wolf said it observed unknown threat actors weaponizing the bug to target unpatched SMA systems as recently as late last month, although the exact end goals of the campaign remain unknown. According to the Computer Emergency Response Team of Ukraine (CERT-UA), a threat actor known as UAC-0233 has exploited two vulnerabilities in ZCS (CVE-2025-48700 and CVE-2025-66376) in attacks aimed at Ukrainian entities since September 2025, allowing it to execute arbitrary code without requiring any user interaction. CVE-2025-66376 was added to the CISA KEV catalog in mid-March 2026.
“Upon successful compromise, the attackers gained access to mailbox contents, including correspondence compiled into a TGZ archive, multi-factor authentication backup codes, application passwords, and the global address book,” CERT-UA noted in its H2 2025 report published earlier this month. “This activity is tracked under identifier UAC-0250.” Cisco, for its part, also said it became aware of the exploitation of CVE-2026-20122 and CVE-2026-20128 in March 2026. The company has yet to revise its advisory to reflect the in-the-wild abuse of CVE-2026-20133. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been recommended to address the three Cisco vulnerabilities by April 23, 2026, and the rest by May 4, 2026.
SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code. SGLang is a high-performance, open-source serving framework for large language models and multimodal models.
The official GitHub project has been forked over 5,500 times and starred 26,100 times. According to the CERT Coordination Center (CERT/CC), the vulnerability impacts the reranking endpoint “/v1/rerank,” allowing an attacker to achieve arbitrary code execution in the context of the SGLang service by means of a specially crafted GPT-Generated Unified Format (GGUF) model file. “An attacker exploits this vulnerability by creating a malicious GPT Generated Unified Format (GGUF) model file with a crafted tokenizer.chat_template parameter that contains a Jinja2 server-side template injection (SSTI) payload with a trigger phrase to activate the vulnerable code path,” CERT/CC said in an advisory released today. “The victim then downloads and loads the model in SGLang, and when a request hits the “/v1/rerank” endpoint, the malicious template is rendered, executing the attacker’s arbitrary Python code on the server.
This sequence of events enables the attacker to achieve remote code execution (RCE) on the SGLang server.” Per security researcher Stuart Beck, who discovered and reported the flaw, the underlying issue stems from the use of jinja2.Environment() without sandboxing instead of ImmutableSandboxedEnvironment. This, in turn, enables a malicious model to execute arbitrary Python code on the inference server. The entire sequence of actions is as follows:
An attacker creates a GGUF model file with a malicious tokenizer.chat_template containing a Jinja2 SSTI payload.
The template includes the Qwen3 reranker trigger phrase to activate the vulnerable code path in “entrypoints/openai/serving_rerank.py”.
The victim downloads and loads the model in SGLang from sources like Hugging Face.
When a request hits the “/v1/rerank” endpoint, SGLang reads the chat_template and renders it with jinja2.Environment().
The SSTI payload executes arbitrary Python code on the server.
It’s worth noting that CVE-2026-5760 falls under the same vulnerability class as CVE-2024-34359 (aka Llama Drama, CVSS score: 9.7), a now-patched critical flaw in the llama_cpp_python Python package that could have resulted in arbitrary code execution. The same attack surface was also rectified in vLLM late last year (CVE-2025-61620, CVSS score: 6.5).
“To mitigate this vulnerability, it is recommended to use ImmutableSandboxedEnvironment instead of jinja2.Environment() to render the chat templates,” CERT/CC said. “This will prevent the execution of arbitrary Python code on the server. No response or patch was obtained during the coordination process.”
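The two rendering paths the advisory contrasts, side by side, as an added example that is not SGLang's code or CERT/CC's: a model-supplied chat template rendered through jinja2.Environment() versus ImmutableSandboxedEnvironment, plus the pre-flight check a loader could run before trusting a tokenizer.chat_template. The template strings and the `messages` variable are constructed stand-ins for a chat_template read from a GGUF file and for the request data an inference server would pass in.

```python
"""Rendering a model-supplied Jinja2 chat template: unsandboxed vs sandboxed.

Added example, not code from SGLang or CERT/CC. The template strings are
constructed stand-ins for a tokenizer.chat_template value read from a GGUF
file; `messages` stands in for the request data passed to the template.
"""
from jinja2 import Environment
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Constructed sample templates: one a model author would legitimately ship,
# and a probe that reaches for Python internals the way an SSTI payload must
# before it can do anything else. The probe only names a class; it runs nothing.
BENIGN_TEMPLATE = "{% for m in messages %}<|{{ m.role }}|>{{ m.content }}\n{% endfor %}"
PROBE_TEMPLATE = "{{ messages.__class__.__base__ }}"

# Constructed request data in the shape chat templates conventionally expect.
SAMPLE_MESSAGES = [{"role": "user", "content": "hello"}]


def render_unsandboxed(template_src: str, messages: list) -> str:
    """The vulnerable pattern: jinja2.Environment() trusts the template fully,
    so attribute access into Python internals is resolved like any other."""
    env = Environment()
    return env.from_string(template_src).render(messages=messages)


def render_sandboxed(template_src: str, messages: list) -> str:
    """The mitigation CERT/CC recommends: render inside ImmutableSandboxedEnvironment.

    Access to underscore-prefixed attributes and to mutating methods is refused;
    the sandbox raises SecurityError as soon as the template tries to use the
    refused value, instead of executing it.
    """
    env = ImmutableSandboxedEnvironment()
    return env.from_string(template_src).render(messages=messages)


def template_is_safe(template_src: str, messages: list) -> bool:
    """Pre-flight check a model loader could run before accepting a chat_template:
    do a trial render in the sandbox with harmless data and reject on SecurityError."""
    try:
        render_sandboxed(template_src, messages)
        return True
    except SecurityError:
        return False


if __name__ == "__main__":
    print("benign, sandboxed:", repr(render_sandboxed(BENIGN_TEMPLATE, SAMPLE_MESSAGES)))
    print("probe, unsandboxed:", render_unsandboxed(PROBE_TEMPLATE, SAMPLE_MESSAGES))
    print("probe accepted by sandbox?", template_is_safe(PROBE_TEMPLATE, SAMPLE_MESSAGES))
```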
⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code.
Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust. There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory.
Attackers lean on real tools and normal workflows instead of custom builds. Some cases hint at supply-chain spread, where one weak link reaches further than expected. Go through the whole recap. The pattern across access, execution, and control only shows up when you see it all together.
⚡ Threat of the Week
Vercel Discloses Data Breach —Web infrastructure provider Vercel has disclosed a security breach that allowed bad actors to gain unauthorized access to “certain” internal Vercel systems. The incident originated from the compromise of Context.ai, a third-party artificial intelligence (AI) tool, which was used by an employee at the company, it added. “The attacker used that access to take over the employee’s Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as ‘sensitive,’” the company said. It’s currently not known who is behind the incident, but a threat actor using the ShinyHunters persona has claimed responsibility for the hack.
Context.ai also disclosed a March 2026 incident involving unauthorized access to its AWS environment. However, it has since emerged that the attacker also likely compromised OAuth tokens for some of its consumer users. Furthermore, Hudson Rock uncovered that a Context.ai employee was compromised with Lumma Stealer in February 2026, raising the possibility that the infection may have triggered the “supply chain escalation.”
🔔 Top News
Law Enforcement Operation Brings Down DDoS-for-Hire Operation —Law enforcement agencies across Europe, the U.S., and other partner nations cracked down on the commercial DDoS-for-hire ecosystem, targeting both operators and customers of services used to target websites and knock them offline. As part of the effort, authorities took down 53 domains, arrested four people, and sent warning notifications to thousands of criminal users. The U.S. Justice Department said court-authorized actions were undertaken to disrupt Vac Stresser and Mythical Stress. Such actions are part of a persistent cat-and-mouse game, as booter services often reappear under new names and domains despite repeated takedowns. While these disruptions tend to have short-term results, the resilience of the criminal activity indicates that arrests need to be combined with infrastructure seizures, financial disruption, and user deterrence for lasting impact.
Newly Discovered PowMix Botnet Hits Czech Workers —An active malicious campaign is targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025.
“PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections,” Cisco Talos said. The never-before-seen botnet is designed to facilitate remote access, reconnaissance, and remote code execution, while establishing persistence by means of a scheduled task. At the same time, it verifies the process tree to ensure that another instance of the same malware is not running on the compromised host. AI-Driven Pushpaganda Exploits Google Discover for Ad Fraud —A novel ad fraud scheme has been found to leverage search engine optimization (SEO) poisoning techniques and artificial intelligence (AI)-generated content to push deceptive news stories into Google’s Discover feed and trick users into enabling persistent browser notifications that lead to scareware and financial scams.
The Pushpaganda campaign has been found to target the personalized content feeds of Android and Chrome users. “This operation, named for push notifications central to the scheme, generates invalid organic traffic from real mobile devices by tricking users into subscribing to enabling notifications that presented alarming messages,” HUMAN Security said. Google has since rolled out fixes and algorithmic updates to address the issue. Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT —A social engineering campaign has abused Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors.
Elastic Security Labs is tracking the activity under the name REF6598. It employs elaborate social engineering tactics through LinkedIn and Telegram to breach both Windows and macOS systems by tricking victims into opening a cloud-hosted vault in Obsidian. PHANTOMPULSE is an artificial intelligence (AI)-generated backdoor that uses the Ethereum blockchain for resolving its C2 server. On macOS, the attack is used to deliver an unspecified payload.
CPUID Downloads Hijacked to Serve STX RAT —Unknown threat actors hijacked the official CPUID download page to serve trojanized installers that ultimately led to the deployment of STX RAT, a remote access trojan with infostealer capabilities. The attack did not compromise CPUID’s original signed binaries; instead, the threat actors served their own trojanized packages via a redirect. “The threat actor compromised the official CPUID download page to serve a trojanized package, employing DLL sideloading as the initial execution vector followed by a layered, five-stage in-memory unpacking chain designed to evade detection,” Cyderes said. “The use of a timestomped compilation timestamp, reflective PE loading, and exclusively in-memory payload execution demonstrates a deliberate effort to hinder forensic analysis and bypass traditional security controls.” 108 Malicious Chrome Extensions Steal Google and Telegram Data —A cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited.
The extensions provide the expected functionality to avoid raising red flags, but malicious code running in the background connects to the threat actor’s C2 server to perform the nefarious activities. At the center of the campaign is a backend hosted on a Contabo virtual private server (VPS), with multiple subdomains handling session hijacking, identity collection, command execution, and monetization operations. There is evidence indicating a Russian malware-as-a-service (MaaS) operation, based on the presence of a payment and monetization portal in its C2 infrastructure. OpenAI Launches GPT-5.4-Cyber —OpenAI announced a new model, GPT-5.4-Cyber, specifically designed for use by digital defenders.
Artificial intelligence (AI) companies have repeatedly warned that more capable AI models could create an opening for bad actors to exploit vulnerabilities and security gaps in software with new speed and intensity. Unlike Anthropic, which said its new Claude Mythos model is only being privately released to a small number of trusted organizations due to concerns that it could be exploited by adversaries, OpenAI said “the class of safeguards in use today sufficiently reduce cyber risk enough to support broad deployment of current models,” but hinted at the need for more advanced protections in the long term. Defending critical software has long depended on the ability to find and fix vulnerabilities faster than attackers can exploit them. GPT-5.4-Cyber has a lower refusal boundary for legitimate cybersecurity work than standard GPT-5.4.
It adds capabilities aimed at advanced defensive workflows, including binary reverse engineering. “We don’t think it’s practical or appropriate to centrally decide who gets to defend themselves,” OpenAI stated. “Instead, we aim to enable as many legitimate defenders as possible, with access grounded in verification, trust signals, and accountability.” The use of AI for vulnerability discovery and analysis means that the barrier to entry for attackers is collapsing. Bad actors could ask an AI model to analyze differences between two versions of a binary and generate an exploit at a faster rate.
Rob T. Lee, chief of research at the SANS Institute, said the debut of Mythos and GPT-5.4-Cyber is “nothing more than one vendor trying to one-up another,” adding, “We need to start benchmarking how one AI model is able to find code vulnerabilities over another and how quickly they are doing it. There are real risks at stake here.” At the same time, researchers from AISLE and Xint found that it’s possible to replicate Mythos’s results with smaller, cheaper models. “The critical variable in AI vulnerability discovery is not the model alone,” Xint said.
“It is the structured system that decides where to look, validates that findings are real and exploitable, eliminates false positives, and delivers actionable remediation.”
🔥 Trending CVEs
Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-20184 (Cisco Webex Services), CVE-2026-20147 (Cisco Identity Services Engine and ISE Passive Identity Connector), CVE-2026-20180, CVE-2026-20186 (Cisco Identity Services Engine), CVE-2026-33032 (nginx-ui), CVE-2026-32201 (Microsoft SharePoint Server), CVE-2026-27304 (Adobe ColdFusion), CVE-2026-39813, CVE-2026-39808 (Fortinet FortiSandbox), CVE-2026-40176, CVE-2026-40261 (Composer), CVE-2025-0520 (ShowDoc), CVE-2026-22039 (Kyverno), CVE-2026-27681 (SAP Business Planning and Consolidation and Business Warehouse), CVE-2026-34486, CVE-2026-29146 (Apache Tomcat), CVE-2026-40175 (Axios), CVE-2026-32196 (Microsoft Windows Admin Center), CVE-2026-20204 (Splunk Enterprise), CVE-2026-20205 (Splunk MCP Server), CVE-2026-6296, CVE-2026-6297, CVE-2026-6298, CVE-2026-6299, CVE-2026-6358, CVE-2026-5873 (Google Chrome), CVE-2026-34078 (Tails), CVE-2026-34622 (Adobe Acrobat Reader), CVE-2026-33413 (etcd), CVE-2026-1492 (User Registration & Membership plugin), CVE-2026-23818 (HPE Aruba Networking Private 5G Core On-Prem), CVE-2025-54236 (Magento), CVE-2026-26980 (Ghost CMS), CVE-2026-40478 (Thymeleaf), CVE-2026-41242 (protobufjs), CVE-2026-40871 (Mailcow), CVE-2026-5747 (AWS Firecracker), and CVE-2025-50892 (eudskacs.sys).
🎥 Cybersecurity Webinars
The Force Awakens in AppSec: Rethinking Mythos & Organizational Defenses at AI Speed → This webinar explores how AI-powered hacking is making traditional security patching too slow to be effective.
It focuses on the “patch gap”— the dangerous time between a bug being found and fixed—and offers a new way to prioritize vulnerabilities based on real-world risk. The session provides practical strategies for security leaders to defend against automated, high-speed attacks. The Rise of the Agent: Moving to Autonomous Exposure Validation → This webinar explores how “agentic” AI is changing security testing by using autonomous AI agents to simulate real-world attacks. Unlike traditional scanners, these tools continuously find and validate which security gaps are actually reachable by hackers.
The session focuses on moving from slow, manual checks to automated exposure validation to stay ahead of AI-driven threats.
📰 Around the Cyber World
Vect Partners with BreachForums and TeamPCP —Dataminr revealed that the Vect ransomware group has formalized partnerships with the BreachForums cybercrime marketplace and TeamPCP hacking group. The partnership will allow BreachForums members to deploy ransomware and will use the victims of TeamPCP’s supply chain attacks to attack organizations that are in a vulnerable state. “Between the two partnerships, Vect will lower the barrier to entry for ransomware actors, incentivize group members to carry out attacks, and exploit pre-existing breaches to broaden impact,” the company said.
“The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass dark web forum mobilization represents an unprecedented model of industrialized ransomware deployment.” MuddyWater Targets Global Organizations via Microsoft Teams —The Iranian hacking group known as MuddyWater has been observed using targeted social engineering to approach targets via Microsoft Teams by masquerading as IT support staff to trick them into running a botnet malware called Tsundere (aka Dindoor). “A notable aspect of this intrusion was the abuse of Deno, a legitimate JavaScript and TypeScript runtime typically used for backend application development,” CyberProof said. “The attacker leveraged deno.exe to execute a highly obfuscated, Base64‑encoded payload – tracked as DINODANCE – directly in memory, minimizing on-disk artifacts and complicating detection.” Once decoded, the malware establishes C2 communications with a remote server, exfiltrating basic host metadata such as username, hostname, and operating system details. Multi-Stage Intrusion Drops Direct-Sys Loader and CGrabber Stealer —An attack chain involving ZIP archives distributed through GitHub user attachment URLs is abusing DLL side-loading to deliver a malware loader called Direct-Sys Loader, which performs anti-analysis checks and then drops CGrabber.
The malware, for its part, avoids infecting machines running in the Commonwealth of Independent States (CIS) countries and collects browser credentials, crypto wallet data, password manager data, and a broad range of application artifacts. “By skipping execution on machines in those regions, they reduce the risk of attracting attention from local law enforcement and avoid targeting their own infrastructure or allies,” Cyderes said . “The Direct-Sys Loader and CGrabber Stealer represent a cohesive, multi-stage, stealth-focused malware ecosystem engineered with advanced detection-evasion capabilities.” Russian Hackers Target Ukrainian Agencies —Threat actors linked to Russia broke into more than 170 email accounts belonging to prosecutors and investigators across Ukraine in recent months,” Reuters reported , citing data from Ctrl-Alt-Intel . The espionage activity also targeted officials in Romania, Greece, Bulgaria, and Serbia.
Speaking to The Record, Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) confirmed that local government agencies were targeted in a long-running hacking campaign that it has been tracking since 2023, with the attacks weaponizing flaws in Roundcube webmail software to run malicious code as soon as a specially crafted message is opened. The campaign is believed to be the work of APT28 (aka Fancy Bear). Infostealer Lookup Services are Changing Cybercrime —Hudson Rock revealed that infostealer lookup services, some accessible via a simple search on Google, are rapidly fueling a new era of initial access, shifting how cyber attacks begin and transforming a complex hacking process into a simple, automated transaction. “These platforms have effectively turned billions of compromised credentials and active session cookies into a highly searchable, low-cost commodity available to the masses,” it said .
“Because this data is so easily accessible, organizations can no longer afford to be reactive.” AdaptixC2 Detailed —Kaspersky has detailed the inner workings of an open-source command-and-control (C2) framework known as AdaptixC2, which has seen increased adoption by bad actors over the past year. Written in Go and C++, AdaptixC2 is designed for post-exploitation and stealthy interaction with its malicious agents deployed on compromised systems. It also employs diverse network communication and post-exploitation techniques to get around traffic monitoring tools and minimize its footprint. “Unlike many general-purpose C2 platforms, AdaptixC2 focuses on advanced agent-to-C2 communication and specific evasion techniques designed to bypass modern security tools, including EDR and NDR solutions,” the company said.
“The framework provides the flexibility to develop custom agents while also including standard agent implementations in Go and C++ for Windows, macOS, and Linux. Additionally, it supports a modular approach to extending its functionality.” Adware Update Delivers EDR Killer —In an unusual attack, a browser-hijacking adware family rolled out a multi-phase update that attempted to disable security software on infected hosts. The adware is signed by Dragon Boss Solutions LLC, a U.A.E.-based company that claims to conduct search monetization research and has promoted modified versions of the Chrome browser (e.g., Chromstera, Chromnius, and Artificius). “The signed software silently fetches and executes payloads capable of killing antivirus products, all while running with SYSTEM privileges,” Huntress said.
The antivirus-killing capability was observed starting in late March 2025, although the loader and updater components date back to late 2024. “The operation uses an off-the-shelf software update mechanism to deploy these MSI and PowerShell-based payloads. Establishing WMI persistence disables security applications and blocks reinstallation of protective software,” it added. The MSI installer, downloaded from a fallback update server, performs reconnaissance, queries for installed security products, and runs a PowerShell script (“ClockRemoval.ps1”) to terminate running processes, disable antivirus services by tampering with the Windows Registry, delete installation directories, and force deletion when uninstallers fail.
What’s significant is that the update mechanism can be modified to deploy any payload. To make matters worse, the primary update domain baked into the operation to retrieve the MSI installer – chromsterabrowser[.]com – was left unregistered, meaning any threat actor could have registered the domain for as little as $10 and pushed malicious updates, turning an adware infection into a potential supply chain compromise. The domain has since been sinkholed; even so, 23,565 unique IP addresses connected to the sinkhole during a 24-hour monitoring period.
The infections are concentrated in the U.S., France, Canada, the U.K., and Germany, and the affected organizations included universities, OT networks, government entities, primary and secondary educational institutions, healthcare organizations, and multiple Fortune 500 companies. India Will Not Require Smartphone Makers to Preload Aadhaar App —The Indian government will no longer require smartphone makers like Apple and Samsung to preload devices with a state-owned biometric identification app, Reuters reported. India’s IT ministry reviewed the proposal and “is not in favour of mandating the pre-installation of the Aadhaar App on smartphones,” UIDAI said in a statement.
The Aadhaar request was the sixth time in two years the government has sought pre-installation of state apps on phones, according to industry communications. Smartphone makers flagged concerns about device security and compatibility when they received the Aadhaar preload proposal, and also flagged higher production costs as they would have been required to run separate manufacturing lines for India and export markets. SQL Injection Campaign Targets Payment Services —An active SQL injection campaign is operating through attacker infrastructure located in Canada. The campaign has targeted 35 websites, with confirmed successful SQL injection exploitation and data exfiltration affecting three organizations operating in the payment, real estate, and developer service sectors.
Attacker-side artifacts indicate coordinated and deliberate exploitation rather than opportunistic scanning. QEMU Abused for Defense Evasion —Threat actors are abusing QEMU, an open-source machine emulator and virtualizer, to hide malicious activity within virtualized environments. “Attackers are drawn to QEMU and more common hypervisor-based virtualization tools like Hyper-V, VirtualBox, and VMware because malicious activity within a virtual machine (VM) is essentially invisible to endpoint security controls and leaves little forensic evidence on the host itself,” Sophos said. Two clusters of activity have been detected. STAC4713 has used QEMU as a covert reverse SSH backdoor to deliver tooling and harvest domain credentials, with the likely end goal of deploying Payouts King ransomware (likely tied to former BlackBasta affiliates), after obtaining initial access by exploiting known security flaws in SolarWinds Web Help Desk. STAC3725 exploits Citrix Bleed 2 (aka CVE-2025-5777) to obtain a foothold and installs ScreenConnect for persistent remote access.
The threat actors then deploy a QEMU VM to install additional tools for enumeration and credential theft. “Follow-on activity differed across intrusions, suggesting that initial access brokers originally compromised the victims’ environments and then sold the access to other threat actors,” Sophos said. Fake Adobe Reader Site Drops ScreenConnect —Threat actors are using fake Adobe Acrobat Reader website lures to trick victims into installing ConnectWise’s ScreenConnect. The attack chain was detected in February 2026.
“The attack uses .NET reflection to keep payloads in memory only, which helps it evade signature-based defenses and hinder forensic examination,” Zscaler ThreatLabz said. “A VBScript loader dynamically reconstructs strings and objects at runtime to defeat static analysis and sandboxing. Auto-elevated Component Object Model (COM) objects are abused to bypass User Account Control (UAC) and run with elevated privileges without user prompts.” The attack employs an in-memory .NET loader that’s responsible for launching ScreenConnect. Nearly 6M Hosts Use FTP —Censys said it observed about 5,949,954 hosts running at least one internet-facing FTP service, down from over 10.1 million in 2024, which amounts to a decline of 40% in two years.
Of these, nearly 2.45 million hosts had no evidence of encryption. “Over 150,000 IIS FTP services return a 534 response, indicating TLS was never set up,” Censys said. “For most use cases, FTP can be replaced without significant disruption. If FTP must remain, enabling Explicit TLS is a configuration change, not a protocol upgrade, and both Pure-FTPd and vsftpd support it natively.” Malformed APKs Bypass Detections as New Android RATs Emerge —Threat actors are increasingly using malformed APKs, which refer to Android packages that can be installed and run on Android but are intentionally broken by using unsupported compression methods, header manipulation, or false password protection, to bypass static analysis tools and delay detection.
Cleafy has released an open-source tool called Malfixer to detect and fix malformed APKs. The development comes as Zimperium flagged four new Android malware families, RecruitRat, SaferRat, Astrinox (aka Mirax), and Massiv, that are capable of harvesting sensitive information and facilitating unauthorized financial transactions. In all, campaigns distributing these malware families target over 800 applications across the banking, cryptocurrency, and social media sectors. RecruitRat leverages recruitment-related social engineering and fraudulent job-seeking platforms for initial access.
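The three header tricks named in the malformed-APK item above (unsupported compression methods, header manipulation, false password protection) can be surfaced by walking the ZIP central directory directly instead of trusting a ZIP library. The following is an added example, not Cleafy's Malfixer or Zimperium's code; the APK-shaped sample it builds and tampers with is constructed here and contains only placeholder bytes.

```python
import io
import struct
import zipfile

# ZIP on-disk signatures (from the ZIP application note).
EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"
# Android's installer only handles STORED (0) and DEFLATE (8); anything else in an
# installable-looking APK is a red flag.
SUPPORTED_METHODS = {0, 8}
ENCRYPTED_FLAG = 0x0001


def scan_apk(data: bytes) -> list[tuple[str, str]]:
    """Walk the central directory by hand and report header tricks that break static
    tools: unsupported compression methods, a set encryption bit, or local headers
    that contradict the central directory. Empty result means no findings."""
    findings: list[tuple[str, str]] = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return [("<archive>", "no end-of-central-directory record")]
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDIR_SIG:
            findings.append(("<archive>", f"central directory corrupt at offset {pos}"))
            break
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if method not in SUPPORTED_METHODS:
            findings.append((name, f"unsupported compression method {method}"))
        if flags & ENCRYPTED_FLAG:
            findings.append((name, "encryption flag set (possible fake password protection)"))
        # Each entry also has a local header with its own flags/method; a tool that
        # trusts one copy and an installer that trusts the other can be made to differ.
        if data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append((name, "local header signature missing"))
        else:
            lflags, lmethod = struct.unpack_from("<HH", data, local_off + 6)
            if lmethod != method or (lflags ^ flags) & ENCRYPTED_FLAG:
                findings.append((name, "local header disagrees with central directory"))
        pos += 46 + name_len + extra_len + comment_len
    return findings


def zipfile_can_extract(data: bytes, name: str) -> bool:
    """Stand-in for a naive static tool: can the standard library read the entry?"""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except (NotImplementedError, RuntimeError, zipfile.BadZipFile):
        return False


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed sample: an APK-shaped ZIP with placeholder contents, not a real app.
    With tamper=True the headers are edited as described above; the data is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    data = bytearray(buf.getvalue())
    if tamper:
        lh1 = data.find(LOCAL_SIG)            # local header: AndroidManifest.xml
        lh2 = data.find(LOCAL_SIG, lh1 + 1)   # local header: classes.dex
        cd1 = data.find(CDIR_SIG)             # central entry: AndroidManifest.xml
        cd2 = data.find(CDIR_SIG, cd1 + 1)    # central entry: classes.dex
        # Trick 1: classes.dex declares compression method 99 in both headers.
        struct.pack_into("<H", data, lh2 + 8, 99)
        struct.pack_into("<H", data, cd2 + 10, 99)
        # Trick 2: the manifest is flagged "encrypted" in the central directory only.
        struct.pack_into("<H", data, cd1 + 8, ENCRYPTED_FLAG)
    return bytes(data)
```

Run `scan_apk(build_sample_apk(tamper=True))` to see all three findings while `zipfile_can_extract` fails on the same file, which is the gap between a naive static tool and a header-level check.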
SaferRat is distributed through fake websites that claim to offer free access to premium streaming platforms and legitimate video streaming software. All four banking trojans abuse the native Session Installation API to bypass Android’s sideloading restrictions and request accessibility services permissions to carry out their malicious activities. Over 200 PrestaShop Stores Expose Installer —More than 200 PrestaShop online stores have left their installation folder exposed online, allowing attackers to abuse the behavior to overwrite database configuration, gain admin access, and execute arbitrary code on the server. According to Sansec, the affected stores span 27 countries, including France, Italy, Poland, and the Czech Republic.
Another set of 15 stores has been found to expose the Symfony Profiler, which is enabled when PrestaShop runs in debug mode. How to Contain a Domain Compromise via Predictive Shielding —Microsoft detailed an attack chain in which a threat actor targeted a public sector organization in June 2025, methodically progressing from one stage of the attack lifecycle to the next, starting with dropping a web shell after exploiting a file-upload flaw in an internet-facing Internet Information Services (IIS) server. The attacker then performed reconnaissance, escalated privileges, leveraged the compromised IIS service account to reset the passwords of high-impact identities, and deployed Mimikatz to harvest credentials. The threat actor then abused privileged accounts and remotely created a scheduled task on a domain controller to capture NTDS snapshots.
The attacker also planted a Godzilla web shell on the Exchange Server and used their privileged context to alter mailbox permissions, allowing them to read and manipulate all mailbox contents. The threat actor subsequently used Impacket to enumerate role assignments, among other activities that were flagged and blocked by Microsoft Defender. “The threat actor then launched a broad password spray from the initially compromised IIS server, unlocking access to at least 14 servers through password reuse,” Microsoft said. “They also attempted remote credential dumping against a couple of domain controllers and an additional IIS server using multiple domain and service principals.” After Microsoft Defender’s predictive shielding was enabled in late July 2025, the attacker’s attempts to sign in to Microsoft Entra Connect servers were blocked.
The campaign stopped on July 28, 2025. Cargo Theft Malware Actor Conducts Remote Access Campaigns —In November 2025, Proofpoint detailed a threat actor that used compromised load boards to gain access to trucking companies with the end goal of freight diversion and cargo theft. New research from the enterprise security company has revealed that the attacker abused multiple remote access tools like ScreenConnect, Pulseway, and SimpleHelp to establish persistence in a controlled decoy environment, with attempts made to identify financial access, payment platforms, and cryptocurrency assets to conduct freight fraud and broader financial theft. The actor maintained access for more than a month.
At least one ScreenConnect instance is said to have leveraged a third‑party signing‑as‑a‑service provider to re-sign the installer with a valid but fraudulent code‑signing certificate. “This reconnaissance focused on identifying financial access – such as banking, accounting, tax software, and money transfer services – as well as transportation‑related entities, including fuel card services, fleet payment platforms, and load board operators,” the company said. “The latter activity was likely designed to support crimes against the transportation industry, including cargo theft and related financial fraud.” British National Pleads Guilty to Scattered Spider Campaign —Tyler Robert Buchanan, who was extradited from Spain to the U.S. last April following his arrest in the European nation in June 2024, pleaded guilty to hacking a dozen companies and stealing at least $8 million in digital assets.
He pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. “From September 2021 to April 2023, Buchanan and other individuals conspired to conduct cyber intrusions and virtual currency thefts,” the U.S. Justice Department said. “The victims and intended victims included interactive entertainment companies, telecommunications companies, technology companies, business process outsourcing (BPO) and information technology (IT) suppliers, cloud communications providers, virtual currency companies, and individuals.” Buchanan and his co-conspirators conducted SMS phishing attacks targeting a victim company’s employees, tricking them into clicking on bogus links that exfiltrated their credentials via a phishing kit to an online Telegram channel under their control.
The stolen data was then used to access the accounts, gather confidential company information, and siphon millions of dollars’ worth of virtual currency after conducting SIM swapping attacks. 🔧 Cybersecurity Tools Cirro → It is an open-source tool designed to help security experts find hidden risks in cloud environments. It works by collecting data about people, their permissions, and the digital resources they use, then turning that information into a visual map. By showing how these different pieces are connected, the tool makes it easier to spot “attack paths”—the step-by-step routes a hacker could take to move through a system and reach sensitive data.
While it is currently focused on Azure, it is built to be flexible so users can add other platforms over time. Janus → It is an open-source tool designed to help security teams track technical failures during operations. It automatically pulls logs from command-and-control (C2) platforms like Mythic and Cobalt Strike to identify where tools failed or commands were blocked. By organizing these “friction points” into reports, Janus helps teams see exactly where their workflow slows down and what tasks need to be improved or automated.
Disclaimer: This is strictly for research and learning. It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law.
Conclusion
That wraps this week’s recap.
Most of it isn’t loud, but it shows how easy it is for trusted paths to turn into entry points and for normal activity to hide real access. Keep an eye on the basics. Check what you trust, watch how things run, and don’t ignore the small changes.
Why Most AI Deployments Stall After the Demo
The fastest way to fall in love with an AI tool is to watch the demo. Everything moves quickly. Prompts land cleanly. The system produces impressive outputs in seconds.
It feels like the beginning of a new era for your team. But most AI initiatives don’t fail because of bad technology. They stall because what worked in the demo doesn’t survive contact with real operations. The gap between a controlled demonstration and day-to-day reality is where teams run into trouble.
Most AI product demos are built to highlight potential, not friction. They use clean data, predictable inputs, carefully crafted prompts, and well-understood use cases. Production environments don’t look like that. In real operations, data is messy, inputs are inconsistent, systems are fragmented, and context is incomplete.
Latency matters. Edge cases quickly outnumber ideal ones. This is why teams often see an initial burst of enthusiasm followed by a slowdown once they try to deploy AI more broadly.
What actually breaks in production
Once AI moves from demo to deployment, a few specific challenges tend to emerge.
Data quality becomes a real issue. In security and IT environments, data is often spread across multiple tools with different formats and varying levels of reliability. A model that performs well on clean demo data can struggle when fed noisy or incomplete inputs. Latency becomes visible.
A model that feels fast in isolation can introduce meaningful delays when embedded in multi-step workflows running at scale. Edge cases start to matter. Production workflows include exceptions, unusual scenarios, and unpredictable user behavior. Systems that handle common cases well can break down quickly when confronted with real-world complexity.
Integration becomes a limiting factor. Most operational work requires coordinating across multiple systems. If an AI tool can’t connect deeply into those workflows, its impact stays limited regardless of how capable the underlying model is.
Governance is where enthusiasm runs out
Beyond technical challenges, governance has become one of the biggest reasons AI initiatives stall.
With general-purpose AI tools now widely accessible, organizations are grappling with serious questions around data privacy, appropriate use cases, approval processes, and compliance requirements. Many teams discover that while AI experimentation is easy, operationalizing AI safely requires clear policies and controls. Without them, even promising initiatives get stuck in review cycles or fail to scale. When done properly, governance transcends its goal of preventing misuse.
It becomes a framework that lets teams move quickly and confidently, with appropriate oversight built in from the start.
What determines whether AI actually delivers
Teams that successfully move beyond the demo tend to share a few habits. They test AI against real workflows rather than idealized scenarios, using real data, real processes, and real constraints. They evaluate performance under realistic conditions, measuring accuracy under load, monitoring latency, and understanding how the system behaves when inputs vary.
They prioritize integration depth, because AI operating in isolation rarely has much impact. And they pay close attention to the cost model, since AI usage can scale quickly and without visibility into consumption, costs can become a blocker. Perhaps most importantly, they invest in governance early. Clear policies, guardrails, and oversight mechanisms help teams avoid delays and build confidence in their deployments.
A practical checklist before you commit
If you’re evaluating AI tools, a few steps can help surface limitations before they become blockers: run proofs of concept on high-impact, real-world workflows; use realistic data during testing; measure performance across accuracy, latency, and reliability; assess integration depth with your existing stack; and clarify governance requirements upfront. These aren’t complicated steps, but they make a significant difference in whether a promising demo leads to meaningful production deployment. Access the IT and security field guide to AI adoption.
The bottom line
AI has real potential to change how security and IT teams work.
But success depends less on the sophistication of the model and more on how well it fits into real workflows, integrates with existing systems, and operates within a clear governance framework. Teams that recognize this early are far more likely to move from experimentation to lasting impact. Looking for a structured approach to evaluating AI tools in practice? The IT and security field guide to AI adoption walks through selection criteria, evaluation questions, and a step-by-step process for finding solutions that hold up beyond the demo.
This article is a contributed piece from one of our valued partners.
Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
Cybersecurity researchers have discovered a critical “by design” weakness in the Model Context Protocol’s (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain. “This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories,” OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar said in an analysis published last week. The cybersecurity company said the systemic vulnerability is baked into Anthropic’s official MCP software development kit (SDK) across any supported language, including Python, TypeScript, Java, and Rust. In all, it affects more than 7,000 publicly accessible servers and software packages totaling more than 150 million downloads.
At issue are unsafe defaults in how MCP configuration works over the STDIO (standard input/output) transport interface, resulting in the discovery of 10 vulnerabilities spanning popular projects like LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot:
- CVE-2025-65720 (GPT Researcher)
- CVE-2026-30623 (LiteLLM) - Patched
- CVE-2026-30624 (Agent Zero)
- CVE-2026-30618 (Fay Framework)
- CVE-2026-33224 (Bisheng) - Patched
- CVE-2026-30617 (Langchain-Chatchat)
- CVE-2026-33224 (Jaaz)
- CVE-2026-30625 (Upsonic)
- CVE-2026-30615 (Windsurf)
- CVE-2026-26015 (DocsGPT) - Patched
- CVE-2026-40933 (Flowise)
These vulnerabilities fall under four broad categories, effectively triggering remote command execution on the server:
- Unauthenticated and authenticated command injection via MCP STDIO
- Unauthenticated command injection via direct STDIO configuration with hardening bypass
- Unauthenticated command injection via MCP configuration edit through zero-click prompt injection
- Unauthenticated command injection through MCP marketplaces via network requests, triggering hidden STDIO configurations
“Anthropic’s Model Context Protocol gives a direct configuration-to-command execution via their STDIO interface on all of their implementations, regardless of programming language,” the researchers explained. “As this code was meant to be used in order to start a local STDIO server, and give a handle of the STDIO back to the LLM. But in practice it actually lets anyone run any arbitrary OS command, if the command successfully creates an STDIO server it will return the handle, but when given a different command, it returns an error after the command is executed.” Interestingly, vulnerabilities based on the same core issue have been reported independently over the past year. They include CVE-2025-49596 (MCP Inspector), CVE-2026-22252 (LibreChat), CVE-2026-22688 (WeKnora), CVE-2025-54994 (@akoskm/create-mcp-server-stdio), and CVE-2025-54136 (Cursor).
Anthropic, however, has declined to modify the protocol’s architecture, citing the behavior as “expected.” While some of the vendors have issued patches, the shortcoming remains unaddressed in Anthropic’s MCP reference implementation, causing developers to inherit the code execution risks. The findings highlight how AI-powered integrations can inadvertently expand the attack surface. To counter the threat, it’s advised to block public IP access to sensitive services, monitor MCP tool invocations, run MCP-enabled services in a sandbox, treat external MCP configuration input as untrusted, and only install MCP servers from verified sources.
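The "treat external MCP configuration input as untrusted" advice above amounts to a gate between the configuration document and the process spawn, since whatever lands in an STDIO server's `command` field becomes a process. This added example (not OX Security's code and not Anthropic's SDK) shows such a gate in Python; the allowlist, the list of dangerous environment overrides, the `mcpServers` sample document and the server names in it are assumptions constructed here.

```python
import json
import os
import shutil
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical host policy: the only STDIO server binaries this deployment may launch.
# Populate it from servers you have reviewed and installed from verified sources.
ALLOWED_COMMANDS = {"mcp-server-filesystem", "mcp-server-git"}
# Environment overrides that change what the child process actually executes.
DANGEROUS_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
                 "PYTHONPATH", "NODE_OPTIONS"}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    resolved: Optional[str] = None   # absolute path of the binary when allowed


def validate_stdio_server(name: str, entry: object, allowed: set = ALLOWED_COMMANDS,
                          which: Callable[[str], Optional[str]] = shutil.which) -> Verdict:
    """Gate one mcpServers entry before anything is spawned. The entry is untrusted
    input: whatever lands in 'command' becomes a process on this host."""
    if not isinstance(entry, dict) or not isinstance(entry.get("command"), str):
        return Verdict(False, f"{name}: missing or non-string 'command'")
    command, args, env = entry["command"], entry.get("args", []), entry.get("env", {})
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return Verdict(False, f"{name}: 'args' must be a list of strings")
    if not isinstance(env, dict):
        return Verdict(False, f"{name}: 'env' must be an object")
    if "/" in command or "\\" in command:
        return Verdict(False, f"{name}: command must be a bare allowlisted name, got {command!r}")
    if command not in allowed:
        return Verdict(False, f"{name}: command {command!r} is not allowlisted")
    bad = sorted(DANGEROUS_ENV.intersection(env))
    if bad:
        return Verdict(False, f"{name}: env overrides {bad} could hijack the child process")
    resolved = which(command)
    if resolved is None:
        return Verdict(False, f"{name}: allowlisted command {command!r} is not installed")
    return Verdict(True, f"{name}: ok", resolved)


def check_config(config_text: str, **kw) -> dict:
    """Validate every server in a {"mcpServers": {...}} document (the Claude Desktop shape)."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: validate_stdio_server(name, entry, **kw) for name, entry in servers.items()}


def launch_stdio_server(name: str, entry: dict, **kw) -> subprocess.Popen:
    """Spawn only after validation, by resolved absolute path, never through a shell."""
    verdict = validate_stdio_server(name, entry, **kw)
    if not verdict.allowed:
        raise PermissionError(verdict.reason)
    child_env = {**os.environ, **entry.get("env", {})}   # only non-dangerous keys survive validation
    return subprocess.Popen([verdict.resolved, *entry.get("args", [])], env=child_env,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE, shell=False)


# Constructed sample config: one legitimate server and two entries that must be refused.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "mcp-server-filesystem", "args": ["/srv/docs"]},
    "updater": {"command": "curl", "args": ["-s", "https://example.invalid/update"]},
    "git": {"command": "mcp-server-git", "env": {"LD_PRELOAD": "/tmp/hook.so"}},
}})

if __name__ == "__main__":
    for verdict in check_config(SAMPLE_CONFIG).values():
        print("ALLOW" if verdict.allowed else "DENY ", verdict.reason)
```

The `which` parameter exists so the lookup can be pinned in tests; in production leave it at `shutil.which` so the allowlisted name resolves to the binary actually installed on the host.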
“What made this a supply chain event rather than a single CVE is that one architectural decision, made once, propagated silently into every language, every downstream library, and every project that trusted the protocol to be what it appeared to be,” OX Security said. “Shifting responsibility to implementers does not transfer the risk. It just obscures who created it.”