DAILY WORKFLOW ARCHIVE

2026-05-09 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-05-09 AI创业新闻

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that’s capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076 . The malware family is assessed to be a major update of the Maverick , which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim’s contacts. The Maverick campaign is attributed to a threat cluster that Trend Micro calls Water Saci.

At the core of the attack chain is a loader with robust anti-analysis capabilities that deploys two embedded modules: a full-featured banking trojan and a worm component that uses WhatsApp and Microsoft Outlook for propagation. “The observed infection chain bundles a malicious MSI installer inside a ZIP file,” security researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus said . “These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder.” The malware leverages DLL side-loading against the application to launch a malicious DLL (“screen_retriever_plugin.dll”), which functions as a loader with a “comprehensive watchdog subsystem” that continuously keeps an eye out for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to sidestep detection. Specifically, the malicious DLL will only execute if it was loaded by either “logiaipromptbuilder.exe” (the Logitech program) or “tclloader.exe” (likely a reference to an executable used during testing).

It also removes any usermode hooks placed by endpoint security software within “ntdll.dll” by replacing the library and disables Event Tracing for Windows (ETW) telemetry. What’s more, the malware generates three fingerprints based on anti-debugging and anti-virtualization checks, system disk information checks, and language checks, using them to create an environment hash value that’s used to decrypt the embedded payload. The system language check ensures that the user’s default language is Brazilian Portuguese. “For example, if a debugger is present, it will produce an incorrect hash, so when the malware attempts to derive the decryption keys from the hash, the payload will not decrypt correctly, and TCLBANKER will stop executing,” Elastic explained.

The main component launched following these checks is the banking trojan that once again verifies if it’s running on a Brazilian system, and then proceeds to establish persistence using a scheduled task.Subsequently, it beacons out to an external server with an HTTP POST request containing basic system information. TCLBANKER also incorporates a self-update mechanism and a URL monitor that extracts the current URL from the foreground browser’s address bar using UI Automation . This step targets popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi. The extracted URL is matched against a hard-coded list of targeted financial institutions.

If there is a match, it establishes a WebSocket connection to a remote server and enters into a command dispatch loop, enabling the operator to perform a broad range of tasks - Run shell commands Capture screenshots Start/stop screen streaming Manipulate clipboard Launch a keylogger Remotely control mouse/keyboard Manage files and processes Enumerate running processes List visible windows Serve fake credential-stealing overlays To conduct data theft, TCLBANKER relies on a Windows Presentation Foundation (WPF)-based full-screen overlay framework to conduct social engineering using credential harvesting prompts, vishing wait screens, bogus progress bars, and fake Windows Updates, all while hiding overlays from screen capture tools. In tandem, the loader invokes the worming module to propagate the trojan via spam and phishing messages at scale. It employs a two-pronged approach that involves a WhatsApp Web worm that hijacks authenticated browser sessions and an Outlook email bot that abuses Microsoft Outlook to send fake emails to the victim’s contacts. Like in the case of SORVEPOTEL , the WhatsApp worm retrieves a messaging template from the server and leverages the open-source project WPPConnect to automate the sending of messages to other users, while filtering out groups, broadcasts, and non-Brazilian numbers.

The Outlook agent, on the other hand, is an email spambot that abuses the victim’s installed Microsoft Outlook application to send phishing emails from the victim’s email address, thereby bypassing spam filters and giving the messages an illusion of trust. “TCLBANKER reflects a broader maturation happening across the Brazilian banking trojan ecosystem,” Elastic concluded. “Techniques that were once the hallmark of more sophisticated threat actors: environment-gated payload decryption, direct syscall generation, real-time social engineering orchestration over WebSocket, are now being packaged into commodity crimeware.” “The campaign inherits the trust and deliverability of legitimate communications by hijacking victims’ WhatsApp sessions and Outlook accounts. This is a distribution model that traditional email gateways and reputation-based defenses are ill-equipped to catch.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call histories for any phone number, only to trick users into joining a subscription that provided fake data and incurred financial loss. The 28 apps have collectively racked up more than 7.3 million downloads, with one of them alone accounting for over 3 million downloads, before they were taken down from the official app storefront.The activity, codenamed CallPhantom by Slovakian cybersecurity company ESET, primarily targeted Android users in India and the broader Asia-Pacific region. “The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number,” ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News. “To unlock this supposed feature, users are asked to pay – but all they get in return is randomly generated data.” The list of identified apps is below - Call history : any number deta (calldetaila.ndcallhisto.rytogetan.ynumber) Call History of Any Number (com.pixelxinnovation.manager) Call Details of Any Number (com.app.call.detail.history) Call History Any Number Detail (sc.call.ofany.mobiledetail) Call History Any Number Detail (com.cddhaduk.callerid.block.contact) Call History Of Any Number (com.basehistory.historydownloading) Call History of Any Numbers (com.call.of.any.number) Call History Of Any Number (com.rajni.callhistory) Call History Any Number Detail (com.callhistory.calldetails.callerids.callerhistory.callhostoryanynumber.getcall.history.callhistorymanager) Call History Any Number Detail (com.callinformative.instantcallhistory.callhistorybluethem.callinfo) Call History Any Number detail (com.call.detail.caller.history) Call History Any Number Detail (com.anycallinformation.datadetailswho.callinfo.numberfinder) Call History Any Number Detail (com.callhistory.callhistoryyourgf) Call History Any Number (com.calldetails.smshistory.callhistoryofanynumber) Call History Any Number Detail  (com.callhistory.anynumber.chapfvor.history) Call History of Any Number (com.callhistory.callhistoryany.call) Call History Any Number Detail (com.name.factor) Call History Of Any Number (com.getanynumberofcallhistory.callhistoryofanynumber.findcalldetailsofanynumber) Call History Of Any Number (com.chdev.callhistory) Phone Call History Tracker (com.phone.call.history.tracke) Call History- Any Number Deta (com.pdf.maker.pdfreader.pdfscanner) Call History Of Any Number (com.any.numbers.calls.history) Call History Any Number Detail (com.callapp.historyero) Call History - Any Number Data (all.callhistory.detail) Call History For Any Number (com.easyranktools.callhistoryforanynumber) Call History of Numbers (com.sbpinfotech.findlocationofanynumber) Call History of Any Number (callhistoryeditor.callhistory.numberdetails.calleridlocator) Call History Pro (com.all_historydownload.anynumber.callhistorybackup) At least one of the flagged apps was published under the developer name “Indian gov.in” in an attempt to build a false sense of trust and unsuspecting trick users into downloading it.

However, this trick masks a nefarious motive where victims are asked to make a payment in order to view details of a phone number’s call and SMS history. Once the payment is made, users are served entirely fabricated phone numbers and names directly embedded into the source code. Evidence indicates that the activity may have been active since at least November 2025 . A second cluster of these apps has been found to prompt users to enter their email address to which the purported details of any phone number would be delivered to.

As in the prior case, no data is generated until a payment is made. The payments either rely on subscriptions via Google Play Store’s official billing system or via third-party apps that support Unified Payments Interface (UPI), an instant payment system widely used in India. Ironically, this list includes Google Pay, Walmart-backed PhonePe, and Paytm. A third method includes payment card checkout forms directly inside the apps.

The last two approaches are in violation of Google’s policy. In at least one case, the apps implemented an additional trick to convince the user to make a payment. Should they exit the app without making any payment, it displays a deceptive notification claiming that a call history for a certain phone number had been successfully sent to their email address. Clicking on the notification directly takes the user to a subscription screen.

The subscription plans vary across the app, ranging anywhere from about $6 to $80. Users who may have fallen prey to the scam should have had their subscriptions canceled after the apps were removed from the Google Play Store. What makes this activity notable is that the apps have a simple user interface and do not request any sensitive permissions. And to top it all, they do not even contain any functionality to retrieve call, SMS, or WhatsApp data.

“Users who subscribed via official Google Play billing may be eligible for refunds under Google’s refund policies,” ESET said. “Purchases made via third‑party payment apps or through direct payment card entry cannot be refunded by Google, leaving users dependent on external payment providers or developers.” The disclosure comes as Group-IB said bad actors have stolen an estimated $2 million from Indonesian users as part of a fraud campaign that involved posing as the country’s tax platform, CoreTax, and other trusted brands. The campaign, which began in July 2025, has been linked to a financially motivated threat cluster called GoldFactory . “The attack chain integrates phishing websites, social engineering (WhatsApp), malicious APK sideloading, and voice phishing (vishing) to achieve full device compromise and unauthorized transfer execution,” Group-IB said .

