2026-07-14 AI创业新闻
CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks
Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that’s capable of harvesting sensitive data from compromised systems. Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs. “It validates the victim’s login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself,” security researcher Thijs Xhaflaire said in a report shared with The Hacker News. CrashStealer is said to be distributed by means of a signed and Apple-notarized dropper that’s distributed as a disk image file named “Werkbit.app.” Because both the disk image and binary are notarized and carry a valid developer ID (“Emil Grigorov (WWB7JA7AQV)”), it passes Gatekeeper checks.
The disk image itself originates from the domain “werkbit[.]io,” which was registered in June 2026. In an interesting twist, the download is gated behind a meeting PIN, meaning the installer is served only to those site visitors who arrive with the right code rather than everyone. The discovery of additional domains and shared backend infrastructure tied to the same operation points to CrashStealer being part of a larger, multi-platform campaign. Once mounted, the disk image presents the user with an installation setup screen that instructs them to right-click the app and choose “Open” to get them to run it.
Once launched, the “veltod” executable contacts a GitHub repository (“github.com/mgothiclove”) to retrieve a file named “sys.cache.” The file is then used to extract a curl command and pull a shell script, which acts as a downloader to fetch and stage the next payload (“CrashReporter.dmg”) and saves it to the “/tmp” directory. The malware, upon execution, establishes persistence as a LaunchAgent, resists analysis, presents a password prompt and validates the entered credential locally, unlocks the login keychain using the validated password, lists installed security and analysis tooling, before proceeding to collect browser data, cryptocurrency wallet extensions, password manager data, and keychain material. The complete list of data harvested is below - Credentials from Chromium-family browsers, including Google Chrome, Brave, Microsoft Edge, Opera and Opera GX, Vivaldi, Chromium, and Naver Whale Roughly 80 cryptocurrency wallet extensions, including MetaMask, Phantom, Coinbase, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, and Backpack 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass and RoboForm File from ~/Documents and ~/Downloads directories The harvested data is then packaged into a ZIP archive and exfiltrated to an attacker-controlled server (“179.43.166[.]242”). “CrashStealer’s delivery chain shows real care: rather than a bare, unsigned lure, the operators front the attack with a signed and notarized dropper that clears Gatekeeper before quietly fetching, re-signing and launching the payload,” Jamf said.
“What sets it apart from the commodity stealer crowd is less what it collects than how it is built: client-side AES-GCM encryption of the collected files, and an emphasis on analysis resistance through control-flow flattening, encrypted strings and layered anti-debugging.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found
Google and Microsoft have pulled ModHeader , a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The analysis came from Stripe OLT , a UK security firm, which checked the code against Google’s own Web Store signature and confirmed the collector shipped inside the genuine extension, not a counterfeit.
Its review covers the Chrome build and its roughly 900,000 users; third-party trackers put another 700,000 or so on Edge. Microsoft pulled the Edge listing on July 3, and Google removed the Chrome one a week later, on July 10. Version 7.0.18 (extension ID idgpnmonknjnojddfkpgkljpfnnfcklj) still edits HTTP headers as advertised. The same minified background code also contains a second system.
On first run, it builds a device fingerprint and loads a hardcoded encryption key. As you browse, it takes the domain from each page you open, encrypts it, and stores it locally, up to 1000 distinct domains. Once a day, a scheduler bundles the encrypted list with your fingerprint, posts it to api.stanfordstudies[.]com, and wipes the local copy. The upload time is offset per install, so browsers running it would not all beacon at once if the collector were switched on.
Separate teardowns, by HackIndex on version 7.0.18 and researcher Yunus Aydin on 7.0.17, describe the same pipeline. The collector runs only if your browser matches an entry on an internal allow-list, and that list ships empty. The check fails every time, so the pipeline stops before it collects a single domain. Populating that list is a small change, with no new permissions and no click from you, delivered as a routine update.
The hardcoded key, the endpoint URL, the scheduler, and the storage logic are already on the machine. Not everything was asleep. On install, update, and uninstall, the extension pinged a second domain, extensions-hub[.]com, with the product, version, and browser. And a script that runs on every page had already logged real request metadata to local storage in plain text, so that piece had clearly been running.
Automated checkers had rated ModHeader low risk, some as high as 95 out of 100. Each part of the design can frustrate a different kind of check. The data is encrypted, so a scanner sees ciphertext. The upload is gated off, so a sandbox sees nothing leave.
The malicious code is minified into a legitimate codebase. The endpoints had no established malicious reputation to flag. And a signed, popular extension reads as trusted. A store signature proves where a file came from, not what it does.
Where the domains lead Stripe OLT tied the domains to real, maintained infrastructure. stanfordstudies[.]com has no link to Stanford; it is a repurposed old domain fronting an OpenSearch back end, while extensions-hub[.]com is set up for advertising. The two API endpoints resolved to the same Amazon server at the time of analysis, which fits one operator without proving it. A handful of weak signals point loosely toward a Chinese-speaking operator: a Simplified Chinese locale, a “salt” marker written with the character 盐, and a China-origin mail provider.
