2026-04-25 AI Startup News

FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency’s Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with malware called FIRESTARTER. FIRESTARTER, per CISA and the U.K.’s National Cyber Security Centre (NCSC), is assessed to be a backdoor designed for remote access and control. It’s believed to be deployed as part of a “widespread” campaign orchestrated by an advanced persistent threat (APT) actor to obtain access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting now-patched security flaws such as:

- CVE-2025-20333 (CVSS score: 9.9) - An improper validation of user-supplied input vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests.
- CVE-2025-20362 (CVSS score: 6.5) - An improper validation of user-supplied input vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests.

“FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities,” the agencies said. In the investigated incident, the threat actors have been found to deploy a post-exploitation toolkit called LINE VIPER that can execute CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot. The elevated access afforded by LINE VIPER served as a conduit for FIRESTARTER, which was deployed on the Firepower device before September 25, 2025, allowing the threat actors to maintain continued access and return to the compromised appliance as recently as last month.

A Linux ELF binary, FIRESTARTER can set up persistence on the device, and survive firmware updates and device reboots unless a hard power cycle occurs. The malware lodges itself into the device’s boot sequence by manipulating a startup mount list, ensuring it automatically reactivates every time the device reboots normally. The resilience aside, it also shares some level of overlap with a previously documented bootkit referred to as RayInitiator. “FIRESTARTER attempts to install a hook – a way to intercept and modify normal operations – within LINA, the device’s core engine for network processing and security functions,” according to the advisory.

“This hook enables the execution of arbitrary shell code provided by the APT actors, including the deployment of LINE VIPER.” “Although Cisco’s patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain vulnerable because FIRESTARTER is not removed by firmware updates.”

Cisco, which is tracking the exploitation activity associated with the two vulnerabilities under the moniker UAT4356 (aka Storm-1849), described FIRESTARTER as a backdoor that facilitates the execution of arbitrary shellcode received by the LINA process by parsing specially crafted WebVPN authentication requests containing a “magic packet.” The exact origins of the threat activity are not known, although an analysis from attack surface management platform Censys in May 2024 suggested links to China. UAT4356 was first attributed to a campaign called ArcaneDoor that exploited two zero-day flaws in Cisco networking gear to deliver bespoke malware capable of capturing network traffic and conducting reconnaissance.

“To fully remove the persistence mechanism, Cisco strongly recommends reimaging and upgrading the device,” Cisco said. “In cases of confirmed compromise on any Cisco Secure ASA or FTD platforms, all configuration elements of the device should be considered untrusted.” As a mitigation until reimaging can be performed, the company is recommending that customers perform a cold restart to remove the FIRESTARTER implant. “The shutdown, reboot, and reload CLI commands will not clear the malicious persistent implant, the power cord must be pulled out and plugged back in the device,” it added.

Chinese Hackers Shift From Individually Procured Infrastructure to Covert Networks

The disclosure comes as the U.S., the U.K., and various international partners released a joint advisory about large-scale networks of compromised SOHO routers and IoT devices commandeered by China-nexus threat actors to disguise their espionage attacks and complicate attribution efforts. State-sponsored groups like Volt Typhoon and Flax Typhoon have been using these botnets, consisting of home routers, security cameras, video recorders, and other IoT devices, to target critical infrastructure sectors and conduct cyber espionage in a “low-cost, low-risk, deniable way,” per the alert. Complicating matters further is the fact that the networks are constantly updated, not to mention multiple China-affiliated threat groups might use the same botnet at the same time, making it challenging for defenders to identify and block them using static IP blocklists.

“Covert networks mostly consist of compromised SOHO routers, but they also pull in any vulnerable device they can exploit at scale,” the agencies said. “Their traffic will be forwarded through multiple compromised devices, used as traversal nodes, before exiting the network from an exit node, usually in the same geographic region as the target.” The findings underscore a common pattern seen in state-sponsored attacks: the targeting of network perimeter devices belonging to residential, enterprise, and government networks with an aim to either turn them into a proxy node or intercept sensitive data and communications.

NASA Employees Duped in Chinese Phishing Scheme Targeting U.S. Defense Software

The Office of Inspector General (OIG) of the U.S. National Aeronautics and Space Administration (NASA) has revealed how a Chinese national posed as a U.S. researcher as part of a spear-phishing campaign to obtain sensitive information from the space agency, as well as from government entities, universities, and private companies, in violation of export control laws. “For years, NASA employees and research collaborators thought they were simply sharing software with colleagues,” the OIG said in a Thursday release.

“Instead, they were emailing sensitive defense technology to a Chinese national who was impersonating U.S. engineers.” The individual linked to the campaign was outed as Chinese national Song Wu in September 2024, when the U.S. Department of Justice (DoJ) announced charges against him for orchestrating a multi-year campaign that stretched from January 2017 to December 2021 and involved targeting dozens of U.S. professors, researchers, and engineers.

Some of the victims of the campaign were employed at NASA, the Air Force, the Navy, the Army, and the Federal Aviation Administration, while the others worked at major universities and private sector firms. According to the 2024 indictment, Song was an engineer at the Aviation Industry Corporation of China (AVIC), a Chinese state-owned aerospace and defense conglomerate founded in 2008. In an attempt to obtain modeling software used for aerospace design and weapons development, Song and his co-conspirators are alleged to have conducted extensive research on their targets by masquerading as friends and colleagues to gain access to proprietary software and source code. The OIG said the scheme was successful in a handful of cases where victims shared the sensitive information with the imposter accounts managed by Song et al. without realizing they were violating U.S. export control laws.

Song has been indicted on counts of wire fraud and 14 counts of aggravated identity theft, and faces a maximum sentence of 20 years in prison for each count of wire fraud. He also faces a two-year consecutive sentence if convicted of aggravated identity theft. The 40-year-old remains at large.

Adding Song to the U.S. Most Wanted List, the U.S. Federal Bureau of Investigation (FBI) said the specialized software could be used for industrial and military applications, including the development of advanced tactical missiles and aerodynamic design and assessment of weapons. “As phishing campaigns continue to become more sophisticated, there are common clues that can betray scammers and expose their export fraud schemes,” the OIG said.

“In Song’s case, he made multiple requests for the same software and did not justify why he needed it.” “Export control scammers also often suggest unusual payment methods (such as suspicious wire transfers); abruptly change the terms or source of payment; and use unconventional transfer methods to mask their identity and evade shipping restrictions.”

Bridging the AI Agent Authority Gap: Continuous Observability as the Decision Engine

The AI Agent Authority Gap - From Ungoverned to Delegation

As discussed in our previous article, AI agents are exposing a structural gap in enterprise security, but the problem is often framed too narrowly. The issue is not simply that agents are new actors. It is that agents are delegated actors. They do not emerge with independent authority.

They are triggered, invoked, provisioned, or empowered by existing enterprise identities: human users, machine identities, bots, service accounts, and other non-human actors. That makes Agent-AI fundamentally different from both people and software, while still being inseparable from both. This is why the AI Agent Authority Gap is really a delegation gap. Enterprises are trying to govern an emerging actor without first governing the identities that delegate authority to it.

Traditional IAM was built to answer a narrower question: who has access. But once AI agents are introduced, the real question becomes: what authority is being delegated, by whom, under what conditions, for what purpose, and across what scope?

First Things First: Governing the Delegation Chain Before Agent AI

The crucial point is sequencing. An enterprise cannot safely govern Agent-AI unless it first governs, as much as possible, the traditional actors that serve as its delegation source.

Human identities and traditional machine identities are already fragmented across applications, APIs, embedded credentials, unmanaged service accounts, and application-specific identity logic. This is the identity dark matter Orchid describes: authority that exists, operates, and often accumulates risk outside the view of managed IAM. If that dark matter remains unobserved, then the agent inherits an already broken authority model. The result is predictable: the agent becomes an efficient amplifier of hidden access, hidden permissions, and hidden execution paths.

So the bridge to safe Agent-AI adoption is not to start with the agent in isolation. It is first to reduce identity dark matter across the traditional actor estate, so it won’t be delegated or abused for the sake of efficiency. That means illuminating all human and traditional machine identities across the application environment, understanding how they authenticate, where credentials are embedded, how workflows actually execute, and where unmanaged authority sits. Orchid’s continuous observability model is the essential foundation for safe Agent AI implementation because it establishes a verified baseline of real identity behavior across managed and unmanaged environments, rather than relying on incomplete static policy assumptions.

From Observability to Authority: Dynamic Governance for Agent AI

Once that traditional actor layer is observed, analyzed, and optimized, that output becomes the input for a real-time Agent-AI Delegation Authority layer. This is where Orchid’s model becomes more powerful than conventional IAM. Its telemetry is not just visibility or insight. It becomes a continuous feed into an authority engine that evaluates the authority profile of the delegator, the context of the target application, the intent behind the requested action, and the effective scope of execution. In other words, the agent should not be governed only by its own nominal permissions.

It should be governed continuously by the posture and intent of the actor delegating authority to it, plus the context of what the agent is trying to do. That creates a much stronger model for control. Think about it. A human delegator with weak posture, risky behavior, or excessive hidden access should not yield the same Agent-AI authority as a tightly governed delegator operating in a constrained workflow.

Likewise, a machine or service account with broad but poorly understood access should not be allowed to trigger an agent with unconstrained downstream actionability. Orchid’s role in this model is to continuously assess the delegator, the delegated actor, and the application path between them, then enforce authority accordingly. That is what turns observability into governance. This is also why the destination state is not just better individual auditing of human, machine, and agent AI actors.

It is dynamic sequential delegation control. Orchid can map each agent identity to the applications it touches, the workflows it can invoke, the intent patterns it exhibits, and the scope of its intended actions. It can then use the live observability feed to determine, in real time, whether that agent should be allowed to act, allowed only to recommend, constrained to a limited tool set, or stopped entirely. That is the ultimate meaning of closing the authority gap: not just knowing what an agent can access, but continuously determining what it is allowed to decide and execute at machine speed.

Closing Reminders

AI agents are not just a new identity type. They are a delegated identity type. Their authority originates from traditional enterprise actors: humans, bots, service accounts, and machine identities. That means the problem of Agent-AI governance does not begin with the agent.

It begins with the delegation source. If enterprises cannot observe and govern the human and traditional machine identities that trigger agent actions, then they cannot safely govern the agent either. Orchid’s model makes that sequencing explicit: first reduce identity dark matter across the traditional actor estate, then use continuous observability, analysis, and audit of those delegators as the live input into a real-time Agent-AI Delegation Authority layer. In that model, the agent is governed not only by its nominal permissions but by the posture, intent, context, and scope of the actor delegating authority to it.

That is the missing bridge between traditional IAM and safe Agent-AI adoption. This article is a contributed piece from one of our valued partners.

26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases

Cybersecurity researchers have discovered a set of malicious apps on the Apple App Store that impersonate popular cryptocurrency wallets in an attempt to steal recovery phrases and private keys since at least fall 2025. “Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distribute trojanized versions of legitimate wallets,” Kaspersky researcher Sergey Puzan said. “The infected apps are specifically engineered to hijack recovery phrases and private keys.” The 26 apps, collectively dubbed FakeWallet, mimic various popular wallets like Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. Many of these apps have since been taken down by Apple following disclosure.

There is no evidence that these apps were distributed via the Google Play Store. While malicious cryptocurrency wallets distributed in the past via bogus websites have abused iOS provisioning profiles to get users to install them, the latest crypto-theft scheme is an improvement in several ways. For starters, the apps are directly available for download from Apple’s App Store if a user has their Apple account set to China. These apps have icons that mirror the original but have intentional typos in their names (e.g., LeddgerNew) so as to trick unsuspecting users into downloading them.

In some cases, the app names and icons have no connection to cryptocurrency. Instead, they are used as placeholders to direct users to download the official wallet app through them, claiming they are “unavailable in the App Store” due to regulatory reasons. Kaspersky said it also identified several similar apps likely linked to the same threat actor that do not have the malicious features enabled, but have been found to mimic a benign service, such as a game, a calculator, or a task planner. Once launched, these apps open a link on the web browser and leverage enterprise provisioning profiles to install the wallet app on the victim’s device.

“The attackers have churned out a wide variety of malicious modules, each tailored to a specific wallet,” Puzan said. “In most cases, the malware is delivered via a malicious library injection, though we’ve also come across builds where the app’s original source code was modified.” The end goal of these infections is to look for mnemonic phrases from both hot and cold wallets, and exfiltrate them to an external server, allowing the operators to seize control of victims’ wallets and drain cryptocurrency assets or initiate fraudulent transactions. The seed phrases are captured either by hooking the code that’s responsible for the screen where the user enters their recovery phrase or serving a phishing page that instructs the victim to enter their mnemonics as part of a supposed verification step. It’s suspected the campaign could be the work of threat actors linked to the SparkKitty trojan campaign last year, given that some of the infected apps also come with a module to steal wallet recovery phrases using optical character recognition (OCR), and that both the campaigns appear to be the work of native Chinese speakers and specifically target cryptocurrency assets.

“The FakeWallet campaign is gaining momentum by employing new tactics, ranging from delivering payloads via phishing apps published in the App Store to embedding themselves into cold wallet apps and using sophisticated phishing notifications to trick users into revealing their mnemonics,” Kaspersky said.

MiningDropper Android Malware Framework Emerges

The discovery comes as Cyble sheds light on a sophisticated Android malware delivery framework known as MiningDropper (aka BeatBanker) that combines cryptocurrency mining with information theft, remote access, and banking malware in attacks targeting users in India, as well as in Latin America, Europe, and Asia as part of a BTMOB RAT campaign. MiningDropper has been distributed via a trojanized version of the open-source Android application project Lumolight, with the campaigns using fake websites impersonating banking institutions and regional transport offices to propagate the malware. Once launched, it activates a multi-stage sequence to extract the miner and the trojan payloads from an encrypted assets archive present within the package.

“MiningDropper employs a multi-stage payload delivery architecture that combines XOR-based native obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques,” Cyble said. “MiningDropper demonstrates a layered, modular Android malware architecture designed to make static analysis difficult while giving threat actors flexibility in final payload delivery. This design allows the threat actor to reuse the same distribution and installation framework across hundreds of samples while adapting the final monetization objective to operational needs.”

Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2

Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the abuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access. Zscaler ThreatLabz, which discovered the campaign last month, has attributed it with high confidence to Tropic Trooper (aka APT23, Earth Centaur, KeyBoy, and Pirate Panda), a hacking group known for its targeting of various entities in Taiwan, Hong Kong, and the Philippines. It’s assessed to be active since at least 2011. “The threat actors created a custom AdaptixC2 Beacon listener, leveraging GitHub as their command-and-control (C2) platform,” security researcher Yin Hong Chang said in an analysis.

It’s believed that Chinese-speaking individuals in Taiwan, and individuals in South Korea and Japan, are the targets of the campaign. The starting point of the attack is a ZIP archive containing military-themed document lures to launch the rogue version of SumatraPDF, which is then used to display a decoy PDF document, while simultaneously retrieving encrypted shellcode from a staging server to launch AdaptixC2 Beacon. To accomplish this, the backdoored SumatraPDF executable launches a slightly modified version of a loader codenamed TOSHIS, which is a variant of Xiangoop, a malware linked to Tropic Trooper, and has been used in the past to fetch next-stage payloads like Cobalt Strike Beacon or Merlin agent for the Mythic framework. The loader is responsible for activating the multi-stage attack, dropping both the lure document as a distraction mechanism and the AdaptixC2 Beacon agent in the background. The agent employs GitHub for C2, beaconing out to the attacker-controlled infrastructure to fetch tasks to be executed on the compromised host.

The attack moves to the next stage only when the victim is deemed valuable, at which point the threat actor deploys VS Code and sets up VS Code tunnels for remote access. On select machines, the threat actor has been found to install alternative, trojanized applications, likely in an attempt to better camouflage their actions. What’s more, the staging server involved in the intrusion (“158.247.193[.]100”) has been observed hosting a Cobalt Strike Beacon and a custom backdoor called EntryShell, both of which have been put to use by Tropic Trooper in the past. “Similar to the TAOTH campaign, publicly available backdoors are used as payloads,” Zscaler said.

“While Cobalt Strike Beacon and Mythic Merlin were previously used, the threat actor has now shifted to AdaptixC2.”

LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure

A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving LLMs, has come under active exploitation in the wild less than 13 hours after its public disclosure. The vulnerability, tracked as CVE-2026-33626 (CVSS score: 7.5), relates to a Server-Side Request Forgery (SSRF) vulnerability that could be exploited to access sensitive data. “A server-side request forgery (SSRF) vulnerability exists in LMDeploy’s vision-language module,” according to an advisory published by the project maintainers last week. “The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources.” The shortcoming affects all versions of the toolkit (0.12.0 and prior) with vision language support.
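The missing check the advisory describes, sketched as an added example (this is not LMDeploy's code or its fix): a guard that vets a user-supplied image URL before any fetch. The allowed schemes and ports, the function names, and the `SAMPLE_DNS` table are assumptions made for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy values are assumptions for this example, not LMDeploy settings.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "images.example.test": ["93.184.216.34"],
    "intranet.example.test": ["10.0.0.5"],
    # A name with one public and one metadata-service answer.
    "mixed.example.test": ["93.184.216.34", "169.254.169.254"],
}


class BlockedURL(ValueError):
    """The server must not fetch this URL."""


def system_resolver(host, port):
    """Resolver for real use: every address the OS returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def sample_resolver(host, port):
    """Offline stand-in that answers from SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return SAMPLE_DNS[host]


def is_internal(address):
    """True unless address is an ordinary public unicast address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True  # unparseable answer: fail closed
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 reaches 127.0.0.1
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def validate_image_url(url, resolver=system_resolver):
    """Return the vetted IP list for url, or raise BlockedURL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        raise BlockedURL(f"malformed URL: {exc}") from exc
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme {scheme!r} not allowed")
    if not host:
        raise BlockedURL("URL has no host")
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise BlockedURL(f"port {port} not allowed")
    try:
        # IP literal: check it directly, no DNS involved.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = list(resolver(host, port))
        except OSError as exc:
            raise BlockedURL(f"cannot resolve {host}") from exc
    internal = [a for a in addresses if is_internal(a)]
    if not addresses or internal:
        raise BlockedURL(f"{host} maps to internal address(es): {internal}")
    # Connect to one of these addresses, not to the name again, and run each
    # redirect target through this function before following it.
    return addresses


def is_blocked(url, resolver=sample_resolver):
    """Convenience wrapper: True when validate_image_url rejects url."""
    try:
        validate_image_url(url, resolver)
    except BlockedURL:
        return True
    return False
```

Every DNS answer has to pass, not just the first, and the fetch has to use the returned addresses; otherwise a name that resolves differently on the second lookup gets around the check.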

Orca Security researcher Igor Stepansky has been credited with discovering and reporting the bug. Successful exploitation of the vulnerability could permit an attacker to steal cloud credentials, reach internal services that aren’t exposed to the internet, port scan internal networks, and create lateral movement opportunities. Cloud security firm Sysdig, in an analysis published this week, said it detected the first LMDeploy exploitation attempt against its honeypot systems within 12 hours and 31 minutes of the vulnerability being published on GitHub. The exploitation attempt originates from the IP address 103.116.72[.]119.

“The attacker did not simply validate the bug and move on. Instead, over a single eight-minute session, they used the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server: AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP administrative interface, and an out-of-band (OOB) DNS exfiltration endpoint,” it said. The actions undertaken by the adversary, detected on Apr 22, 2026, at 03:35 a.m. UTC, unfolded over 10 distinct requests across three phases, with the requests switching between vision language models (VLMs) such as internlm-xcomposer2 and OpenGVLab/InternVL2-8B to likely avoid raising any suspicion:

- Target AWS IMDS and Redis instances on the server.
- Test egress with an out-of-band (OOB) DNS callback to requestrepo[.]com to confirm the SSRF vulnerability can reach arbitrary external hosts, followed by enumerating the API surface.
- Port scan the loopback interface (“127.0.0[.]1”).

The findings are yet another reminder of how threat actors are closely watching new vulnerability disclosures and exploiting them before downstream users can apply the fixes, even in cases where no proof-of-concept (PoC) exploits exist at the time of the attack. “CVE-2026-33626 fits a pattern that we have observed repeatedly in the AI-infrastructure space over the past six months: critical vulnerabilities in inference servers, model gateways, and agent orchestration tools are being weaponized within hours of advisory publication, regardless of the size or extent of their install base,” Sysdig said. “Generative AI (GenAI) is accelerating this collapse. An advisory as specific as GHSA-6w67-hwm5-92mq, which includes the affected file, parameter name, root-cause explanation, and sample vulnerable code, is effectively an input prompt for any commercial LLM to generate a potential exploit.”

WordPress Plugins and Internet-Exposed Modbus Devices Targeted

The disclosure comes as threat actors have also been spotted exploiting vulnerabilities in two WordPress plugins – Ninja Forms – File Upload (CVE-2026-0740, CVSS score: 9.8) and Breeze Cache (CVE-2026-3844, CVSS score: 9.8) – to upload arbitrary files to susceptible sites, which result in arbitrary code execution and complete takeover. Unknown attackers have also been linked to a global campaign targeting internet-exposed, Modbus-enabled programmable logic controllers (PLCs) from September to November 2025 that spanned 70 countries and 14,426 distinct targeted IPs, most of which are located in the U.S., France, Japan, Canada, and India. A subset of these requests has been found to emanate from sources geolocated to China. “The activity blended large-scale automated probing with more selective patterns that suggest deeper device fingerprinting, disruption attempts, and potential manipulation paths when PLCs are reachable from the public internet,” Cato Networks researchers said.

“Many source IPs had low or zero public reputation scores, consistent with fresh or rotating scanning hosts.”

UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy SNOW Malware

A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. “As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT help desk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization,” Google-owned Mandiant said in a report published today. UNC6692 has been attributed to a large email campaign that’s designed to overwhelm a target’s inbox with a flood of spam emails, creating a false sense of urgency. The threat actor then approaches the target over Microsoft Teams by sending a message claiming to be from the IT support team to offer assistance with the email bombing problem.

It’s worth noting that this combination of bombarding a victim’s email inbox followed by Microsoft Teams-based help desk impersonation has been a tactic long embraced by former Black Basta affiliates. Despite the group shutting down its ransomware operations early last year, the playbook has witnessed no signs of slowing down. In a report published last week, ReliaQuest revealed that the approach is being used to target executives and senior-level employees for initial access into corporate networks for potential data theft, lateral movement, ransomware deployment, and extortion. In some cases, chats were initiated just 29 seconds apart.

The goal of the conversation is to trick victims into installing legitimate remote monitoring and management (RMM) tools like Quick Assist or Supremo Remote Desktop to enable hands-on access, and then weaponize it to drop additional payloads. “From March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, up from 59% in the first two months of 2026,” ReliaQuest researchers John Dilgen and Alexa Feminella said. “This activity demonstrates that a threat group’s most effective tactics can long outlive the group itself.” The attack chain detailed by Mandiant, on the other hand, deviates from this approach as the victim is instructed to click on a phishing link shared via Teams chat to install a local patch to remediate the spam issue. Once it’s clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.

The phishing page is named “Mailbox Repair and Sync Utility v2.1.5.” The script is designed to perform initial reconnaissance, and then install SNOWBELT, a malicious Chromium-based browser extension, on the Edge browser by launching it in headless mode along with the “–load-extension” command line switch . “The attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes,” Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair said. “The script also checks the victim’s browser. If the user is not using Microsoft Edge, the page displays a persistent overlay warning.

Using the SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and required libraries.” The phishing page is also designed to serve a Configuration Management Panel with a prominent “Health Check” button that, when clicked, prompts users to enter their mailbox credentials for ostensibly authentication purposes, but, in reality, is used to harvest and exfiltrate the data to another Amazon S3 bucket. The SNOW malware ecosystem is a modular toolkit that works together to facilitate the attacker’s goals. While SNOWBELT is a JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution, SNOWGLAZE is a Python-based tunneler to create a secure, authenticated WebSocket tunnel between the victim’s internal network and the attacker’s command-and-control (C2) server. The third component is SNOWBASIN, which operates as a persistent backdoor to enable remote command execution via “cmd.exe” or “powershell.exe,” screenshot capture, file upload/download, and self-termination.

It runs as a local HTTP server on ports 8000, 8001, or 8002.

Some of the other post-exploitation actions carried out by UNC6692 after gaining initial access are as follows -

- Use a Python script to scan the local network for ports 135, 445, and 3389 for lateral movement, establish a PsExec session to the victim’s system via the SNOWGLAZE tunneling utility, and initiate an RDP session via the SNOWGLAZE tunnel from the victim system to a backup server.
- Utilize a local administrator account to extract the system’s LSASS process memory with Windows Task Manager for privilege escalation.
- Use the Pass-The-Hash technique to move laterally to the network’s domain controllers using the password hashes of elevated users, download and run FTK Imager to capture sensitive data (e.g., Active Directory database file) and write it to the \Downloads folder, and exfiltrate it using the LimeWire file upload tool.
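The SNOWBELT installation step and the SNOWBASIN listener described above leave traces in process-creation and socket telemetry. The following hunt is an added example, not code from Mandiant or the original article; the event field names (`host`, `image`, `parent_image`, `command_line`, `port`), the scoring weights, and all sample records are assumptions constructed for illustration.

```python
"""Added example: hunt for Edge started headless with a side-loaded extension."""
import ntpath

SNOWBASIN_PORTS = {8000, 8001, 8002}  # local HTTP ports named in the article


def split_args(command_line):
    """Split a Windows command line on whitespace, honouring double quotes.

    Simplified on purpose: backslash-escaped quotes are not handled.
    """
    args, current, in_quotes = [], [], False
    for ch in command_line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                args.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        args.append("".join(current))
    return args


def edge_switches(event):
    """Return {switch: value} for an msedge.exe launch, or None for other images."""
    if ntpath.basename(event["image"]).lower() != "msedge.exe":
        return None
    switches = {}
    for arg in split_args(event["command_line"])[1:]:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            switches[name.lower()] = value
    return switches


def score_launch(event):
    """Score one process-creation event; None means nothing to report."""
    switches = edge_switches(event)
    if switches is None or "load-extension" not in switches:
        return None
    # Extension developers also use --load-extension, so it scores low alone.
    score, reasons = 1, ["unpacked extension loaded from the command line"]
    if "headless" in switches:
        score += 2
        reasons.append("browser started headless")
    if "autohotkey" in ntpath.basename(event["parent_image"]).lower():
        score += 1
        reasons.append("parent process is an AutoHotkey interpreter")
    dirs = [p for p in switches["load-extension"].split(",") if p]
    return {"host": event["host"], "score": score,
            "extension_dirs": dirs, "reasons": reasons}


def hunt(process_events, listeners):
    """Correlate suspicious Edge launches with listeners on 8000-8002 per host."""
    findings = [f for f in map(score_launch, process_events) if f]
    for f in findings:
        ports = sorted({l["port"] for l in listeners
                        if l["host"] == f["host"] and l["port"] in SNOWBASIN_PORTS})
        if ports:
            f["score"] += 1
            f["reasons"].append(f"local listener on port(s) {ports}")
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample telemetry (hosts, users and paths are made up).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PROCESS_EVENTS = [
    {"host": "WS-0142", "image": EDGE,
     "parent_image": r"C:\Users\alice\Downloads\AutoHotkey64.exe",
     "command_line": '"' + EDGE + '" --headless=new '
                     r'--load-extension="C:\Users\alice\AppData\Local\Temp\sync helper" about:blank'},
    {"host": "DEV-07", "image": EDGE,
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "command_line": '"' + EDGE + r'" --load-extension=C:\src\my-ext --user-data-dir=C:\src\profile'},
    {"host": "WS-0200", "image": EDGE,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"' + EDGE + '" --profile-directory=Default'},
]
LISTENERS = [
    {"host": "WS-0142", "port": 8001},
    {"host": "DEV-07", "port": 3000},
    {"host": "WS-0200", "port": 8000},  # common dev port; not reported on its own
]

if __name__ == "__main__":
    for finding in hunt(PROCESS_EVENTS, LISTENERS):
        print(finding["host"], finding["score"], "; ".join(finding["reasons"]))
```

Ports 8000 to 8002 are common development ports, which is why the listener only raises the score of a host that already has a suspicious browser launch.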

“The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers,” the tech giant said. “A critical element of this strategy is the systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.” The disclosure comes as Cato Networks detailed a voice phishing-based campaign that leverages similar help desk impersonation on Microsoft Teams to guide victims into executing a WebSocket-based trojan dubbed PhantomBackdoor via an obfuscated PowerShell script retrieved from an external server. “This incident shows how help desk impersonation delivered through a Microsoft Teams meeting can replace traditional phishing and still lead to the same outcome: staged PowerShell execution followed by a WebSocket backdoor,” the cybersecurity company said.

“Defenders should treat collaboration tools as first-class attack surfaces by enforcing help desk verification workflows, tightening external Teams and screen-sharing controls, and hardening PowerShell.” The abuse of Microsoft Teams while impersonating IT or help desk personnel to social engineer victims into granting attackers remote access has not gone unnoticed by Microsoft, which warned that threat actors are initiating cross-tenant communications via the collaboration platform to establish interactive control via Quick Assist or other remote support tools to enable malicious code execution. Once initial access is obtained, the attackers perform reconnaissance, drop payloads to facilitate outbound encrypted connections to command-and-control (C2) infrastructure, deploy a fallback remote access channel using Level RMM to ensure persistence even if the original artifacts are detected and removed, and finally exfiltrate data using the file‑synchronization tool Rclone. “This access pathway might be used to perform credential-backed lateral movement using native administrative protocols such as Windows Remote Management (WinRM), allowing threat actors to pivot toward high-value assets including domain controllers,” the tech giant said. “In observed intrusions, follow-on commercial remote management software and data transfer utilities such as Rclone were used to expand access across the enterprise environment and stage business-relevant information for transfer to external cloud storage.

This intrusion chain relies heavily on legitimate applications and administrative protocols, allowing threat actors to blend into expected enterprise activity during multiple intrusion phases.”

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Bitwarden CLI, the command-line interface for the password manager Bitwarden, has reportedly been compromised as part of a newly discovered and ongoing Checkmarx supply chain campaign, according to findings from JFrog and Socket. “The affected package version appears to be @bitwarden/cli@2026.4.0, and the malicious code was published in ‘bw1.js,’ a file included in the package contents,” the application security company said. “The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.” In a post on X, JFrog said the rogue version of the package “steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits.” Specifically, the malicious code is executed by means of a preinstall hook, resulting in the theft of local, CI, GitHub, and cloud secrets. The data is exfiltrated to the domain “audit.checkmarx[.]cx” and to a GitHub repository as a fallback if the primary method fails.

The entire series of actions is listed below -

- It launches a credential stealer that targets developer secrets, GitHub Actions environments, and artificial intelligence (AI) coding tool configurations, including Claude, Kiro, Cursor, Codex CLI, and Aider.
- The stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx, a domain impersonating Checkmarx.
- If GitHub tokens are found, the malware weaponizes them to inject malicious Actions workflows into repositories and extract CI/CD secrets.

“A single developer with @bitwarden/cli@2026.4.0 installed can become the entry point for a broader supply chain compromise, with the attacker gaining persistent workflow injection access to every CI/CD pipeline the developer’s token can reach,” StepSecurity said.
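To check whether the affected release, or any other dependency that runs install-time scripts, is pinned in a project, the lockfile can be audited offline. This is an added example, not tooling from Bitwarden or the vendors quoted here; the sample lockfiles and the package names other than `@bitwarden/cli@2026.4.0` are constructed, and the audit relies on the `packages` map and `hasInstallScript` flag that npm writes into version 2 and 3 lockfiles.

```python
"""Added example: audit an npm lockfile for a known-bad release and install hooks."""
import json

# Compromised release named in the article. Extend with other name -> versions.
KNOWN_BAD = {"@bitwarden/cli": {"2026.4.0"}}


def _walk_v1(dependencies, prefix=""):
    """Yield (path, entry) pairs from a lockfileVersion 1 nested tree."""
    for name, entry in dependencies.items():
        path = f"{prefix}node_modules/{name}"
        yield path, {"name": name, **entry}
        yield from _walk_v1(entry.get("dependencies", {}), path + "/")


def package_name(path, entry):
    """Derive the package name from a lockfile path such as
    node_modules/a/node_modules/@scope/b (aliases carry an explicit name)."""
    return entry.get("name") or path.rpartition("node_modules/")[2]


def audit_lockfile(lock, known_bad=KNOWN_BAD):
    """Return (kind, name, version, path) tuples in lockfile order.

    kind is "compromised" for a blocklisted name@version, or "install-script"
    for any other package that declares preinstall/install/postinstall hooks.
    """
    if "packages" in lock:                      # lockfileVersion 2 and 3
        entries = lock["packages"].items()
    else:                                       # lockfileVersion 1
        entries = _walk_v1(lock.get("dependencies", {}))
    findings = []
    for path, entry in entries:
        if not path:                            # "" is the root project itself
            continue
        name = package_name(path, entry)
        version = entry.get("version", "")
        if version in known_bad.get(name, ()):
            findings.append(("compromised", name, version, path))
        elif entry.get("hasInstallScript"):
            findings.append(("install-script", name, version, path))
    return findings


# Constructed lockfiles: only @bitwarden/cli@2026.4.0 comes from the article.
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "constructed-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-app", "version": "1.0.0"},
    "node_modules/plain-example": {"version": "1.3.0"},
    "node_modules/native-addon-example": {"version": "1.0.0", "hasInstallScript": true},
    "node_modules/tooling-example/node_modules/@bitwarden/cli":
        {"version": "2026.4.0", "hasInstallScript": true},
    "node_modules/@bitwarden/cli": {"version": "0.0.0-example"}
  }
}
""")

SAMPLE_LOCK_V1 = json.loads("""
{
  "lockfileVersion": 1,
  "dependencies": {
    "tooling-example": {
      "version": "1.0.0",
      "dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}}
    }
  }
}
""")

if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for kind, name, version, path in audit_lockfile(sample):
            print(f"{kind:15} {name}@{version}  ({path})")
```

Because the payload ran from a preinstall hook, installing with `npm ci --ignore-scripts` keeps lifecycle scripts from executing while the findings are reviewed.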

While the malicious version is no longer available for download from npm, Socket said the compromise follows the same GitHub Actions supply chain vector identified in the Checkmarx campaign. As part of the effort, threat actors have been found abusing stolen GitHub tokens to inject a new GitHub Actions workflow that captures secrets available to the workflow run, and using harvested npm credentials to push malicious versions of the package to spread the malware to downstream users. According to security researcher Adnan Khan, the threat actor is said to have used a malicious workflow to publish the malicious Bitwarden CLI. “I believe this is the first time a package using NPM trusted publishing has been compromised,” Khan added.

[Figure: Bitwarden CLI Attack Chain | Source: OX Security]

It’s suspected that the threat actor known as TeamPCP is behind the latest attack aimed at Checkmarx. As of writing, TeamPCP’s X account has been suspended for violating the platform’s rules. OX Security, in a breakdown of the attack, said it identified the string “Shai-Hulud: The Third Coming” in the package, suggesting this could likely be the next phase of the supply chain attack campaign that came to light last year.

[Figure: Reference to the “Shai-Hulud: The Third Coming”]

“The latest Shai Hulud incident is just the latest in a long chain of threats targeting developers around the world.

User data is being publicly exfiltrated to GitHub, often going undetected because security tools typically don’t flag data being sent there,” Moshe Siman Tov Bustan, Security Research Team Lead at OX Security, said. “This makes the risk significantly more dangerous: anyone searching GitHub can potentially find and access those credentials. At that point, sensitive data is no longer in the hands of a single threat actor – it’s exposed to anyone.” Like in the case of the Checkmarx incident, the stolen data is exfiltrated to public repositories created under victim accounts using a Dune-themed naming scheme in the same format “--<3 digits>.” But in an interesting shift, the malware is also designed to quit execution on systems if their locale corresponds to Russia.

“The shared tooling strongly suggests a connection to the same malware ecosystem, but the operational signatures differ in ways that complicate attribution,” Socket said. “This suggests either a different operator using shared infrastructure, a splinter group with stronger ideological motivations, or an evolution in the campaign’s public posture.” When reached for comment, Bitwarden confirmed the incident and said it stemmed from the compromise of its npm distribution mechanism following the Checkmarx supply chain attack, but emphasized that no end-user data was accessed as part of the attack. The entire statement shared with The Hacker News is reproduced verbatim below - The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised.

Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately. The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data. Users who did not download the package from npm during that window were not affected. Bitwarden has completed a review of internal environments, release paths, and related systems, and no additional impacted products or environments have been identified at this time.

A CVE for Bitwarden CLI version 2026.4.0 is being issued in connection with this incident. Per a breakdown of the attack published by Endor Labs, Bitwarden’s GitHub repository uses “checkmarx/ast-github-action,” which was one of the artifacts that was compromised in the Checkmarx supply chain incident. The application security vendor described the malicious Bitwarden CLI as one of the “more capable npm supply chain payloads” published to date. “It combines a multi-cloud credential harvester targeting six distinct secret surfaces, a self-propagating npm worm that re-infects all packages a victim token can publish, a GitHub commit dead-drop C2 channel with RSA-signed command delivery, authenticated-encryption exfiltration that survives repository seizure, shell RC persistence, and a novel module that specifically targets authenticated AI coding assistants,” Endor Labs researcher Kiran Raj said.

Additional analyses of the attack have been published by Aikido Security, GitGuardian, Mend.io, and SafeDep.

“Every payload, from the CanisterSprawl worm to the trojanized KICS scanner to the xinference stealer, was engineered to do one thing: extract credentials from the environments where developers and pipelines operate,” GitGuardian said. “The question every affected team should be asking right now isn’t just ‘did this package run in my environment?’ It’s: what secrets were accessible if it did, and have they been rotated?” (The story was updated after publication to include additional insights.)

ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories

You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still works with small changes. Same bugs. Same mistakes. The supply chain is messy.

Packages you did not check are stealing data, adding backdoors, and spreading. Attacking the systems behind apps is easier than breaking the apps themselves. The exploits are simple but still work, giving attackers easy access. AI tools are also part of the problem now.

They trust bad input and take real actions, which makes the damage bigger. Then there are quieter issues. Apps take data they should not. Devices behave in strange ways.

Attackers keep testing what they can get away with. No noise. Just ongoing damage. Here is the list for this week’s ThreatsDay Bulletin.

State-backed crypto heist
North Korea Likely Behind KelpDAO $290M Crypto Heist

Inter-blockchain communication protocol LayerZero has revealed that North Korean threat actors tracked as TraderTraitor may have been behind the recent hack of decentralized finance (DeFi) project KelpDAO, resulting in the theft of $290 million. “The attack was specifically engineered to manipulate or poison downstream RPC infrastructure by compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions,” LayerZero said. KelpDAO, in a post on X, said, “Two RPC nodes hosted by LayerZero were compromised. A simultaneous DDoS attack was launched against the third RPC node.

This was an attack on LayerZero’s infrastructure. Kelp’s own systems were not involved in building or operating that infrastructure.” Meanwhile, the Arbitrum Security Council has temporarily frozen the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. In an analysis published today, Chainalysis said, “Crucially, this was not a smart contract hack, but a sophisticated attack on off-chain infrastructure. The attackers compromised internal RPC nodes and DDoS’d external nodes to feed false data to a single-point-of-failure verification network (a 1-of-1 DVN setup).

This tricked the Ethereum contract into releasing funds based on a phantom token ‘burn’ on the source chain.” It’s worth noting that TraderTraitor was attributed to the mega Bybit hack in early 2025 that led to the theft of $1.5 billion in digital assets. Recently, Lazarus Group was also linked to the $285 million theft from the Drift Protocol.

Active RCE exploits
MajorDoMo Flaws Come Under Exploitation

Separately, VulnCheck has warned of attacks attempting to exploit two flaws in MajorDoMo, a smart home automation platform. While CVE-2026-27175 is a critical command injection vulnerability that started seeing exploitation on April 13, CVE-2026-27174 allows unauthenticated remote code execution via the PHP console in the admin panel and was first detected on April 18.

“CVE-2026-27175 was exploited to drop a PHP webshell that delivers persistent backdoor access,” VulnCheck said. “CVE-2026-27174 saw exploitation that ended in a Metasploit php/meterpreter/reverse_tcp staged payload.” Other vulnerabilities that have witnessed exploitation efforts include CVE-2025-22952, an SSRF in Elestio Memos, and CVE-2024-57046, an authentication bypass in NETGEAR DGN2200 routers.

Supply chain malware surge
New Malicious Packages Discovered

A number of malicious packages have been discovered in the npm registry: ixpresso-core, forge-jsx, @genoma-ui/components, @needl-ai/common, rrweb-v1, cjs-biginteger, sjs-biginteger, bjs-biginteger, @fairwords/websocket, @fairwords/loopback-connector-es, @fairwords/encryption, js-logger-pack, and @kindo/selfbot. These packages come with features to steal sensitive data from compromised hosts, perform system reconnaissance, implant an SSH backdoor by injecting the attacker’s public key into ~/.ssh/authorized_keys, deliver an information stealer, and spread the XWorm remote access trojan (RAT).

The packages published under the “@fairwords” scope have also been found to self-propagate to all npm packages using the victim’s token and attempt cross-ecosystem propagation to PyPI via .pth file injection. New versions of js-logger-pack have since been found to leverage the Hugging Face repository to poll for updates and use it as a data-theft destination. Also detected was the compromise of @velora-dex/sdk (version 9.4.1) to decode and execute a Base64 payload that fetches a shell script from a remote server that, in turn, downloads and persists a Go-based remote access trojan called minirat on macOS systems. Another legitimate package to be compromised was mgc (versions 1.2.1 through 1.2.4), which was injected with a dropper that detects the operating system and fetches a platform-specific RAT from a GitHub Gist to exfiltrate valuable data.

AI prompt injection surge
10 Indirect Prompt Injection Payloads Flagged

Forcepoint has detected 10 new indirect prompt injection (IPI) payloads targeting artificial intelligence (AI) agents with malicious instructions designed to achieve financial fraud, data destruction, API key theft, and AI denial-of-service attacks. “Regardless of the specific payload technique or attacker intent, every case follows the same fundamental sequence: the attacker poisons web content, hides the payload from human view, waits for an AI agent to ingest the page, exploits the LLM’s inability to distinguish trusted instructions from attacker-controlled content, and triggers a real-world action with a covert exfiltration return channel back to the attacker,” the company said.

Covert browser data access
Claude Desktop Grants Additional Permissions to Itself

The Claude desktop app has been found granting itself permission to access web browser data, even if some browsers haven’t even been installed on a user’s computer, web privacy expert Alexander Hanff said. The app has been spotted placing configuration files in preset locations for Chromium-based browsers like Brave, Google Chrome, Microsoft Edge, and Vivaldi.

The Native Messaging manifest files pre-authorize Claude to interact with the browser even before the user installs it. The issue has been described as a case of a dark pattern that violates privacy laws in the E.U.

Hardware display protection
U.K. NCSC Unveils SilentGlass

The U.K. National Cyber Security Centre (NCSC) has unveiled a new technology called SilentGlass that’s designed to protect video connections from cyber attacks. “SilentGlass, a plug-and-play device, actively blocks anything unexpected or malicious between HDMI and Display Port connections and screens,” NCSC said. “Already successfully deployed on Government estates, SilentGlass is now available for anyone to buy and use. It has been approved for use in the most high-threat environments.”

Passkeys replace passwords
NCSC Endorses Passkeys

In a related development, the NCSC also endorsed passkeys as the default authentication standard and the “first choice of login” for access to all digital services.

“Passkeys are a newer method for logging into online accounts, which do much of the heavy lifting for users, only requiring user approval rather than needing to input a password,” NCSC said. “This makes passkeys quicker and easier to use and harder for cyber attackers to compromise.” It also said the majority of cyber harms to individuals begin with criminals stealing or compromising login details, which makes passkey adoption a “huge leap” in boosting resilience to phishing attacks. More than 50% of active Google services users in the U.K. are said to be already using passkeys.

Backdoor sabotage claims
Iran Claims U.S. Used Backdoors to Disable Networking Equipment During War

Reports from Iranian media have claimed that hardware made by Cisco, Juniper, Fortinet, and MikroTik either rebooted or disconnected during recent attacks on Iran, despite the country being cut off from the global internet. “The most striking and suspicious aspect of this incident is its precise timing and the lack of access to the international internet at that moment,” Iranian news website Entekhab said. “This disruption occurred at a time when international gateways were effectively blocked or inaccessible; therefore, attributing this chain collapse to ‘a simple cyber attack from beyond the borders’ is not only unconvincing but also reveals the traces of deep-seated sabotage embedded within the equipment.” The report hypothesizes the presence of hidden firmware backdoors or rogue implants within compromised devices, creating a dormant botnet that’s activated when a certain event occurs without the need for internet access.

The other possibility is a supply chain compromise. “If the chips or installation files of Cisco and Juniper products are compromised before entering the country, even replacing the operating system will not solve the problem, because the root of the problem is embedded in the hardware and read-only memory (ROM),” the report said. These arguments have found purchase in China, whose state media agency Xinhua called U.S.-made equipment the “real trojan horse.” The disclosure comes as DomainTools revealed that the various hacktivist personas adopted by Iran, such as Homeland Justice, Karma, and Handala, “constitute a coordinated, MOIS-aligned cyber influence ecosystem operating under multiple branded identities that serve distinct but complementary operational roles.”

Ransomware infighting escalates
Krybit Ransomware Hacks 0APT Site

The Krybit ransomware group has hacked the website of rival ransom group 0APT after the latter threatened to dox Krybit’s members. According to security firm Barricade, 0APT leaked the complete database of the Krybit ransomware operation, including victim records, plaintext credentials, Bitcoin wallets, encryption tokens, and a 56MB exfiltration file inventory.

In return, Krybit has hit back by compromising 0APT’s server within 48 hours, defacing their data leak site, and publishing source code, bash history, Nginx logs, and system files. To rub salt into the wound, the group listed 0APT as victim #1 on their own leak site.

Stealth malware-as-a-service
New FUD Crypt Cryptor Service

There is a new cryptor-as-a-service platform called FUD Crypt (fudcrypt[.]net). “For $800 to $2,000 per month, subscribers upload an arbitrary Windows executable and receive a multi-stage deployment package that attempts automatic DLL sideloading, in-memory AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender tamper via Group Policy on Enterprise builds,” Ctrl-Alt-Intel said.

Formbook phishing surge
Phishing Campaigns Deliver Formbook Malware

Two different phishing campaigns targeting Greek, Spanish, Slovenian, Bosnian, Latin, and Central American companies are using different techniques to deliver Formbook malware. “FormBook is a data-stealing malware that targets Windows systems, primarily distributed through phishing emails with malicious attachments,” WatchGuard said. “It collects sensitive information like login credentials, browser data, and screenshots, using advanced evasion techniques to avoid detection.”

Stealth .NET execution abuse
Operation PhantomCLR Targets Middle East and EMEA

A highly sophisticated, multi-stage post-exploitation framework has been observed targeting organizations in the Middle East and EMEA financial sectors. “The threat actor leverages a legitimate, digitally signed Intel utility (IAStorHelp.exe) by abusing the .NET AppDomainManager mechanism, effectively turning a trusted binary into a stealthy execution container,” CYFIRMA said.

“This approach allows malicious code to be executed within a trusted environment. It bypasses conventional security controls without modifying the original signed binary.” Because AppDomainManager hijacking enables stealth execution within a trusted signed binary, it allows malicious code to run without modifying the original executable, effectively bypassing code-signing trust controls. The attack begins with a phishing email containing a ZIP archive, which contains an LNK file masquerading as a PDF document to execute “IAStorHelp.exe.” It’s currently not known who is behind the campaign, but the level of sophistication, modular design, and operational discipline suggest capabilities consistent with advanced threat actors.

RAT plus adware bundle
New Campaign Distributes RAT and Adware

A new malware campaign is spreading both a remote access trojan and adware together, allowing attackers to establish persistent access and make financial profits.

The attack has been found to leverage a loader to deliver Gh0st RAT trojan and CloverPlus adware, an unwanted software designed to install advertising components and change browser behavior, such as startup pages and pop-up ads, per Splunk.

macOS stealth execution abuse
Living-off-the-Land in macOS

In a new analysis, Cisco Talos revealed that bad actors can bypass security controls in Apple macOS by repurposing native features like Remote Application Scripting (RAS) for remote execution and abusing Spotlight metadata (Finder comments) to stage payloads in a way that evades static file analysis. “Because Finder is scriptable over RAE, the comment of a file on a remote machine can be set via the “eppc://” protocol. By Base64 encoding a payload locally, a multi-line script can be stored within this single string field.

The make new file command handles the creation of the target file, ensuring that no pre-existing file is required,” Talos said. “The payload resides entirely within the Spotlight metadata, a location that remains largely unexamined by standard endpoint detection and response (EDR) solutions. This creates a stealthy staging area where malicious code can persist on the disk without triggering alerts associated with suspicious file contents.” In addition, attackers can move toolkits and establish persistence using built-in protocols such as SMB, Netcat, Git, TFTP, and SNMP operating entirely outside the visibility of standard SSH-based telemetry. In some cases, adversaries can also bypass built-in restrictions by using Terminal as a proxy for execution, encoding payloads in Base64 and deploying them in stages.

LLM agent testing framework
Terrarium Framework for Evaluating Multi-Agent Systems

A group of academics has released a hackable, modular, and configurable open-source framework called Terrarium for studying and evaluating decentralized LLM-based multi-agent systems (MAS). “As the capabilities of agents progress (e.g., tool calling) and their state space expands (e.g., the internet), multi-agent systems will naturally arise in unique and unexpected scenarios,” the researchers said, adding it acts as “an isolated playground for studying agent behavior, vulnerabilities, and safety. It enables full customization of the communication protocol, communication proxy, environment, tool usage, and agents.”

AI data privacy purge
Clarifai Deletes OkCupid Data

According to Reuters, AI company Clarifai said it has deleted 3 million profile photos taken from dating site OkCupid in 2014. It follows a settlement reached last month between the U.S. Federal Trade Commission (FTC) and Match Group, OkCupid’s owner. Clarifai is said to have certified the data deletion to the FTC on April 7, 2026, and deleted any models that trained on the data. The company also emphasized that it hadn’t shared the data with third parties. The FTC opened the investigation in 2019, after The New York Times reported that Clarifai had built a training database using OkCupid dating profile photos.

The behavior was a direct violation of OkCupid’s privacy policy, although Clarifai was not accused of wrongdoing.

Zero-credential RCE chain
Active Exploitation of CVE-2026-34197

VulnCheck said it’s seeing active exploitation of the Apache ActiveMQ Jolokia remote code execution chain that strings together CVE-2026-34197 and CVE-2024-32114. “CVE-2024-32114 removes authentication from the Jolokia endpoint entirely on ActiveMQ versions 6.0.0 through 6.1.1,” VulnCheck’s Jacob Baines said. “Combined with CVE-2026-34197, that is zero-credential RCE.”

Stealth phishing lure
Spike in Phishing Using Empty Email Subject Lines

There has been a surge in phishing emails utilizing empty subject lines as a way to lure users to actually click and open the email without the usual warning cues.

Known as silent subject or null subject phishing, the technique is designed to exploit blind spots in email defenses, as it allows such emails to bypass security filters that rely on analyzing the subject lines for specific keywords that may indicate potential phishing or scam. “Emails with empty subject lines evade user suspicion by exploiting human curiosity,” CyberProof said. “The primary objective of a silent subject campaign is to gain initial access through social engineering, leading to credential compromise, unauthorized access, and potential lateral movement within targeted environments, especially focusing on high-value or VIP users.”

Industrial-scale SIM farms
ProxySmart as a SIM Farm-as-a-Service

A Belarus-based turnkey solution is assisting SIM farm operators in supporting cybercrime on an industrial scale. Infrawatch said that it identified 87 instances of ProxySmart control panels in 17 countries that are linked to at least 24 commercial proxy providers and 35 cellular providers.

The footprint spans 94 phone farm locations, distributed across 19 U.S. states, as well as countries in Europe and South America. ProxySmart provides an end-to-end platform for operating and monetizing mobile proxy infrastructure, including farm management, device control, customer provisioning, retail proxy sales, and payment handling. It’s accessible via a web-based control panel that’s self-hosted by the farm operator.

Devices in the farms are either physical Android phones or USB 4G/5G modems. The phones are enrolled via an unsigned Android APK package downloaded from the ProxySmart website, with SMS send and receive capability included. Modems are managed through ModemManager, an open-source USB dongle management tool. The ProxySmart service is written in Python and obfuscated using PyArmour.

“ProxySmart is publicly associated with a Belarus-based vendor footprint and offers an end-to-end stack for operating and monetizing a physical farm, including device management, automated IP rotation, customer provisioning, plan enforcement, and anti-bot countermeasures,” the company said. “Technical analysis indicates operator capabilities consistent with large-scale evasion enablement, including automated IP rotation, remote device control, and network fingerprint spoofing.” SIM farms enable a range of cybercrime activity such as smishing, premium-rate number fraud, bot sign-ups, and one-time password interception. In response to the findings, ProxySmart disputed its characterization as a SIM farm, stating it’s a “data-path proxy management platform” and that its mobile proxy infrastructure “underpins a wide range of legitimate commercial and research activity” including advertising verification, brand protection, price monitoring, and anti-fraud model training, among others.

Telegram under CSAM probe
Ofcom Probes Telegram for CSAM

Ofcom, the U.K.’s independent communications regulator, has launched an investigation into Telegram under the country’s Online Safety Act to examine whether the platform is being used to share child sexual abuse material (CSAM) and is doing enough to combat the threat.

“We received evidence from the Canadian Centre for Child Protection regarding the alleged presence and sharing of child sexual abuse material on Telegram, and carried out our own assessment of the platform,” Ofcom said. “In light of this, we have decided to open an investigation to examine whether Telegram has failed, or is failing, to comply with its duties in relation to illegal content.” In a statement shared with The Record, Telegram said it “categorically denies Ofcom’s accusations,” adding it has “virtually eliminated the public spread of CSAM on its platform through world-class detection algorithms and cooperation with NGOs.” Earlier this year, Ofcom also commenced a probe into X to determine whether the service is taking necessary steps to take down illegal content, including non-consensual intimate images and CSAM.

EU cracks disinfo ops
E.U. Sanctions Pro-Russian Organizations for Disinformation

The European Union imposed sanctions on two pro-Russian organizations accused of spreading disinformation and supporting the Kremlin’s hybrid influence operations against Europe and Ukraine.

The measures target Euromore and the Foundation for the Support and Protection of the Rights of Compatriots Living Abroad (Pravfond). The move is part of the E.U.’s broader effort to counter Russian information and influence operations targeting Europe since the start of Moscow’s full-scale invasion of Ukraine in 2022. The E.U. has imposed sanctions on 69 individuals and 19 entities linked to Russian hybrid warfare.

Bot farm dismantled: Ukraine Dismantles Bot Farm

Ukrainian authorities have dismantled a bot farm that’s alleged to have supplied thousands of fake social media accounts to Russian intelligence services for use in disinformation campaigns against Ukraine. The suspected organizer of the network has been detained in the northern city of Zhytomyr, and nearly 20,000 fraudulent online profiles that were used in information operations have been blocked. The suspect is believed to have sold more than 3,000 fake Telegram accounts each month to Russian clients. The accounts were created using Ukrainian mobile phone numbers and then advertised on online platforms used by pro-Russian actors.

If convicted, the suspect faces up to six years in prison.

Malicious extensions surge: StealTok Campaign Steals User Data

More than 130,000 users have downloaded and installed malicious Chrome and Edge extensions that, while offering the promised functionality, also implement covert tracking, remote configuration capabilities, and data collection mechanisms. The 12 extensions posed as tools to download TikTok videos and were available through the official Chrome and Edge stores. The activity has been codenamed StealTok. The extensions have been found to use remote configuration to bypass store review.

“Beyond privacy concerns, the use of remote configuration endpoints introduces a significant security risk, enabling post-installation behavior changes that bypass marketplace review mechanisms,” LayerX said.

Joomla SEO spam backdoor: PHP Backdoor Targets Joomla Sites to Inject SEO Spam

In a new campaign spotted by Sucuri, threat actors are planting a new PHP-based backdoor on Joomla sites to inject SEO spam. The injected script acts as a remote loader to send information about the infected website and awaits further instructions from an attacker-controlled server. “Attackers inject malicious code that silently serves spam content to visitors and search engines, all without the site owner knowing,” Sucuri said.

“The goal is simple: abuse the site’s reputation to push traffic towards products the attacker wants to promote.”

Post-exfiltration data trade: Criminal Platform Leak Bazaar Peddles Stolen Data with a Twist

A new service called Leak Bazaar has been promoted on the Russian-speaking TierOne forum that claims to process data stolen from extortion and ransomware attacks and turn it into “something more legible, more selective and precise, and making it marketable for the general population to ingest.” It’s advertised by a user named Snow, who joined the forum on March 3, 2026. “What Leak Bazaar is really offering is not a DLS or Data or Dedicated Leak Site in the conventional sense, but a post-exfiltration service layer,” Flare said. “It is trying to reassure both suppliers and buyers that the platform can solve the most frustrating part of data theft, which is that a large percentage of exfiltrated material is too noisy, too unstructured, or too cumbersome to use without additional labor.”

RDP scanning concentration: Just 21 IP Addresses Behind About 50% of All RDP Scanning

GreyNoise has disclosed that a small cluster of 21 IP addresses is now responsible for generating nearly half of all the RDP scanning traffic on the public internet. The addresses are registered to ColocaTel (AS213438), a company based in the Seychelles.

According to the threat intelligence firm, mass internet scanning activity is now preceding vendor vulnerability disclosures more frequently than before, with 49% of surges arriving within 10 days of disclosure and 78% within 21 days. In a related development, security researcher Morgan Robertson revealed that almost three-quarters of Perforce P4 source code management servers connected to the internet are misconfigured and leaking source code and sensitive files. “The default Perforce settings allow unauthenticated users to create accounts, list existing users, access passwordless accounts, and, until version 2025.1, allowed syncing repositories remotely; potentially exposing intellectual property across more than a dozen sectors, including gaming, healthcare, automotive, finance, and government,” Robertson said. “Action is recommended for all Perforce administrators to ensure security hardening, including setting stronger authentication requirements, disabling automatic account creation, and raising security levels.”

Emerging threat groups surge: New Threat Actors in the Wild

Various new hacktivist, data extortion, and ransomware crews have been spotted in the wild. These include Harakat Ashab al-Yamin al-Islamia, World Leaks, Lamashtu, Payouts King, BravoX, Black Shrantac, NBLOCK, Ndm448, Chip, Ransoomed, and Zollo.

None of this is new. That is the problem. Old paths still open, basic checks still skipped, and trust still given where it should not be. Attackers are not doing anything magical, they are just faster and less careful because they do not need to be.

The fixes are known but ignored. Patch early, check what you install, limit access, and stop trusting inputs by default. Most of the damage comes from things that were easy to prevent. Same story next week.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

[Webinar] Mythos Reality Check: Beating Automated Exploitation at AI Speed

Imagine a world where hackers don’t sleep, don’t take breaks, and find weak spots in your systems instantly. Well, that world is already here. Thanks to AI, attackers are now launching automated, large-scale exploits faster than ever before. The time you have to fix a vulnerability before it gets attacked is shrinking to zero.

We call this the Collapsing Exploit Window, and it means your standard patching routine is officially too slow. If you are fighting AI-speed attacks with manual-speed defenses, your systems are at a breaking point. It’s time to rethink everything. Join our highly anticipated webinar featuring expert guest Ofer Gayer, Vice President of Product at Miggo Security, and learn how to beat the bots at their own game: Mythos and the Collapsing Exploit Window: Rethink Vulnerability Prioritization at AI Speed.

Here is exactly what you will walk away with:

- The Truth About Mythos: We are cutting through the hype. Learn what Mythos actually represents and why it matters to your daily security.
- The AI Attack Wave: See exactly how AI is helping attackers discover and exploit vulnerabilities at lightning speed.
- The Deadly Patch Gap: Understand why the gap between a new threat and your patch is widening, and why the old way of fixing things is broken forever.
- Your New AppSec Blueprint: Stop guessing. Get real, practical steps to prioritize real-world risks, including expert secrets on virtual patching.

👤 Who needs to be there? CISOs, AppSec Leaders, and Security Architects.

If you are in charge of keeping the gates locked and you know legacy vulnerability management isn’t cutting it anymore—this is for you. Stop letting automated exploits outpace your team. Learn how to secure your organization in the age of AI.

This article is a contributed piece from one of our valued partners.

Project Glasswing Proved AI Can Find the Bugs. Who’s Going to Fix Them?

Last week, Anthropic announced Project Glasswing, an AI model so effective at discovering software vulnerabilities that they took the extraordinary step of postponing its public release. Instead, the company has given access to Apple, Microsoft, Google, Amazon, and a coalition of others to find and patch bugs before adversaries can. Mythos Preview, the model that led to Project Glasswing, found vulnerabilities across every major operating system and browser. Some of these bugs had survived decades of human audits, aggressive fuzzing, and open-source scrutiny.

One had been sitting for 27 years in OpenBSD, generally considered to be one of the world’s most secure operating systems. It’s tempting to file this under “AI lab says their AI is too dangerous,” the same playbook OpenAI ran with GPT-2. Not so fast; there’s a material difference this time. Mythos didn’t just find individual CVEs.

- It chained four independent bugs into an exploit sequence that bypassed both the browser renderer and the OS sandboxing.
- It performed local privilege escalation in Linux through race conditions.
- It built a 20-gadget ROP chain targeting FreeBSD’s NFS server, distributed across packets.

Claude Opus 4.6, Anthropic’s previous frontier model, failed at autonomous exploit development almost entirely. Mythos hit a 72.4% success rate in the Firefox JS shell. This isn’t theoretical, nor some new three-to-five-year prediction.

This is about to be a real-world engineering reality.

Why Project Glasswing Exposes the Real Cybersecurity Gap

Here’s the number that should keep security leaders awake at night: fewer than 1% of the vulnerabilities found by Mythos were patched. Let that sink in for a moment. The most powerful vulnerability discovery engine ever built ran against the world’s most critical software, and the ecosystem couldn’t absorb the output.

Glasswing solved the finding problem. Nobody solved the problem of fixing.

Why Defenders Can’t Keep Up: Calendar Speed vs. Machine Speed

This is the structural issue the cybersecurity industry has been circling for years.

AI just made it impossible to ignore. Defenders operate on calendar speed. They:

- Gather intelligence
- Build a campaign
- Simulate the threats
- Mitigate
- Repeat

That cycle takes about four days on a good day. Attackers, especially those now leveraging LLMs at every stage of their operation, are moving at machine speed.

For an up-to-the-minute take, David B. Cross, CISO at Atlassian, will be speaking at the Autonomous Validation Summit on May 12 about what this looks like from the inside, why periodic testing can’t keep pace with adversaries that operate autonomously, and what defenders should be doing instead.

AI-Powered Attacks Are Already Autonomous

Earlier this year, a threat actor deployed a custom MCP server hosting an LLM as part of their attack chain against FortiGate appliances. The AI handled everything:

- Automated backdoor creation
- Internal infrastructure mapping fed directly to the model
- Autonomous vulnerability assessment, and
- AI-prioritized execution of offensive tools for domain admin access.

The result? 2,516 organizations across 106 countries were compromised in parallel. The entire chain, from initial access through credential dumping to data exfiltration, was autonomous. The only human involvement was reviewing the results afterward.

AI-based Vulnerability Discovery Is Outpacing Remediation

The gap between attacker speed and defender speed isn’t new. What’s new is that a small but worrisome gap just became a canyon. Autonomous systems like AISLE discovered 13 out of 14 OpenSSL CVEs in recent coordinated releases, bugs that had survived years of human review. XBOW became the top-ranked hacker on HackerOne in 2025, surpassing all human participants.

The median time from disclosure to weaponized exploit dropped from 771 days in 2018 to single-digit hours by 2024. By 2025, the majority of exploits will be weaponized before being publicly disclosed. Now add Mythos-class discovery to this picture. You don’t get a safer world automatically.

You get a tsunami of legitimate findings that still require human verification, organizational process, business continuity considerations, and patch cycles that haven’t fundamentally changed in a decade.

How to Build a Mythos-Ready Security Program

The instinct after Glasswing is to ask: “How do we find more bugs?” That’s actually the wrong question. The right one is: “When thousands of exploitable vulnerabilities land on your desk tomorrow morning, can your program actually process them?” For most organizations, the honest answer is no.

And the reason isn’t a lack of tools or talent; it’s a structural dependency on periodic, human-initiated processes that were designed for a world where vulnerabilities trickled in, not one where they arrived in a tsunami. We can’t fix every vulnerability. We can’t apply every hardening option. That’s not defeatism, that’s the pragmatic starting point for any security program that actually works.

The question that matters isn’t “is this CVE critical?” but “is this vulnerability exploitable in my environment, right now, given what I have deployed?” A Mythos-ready security program needs three fundamental pieces.

First: Signal-Driven Validation Over Scheduled Testing

When a new threat emerges, when an asset changes, or when a configuration drifts, defenses need to be tested against that specific change in that moment. Not during the next quarterly pentest.

Not when someone can find an open calendar slot. The entire concept of “scheduled validation” assumes a stable threat landscape, and today, that assumption is dead on arrival.

Second: Environment-Specific Context Over Generic CVSS Scores

Glasswing will produce an avalanche of CVEs. Yet most vulnerability management programs are still prioritized by CVSS scores.

This context-free metric tells you how bad a bug could be in theory, not whether it’s exploitable in your specific infrastructure, given your controls and business risk. When the volume of findings suddenly goes from hundreds to thousands, context-free prioritization won’t just slow you down; it’ll break your process entirely.

Third: Closed-Loop Remediation Without a Manual Handoff

The current model can’t survive in a world where adversaries exploit CVEs within hours of disclosure. You know the drill:

- Scanner finds a bug
- Analyst triages it
- The ticket goes to a different team
- Someone patches it weeks later
- Nobody re-validates

That chain of manual handoffs is exactly where the system disintegrates.

If the cycle from finding to fix to re-validation can’t run without humans shuttling tickets between queues, it clearly isn’t running anywhere near machine speed. This isn’t about buying more tools. It’s about defenders leveraging their one asymmetric advantage: you know your organization’s topology, attackers don’t. That’s a significant advantage, but only if you can act on it at machine speed.

How Autonomous Exposure Validation Closes the Gap — and Where Picus Comes in

This is the part where I’m going to be really transparent about who’s writing this. At Picus Security, we build a platform for Autonomous Exposure Validation. So, full disclosure, I have a perspective here that comes with an inherent bias. Take it accordingly.

What Glasswing crystallized for us, and for a lot of the CISOs we’ve been speaking with, is that the validation step within any exposure management program just became the most critical bottleneck. Finding vulnerabilities is about to get radically easier and more efficient. Patching them is going to remain painfully slow. The only lever you can pull in between is knowing which ones actually matter to your environment. That’s validation.

From Four Days to Three Minutes: How Agentic Workflows Change the Cycle

We built Picus Swarm, the AI team powering autonomous, real-time validation, to compress the traditional four-day cycle into minutes. It’s a set of AI agents that work together to do what used to require handoffs between four separate teams:

- A researcher agent ingests and vets threat intelligence.
- A red teamer agent maps it against your environment to generate a safety-checked attacker playbook.
- A simulator agent executes across your actual endpoints and cloud, gathering telemetry and proof data.
- A coordinator agent bridges findings to remediation, opening tickets, triggering SOAR playbooks, pushing indicators of attack to your EDR, and re-validating after fixes land.

Every action is traceable and auditable, and every agent operates within guardrails you define. The whole chain, from a new CISA alert to validated, remediation-ready findings, runs in about three minutes. When a Mythos-class model drops thousands of findings on your organization, you need something that can immediately tell you which of these are exploitable in your environment.

Which controls would hold, which would fail, and what’s the vendor-specific fix?

The Uncomfortable Truth

Project Glasswing is going to be measured by one metric: how many vulnerabilities get patched before they get exploited. Not how many are found, not how impressive the exploit chains are, but whether the ecosystem can digest what AI is about to produce. Visibility alone has never been enough; 83% of cybersecurity programs still show no measurable results.

What’s changing the equation is closing the gap between seeing and proving: knowing whether a potential vulnerability would actually compromise your environment. That’s validation. And in a post-Glasswing world, it’s the only thing standing between a flood of discoveries and a flood of breaches. We’re hosting the Autonomous Validation Summit on May 12 & 14 with Frost & Sullivan, featuring practitioners from Kraft Heinz and Glow Financial Services, along with our CTO, Volkan Erturk.

Together, we’ll be taking a deeper dive into this specific problem.

Note: This article was written by Sıla Özeren Hacıoğlu, Security Research Engineer at Picus Security. This article is a contributed piece from one of our valued partners.

China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors

Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper. “The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal,” Slovakian cybersecurity company ESET said in a report shared with The Hacker News. “GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communication and exfiltration.” The group was first discovered in January 2025 following the discovery of a never-before-seen backdoor codenamed LaxGopher on a system belonging to a Mongolian governmental entity. GopherWhisper is assessed to be active at least since November 2023.

Besides LaxGopher, some of the other malware families part of the threat actor’s arsenal are Golang-based tools to receive instructions from the C&C server, execute them, and send the results back. Also used by the threat actor is a file collection tool to gather files of interest and exfiltrate them in compressed format to the file[.]io file sharing service and a C++ backdoor that offers remote control over compromised hosts. Telemetry data from ESET shows that about 12 systems associated with the Mongolian governmental institution were infected by the backdoors, with C&C traffic from the attacker-controlled Discord and Slack servers indicating dozens of other victims. Exactly how GopherWhisper obtains initial access to the target networks is currently not known.

But a successful foothold is followed by attempts to deploy a wide range of tools and implants:

- JabGopher, an injector that executes the LaxGopher (“whisper.dll”) backdoor.
- LaxGopher, a Go-based backdoor that uses Slack for C2 to execute commands via “cmd.exe” and publish the results back to the Slack channel, as well as download additional malware.
- CompactGopher, a Go-based file collection utility dropped by LaxGopher to filter files of interest by extensions (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, and .pptx), compress them into ZIP files, encrypt the archives using AES-CFB-128, and exfiltrate them to file[.]io.
- RatGopher, a Go-based backdoor that uses a private Discord server to receive C&C messages, execute commands, and publish the results back to the configured Discord channel, as well as upload and download files from file[.]io.
- SSLORDoor, a C++-based backdoor that uses OpenSSL BIO for communication via raw sockets on port 443 to enumerate drives, perform file operations, and run commands based on C&C input via “cmd.exe.”
- FriendDelivery, a malicious DLL that serves as a loader and injector for BoxOfFriends.
- BoxOfFriends, a Go-based backdoor that uses the Microsoft Graph API to craft draft emails for C2 using hard-coded credentials, with the earliest Outlook account created for this purpose (“barrantaya.1010@outlook[.]com”) created on July 11, 2024.

“Timestamp inspection of the Slack and Discord messages showed us that the bulk of them were being sent during working hours, i.e., between 8 a.m. and 5 p.m., which aligns with China Standard Time,” ESET researcher Eric Howard said.

“Furthermore, the locale for the configured user in Slack metadata was also set to this time zone. We therefore believe that GopherWhisper is a China-aligned group.”
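The working-hours inference described above can be reproduced on exported message timestamps. The following is an added example (not ESET's tooling and not code from the article) that scores every whole-hour UTC offset by the share of messages falling inside the 8 a.m. to 5 p.m. window; the function names are assumptions and the sample timestamps are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 17  # 8 a.m. to 5 p.m., the window cited in the report


def score_offsets(timestamps_utc, start=WORK_START, end=WORK_END):
    """Map each whole-hour UTC offset to the fraction of messages that fall
    inside [start, end) local time under that offset."""
    if not timestamps_utc:
        raise ValueError("no timestamps to analyse")
    if any(ts.tzinfo is None for ts in timestamps_utc):
        raise ValueError("timestamps must be timezone-aware")
    # Bucket by UTC hour once, then shift the buckets for every candidate offset.
    hours = Counter(ts.astimezone(timezone.utc).hour for ts in timestamps_utc)
    total = sum(hours.values())
    scores = {}
    for offset in range(-12, 15):  # UTC-12 .. UTC+14
        inside = sum(n for h, n in hours.items()
                     if start <= (h + offset) % 24 < end)
        scores[offset] = inside / total
    return scores


def infer_offset(timestamps_utc):
    """Return (best offset, its score, margin over the runner-up)."""
    ranked = sorted(score_offsets(timestamps_utc).items(),
                    key=lambda kv: kv[1], reverse=True)
    (best, best_score), (_, second_score) = ranked[0], ranked[1]
    return best, best_score, best_score - second_score


def constructed_sample():
    """Constructed data: hourly messages 00:15-08:15 UTC on ten weekdays,
    plus five off-hours messages at 14:00 UTC."""
    base = datetime(2025, 1, 6, tzinfo=timezone.utc)  # a Monday
    msgs = []
    for day in range(14):
        d = base + timedelta(days=day)
        if d.weekday() >= 5:  # skip Saturday and Sunday
            continue
        msgs += [d + timedelta(hours=h, minutes=15) for h in range(9)]
    msgs += [base + timedelta(days=i, hours=14) for i in range(5)]
    return msgs


if __name__ == "__main__":
    offset, score, margin = infer_offset(constructed_sample())
    print(f"best fit UTC{offset:+d}: {score:.0%} in working hours "
          f"(margin over runner-up {margin:.0%})")
```

Neighbouring offsets always score close to the best fit, so the margin should be read as a confidence indicator. Activity timing also cannot separate regions that share an offset, which is why the report pairs it with the Slack locale metadata.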