At a high level, these attacks involve using social engineering to distribute the fake apps via WhatsApp, which, when installed, deploy Android malware such as Gigabud RAT , MMRat , and Taotie that are capable of harvesting sensitive data and downloading additional components. The stolen information is then used to conduct account takeover attacks and financial theft. “The malware infrastructure supporting this fraud campaign is not limited to a single impersonated service. The same infrastructure has been observed actively abusing more than 16 trusted brands, collectively targeting Indonesia’s broader population of approximately 287 million,” Group-IB said.

Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

The hardest part of cybersecurity isn’t the technology, it’s the people. Every major breach you’ve read about lately usually starts the same way: one employee, one clever email, and one “Patient Zero” infection. In 2026, hackers are using AI to make these “first clicks” nearly impossible to spot. If a single laptop gets compromised on your watch, do you have a plan to stop it from taking down the whole company?

Register for the Webinar: The Patient Zero Playbook What is “Patient Zero”? In medicine, Patient Zero is the first person to carry a disease into a population. In cybersecurity, it’s the first device an attacker hits. Once they are “in,” they don’t stay there—they move fast to find your data, your passwords, and your backups.

What You Will Learn Thisisn’t a boring lecture. It is a technical deep dive into how modern breaches start and how to kill them instantly. We are covering: The AI Phish: How attackers use generative AI to bypass your current filters. The 5-Minute Window: Why the first few minutes of an infection determine if you’ll be in the news tomorrow.

Zero Trust in Action: How to isolate an infected device so the “virus” has nowhere to go. The Recovery Blueprint: What to do the second you realize you have a Patient Zero. Why You Can’t Miss This Most security tools are great at finding “known” viruses. But they struggle with stealthy, custom-made attacks designed specifically for your company.

This webinar shows you how to build a defense that assumes someone will click a bad link—and ensures that click doesn’t cost you millions. Secure Your Spot – Register Now ➜ Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers’ systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling. “QLNX targets developers and DevOps credentials across the software supply chain,” Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a technical analysis of the malware. “Its credential harvester extracts secrets from high-value files such as .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files. The compromise of these assets could allow the operator to push malicious packages to NPM or PyPI registries, access cloud infrastructure, or pivot through CI/CD pipelines.” The malware’s ability to systematically harvest a wide range of credentials poses a severe risk to developer environments.

A threat actor who successfully deploys QLNX against a package maintainer gains unauthorized access to their publishing pipeline, allowing the attacker to push poisoned versions that can lead to cascading downstream impacts. QLNX executes filelessly from memory, masquerades itself as a kernel thread (e.g., kworker or ksoftirqd), and is capable of profiling the host to detect containerized environments, wiping system logs to cover up the tracks, and setting up persistence using no less than seven different methods, including systemd, crontab, and .bashrc shell injection. Furthermore, it exfiltrates the collected data to an attacker-controlled infrastructure, and receives commands that make it possible to execute shell commands, manage files, inject code into processes, take screenshots, log keystrokes, establish SOCKS proxies and TCP tunnels, run Beacon Object Files (BOFs), and even manage a peer-to-peer (P2P) mesh network. Exactly how the malware is delivered is unclear.

However, once a foothold is established, it enters a primary operational phase by running a persistent loop that continuously attempts to establish and maintain communication with the command-and-control (C2) server over raw TCP, HTTPS, and HTTP. In total, QLNX supports 58 distinct commands that give the operators complete control of the compromised host. QLNX also comes with a Pluggable Authentication Module ( PAM ) inline-hook backdoor that intercepts plaintext credentials during authentication events, logs outbound SSH session data, and transmits the data to the C2 server. The malware also supports a second PAM-based credentials logger that’s automatically loaded into every dynamically linked process to extract the service name, username, and authentication token.

It employs a two-tiered rootkit architecture: a userland rootkit deployed through the Linux dynamic linker’s LD_PRELOAD mechanism to ensure that the implant’s artifacts and processes stay hidden. There also exists a kernel-level eBPF component that uses BPF subsystem to conceal processes, files, and network ports from standard userland tools such as ps, ls, and netstat upon receiving instructions from the C2 server. “The QLNX implant was built for long-term stealth and credential theft,” Trend Micro said. “What makes it particularly dangerous is not any single feature, but how its capabilities chain together into a coherent attack workflow: arrive, erase from disk, persist through six redundant mechanisms, hide at both userspace and kernel level, and then harvest the credentials that matter most.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk

The dark secret of enterprise security operations is that defenders have quietly institutionalized the practice of not looking. This is not just anecdotal, but rather backed by a recent report investigating more than 25 million security alerts, including informational and low-severity, across live enterprise environments. The dataset behind these findings includes 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations including live memory scans, 180 million files analyzed, and telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails. The patterns that emerge from this data tell a consistent story.

Threat actors are exploiting the predictable gaps created by constrained, severity-based security operations, and they are doing it systematically. Understanding where those gaps actually live requires looking at the full alert picture, starting with the category most teams have been conditioned to ignore. The 1% problem that adds up to one missed breach per week In this analysis of 25M alerts, nearly 1% of confirmed incidents originated from alerts initially classified as low-severity or informational. On endpoints specifically, that figure climbed to nearly 2%.

At enterprise scale, percentages like these are not noise. The average organization generates approximately 450,000 alerts per year. One percent of that is roughly 54 real threats annually, about one per week, that never get investigated under a traditional SOC or MDR model. Detection did not fail.

Triage economics just made investigation impossible. These are not theoretical risks sitting at the edge of an attacker’s wishlist. They are real compromises hiding in the category of alerts that operations teams have been trained to deprioritize. EDR “mitigated” does not mean clean Endpoint findings from the report deserve special attention because they challenge a foundational assumption in most security programs: that EDR remediation can be trusted at face value.

Of the 82,000 alerts that underwent live forensic memory scans, 2,600 had active infections. Of those confirmed compromised endpoints, 51% had already been marked as “mitigated” by the source EDR vendor. In over half of confirmed endpoint compromises detected through forensic analysis, the EDR had closed the ticket and declared the threat resolved. Without memory-level forensics, those infections remain invisible.

The tools most organizations rely on as their endpoint safety net are reporting clean on machines that are not clean. The malware families found running in memory during these scans include Mimikatz, Cobalt Strike, Meterpreter, and StrelaStealer, not obscure proof-of-concept tools, but the workhorses of active criminal and nation-state operations. Phishing has left your email gateway behind The phishing data in the report reflects a fundamental shift in attacker methodology that most email security architectures are not designed to catch. Less than 6% of confirmed malicious phishing emails contained attachments.

Most relied on links and language. More significantly, attackers have migrated their infrastructure onto platforms that are trusted by default: Vercel, CodePen, OneDrive, and even PayPal’s own invoicing system. One campaign documented in the report uses PayPal’s legitimate payment request infrastructure to send threat emails, with callback numbers embedded in the payment notes and Unicode homoglyphs to defeat signature-based detection. The sending domain passes every standard authentication check because the mail genuinely originates from PayPal.

Cloudflare Turnstile CAPTCHA has become a reliable signal of malicious intent: sites using it were consistently more likely to be phishing pages, while Google reCAPTCHA correlated with legitimate infrastructure. Attackers are using the mechanisms built to stop bots to stop automated security scanners instead. Four new techniques for bypassing email gateways were identified in the data: Base64 payloads hidden inside SVG image files, links embedded in PDF annotation metadata invisible to surface-level scanners, dynamically loaded phishing pages served through legitimate OneDrive shares, and DOCX files concealing archived HTML content containing QR codes. None of these is exotic.

They are operational techniques being used at scale. Cloud telemetry shows attackers playing long games Cloud alert data from the report shows a pronounced concentration around defense evasion and persistence tactics, with relatively few high-impact behaviors like lateral movement or privilege escalation appearing in the signal. Attackers are being both cautious and patient. The dominant pattern is long-term access.

Token manipulation, abuse of legitimate cloud features, andobfuscation to avoid triggering higher-severity detections. The goal is to remain present and undetected, not to make noise. AWS misconfigurations compound this risk quietly. S3 accounts for roughly 70% of all cloud control violations in the dataset, with the most common issues centered on access management, server logging, and cross-account restrictions.