The researchers name no group, and neither do we. The warning signs came earlier. ModHeader drew complaints for injecting ads into search results in 2023 and reportedly went ad-supported around then. Who took it over is unconfirmed, and the researchers make no claim about the original author.
ModHeader’s own site still publishes an ad plan that says it collects no user data , which is hard to square with a built-in browsing-history collector, even a switched-off one. The developer has not responded publicly to the findings as of publication. The Hacker News has contacted ModHeader for comment and put further questions to Stripe OLT, and will update this story with any response. In 2021, Brian Krebs described how popular extensions get quietly bought and turned into data pipes .
This resembles that pattern, now with encryption and a gate that keeps scanners from seeing the upload. This year alone, a run of Chrome extensions was caught collecting data under an “anonymous analytics” label , and a separate set impersonated Workday and NetSuite to steal session cookies. Header editors and cookie managers need broad access to work, and when trust breaks, the blast radius is wide. What to do If you have ModHeader, remove it from Chrome and Edge; your browser may have disabled it already.
Uninstalling clears its stored data, so the thing to double-check is that profile sync or a managed extension policy will not put it back. If you pasted secrets into it, API keys, bearer tokens, and session cookies, rotate them, since researchers found its header-history feature storing full HTTP headers on disk. For defenders, block and log stanfordstudies[.]com and extensions-hub[.]com at DNS and proxy, and search logs for the extension ID and any POST to api.stanfordstudies[.]com/app/log. Stripe OLT published ready-to-run KQL hunting queries for Defender and Sentinel.
The takedowns handle this one extension. The design is the part that should worry people: a complete, store-verified collector sat inside a trusted, popular tool, one apparently built to switch on once an ordinary update populated the empty list. The automated scanners rated it low risk, and the next tool built this way may look just as clean. The practical lesson is narrow: extension review has to watch for dormant code paths that testing never triggers, new call-home endpoints, and a capability a routine update can add after a change of hands.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
⚡ Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More
Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That’s supposed to be the good news. The catch is that the attackers have the same tools, pointed the other way, and they don’t file tickets. That’s the shape of this week.
Trusted code turns on the people who installed it. Old bugs from last year are still landing because the fix sat in a queue too long. Fake installers, poisoned packages, systems left facing the open internet, and helpful little AI assistants running instructions that were never yours. The gap between “patch exists” and “already exploited” keeps shrinking, and nobody’s closing it.
None of it is exotic. That’s what wears you down. Same ordinary mistakes, just happening faster than we can keep up. Here’s the full mess, top to bottom.
⚡ Threat of the Week Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers — Progress urged customers to shut down Windows servers running Storage Zone Controllers, citing a credible external security threat. The company has temporarily disabled access to the affected accounts, a step it says it took “out of an abundance of caution” while it works with internal and external security experts. The exact nature of the threat is unknown. There are no indications of unauthorized access to any ShareFile accounts or data.
Where AI Security Is Actually Hiring in 2026 The AI security job market is no longer theoretical. SANS tracked hiring across 10 specific roles and mapped verified job data, salary ranges, and the skills required to get there. The three-tier framework gives your team a clear view of which roles to prioritize now and which to develop toward. Get the Free Guide ➝ 🔔 Top News Critical Zimbra Flaw Patched — Zimbra is urging customers to apply updates to address a critical security vulnerability impacting the Classic Web Client that could result in arbitrary code execution.
The vulnerability has been described as a case of stored cross-site scripting (XSS) that could allow specially crafted emails to execute malicious scripts in a user’s session. It has yet to be assigned a CVE identifier. “The update fixes a security issue in the Classic Web Client where a specially crafted email could run malicious code when the email is opened,” Zimbra said. “If exploited, it could allow access to mailbox information, session data, or account settings.” Jscrambler npm Package Compromised — The Jscrambler npm package was compromised to publish multiple versions containing a Rust-based information stealer designed to steal developer secrets from Windows, macOS, and Linux machines.
According to Jscrambler, the attack was pulled off using a compromised npm publishing credential. The activity overlaps with IronWorm , which was first documented by JFrog last month. “The malware has shed its Linux-only skin, deploying a three-platform CSI container to target macOS and Windows, expanding its persistence, and automating its own propagation via direct registry PUT operations,” the company said. New GigaWiper Backdoor Detailed — Microsoft shed light on a new post-compromise backdoor called GigaWiper that comes with three distinct destructive ways to render a machine inoperable: wipe the whole disk, overwrite the Windows drive, or run fake “ransomware” that encrypts files with a key it never saves.
In addition, it can take screenshots, record the screen, and launch a hidden VNC session. The malware artifacts are similar to another backdoor codenamed BLUERABBIT, which is assessed to be the work of an Iran-nexus threat actor. SHELLSTORM, a Modern Web Shell Access Brokerage Operation — More than 1.4 million domains have been targeted as part of a large-scale operation that exploited 27 CVEs in WordPress plugins to deploy web shells on compromised servers. The largest number of infections have been reported in Taiwan, the U.S., Germany, France, and the U.K.