These findings rarely trigger alerts. Most are classified as low severity. And they have been repeatedly exploited once attackers establish any foothold, dramatically accelerating what they can do next. Why traditional SOCs and MDRs cannot close this gap This is an operational and capacity problem that technology alone did not solve until recently.

Human analysts do not scale with alert volume. As telemetry expands across endpoint, cloud, identity, network, and SaaS, every SOC eventually hits the same ceiling. The only way to operate within budget is aggressive triage: automate most closures, investigate only what looks critical, and trust that severity labels reflect reality. The 2026 data shows that trust is misplaced at scale.

MDR providers face identical constraints. The human-scaled operating model means approximately 60% of alerts still go unreviewed whether handled in-house or outsourced. Adding more analysts moves the ceiling but does not eliminate it. SOAR platforms give you workflow automation but require your team to design every playbook and still do not replace investigative execution.

The deeper problem is the feedback loop that never closes. When low-severity alerts are never investigated, missed threats never surface. Detection rules that fail to catch real attacks never get corrected. The system does not self-improve because the inputs it would need to improve are never examined.

What changes when you investigate everything Investigating all 25 million alerts in the above-cited report required removing the constraint that has historically made full coverage impossible. Specifically, human analyst capacity is the bottleneck. In this dataset, Intezer AI SOC was used to triage and investigate, with less than 2% of alerts escalated to a human analyst, 98% verdict accuracy, and sub-minute median triage time across the full volume. The effects of full-coverage investigation are measurable.

When every alert receives forensic-grade analysis regardless of severity, triage outcomes are grounded in evidence rather than assumptions about what low-severity labels mean. Early-stage threats that produce only weak initial signals,get surfaced before they progress. Detection engineering also benefits directly, because every investigation generates feedback that can be looped back into rule tuning at the source. The practical result for human analysts is a shift in where their time is spent.

Escalations become less frequent and higher confidence, which means analysts engage at the point of decision rather than spending capacity on discovery and initial classification. For the broader organization, this translates into a security posture that improves continuously rather than one that holds steady while the threat landscape moves around it. To explore the full report and research findings, see the 2026 AI SOC Report for CISOs by Intezer . Found this article interesting?

This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that’s being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called “darkworm.” The backdoor is designed as a Pluggable Authentication Module ( PAM )-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. It’s also capable of harvesting credentials from all legitimate users who authenticate through the compromised system. “The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH,” Flare.io researcher Assaf Morag said in a technical report. “Allegedly this would remain persistent on Linux systems (x86_64).” PamDOORa is the second Linux backdoor targeting the PAM stack after Plague .

PAM is a security framework in Unix/Linux operating systems that grants system administrators the ability to incorporate multiple authentication mechanisms or update them (e.g., switching from passwords to biometrics) into an existing system through the use of pluggable modules without the need for rewriting existing applications. Because PAM modules typically run with root privileges , a compromised, misconfigured, or malicious module can introduce significant security risks and open the door to credential harvesting and unauthorized access. “Despite its strengths, the Pluggable Authentication Module’s (PAM) modularity introduces risks, as malicious modifications to PAM modules can create backdoors or steal user credentials, especially since PAM does not store passwords but transmits values in plaintext,” Group-IB noted in September 2024. “The pam_exec module, which allows the execution of external commands, can be exploited by attackers to gain unauthorized access or establish persistent control by injecting malicious scripts into PAM configuration files.” The Singaporean security vendor also detailed how it’s possible to manipulate PAM configuration for SSH authentication to execute a script via pam_exec, effectively allowing a bad actor to obtain a privileged shell on a host and facilitate stealthy persistence.

The latest findings from Flare.io show that PamDOORa, besides enabling credential theft, incorporates anti-forensic capabilities to methodically tamper with authentication logs to erase traces of malicious activity. Although there is no evidence that the malware has been put to use in real-world attacks, infection chains distributing the malware are likely to involve the adversary first obtaining root access to the host through some other means and deploying the PamDOORa PAM module to capture credentials and establish persistent access over SSH. After an initial asking price of $1,600 on March 17, 2026, the “darkworm” persona has since reduced it by almost 50% to $900 as of April 9, indicating either a lack of buyer interest or an intent to accelerate a sale. “PamDOORa represents an evolution over existing open-source PAM backdoors,” Morag explained.

“While the individual techniques (PAM hooks, credential capture, log tampering) are well-documented, the integration into a cohesive, modular implant with anti-debugging, network-aware triggers, and a builder pipeline places it closer to operator-grade tooling than the crude proof-of-concept scripts found in most public repositories.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions

Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel. Dubbed Dirty Frag , it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026. “Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability,” security researcher Hyunwoo Kim (@v4bel) said in a write-up.

“Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.” The vulnerability currently does not have a CVE identifier, as the embargo is said to have been broken after detailed information and an exploit for the xfrm-ESP Page-Cache Write vulnerability were published publicly by an unrelated third-party. Successful exploitation of the flaw could allow an unprivileged local user to gain elevated root access on most Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. According to the researcher, the xfrm-ESP Page-Cache Write vulnerability was introduced in a source code commit made in January 2017, while the RxRPC Page-Cache Write vulnerability was introduced in June 2023.

Interestingly, the same January 17, 2017, commit was the root cause behind another buffer overflow ( CVE-2022-27666 , CVSS score: 7.8) that affected various Linux distributions. xfrm-ESP Page-Cache Write, which is rooted in the IPSec (xfrm) subsystem, provides attackers with a 4-byte store primitive like Copy Fail and overwrites a small amount in the kernel’s page cache. However, the exploit requires the unprivileged user to create a namespace, a step that’s blocked by Ubuntu through AppArmor . In such an environment, xfrm-ESP Page-Cache Write cannot be triggered.

That’s where the second exploit, RxRPC Page-Cache Write, comes in. “RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions,” Kim explained. “For example, the default build of RHEL 10.1 does not ship rxrpc.ko. However, on Ubuntu, the rxrpc.ko module is loaded by default.” “Chaining the two variants makes the blind spots cover each other.

In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.” CloudLinx, in an advisory of its own, said the flaw resides in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path and is reachable via the XFRM user netlink interface.” “The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel (e.g., pipe pages attached via splice(2)/sendfile(2)/MSG_SPLICE_PAGES), the receive path decrypts directly over those externally-backed pages, exposing or corrupting plaintext that an unprivileged process still holds a reference to,” AlmaLinux said . Similar advisories have been released by other Linux distributions - Amazon Linux Red Hat Enterprise Linux Adding to the urgency is the release of a working proof-of-concept (PoC) that can be exploited to gain root in a single command. Until the patches are available, it’s advised to blocklist esp4, esp6, and rxrpc modules so they cannot be loaded - sudo sh -c “printf ‘install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n’ > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true” It’s worth mentioning here that Dirty Frag, despite sharing some overlaps with Copy Fail, can be exploited irrespective of whether the Linux kernel’s algif_aead module is enabled or not.

“Note that Dirty Frag can be triggered regardless of whether the algif_aead module is available,” the researcher said. “In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.” Update The xfrm-ESP Page-Cache Write vulnerability has been assigned CVE-2026-43284 and patched in mainline at f4c50a4034e6 . The RxRPC Page-Cache Write vulnerability has been assigned the identifier CVE-2026-43500, although no patch is available as of writing. “On hosts that do not run container workloads, the vulnerability allows a local user to elevate privileges to the root user,” Ubuntu said .

“In container deployments that may execute arbitrary third-party workloads, the vulnerability may additionally facilitate container escape scenarios, in addition to local privilege escalation on the host.” In an advisory, Google-owned Wiz described Dirty Frag as a vulnerability chain that combines two page-cache write primitives in the Linux kernel: one in the xfrm-ESP (IPsec) subsystem and another in RxRPC. “Both flaws allow modification of page-cache-backed memory that is not exclusively owned by the kernel, enabling corruption of sensitive files and ultimately privilege escalation,” researchers Merav Bar and Rami McCarthy said . “Unlike race-condition-based exploits, this bug class is deterministic and highly reliable, similar to previous vulnerabilities like Copy Fail and Dirty Pipe.” “To pull off this exploit, an attacker needs two things: access to specific vulnerable kernel interfaces and the ability to manipulate page-backed buffers (e.g., via splice()-related paths). However, there is a significant hurdle: the exploit usually requires high-level system permissions, such as CAP_NET_ADMIN.