The access provided by the web shell is then used to deliver the SNOWLIGHT dropper and the VShell backdoor. The activity has been codenamed SHELLSTORM. The activity is assessed to be the work of a Chinese or Chinese-speaking threat actor. HalluSquatting Can Trick AI Coding Assistants Into Installing Botnets — While artificial intelligence (AI) tools are prone to hallucinations, new research has detailed a new iteration of slopsquatting and phantom squatting called HalluSquatting.
The technique essentially involves registering legitimate-sounding resource names invented by an AI agent, registering them first, and then waiting for the assistant to run the malicious code embedded in the code. The attack pairs hallucinations with prompt injections to trick the agent into executing attacker-controlled instructions. ️🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.
Check the list, patch what you have, and hit the ones marked urgent first — From BRLY-2026-037 through BRLY-2026-042 (U-Boot), CVE-2026-50746, CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-55115, CVE-2026-54402, CVE-2026-55116 (Ubiquiti Unifi), CVE-2026-40138, CVE-2026-40139, CVE-2026-40140, CVE-2026-40141 (BeyondTrust Remote Support and Privileged Remote Access), CVE-2026-11405 (Tenda), CVE-2026-43499 aka GhostLock, CVE-2026-46215 (Linux Kernel), CVE-2026-53359 aka Januscape (KVM/x86), CVE-2026-52830 (fast-mcp-telegram), CVE-2026-57992 (Microsoft Edge), CVE-2026-11712, CVE-2026-11708, CVE-2026-11595 (IBM WebSphere Application Server), CVE-2026-12184 , CVE-2026-14355 (PHP), CVE-2026-52761 , CVE-2026-52747 (OWASP ModSecurity), CVE-2026-14898 (OpenAI Codex for macOS), CVE-2026-13753 (HP Deskjet 2800 Printer Series), CVE-2026-10706, CVE-2026-10708 (Adalo Database API), CVE-2026-15112, CVE-2026-15129 (Google Chrome), CVE-2026-12116, CVE-2026-14261 (Xerte Online Toolkit), CVE-2026-13461, CVE-2026-13462 (PayRange Android app), CVE-2026-0288 (Palo Alto Networks PAN-OS), CVE-2026-47291 (Microsoft Windows HTTP.sys), CVE-2026-15146 (GNU Wget), CVE-2026-31694 (Linux FUSE), CVE-2026-54432 (Roundcube webmail), CVE-2026-14544 ( HP Linux Imaging and Printing ), CVE-2026-13126, CVE-2026-57260, CVE-2026-57248, CVE-2026-57246 (Foxit PDF Reader and PDF Editor), CVE-2026-6896, CVE-2026-13320 (GitLab CE and EE), CVE-2025-14179 (pdo_firebird), and CVE-2025-14180 (PDO PostgreSQL) 🎥 Cybersecurity Webinars Learn to Kill a Rogue AI Agent Before It Leaks Your Secrets → Guardrails alone won’t save you. Okta Threat Intelligence Director Jeremy Kirk went hands-on with OpenClaw and watched agentic AI leak credentials, bypass safety controls, and turn into a live attack surface. In this webinar, he turns that into steps you can apply today: treat agents as first-class identities, enforce least-privilege access, use short-lived secrets, and hit the kill switch on shadow AI. Real attacks, real fixes.
Save your seat. Your Team Ships 50x More Code. Humans Can’t Review It Anymore → Frontier models like Mythos are compressing dev timelines past the point humans can review what humans build. Chainguard Field CISO John Sapp shows why that’s an architectural problem, not a velocity one: your attack surface is expanding in real time, adversaries have the same models, and CVE-based remediation breaks down at machine speed.
Leave with a secure-by-default strategy and the language to take it to your board. Save your seat. 📰 Around the Cyber World Compromising AI Gateways for Cryptomining — Threat actors have been observed compromising AI gateways such as LiteLLM Proxy connected to Amazon Bedrock services to deploy payloads that communicate with cryptomining infrastructure for unauthorized compute activity. Initial access to the LiteLLM Proxy EC2 instance is said to have been facilitated via internet-exposed SSH.
“While the ultimate impact in this case appeared to be unauthorized cryptomining, the incident is notable because of where it occurred,” Darktrace said . “The compromised asset sat at the intersection of cloud infrastructure, identity, and AI services. The incident demonstrates why organizations should treat AI infrastructure as part of their critical attack surface rather than as a standalone application tier.” Exploitation of CVE-2026-1207 Reported — Threat actors are actively exploiting a security flaw in Django (CVE-2026-1207), an SQL injection flaw that could result in remote code execution. “Observed exploitation volumes remain steady week-over-week, indicating sustained interest from threat actors,” CrowdSec said .
“Most observed attacks involve focused reconnaissance to identify vulnerable Django and PostGIS configurations, suggesting sophisticated targeting rather than broad spraying.” Multi-Stage Infection Leads to Node.js Backdoor — A malicious ZIP file containing a Windows shortcut (LNK) is being used to execute a hidden PowerShell command that downloads a legitimate node.exe binary and deploys a NodeJS-based backdoor. “The malware also uses the EtherHiding technique, leveraging the TON blockchain to retrieve its command-and-control (C2) address,” LevelBlue said . “The campaign begins with a spam email targeting the hospitality sector using booking-themed lures. The email contains a link hosted on Google Share, which is abused by the threat actor to make it look legit and also evade email security filtering.” Intrusions Exploit Citrix Bleed 2 — Threat actors are exploiting Citrix Bleed 2 ( CVE-2025-5777 ) to deploy the DragonForce ransomware.
“After gaining access, the attacker followed a consistent post-compromise pattern: escalate to SYSTEM through a registry-symlink/AppMgmt privilege-escalation trick, create rogue local admin accounts, and establish persistence with legitimate remote access tools like ScreenConnect and Zoho Assist,” Huntress said . “In the most advanced case, the operation ended with DragonForce ransomware deployment, which is why the blog’s main takeaway is urgent action: patch exposed NetScaler appliances, retain and review logs, terminate outstanding sessions, and audit for suspicious accounts and remote-management tooling.” The cybersecurity company said it observed half a dozen intrusions across unrelated organizations in the first half of 2026 using the same repeatable seven-step attack chain, indicating a highly standardized operator playbook rather than one-off compromises. Fake Chinese VPN Drops GoodPersonRAT — An MSI file masquerading as an installer for Kuailian VPN (aka LetsVPN) has been observed dropping and executing an encrypted RAT called GoodPersonRAT that provides attackers with complete control over a victim’s machine and its data. “Several features are implemented, such as full remote control, keylogging, browser manipulation, persistence, and auto-updating,” Threatdown said .
Fake Braintree NuGet Package Delivers Skimmer — A malicious .NET package named Braintree.Net has been found to impersonate Braintree’s legitimate Braintree SDK while deploying a multi-stage .NET implant that intercepts live payment card data, exfiltrates Braintree merchant API keys, and harvests host environment secrets upon assembly load. It also facilitates token theft, avoids sandboxes, and implements production-only gating. “This split behavior allows the attacker to deliberately target payment data in production, while environment reconnaissance casts a wider net,” Socket said. RedHook Android Malware Uses Wireless ADB for Shell Access — A resurfaced version of the RedHook Android trojan has incorporated new, sophisticated, and malicious functionalities, including autonomous privilege abuse, expanded command-and-control capabilities, and a robust persistence stack.
“While retaining core RAT functionalities, such as screen streaming and keylogging, the latest iterations demonstrate a sophisticated shift toward privilege abuse,” Group-IB said . “RedHook abuses Android’s ADB Wireless Debugging features to autonomously obtain shell-level access.” Recent activity indicates an expansion of targeting beyond Vietnam to include users in Indonesia, suggesting a broader regional focus across Southeast Asia. The malware is distributed via spoofed government and financial websites, but the malicious APK payloads are hosted on reputable cloud and development platforms, including AWS S3 Buckets and GitHub repositories, likely in an attempt to enhance delivery reliability. Phishing Campaign Targets Russian Aerospace Organizations — A spear-phishing campaign disguised as a legitimate business invoice targets aerospace organizations in Russia.
“The phishing email impersonates a legitimate Russian research institute associated with aerospace and aviation systems and is delivered using a spoofed domain designed to mimic the organization,” Seqrite Labs said . “The malicious email contains a password-protected attachment that ultimately deploys additional payloads on the victim’s system. Analysis indicates that the threat actor’s primary objective is to establish persistent remote access by silently configuring AnyDesk for unattended access, exfiltrating AnyDesk configuration data to an attacker-controlled email account, and implementing persistence mechanisms to retain long-term control of the compromised host.” The activity overlaps with previously documented campaigns attributed to Rare Werewolf (aka Librarian Ghouls), which is known to target organizations in Russia, Belarus, and Kazakhstan. Helix Data Extortion Crew Emerges — A new data extortion group called Helix is employing voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments.
Helix is said to have emerged from the BlackFile (aka UNC6671) and ShinyHunters (aka UNC6661) ecosystem. BlackFile has also splintered into Pink and Redact following its shutdown in April 2026. “In the kill chain, a single compromised identity served as the throughline from initial access to exfiltration. However, we have also observed what appears to be a tactical split,” ReliaQuest said .
“A first user is compromised through vishing and used for data exfiltration, quietly enumerating and bulk-downloading SharePoint libraries over a period of days. A second user is then compromised separately, often days or even weeks later, and appears to be used solely to deliver the extortion message internally via Microsoft Teams and email. The second account carries no exfiltration activity. It appears to exist in the operation for one purpose, which is to post the extortion demand inside the target’s own collaboration environment.” Microsoft Warns of Increase in Number of Windows Security Updates — Microsoft has warned customers to expect a spike in the number of security updates for Windows, as it uses AI techniques like MDASH to find more zero-day vulnerabilities.