This means exploitation is less likely in hardened containerized environments (e.g., Kubernetes with default seccomp profiles).” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows “a remotely authenticated user with administrative access to achieve remote code execution,” Ivanti said in an advisory released today. “We are aware of a very limited number of customers exploited with CVE-2026-6973.

Successful exploitation requires Admin authentication. If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340 , then your risk of exploitation from CVE-2026-6973 is significantly reduced.” It’s currently not known who is behind the exploitation efforts, if any of those attacks were successful, and what the end goals of the attacks were. The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 10, 2026.

Also patched by Ivanti in EPMM are four other flaws - CVE-2026-5786 (CVSS score: 8.8) - An improper access control vulnerability that allows a remote authenticated attacker to gain administrative access. CVE-2026-5787 (CVSS score: 8.9) - An improper certificate validation vulnerability that allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. CVE-2026-5788 (CVSS score: 7.0) - An improper access control vulnerability that allows a remote unauthenticated attacker to invoke arbitrary methods. CVE-2026-7821 (CVSS score: 7.4) - An improper certificate validation vulnerability that allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device identity.

“The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products,” the company said . Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems

Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. “The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts,” SentinelOne security researcher Alex Delamotte said in a report published today. PCPJack is specifically designed to target cloud services like Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, allowing the operators to spread in a worm-like fashion, aswell as move laterally within the compromised networks. It’s assessed that the end goal of the cloud attack campaign is to generate illicit revenue for the threat actors through credential theft, fraud, spam, extortion, or resale of stolen access.

The What makes this activity notable is that it shares significant targeting overlaps with TeamPCP , a threat actor that rose to prominence late last year by exploiting known security vulnerabilities (e.g., React2Shell ) and misconfigurations in cloud services to enlist the endpoints in an ever-expanding network for conducting data theft and other post-exploitation actions. At the same time, PCPJack lacks a cryptocurrency mining component, unlike TeamPCP. While it’s not known why this obvious monetization strategy was not adopted, the similarities between the two clusters indicate that PCPJack could be the work of a former member of TeamPCP who is familiar with the group’s tradecraft. The starting point of the attack is a bootstrap shell script that’s used to prepare the environment – such as configuring the payload host – and download next-stage tooling, while simultaneously taking steps to infect its own infrastructure, terminate and remove processes or artifacts that are associated with TeamPCP, install Python, establish persistence, download six Python scripts, launch the orchestration script, and remove itself.

The six Python payloads are as follows - worm.py (written to disk as monitor.py), the main orchestrator that launches the purpose-built modules, conducts local credential theft, propagates the toolset to other hosts by exploiting known flaws ( CVE-2025-55182 , CVE-2025-29927 , CVE-2026-1357 , CVE-2025-9501 , and CVE-2025-48703 ), and uses Telegram for command-and-control (C2) parser.py (utils.py), to handle credential extraction to categorize stolen keys and secrets lateral.py (_lat.py), to facilitate reconnaissance, harvest secrets, and enable lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services crypto_util.py (_cu.py), to encrypt credentials before exfiltration to the attacker’s Telegram channel cloud_ranges.py (_cr.py), to collect IP address ranges assigned to Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Cloudflare, Cloudfront, and Fastly, and refresh the data every 24 hours cloud_scan.py (_csc.py), to run cloud port scanning for external propagation via Docker, Kubernetes, MongoDB, RayML, or Redis services Propagation targets for the orchestrator script come from parquet files that the worm pulls directly from Common Crawl, a non-profit that crawls the web and provides its archives and datasets to the public at no extra cost. “When exfiltrating system information and credentials, the PCPJack operator even collects success metrics on whether TeamPCP has been evicted from targeted environments in a ‘PCP replaced’ field sent to the C2,” Delamotte said. This “implies a direct focus on the threat actor’s activities rather than pure cloud attack opportunism.” Further analysis of the threat actor’s infrastructure has uncovered another shell script (“check.sh”) that detects the CPU architecture and fetches the appropriate Sliver binary. It also scans Instance Metadata Service (IMDS) endpoints, Kubernetes service accounts, and Docker instances for credentials associated with Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, OnePassword, and OpenAI, and transmits them to an external server.

“Overall, the two toolsets are well developed and indicate that the owner values making code as a modular framework, despite some redundancies in behavior,” SentinelOne said. “This campaign does not [deploy miners], and it deliberately removes the miner functions associated with TeamPCP. Despite that, this actor has well-defined scopes for extracting cryptocurrency credentials.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026. The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. While fixes are expected to be released starting May 13, 2026, customers are advised to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones, or by disabling it entirely if it’s not used. As additional mitigation, the company is recommending that organizations disable Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress.

Customers with Advanced Threat Prevention can also block exploitation attempts by enabling Threat ID 510019 from Applications and Threats content version 9097-10022. In an advisory issued Wednesday, the network security company said it’s aware of limited exploitation of the flaw. It’s tracking the activity under the CL-STA-1132 , a suspected state-sponsored threat cluster of unknown provenance. “The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software.

Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process,” Palo Alto Networks Unit 42 said . The cybersecurity company said it has observed unsuccessful exploitation attempts against a PAN-OS device starting April 9, 2026, a week after which the attackers managed to successfully obtain remote code execution against the appliance and inject shellcode. As soon as initial access was achieved, the threat actors took steps to clear crash kernel messages, delete nginx crash entries and nginx crash records, and remove crash core dump files in an attempt to cover up the tracks. Post-exploitation activities conducted by the adversary included conducting Active Directory (AD) enumeration and dropping additional payloads like EarthWorm and ReverseSocks5 against a second device on April 29, 2026.

Both tools have been previously used by various China-nexus hacking groups. “Over the last five years, nation-state threat actors engaged in cyber espionage have increasingly focused their efforts on edge-network technological assets, including firewalls, routers, IoT devices, hypervisors and various VPN solutions, which provide high-privilege access while often lacking the robust logging and security agents found on standard endpoints,” Unit 42 said. “The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration. This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories

Bad week. Turns out the easiest way to get hacked in 2026 is still the same old garbage: shady packages, fake apps, forgotten DNS junk, scam ads, and stolen logins getting dumped into Discord channels like it’s normal. Some of these attack chains don’t even feel sophisticated anymore. More like some tired guy with a Telegram account and too much free time.

The worst part is how often this stuff still works. Meanwhile, AI tools are speeding up exploit hunting, browsers are keeping passwords sitting in memory for “performance reasons,” and even ransomware crews are pushing broken builds into the wild. Everybody’s scrambling to patch faster because attackers are automating faster. Anyway.

ThreatsDay’s rough this week. Let’s get into it. Credential theft campaign New MicroStealer Spotted A new stealer called MicroStealer has been observed targeting education and telecom sectors to steal sensitive data. It was first observed in the wild in December 2025.

“It specializes in stealing browser credentials, active session data, screenshots, cryptocurrency wallets, and system information,” ANY.RUN said . “It spreads quickly with low detection rates thanks to a sophisticated multi-stage delivery chain and exfiltrates data via Discord webhooks and attacker-controlled servers.” Location data crackdown FTC and Kochava Announce Settlement The Federal Trade Commission (FTC) and location data broker Kochava said they agreed to a settlement in which the company and its subsidiary Collective Data Solutions would be blocked from selling, sharing, or disclosing sensitive location data without consumers’ explicit consent. The company was found to be illegally obtaining and selling consumers’ yearly incomes, mobile device IDs, app usage, and nearly real-time geolocation data within 10 meters without their consent or awareness. While the proposed order does not impose a fine on Kochava, the company is required to establish a data retention schedule that will mandate consumers’ data be deleted in a predetermined time frame.

Quantum-safe email upgrade Proton Adds PQC Support in Proton Mail Proton has added support for post-quantum encryption as an optional feature in Proton Mail. “Once enabled, Proton Mail can generate and use post-quantum-ready keys for new encrypted emails to protect your personal messages and business communications against today’s threats and a future where current public-key cryptography may no longer be enough,” the Swiss privacy-focused company said . “Enabling PQC helps protect new encrypted emails going forward. It does not retroactively re-encrypt the emails already in your mailbox, for now.” Supply chain hardening pnpm 11 Rolls Out New Security Measures to Tackle Supply Chain Attacks pnpm 11 has been released with new supply chain protections in place, including defaulting the minimum release age to 24 hours to reduce the risk of installing compromised packages and blocking exotic sub-dependencies that resolve from non-standard sources, such as Git repositories or direct tarball URLs.