“The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis,” the company said . “The fastest way to reduce customer exposure is to find issues before attackers can use them. Windows is expanding its ability across the platform to find issues earlier, accelerate the engineering work to fix them, strengthen validation, and deliver timely, high-quality updates that keep customers protected.” 🔧 Cybersecurity Tools Caeruleus → Praetorian has released Caeruleus, a free open-source toolkit that folds the whole Bluetooth Low Energy testing workflow into one Go binary. Running on Linux/BlueZ, it lets testers scan devices, read or write the GATT tree, capture notifications, fuzz characteristics, and run security checks, replacing the usual hcitool, gatttool, and bettercap mix.
Every command can output JSON for scripting and AI agents. PhantomFS → It is a free open-source Windows honeypot that uses the Projected File System (ProjFS) to project convincing decoy files, credentials, financials, and SSH keys, into a virtual directory that lives only in memory and never hits disk. The moment an attacker or insider opens one, it writes a Windows Event Log entry and fires a desktop Toast alert with the filename, timestamp, and process context, giving high-confidence detection with no tuning, ML, or cloud. Disclaimer: This is strictly for research and learning.
It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law. Conclusion The lesson this week is simple. Every shortcut we took to move faster is now a door someone else can walk through.
The package you trusted. The remote tool is left running. The AI that does whatever it reads. We built the shortcuts.
Someone else is using them. So patch the urgent stuff first, close the sessions you forgot were open, and go check what’s still facing the internet that shouldn’t be. None of it is exciting. It’s just the part nobody goes back to until it’s too late.
See you next week, if nothing breaks before then. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
The AI Security Starter Pack
New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email
Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false “fact” about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The researchers named the attack stealth memory injection and built a tool that writes the emails automatically.
The paper, “When Claws Remember but Do Not Tell,” landed on arXiv on 6 July 2026 . First, what these assistants do A personal agent is an AI assistant that sticks around. Instead of forgetting everything when a chat ends, it keeps notes about you in files: your preferences, your contacts, and what you asked it to do. It reads those notes at the start of every new session, which is why it feels like it knows you.
Many of these agents can also act for you, reading your email, checking your calendar, and running small jobs on a schedule while you are away. OpenClaw , the open-source agent used as the study’s primary target, keeps this state in plain text files: some hold its standing instructions (AGENTS.md), some hold what it has learned about you (MEMORY.md). It pulls the core ones into the model’s context at the start of every session. Those notes are the whole point of the product.
They are also the target. The one-email attack The attacker does not need your password or your account. They send an email to someone whose agent is set up to check their inbox, which, for these assistants, is a routine job. Buried in that email is text aimed at the assistant, not you.
If the agent’s email skill takes the bait, three things happen in a row. The agent uses its own file tools to write the attacker’s false note into its persistent memory. Its visible reply says nothing about having done so. And later, in a fresh conversation, that false note changes what it tells you or does for you.
In one of the study’s test cases, the planted lie was that the user’s Zelle daily sending limit had been raised to $10,000. You do not catch the change for a few reasons. The assistant hides its behind-the-scenes steps by design, so the moment it edits a file never shows up in the chat. Few users ever open the raw memory files to read them.
And when the agent runs on a schedule in the background, it often sends no message at all, so there is nothing to notice. To make the poison stick, the tool aims it at the core files that load every session, so a single write is loaded into every later session instead of waiting to be pulled from a separate memory store. The attack is generated by a tool the researchers call MemGhost . Its makers trained an attacker model offline against a shadow copy of a personal agent, rewarding emails that got the memory saved while keeping the reply quiet.
At attack time, it writes the finished email in one shot, with no back-and-forth with the victim. Across 56 fresh test cases, MemGhost pulled off the full attack, planting a false memory, hiding it, then swaying the agent’s answers in a later session. It worked in 87.5% of background-mode runs against OpenClaw on GPT-5.4, and 71.4% against a Claude Code SDK agent on Sonnet 4.6. These were isolated benchmark runs, and they begin only after the email has already reached an inbox that the agent reads, so nothing here tests whether a real payload clears spam filtering or sender authentication first.
Success was generally lower in foreground-mode tests, where the user can see the reply. In background mode, it stayed above 80% on each of two other agent frameworks and on a vector-based memory store in place of the plain files. The team also built WhisperBench , a 108-case benchmark spanning risks from bad medical advice to money loss to security sabotage. Overview of the WhisperBench framework Crude versions of the trick mostly fail.
A blunt “save this quietly and say nothing” was caught or ignored by the strongest models almost every time; the trained generator is what pushed the numbers up. It also slipped past the defenses meant to stop this kind of attack. An input filter built to catch poisoned emails missed MemGhost’s message more than nine times in ten, and a model specially hardened to ignore instructions that arrive by email still followed the planted one about half the time. Even when the owner was made to ask outright, “tell me what you checked and what you did,” the attack stayed hidden about a quarter of the time on one model.
There is no quick patch to wait for. OpenClaw’s own security policy treats prompt injection on its own as out of scope for a fix, unless it also crosses an authorization, tool-policy, approval, or sandbox boundary. MemGhost crosses none of those, since it works through the agent’s own memory-write tool, and researchers keep demonstrating exactly this kind of injection against the framework . The study’s authors argue the real fix has to live inside the agent: tagging where a piece of information came from, asking the user before anything reaches durable memory, and logging every write.