“Newly published package versions are not resolved until they are at least one day old. Teams can opt out by setting minimumReleaseAge: 0, but pnpm’s default posture now favors a built-in waiting period before fresh package releases enter installs,” Socket said . With most package compromise campaigns relying on automated installs to expand their reach, the new effort aims to reduce the risk of packages getting installed immediately after publication. AI age verification push Meta Plans to Use AI to Strengthen Underage Enforcement Meta said it’s deploying artificial intelligence (AI) tools to bolster its underage enforcement measures and remove people under 13 from its services like Facebook and Instagram.

Acknowledging that “knowing someone’s age online is a complex, industry-wide challenge,” the company said it’s using AI to analyze profiles for contextual clues, as well as scan photos and videos for physical cues to assess whether a user is under 13 on Instagram and Facebook. “We want to be clear: this is not facial recognition. Our AI looks at general themes and visual cues, for example, height or bone structure, to estimate someone’s general age; it does not identify the specific person in the image,” Meta said . “By combining these visual insights with our analysis of text and interactions, we can significantly increase the number of underage accounts we identify and remove.” North Korea-linked cybercrime case South Korean Court Upholds Jail Term for Man Who Hired N.

Korean Hacker South Korea’s highest court has upheld the one-year prison term for a man , identified as Oh Dae-hyun, who hired an unnamed North Korean cybercriminal to conduct attacks against rival game servers in exchange for a payment of more than $16,300 between October 2014 and March 2015. Per details revealed by NK News last November, the defendant operated an illegal online game server for Lineage and sought access to a file that would allow him to bypass the game’s security system and enable users to play the game at a lower cost. To obtain the file, the defendant is said to have communicated with a North Korean cyber actor via the Chinese messaging app QQ. The court also found Oh recruiting the same North Korean national to conduct distributed denial-of-service (DDoS) attacks on rival gaming servers.

Per court documents, the North Korean national is a head of the development team at a trading company under the Workers’ Party of Korea. The company is also believed to have been involved in the creation and sale of DDoS attack programs and cyberterrorism tools to generate revenue for Pyongyang. Critical ICS security flaws Vulnerabilities in Eclipse BaSyx V2 Two security vulnerabilities have been disclosed in Eclipse BaSyx V2 that pose a severe risk to industrial environments. The vulnerabilities in question are CVE-2026-7411 (CVSS score: 10.0), an unauthenticated path traversal flaw that could be exploited to write arbitrary files, leading to code execution, and CVE-2026-7412 (CVSS score: 8.6), a blind SSRF flaw that forces the BaSyx server to act as a proxy and execute HTTP POST requests to arbitrary internal or external targets.

The issues have been patched in version 2.0.0-milestone-10. “By chaining or utilizing these flaws, an external attacker can completely bypass network segmentation,” Mohamed Lemine Ahmed Jidou, security researcher and founder of AegisSec, told The Hacker News. “The compromised Digital Twin server can be weaponized to pivot internally and send unauthorized commands directly to isolated Programmable Logic Controllers (PLCs) and industrial sensors, posing a direct threat to physical manufacturing lines.” Critical MOVEit exposure <100 Exposed MOVEit Automation Instances Found Attack surface management platform Censys said it has observed less than 100 exposed MOVEit Automation web admin interfaces globally, with nearly two-thirds of hosts located in the U.S. The development comes in the aftermath of CVE-2026-4670 (CVSS score: 9.8), a critical authentication bypass flaw in MOVEit Automation that could potentially result in CVE-2026-4670 is a critical authentication bypass vulnerability in MOVEit Automation that could result in unauthorized access, administrative control, and data exposure.

Broken ransomware encryption VECT 2.0 Encryptor Weaknesses A new analysis of VECT 2.0 ransomware binaries has uncovered multiple critical flaws in both full and intermittent encryption modes, making data recovery impossible even if a ransom payment is made. “VECT’s FULL encryptor contains an insufficient memory allocation flaw that restricts successful encryption to files 32 KB or smaller,” Halcyon said . “VECT’s intermittent mode discards the nonces for all encrypted segments except the final one, retaining only the last 12-byte nonce in the file footer. The decryption algorithm requires the unique nonce for each segment, all segments preceding the final block are cryptographically unrecoverable by the victim and the attacker alike.” What’s more, a race condition vulnerability exists in the multi-threaded encryption implementation that causes files to be renamed with the .vect extension without their contents being encrypted.

In some cases, the contents of one file is saved and renamed as a different file name, or two different files are encrypted and saved with the same name, potentially resulting in the loss of one file. “These issues collectively undermine the reliability and repeatability of the Vect2.0 encryption and renaming logic,” Halcyon said. Oracle accelerates patching Oracle Shifts to Monthly Patch Cycle for Critical Flaws Oracle said it will supplement the quarterly Critical Patch Update (CPU) fixes with monthly security releases focused on high-priority vulnerabilities, citing the increased pace of AI-assisted vulnerability disclosures stemming from the adoption of AI models like Anthriopic Mythos to aid with code analysis, security testing, and vulnerability detection. Several vendors like Microsoft, SAP, Adobe, andGoogle (for Android) already release patches on a monthly cadence, most of which occur on the second Tuesday of each month.

Oracle’s release cycle, however, will be on the third Tuesday of each month. The first monthly Critical Security Patch Updates (CSPUs) will arrive on May 28, 2026. “CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format, allowing customers to address high-priority issues without waiting for the next quarterly release,” Oracle said. “Security depends on identifying vulnerabilities quickly and applying fixes just as quickly.” Global smishing surge Scammers Use Fake Text Messages to Steal Data Scammers are sending tens of thousands of fraudulent text messages to mobile users across 12 countries, impersonating transport authorities, toll operators, and parking services, as part of a new mass smishing campaign, per Bitdefender Labs.

The active campaign, called Operation Road Trap, has been active since December 2025. More than 79,000 fraudulent messages have already been detected in 40 distinct SMS scam campaigns. Countries targeted include the U.S., Canada, Australia, New Zealand, France, Spain, Colombia, Brazil, India, the U.K., Ireland, and Luxembourg. “All messages share a common goal: to persuade recipients to pay a fake fine, hand over sensitive information, or install spyware,” the company said .

“At this stage, there’s no confirmed link tying these campaigns together, beyond a shared theme of messages about unpaid tolls, parking violations, or traffic fines.” The activity has not been attributed to a specific threat actor or group. Encrypted backup hardening Meta Announces Updates for End-to-End Encrypted Backups Meta has updated its infrastructure used for protecting end-to-end encrypted backups for WhatsApp and Messenger using a hardware security module (HSM)-based Backup Key Vault with two updates: over-the-air fleet key distribution for Messenger and a commitment to publishing evidence of secure fleet deployments. “The vault is deployed as a geographically distributed fleet across multiple datacenters, providing resilience through majority-consensus replication,” Meta said . “To verify the authenticity of the HSM fleet, clients validate the fleet’s public keys before establishing a session.

In WhatsApp, these keys are hardcoded into the application. To support Messenger – where new HSM fleets need to be deployed without requiring an app update – we built a mechanism to distribute fleet public keys over the air as part of the HSM response.” Fake ManageWP ads Malvertising Campaign Targets ManageWP Guardio has detailed a phishing campaign that’s delivered through Google sponsored search results and aims to steal credentials for ManageWP, GoDaddy’s WordPress admin platform, using an adversary-in-the-middle (AitM) phishing page. “The ad click first hits a cloaker, then flips real users to a fake ManageWP login while too easily dodging Google’s inspection of who authorized this sponsored search result,” Guardio said . “Attacker gets real-time login attempts to Telegram and controls it all from their C2.

They log in to the victims’ accounts on their end while orchestrating a fake login flow on the victim’s screen.” NuGet supply chain threat Malicious NuGet Packages Steal Data Five malicious NuGet packages published under the account bmrxntfj have been found to typosquat widely used Chinese .NET UI and infrastructure libraries. “Each package grafts a .NET Reactor protected infostealer payload onto a decompiled copy of a legitimate open source library,” Socket said . “The stealer targets saved credentials across 12 browsers, 8 desktop cryptocurrency wallets, 5 browser wallet extensions and exfiltrates to a newly-registered C2 domain.” The packages, IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, and IR.OscarUI,have been collectively downloaded approximately 65,000 times. Critical Salesforce flaws Security Flaws Disclosed in Salesforce Marketing Cloud Details have emerged about five now-patched, critical vulnerabilities in Salesforce Marketing Cloud that could be exploited to leak the entire contacts DB via a template injection and even access all emails ever sent using the service.