Until those lands, the exposed setup is any agent that both reads untrusted mail and can write its own memory without asking. The blunt fix is to keep those two jobs apart. Failing that, limit what an email-triggered run can change, and check the memory files after anything suspicious arrives. OpenClaw confirmed that position to The Hacker News and pushed back on how the paper set up its agent.
Its security guidance tells operators to route untrusted email through a separate reader agent stripped of memory, file, and shell tools, passing only a summary to the main agent, which the paper did not test. It also argues model tier matters: the OpenClaw runs used GPT-5.4, a current frontier model, but the authors skipped Claude Opus 4.6 on cost, and OpenClaw pointed to HackMyClaw , a public challenge where thousands of injection emails failed to pry a secret from an Opus 4.6 agent. That test targeted data theft, not memory poisoning, so it does not directly answer the paper. OpenClaw said it is weighing memory-write controls for external content, including provenance, audit logs, and confirmation prompts, in the same direction the paper recommends.
The Hacker News has also reached out to the paper’s authors and will update this story with any response. The manual version came first In 2024, researcher Johann Rehberger showed the same move by hand against ChatGPT, planting instructions in its long-term memory through poisoned web content so it would keep leaking a user’s data across future chats. He called it SpAIware . OpenAI closed the data-leak path, but the ability to write memory from untrusted content stayed.
A year later, it reached a shipping product. EchoLeak (CVE-2025-32711), disclosed by Aim Security in June 2025, used one hidden-text email to make Microsoft 365 Copilot hand over internal company data when the user later asked it a normal question. Microsoft rated it critical and patched it, and no real-world abuse was reported. A later case study laid out how it slipped past Copilot’s filters.
Both showed that the content an AI reads can carry commands, delivered by an email anyone can send. What MemGhost adds is persistence: Rehberger’s version had to be planted by hand, and EchoLeak leaked data only in the moment it was asked, but here an automated payload turns one email into a false memory that stays put and steers sessions long after the message is gone. This is a lab result, not a break-in in progress. The researchers ran everything in sealed test environments with fake inboxes and fake users, and the paper documents lab testing only, not use against real people; they say they plan to disclose their findings, attack patterns, and the benchmark to the makers of the affected agents and models.
Stealth is held in the study partly because capable agents are built to keep their tool activity out of the chat. The one model that gave itself away did so by printing its intermediate steps in the reply, and the researchers expect detection to get harder as agents get better at working quietly. The real problem is plainer: a message from outside became a durable, trusted context inside the agent, with no visible moment where anyone approved it. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft
A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing , adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing lures that make use of legitimate email delivery infrastructure, such as Amazon Simple Email Service (Amazon SES) and Twilio SendGrid, to imitate a redirection chain that blends into regular email traffic before it ends in Forg365-controlled domains. “The panel exposes a mature operator workflow: accounts, links, invitations, OAuth app configuration, redirect links, SVG generation, campaign sending, SMTP profiles, SMTP rotation, AI email generation, token vaulting, account intelligence, keyword alerts, viewer links, and browser-extension support,” ZeroBAC said . The email security company said the PhaaS kit is best understood as similar to the Kali365 (aka Octopi365 and Freedom365) and Sneaky 2FA ecosystem, reflecting the industrialization of the business model, which is now combining bringing together lure creation, delivery, evasion, token/session handling, and post-compromise operations under a subscription-based setup that allows even threat actors with little-to-no technical expertise to orchestrate phishing campaigns with minimal effort and at scale.
Attack chains using Forg365 have been observed using business document-themed or remittance approval lures to trick recipients into clicking on malicious links. The sender domain uses Amazon SES for delivery, while the message body contains SendGrid-hosted images or tracking resources. Customers who successfully complete Telegram registration utilize an operator panel accessible over the clearnet (“logfriend[.]com/login”), from where they can generate lures, set up campaigns, and manage captured tokens. “Forg365 includes a device-auth phishing branch that presents a Microsoft-styled verification code page and pushes the victim into a legitimate Microsoft Authentication Broker sign-in flow,” ZeroBAC explained.
“The victim sees real Microsoft authentication surfaces, but the code authorizes an attacker-controlled session.” For AitM phishing, the platform employs route tokens, session cookies, and traffic classification to determine whether to serve phishing content or a benign decoy. If a VPN connection is detected, the kit redirects to innocuous decoy content instead of exposing the phishing pages. A notable aspect of the Forg365 platform is that it offers an extension named ForgCookie for Chromium-based browsers like Google Chrome, Microsoft Edge, and Brave that is designed for continued access to the compromised accounts. Described as an “automatic SSO cookie refresh for Microsoft services,” the add-on acts as an intermediary between the token acquisition and browser access by cycling through the steps listed below - Requests account data from the Forg365 backend Calls the cookie-generation endpoint for a selected account Clears Microsoft session cookies Injects the generated refresh-token credential cookie into the Microsoft login domain Triggers a silent OAuth flow Captures resulting Microsoft cookies across Microsoft domains Forg365’s extends beyond simple credential and token harvesting to facilitate a wide array of post-compromise actions, including monitoring for specific keywords in compromised email accounts and drafting a message response to a particular email thread using assistance from AI.
“The result is a platform that lowers the skill threshold while increasing operational consistency. Less experienced affiliates can use prebuilt templates, while more capable operators can customize landing pages, rotate infrastructure, manage tokens, generate cookie material, and monitor compromised accounts,” ZeroBAC said. The disclosure coincides with the discovery of various campaigns that have been found to employ phishing kits for credential theft - Sending fake Microsoft account activity alerts from a legitimate-but-compromised third-party SaaS sender account to direct users to Sneaky 2FA-style phishing pages to launch a redirection chain that leads to the final phishing host, but not before performing checks to decide whether the visitor is a real user. Using phishing emails that direct recipients to a website hosted on Canva, which then triggers the device code phishing flow to hijack Microsoft accounts using the Kali65 phishing kit .
The kit supports over 33 different lures, a payout pipeline, and a desktop application called OctoLink Live (aka Kali365 Live) that abuses the stolen token to launch a Chromium browser session and open the victim’s mailbox in OWA, OneDrive, SharePoint, or admin.microsoft.com. The platform also offers a tool known as OctoLink Sender to mass-send phishing emails from the breached account to other contacts, a technique called lateral phishing. Phishing campaigns using Kali365 have also distributed phishing pages impersonating Russia’s MAX messenger, indicating an attempt to single out users in Russia. “A phishing operator who can convert MAX account takeovers into propagation has access to one of the largest installed messaging bases in the Russian-speaking world,” Arctic Wolf said .
Sending emails mimicking the IRS and Social Security Administration, alongside Adobe, Microsoft, DocuSign, and Dropbox, to deliver legitimate remote access software like ConnectWise ScreenConnect as part of phishing campaigns using a PhaaS kit called The Quarry that’s developed, maintained, and sold by a lone operator named RockyBelling. The price of the kit ranges anywhere between $500 and $3,000. This includes tools like Rocky Gmail Sender (a bulk email tool), Rocky Email Sorter (to sort email addresses by domain across Gmail, Yahoo, Hotmail, and AOL), and VioletRAT. Sending SMS messages impersonating the U.S.
Postal Service (USPS) and UPS to trick victims into visiting a phishing page that prompts users to enter their personal and financial information under the pretext of a failed package delivery and scheduling a new delivery. “Underneath the deception, the kit captures data in real time,” Censys said. “It opens a WebSocket back to its origin and streams the victim’s card data keystroke-by-keystroke, runs a server-side BIN lookup on the card number, and pushes routing decisions (retry, PIN prompt, OTP prompt, kill-switch) back into the victim’s browser while they type.” Using fake bid proposal workflows to take over Google accounts using a framework called Nyasher . The redirection chain incorporates a “press-and-hold” verification page to filter out automated scanners and bots, before navigating to a blob URL.
“The final page displayed a Google sign-in interface but was not reachable as a normal hosted HTML document,” ZeroBAC said. “It existed as a browser-created object URL.” Using bogus Google Partners and Google Premier Partner enrollment workflows in phishing emails to redirect recipients to a fake Google sign-in page designed to capture credentials in real time as part of a campaign codenamed GPPStorm . Using a legacy email alias to target a user’s inbox and launch a device code phishing flow that uses the EvilTokens kit. “The kit was reached through a Mailjet tracking link, then a compromised WordPress site, then a CAPTCHA interstitial, then the Cloudflare Workers host,” ZeroBAC said .
“Three live infrastructure hops between the email body and the kit, none of which is the kit itself.” To counter these threats, it’s recommended to block device code authentication unless it’s required, review mailbox artifacts after device code events for any signs of unusual activity, audit mail-flow rules, and decommission legacy aliases that no longer correspond to active employees. “The campaign succeeded in reaching the inbox because the recipient organization still maintained an active forwarding relationship from a pre-acquisition namespace into a current mailbox,” ZeroBAC noted. “The attacker used a still-resolvable historical identity to deliver mail that, from the SEG’s point of view, looked like normal forwarded correspondence. From the user’s point of view, the message landed in their working inbox with no visible cue that it had taken an indirect path.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Meta Files Patent for AI That Can Listen All Day and Track How You’re Feeling
Meta has filed a patent application for an AI that listens to your voice throughout the day, works out how it thinks you are feeling from the way you sound, and keeps a timestamped log of every read. Each read gets pinned to the moment it happened: the time, your location, what you were doing, even how you were using your phone. Some versions in the filing would listen all day; others would check in only at set times. None of these ships in a product today, and Meta has not announced one; a filing like this stakes a claim on an idea long before anyone commits to building it.
The application, US 2026/0182881 , was filed by Meta Platforms in December 2025 and published on July 2. It names a single inventor, Lachlan Dunn , and traces back to a provisional filing from December 2024. The patent-analysis site Patentlyze flagged the filing first. Its title pairs two ideas, emotional state analysis and real-time fitness coaching.