The vulnerabilities have been assigned the identifiers: CVE-2026-22585 , CVE-2026-22586 , CVE-2026-22582 , CVE-2026-22583 , and CVE-2026-2298 . The issues were fixed by Salesforce on January 24, 2026, following responsible disclosure by Searchlight Cyber. There is no evidence that the flaws were exploited to obtain unauthorized access to or misuse of customer data. Rust malware aviation campaign Aviation Sectors Targeted in Operation Silent Rotor Unmanned Aerial Systems (UAS) and aviation sectors in Russia, Tajikistan, Central Asia, Europe, and the Middle East are the target of a new campaign that uses spear-phishing lures to deliver ZIP archives containing a Rust-based executable (along with multiple decoy documents), which displays one of the lure documents, fingerprint the system, and contacts an attacker-controlled domain to fetch and execute a next-stage payload.

The activity, codenamed Operation Silent Rotor, has not been attributed to any known threat actor. “The campaign uses realistic aviation-related documents to gain the victim’s trust, with content linked to the ‘Unmanned Aviation 2026’ forum in Moscow,” Seqrite Labs said . “The delivered malware is a Rust-based executable that collects system information, communicates with a remote server over encrypted HTTPS, and downloads a second-stage payload for execution.” Stealthy Vidar infection chain Multi-Stage Campaign Drops Vidar Stealer A new multi-stage malware campaign has employed layered obfuscation and trusted Windows components to achieve stealthy execution and persistence, ultimately leading to the deployment of Vidar Stealer. The initial infection vectors for Vidar have leveraged various methods to deceive unsuspecting users: fake CAPTCHA or ClickFix pages, free game cheats, legitimate-but-compromised sites, and fake or trojanized GitHub repositories disguised as legitimate utilities, cracked software, or leaked development tools.

In one case detailed by Point Wild, the entry point is a Go-compiled dropper binary that extracts and deploys a VBScript file, which contains embedded PowerShell code to continue the infection chain. “The PowerShell script connects to a remote IP-based server and downloads the next-stage payload, which is delivered in JPEG and TXT file formats used as disguised carriers for malicious content or staged payload data rather than conventional executables,” the company said . “These files are further processed to retrieve or reconstruct the final payload, ultimately leading to Vidar execution.” Silent AI model downloads Google Chrome May Download a 4GB Model Weights File A new analysis from web privacy expert Alexander Hanff has found that Google Chrome installs a 4GB on-device AI model file to disk without users’ consent. It is a weights file associated with Gemini Nano.

If a user deletes the file, it’s automatically re-downloaded unless the “on-device AI” setting is turned off. Google noted in October 2025 that the “Gemini Nano model is automatically deleted if the device’s free disk space drops below a certain threshold” and is “purged if an enterprise policy disables the feature, or if a user hasn’t met other eligibility criteria for 30 days.” The company also said the on-device AI model is used for scam detection, tab organization, and summarization. Last month, the researcher detailed the various browser fingerprinting techniques (e.g., WebGL, WebGPU, CNAME cloaking , link decoration, and canvas fingerprinting, among others) used by online trackers and how Chrome doesn’t do anything to block them. In all, Chrome ships with over 30 active fingerprinting vectors, 23 distinct storage and tracking mechanisms, no native CNAME cloaking protection, and no fingerprinting defenses of any kind.

It’s worth mentioning that Google
abandoned
its plans to deprecate third-party tracking cookies in Chrome after a six-year effort called Privacy Sandbox. Edge memory exposure
Microsoft Edge Stores Passwords in Cleartext, But It’s Not as Severe as It Sounds
An attacker with administrative privileges can gain access to Microsoft Edge user passwords even when they’re not in use by taking advantage of the fact that the browser stores them in cleartext in process memory. An attacker could
exploit
this behavior to
create a memory dump
of Edge’s “browser” sub-task via the Windows Task Manager. Security researcher Tom Jøran Sønstebyseter Rønning, who revealed the issue,
said
“When you save passwords in Edge, the browser decrypts every credential at startup and keeps them, resident in process memory.

This happens even if you never visit a site that uses those credentials. At the same time, Edge requires you to re-authenticate before showing those same passwords in the Password Manager UI – yet the browser process already has them all in plaintext.” Further testing has revealed that Edge is the only Chromium-based browser that exhibits this behavior, which Microsoft has described as by design to speed up the sign-in process. Unlike Edge, other browsers built on Chromium encrypt credentials only when needed, instead of keeping all passwords in memory at all times. It’s worth noting that to pull off a successful attack, a threat actor must have already compromised the device by some other means.

A similar method to extract cleartext credentials directly from Chromium’s memory was demonstrated by CyberArk in 2022. As VX-Underground noted in a post on X: “This method is interesting, I like the research performed, however, it isn’t something super critical. If you’re using this method in an enterprise environment, then that company has been completely compromised down to the bone, and they’ve got much larger issues.” 72-hour patch mandate U.S. Mulls Cutting Patch Deadlines to 3 Days for Exploited Flaws U.S.

cybersecurity officials are considering sharply shorter deadlines for fixing critical flaws in government IT systems, amid concerns bad actors could exploit them using artificial intelligence tools, Reuters reported . Under the new proposal, the deadline for patching vulnerabilities added to the Known Exploited Vulnerabilities (KEV) catalog would be slashed from three weeks to three days. According to a Flashpoint study , the time between vulnerability disclosure and exploitation has plunged 94% over the past five years. The time to exploit (TTE) dropped from 745 days in 2020 to just 44 days last year, dramatically reducing the time security and IT teams have to patch.

This phenomenon has exacerbated in recent months, with threat actors attempting to exploit newly disclosed flaws within 24 hours of public disclosure . “At face value, three days is aggressive. Traditional patching workflows involve change control, testing, and stakeholder sign-off, and compressing them into 72 hours runs counter to how most enterprises actually operate,” Ryan Dewhurst, watchTowr’s head of threat intelligence, told The Hacker News. “But the trend over recent months has been unambiguous.

Exploitation of emerging threats is accelerating, and industry data consistently shows high-impact vulnerabilities being weaponized far faster than a 3-day window would allow. CISA’s shift to a 3-day deadline is a candid acknowledgment of how little time defenders actually have, balanced against the operational realities that still make patching complex. The uncomfortable truth: if you need three days, you’re already operating behind the threat.” SEBI flags AI cyber risks India’s SEBI Issues Alert on Advanced AI Tools for Vulnerability Discovery The Securities and Exchange Board of India (SEBI) has released an advisory, stating the emergence of tools like Mythos “may give rise to heightened risk exposure by enabling identification and potential exploitation of existing vulnerabilities using speed and scale,” adding “it may also introduce concerns relating to data confidentiality, application integrity, and reliability of outputs.” SEBI said it’s also establishing a cyber task force to examine the cybersecurity risks posed by AI models and devise a mitigation strategy, facilitate threat intelligence sharing, flag vulnerabilities that could impact the securities markets, and review third-party vendors for their cybersecurity posture. AI-fueled cyber race Anthropic CEO Warns of Narrow Window to Fix Flaws Anthropic CEO Dario Amodei has warned that AI has created a narrow window of about six to 12 months for organizations across the world to fix tens of thousands of software vulnerabilities found by its AI model before Chinese AI catches up.The development comes as advanced AI models like Anthropic Mythos are being used to find vulnerabilities in widely used software.This includes the discovery of over 270 flaws in Mozilla Firefox , some of which went undetected for years.

According to Axios and Bloomberg , the U.S. National Security Agency has been testing the Mythos model despite the Pentagon’s insistence that the company poses a supply chain risk. An evaluation of Mythos and OpenAI GPT-5.5 has since revealed that both models are capable of solving multi-step cyber attack simulations end-to-end, demonstrating their growing offensive cyber skills. But the emergence of these models, albeit in a limited preview, has also raised concerns that it could outpace current cybersecurity defenses, turbocharge exploit development, and expose weaknesses faster than they can be fixed.

The worries stem from the dual-use nature of these systems, as the same capability that helps defenders identify hundreds of flaws can be turned against them if they end up in the wrong hands. Late last month, Bloomberg reported that a “small group of unauthorized users” had had access to Mythos through a third-party contractor that works for Anthropic since the day the model was officially announced. “These capabilities, however guardrailed, will not stay contained. Similar advances will appear across other major AI labs, Chinese models, and open source models,” Palo Alto Networks said .

“Attackers will find the seams in those guardrails. They will use advanced AI to discover zero-day vulnerabilities at scale, generate exploits in near real time, and develop autonomous attack agents unlike anything the industry has faced.” Android banking malware spike Android Malware Driven Financial Fraud Surges 67% A new analysis from Zimperium has uncovered that Android malware-driven financial transactions have increased 67% year-on-year. The mobile security company said it tracked 34 active malware families targeting 1,243 financial brands across 90 countries in 2025. TsarBot , Copybara , and HOOK are the top three malware families that collectively target more than 60% of the global banking and fintech apps analyzed.

“The U.S. has the highest concentration of targeted apps globally, with 162 banking applications under active targeting, up from 109 in 2023,” the company said . “Nearly half of the malware families analyzed have financial extortion capabilities, including ransomware capabilities, allowing attackers to encrypt files on the device.” Major cybercrime prosecutions Recent Law Enforcement Actions Bryan Fleming, the founder of the surveillance tool pcTattletale, was sentenced to time served and a $5,000 fine for operating stalkerware that allowed users to secretly keep tabs on victims. This case marks the first federal conviction of a spyware developer in more than a decade and signals a potential shift in how the government prosecutes creators of intrusive tracking technology.

Fleming pleaded guilty earlier this January. pcTattletale shut down in 2024 after suffering a data breach. Other actions announced by the U.S. Department of Justice include the indictment of Jonathan Spalletta , a Maryland resident, in connection with theft of more than $50 million from decentralized cryptocurrency exchange Uranium Finance in 2021, leading to its shutdown; the extradition of Gavril Sandu , a Romanian national, to the U.S.

for his alleged role in a voice phishing scheme; and the sentencing of Latvian national Deniss Zolotarjovs , a member of the Karakurt group, to 102 months in prison for his involvement in a series of ransomware attacks and extort payments from more than 54 companies. Zolotarjovs was extradited to the U.S. in August 2024. Hijacked .edu subdomains Attack Hijacks University Domains to Host Spam and Porn Bad actors have been observed taking over subdomains for the Massachusetts Institute of Technology, Harvard, Stanford, Johns Hopkins, and dozens of other universities to post explicit porn spam that Google indexed under the trusted “.edu” domains.

The attack was carried out by hijacking DNS records that the universities had abandoned. Fake AI app malware wave Searches for Claude and Antigravity Lead to Stealer Malware Malvertising campaigns on Google Search are using lures for Antigravity to direct users to a fake website that serves a trojanized installer designed to deliver a stealer malware capable of harvesting sensitive data from the compromised system. Similar campaigns have leveraged Google Ads to serve fake landing pages for Claude to deliver MacSync infostealer on macOS. The activity has been codenamed Claude Fraud .

In another campaign spotted by Malwarebytes, fake websites impersonating legitimate services like Proton VPN, code hosting platforms, and free web hosting providers such as onworks[.]net are being used to stage malicious payloads that deliver a new Rust-based infostealer dubbed NWHStealer. “Once installed, it can collect browser data, saved passwords, and cryptocurrency wallet information, which attackers may use to access accounts, steal funds, or carry out further attacks,” the company said. A new evolution of the Browser runtime to distribute the stealer. The use of fake websites as lures has been observed in two other campaigns: a fake website promoting a tool called TradingClaw that acts as a delivery vehicle for a stealer codenamed Needle Stealer and a typosquatting website impersonating Slack that’s used to drop a modified installer.

The executable, besides launching a working copy of Slack, sets up a HVNC session for remote attackers to browse, access accounts, and interact with the system. That’s the week. Same internet, new fires. Patch what you can, double-check what you install, and don’t trust random ads pretending to be tools.

See you next ThreatsDay. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Day Zero Readiness: The Operational Gaps That Break Incident Response

Having an incident response retainer, or even a pre-approved external incident response firm, is not the same as being ready for an incident. A retainer means someone will answer the phone. Operational readiness determines whether that team can do meaningful work the moment they do. That distinction matters far more than many organizations realize.

In the first hours of a security incident, attackers are not waiting for your identity team to provision emergency accounts, for legal to decide whether an outside firm can access sensitive systems, or for someone to figure out who owns the EDR console. Every delay gives the attacker more uninterrupted time in your environment. Every hour lost to logistics increases the likelihood of deeper compromise, broader impact, and more expensive recovery. The same is true internally.

An organization may have an incident response plan, a capable security team, and a list of escalation contacts, yet still be unprepared to respond under pressure. Readiness is not measured by what exists on paper. It is measured by how quickly responders, internal or external, can gain visibility, understand what the attacker has already touched, and make informed decisions. On Day Zero, responders are not asking for unlimited control.

They are asking for visibility first and authority second. Without visibility, containment decisions are made blindly, timelines cannot be reconstructed, and the true scope of the compromise remains unknown while the response team debates access and approvals. This guide outlines what responders need on Day Zero, where organizations most often fall short, and how to ensure your internal team and external IR partner can begin effective work immediately when an incident is declared. What determines response speed Whether the first responders are internal security staff, an external retainer firm, or both working in parallel, they need access to the same core systems.

Internal teams may already have some of that access. External responders usually do not unless it has been prepared in advance. Not all access is equally urgent. Identity comes first, because identity reveals the blast radius.

It shows how the attacker got in, which credentials are compromised, how privilege may have changed, and where the attacker is likely to move next. Cloud, endpoint, and logging access are all critical, but without identity visibility, responders are building a timeline on guesswork. Identity and authentication access Modern attacks run on identity. Stolen credentials, abused tokens, misconfigured privileges, and compromised sessions are now central to how attackers gain persistence and move laterally.

If responders cannot see identity activity, they cannot explain the initial compromise, trace privilege escalation, or identify which accounts are already unsafe to trust. For external IR firms, identity access is often the first major bottleneck. Organizations delay access while teams debate permissions, search for the right administrator, or attempt to create accounts during the incident itself. During that delay, responders are effectively blind to the attacker’s movement.

On Day Zero, responders need read and investigative access to the identity provider, directory services, SSO platforms, and federation layers. They need visibility into authentication logs, MFA events, token issuance, session activity, privileged accounts, service accounts, and recent permission changes. They also need a defined path for urgent actions such as credential resets, token invalidation, or temporary restrictions on privileged users. Cloud and SaaS access In cloud environments, attacker activity often looks normal unless responders can see it in context.

It may appear as API calls, configuration changes, new role assignments, service account abuse, or use of legitimate automation. Without immediate access, critical evidence may disappear before it is reviewed. On Day Zero, responders need read access to relevant cloud accounts, subscriptions, and SaaS platforms. They need visibility into audit logs, control plane activity, IAM and RBAC configurations, compute workloads, storage access patterns, serverless functions, service accounts, and secrets management.

Delays in cloud access are especially damaging because some telemetry is ephemeral. If it is not captured quickly, it may be gone permanently. Endpoint and EDR access Endpoint telemetry often provides the clearest picture of attacker behavior, especially in the early stages of an investigation. Process execution, command-line activity, credential dumping, persistence mechanisms, and lateral movement frequently show up first in the EDR.

Without direct access, responders are forced to rely on screenshots, summaries, or findings relayed through internal teams who are already under pressure. That is not a serious investigation. It is a game of telephone during a crisis. On Day Zero, responders need investigator-level access to EDR tools, visibility into process and network activity, the ability to query historical telemetry across hosts, and the authority to isolate systems or initiate containment when needed.

If those permissions are not ready in advance, valuable time is lost, and the risk of misunderstanding grows. Logging and monitoring access Logs are how responders reconstruct the full story of an attack, not just what happened after detection, but what happened before it. Too often, organizations discover that their retention periods are designed for compliance or cost efficiency rather than investigation. Fourteen days of retention is common.

Ninety days should be the minimum baseline. If an attacker has been active for six weeks before detection, a 14-day window means the initial access event, early reconnaissance, and much of the lateral movement may already be gone. Responders need access to centralized SIEM or log aggregation tools, firewall and IDS/IPS logs, VPN and remote access logs, email security logs, cloud and SaaS audit trails across all relevant tenants. If those logs are incomplete, siloed, or overwritten, responders are forced to make high-stakes decisions with partial evidence.

Access must be real, not theoretical Access is only useful if it can be activated immediately. If access depends on a chain of approvals, manual setup, or first-time configuration, it will fail when the pressure is highest. Operational readiness means required accounts already exist across identity, cloud, EDR, and logging systems. MFA enrollment must already be completed.

Permissions must already be approved and mapped to responder roles. The team responsible for enabling access must know exactly how to do it and must have practiced the procedure before. On Day Zero, access should function like a switch: predefined, controlled, and fast to activate. Anything else is a delay, and in incident response, delay always benefits the attacker.

Communication under breach conditions Access problems receive the most attention in readiness discussions, but communication failures are just as damaging. Even with perfect technical visibility, an incident response breaks down quickly if teams cannot coordinate, make decisions, and share sensitive information securely. Assume normal channels may be compromised During an active breach, organizations should assume that email, chat platforms, and internal collaboration tools may no longer be private. If the attacker has access to those systems, then discussions about containment, investigative findings, and next steps may also be visible.

That applies to internal conversations and communication with an external IR firm. Sharing credentials, containment plans, or investigative conclusions over a compromised channel can give the attacker visibility into your response in real time. Establish out-of-band communication Every organization needs an out-of-band communication method that is separate from corporate identity, production email, and the internal network. This could be a dedicated secure messaging platform, a preconfigured encrypted group, or a structured phone-based process.

The specific tool matters less than the requirements. The channel must be independent of the compromised environment. It must include internal responders and external retainer contacts. It must support secure sharing of sensitive information.

Most importantly, it must be tested. A communication channel that has never been used is not a response plan. It is an experiment being conducted in the middle of a crisis. Designate an incident manager Every response needs a single point of coordination.

This is not necessarily the most senior person in the room. It is the person with the clearest operational ownership and the authority to keep the response aligned. The incident manager coordinates activity across security, IT, legal, leadership, and external responders. They control information flow, maintain a consistent picture of scope and status, and serve as the primary interface to the IR firm.

Without that role, organizations drift into fragmented communication, conflicting instructions, and slow decision-making. Define stakeholder notification paths Who gets notified, when, and by whom should never become a live debate during an incident. Notification tiers need to be defined in advance. Internal escalation thresholds, executive updates, legal and regulatory decision-making, customer communications, and external messaging all need clear ownership.

Organizations should also define exactly what information is shared with the IR firm on initial contact, who acts as the consistent liaison, and how updates are handled. Poor communication is not just inconvenient. It measurably slows containment and increases damage. Building a pre-approved IR access policy A pre-approved incident response access policy exists to eliminate decision-making overhead at the worst possible moment.

When an incident is declared, the question of who can access what should already be answered. What the policy should define The most common failure in IR access policies is vagueness. A statement such as “responders will be granted appropriate access upon incident declaration” is not an operational policy. It is a placeholder that guarantees confusion later.

An effective policy should clearly define who can declare an incident and trigger emergency procedures. This should not require a full executive chain. A CISO, security leader, or designated on-call authority should be empowered to make that call. It should define who can approve temporary access for external responders without reopening procurement, legal review, or vendor onboarding.

Those controls matter, but they are not built for incident timelines unless pre-cleared. It should specify the scope of access by responder role, such as IR investigator or IR lead, rather than negotiating permissions during a live event. It should also define time-boxed access, with a clear review and revocation cadence, and designate who is responsible for removing access once the incident stabilizes. Finally, it should require post-incident cleanup, access validation, and governance review.

Governance should catch up after stabilization, not slow down the first hours of investigation. Pre-created accounts and tested workflows Policy is only as good as the workflows behind it. If the accounts do not exist, the permissions have not been validated, or the identity team has never enabled them under realistic conditions, then the organization does not have a capability. It has documentation.

Dormant IR accounts should be created in advance across the identity provider, EDR, SIEM, and cloud tenants. They should be disabled by default, with a documented and tested enable procedure. MFA enrollment should already be complete. Hardware tokens or secure authentication workflows should be assigned before an incident occurs.

Role assignments should also be pre-approved. Enabling emergency access should be a single action, not the beginning of a conversation. Background checks and legal friction Background checks are a common friction point, especially in regulated sectors. The issue is not whether checks are appropriate.

It is when they are enforced. If background checks are first raised during an active incident, the organization has already failed the readiness test. Reputable IR firms handle vetting, certifications, and internal controls during onboarding. Those conversations belong in the retainer setup phase, not in the first hours of a breach.

The same is true of legal approval. If legal needs to decide in real time whether external responders can access production systems or regulated data, the response will slow immediately. Those decisions should be resolved before the incident. A practical Day Zero readiness checklist Organizations can test readiness by asking simple, operational questions.

Can a dormant IR account be enabled and used to pull authentication logs within 30 minutes? Is a scoped read-only cloud role already defined, and are audit logs enabled across all relevant tenants? Does the EDR platform have an investigator role that an external responder can use immediately, with access to at least 30 days of historical telemetry? Can an external responder query the SIEM directly, and does retention cover at least 90 days across identity, endpoint, network, and cloud sources?

Who can authorize host isolation, VPN shutdown, credential rotation, or account suspension, and has that authority been exercised in an exercise? If any of these questions produce hesitation, uncertainty, or the phrase “we’ll figure it out during an incident,” then that area is not ready. For organizations with an IR retainer , additional questions matter. Are dormant accounts already created for retainer responders?

Is MFA preconfigured? Are legal approvals complete? Does the IR firm have current contact information for the incident manager, CISO, and identity lead? Is there an established out-of-band channel that includes the IR firm?

Has the full activation workflow been tested in a tabletop exercise from initial call through working access? If several of these answers are no, the retainer is a contract, not an operational capability. What organizations commonly overlook Even mature organizations with strong security tooling and formal plans routinely discover important gaps only after a real incident begins. Backups are a common example.

Many organizations know backup jobs are completing, but have not verified that backups are isolated from the environment that an attacker has already compromised. If the same credentials, networks, or service accounts can reach backup infrastructure, attackers may be able to destroy recovery options before deploying ransomware. A backup that has never been restored, and never been tested for isolation, is still an assumption. Containment authority is another frequent gap.

Teams may know whether a system should be isolated or credentials should be rotated, but no one has explicit authority to disrupt operations. As the decision moves through leadership, legal, finance, or business operations, the attacker remains active. Prepared organizations decide in advance which systems can be shut down immediately, who can authorize those actions, and how emergency decisions will be escalated when necessary. Short or fragmented logging retention is also common.

Logs may exist but only for seven to fourteen days, or they may be scattered across tools and teams with no centralized access. In those cases, the organization can often see what is happening now but not how it started. Untested response plans are equally dangerous. Many plans look complete in a binder and fail in practice because people do not know their roles, approvals take too long, and critical steps have never been exercised.

Testing does not need to be elaborate. It needs to be realistic, cross-functional, and honest about what breaks. Finally, many organizations lack a current asset inventory or network map. Systems are deployed outside formal processes, cloud resources are spun up without central registration, and ownership is unclear.

Responders cannot investigate what they do not know exists. Untracked assets are not just documentation gaps. They are blind spots that attackers actively exploit. A readiness exercise you can run now Most of the recommendations in this guide can be tested this week with the people and systems already in place.

Start with access. Create dormant IR accounts and measure how long it takes to enable them. Attempt to pull 90 days of authentication logs. Ask your EDR administrator to create or validate an external investigator role.

Confirm cloud audit logging is enabled across all relevant tenants and that a scoped read-only role can be activated immediately. Then test the response itself. Run a tabletop exercise in which the IR firm has just been called in. Measure how long it takes before they can access identity logs, endpoint telemetry, and cloud audit trails.

Test whether the incident manager can be reached and whether the out-of-band channel can be established quickly. Run a containment decision through the approval chain and time it. Whatever fails in that exercise will fail the same way during a real incident. The difference is that during a real breach, the attacker is operating inside that gap while the organization is still figuring it out.

Conclusion Readiness is not a policy document, a signed retainer, or a successful audit. It is the result of practical decisions made before an incident begins: access provisioned, authority clarified, communication paths tested, and operational gaps closed before an attacker can exploit them. The organizations that contain incidents quickly are rarely the ones with the most impressive slide decks. They are the ones who did the unglamorous work in advance.

They created the accounts, tested the workflows, validated the logs, practiced the decisions, and ensured that when the call came in, the response could begin immediately. That is the real meaning of Day Zero readiness: not just having help available but being prepared to use it the moment it matters most. Found this article interesting? This article is a contributed piece from one of our valued partners.

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.