The claims show the first is the one that matters: of the 20, the three independent ones cover emotional analysis on its own, while workout coaching appears only in the dependent claims that build on them. What the patent describes A device records your speech across the day. It could be smart glasses, a phone, a smartwatch, headphones, or a smart home speaker, the patent says. The device transcribes it, and an AI trained to read mood goes to work on both the words and the way you say them: your tone, your pace, a sigh, a laugh.
It tags each stretch of audio with an emotional read, matches that read to the context around it, and over a set period, a day or a month, builds a summary of your patterns. The system does not just label you stressed. It points back to the words behind each reading, what the patent calls a citation. In one example, an anger reading arrives with the exact harsh words you used.
One figure logs a single person across a day: passive language on a morning video call from home, a laugh with a friend at dinner, a sigh at 9:15 PM caught by a smart home speaker. In that figure, the speech patterns are “time stamped and logged on servers,” and the system hands the user an example readout like this: “You sigh most frequently before bed, and you’re happiest when with friends. You’ve expressed more gratitude this month.” The filing reaches well past your voice. It can fold in biometric and eye-tracking signals, using pupil size, blink rate, even eye moisture to flag stress or crying.
It can also watch how you use your devices, down to the posts you view or like, your screen time, and how fast you switch between apps. All of it feeds one emotional profile. The patent’s other half is a workout coach. Smart glasses watch your form in a mirror and talk you through the set, telling you to sink deeper into a squat, then cheering you on for a few more reps.
The coach reads your mood, too. If it senses you are tired or discouraged, it eases off. If it decides you have energy to spare and are slacking, the patent says it may “admonish” you. The patent claims no human coach could match its precision or keep it up all day.
We have been here before The ambition is not new. Amazon put voice mood-reading into its Halo wearable in 2020. Its Tone feature listened to your pitch and pace and told you how you came across through the day, calm, frustrated, and the like, and it processed those samples on your phone and deleted them , never touching the cloud. It drew scrutiny anyway: in December 2020, Senator Amy Klobuchar pressed federal health regulators over Halo’s collection of voice-tone and body-scan data, calling it unusually intrusive.
Amazon shut the whole line down in 2023 , though it never tied that to privacy. The gap with Meta’s filing is not really storage: the patent keeps the work on-device in some versions and logs to servers in others. It is reach. Tone reads your mood from your voice alone; Meta’s system also reads your eyes and your phone.
Regulators have their own doubts about whether reading emotions this way even works, and they have started drawing lines. Since February 2025, the EU’s AI Act has banned AI that infers people’s emotions in workplaces and schools, except for medical or safety reasons, with fines up to 35 million euros or 7% of a company’s global turnover, whichever is more. Its drafters flagged the thin science directly: emotional expression varies from person to person, culture to culture, and moment to moment. That ban stops at consumer tools, though.
A separate rule arriving in August 2026 will make systems that read emotions from biometric signals disclose that they are doing so. Whether a voice-first coach counts is arguable; one that also reads pupils and blink rate would fall more squarely inside that biometric line. The Hacker News has reached out to Meta for comment on whether the application reflects any product plans and how such a system would handle user data, and will update this story with any response. The workout coach is one use.
Underneath it is a running log of everything the system decided you felt, keyed to where you were and what you were doing. Amazon’s mood-reading listened to your voice alone, and it got pulled in 2023. Meta’s reaches into your eyes and your phone too, and the only thing keeping it out of your life is that no one has built it yet. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots
A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations.
But as we mapped out the broader architecture, something kept nagging at me. The design they were building was going to work beautifully for a tiny percentage of alerts that genuinely needed deep human judgment. It was going to completely ignore the rest. On the flight home, I picked up a book I had not touched in a few years.
Daniel Kahneman’s Thinking, Fast and Slow. Kahneman is one of the rare people who genuinely changed how we understand human decision-making. He spent his career as a psychologist studying how people actually think, as opposed to how economists assumed they did. In 2002, he won the Nobel Prize in Economics, which tells you something about how far his work traveled beyond its starting point.
The book’s central argument is that the human mind is not one thing. It is two systems operating in parallel, often in tension. System 1 is the brain that runs automatically. It recognizes patterns instantly, reads a room in seconds, and keeps you alive without conscious effort.
It is fast, associative, and unconscious. According to Kahneman’s research, 95% of all human cognition happens here, running quietly in the background like an operating system you never see. System 2 is the brain you engage with for hard things. Evaluating a contract, working through a problem with no obvious answer, and making a judgment call under pressure.
It is slow, logical, effortful, and it accounts for the remaining 5% of our thinking. It can override System 1 when System 1 is wrong. But it has limited capacity. You cannot run it at full power all day.
When it gets exhausted, System 1 takes over regardless. Kahneman’s core insight is not that one system is better. It is that the errors humans make are almost always the result of applying the wrong system to the wrong job. Deliberate thinking applied to things that should be automatic burns people out and still misses things.
Automatic thinking applied to things that genuinely need deliberation produces confident mistakes. I landed, opened my laptop, and wrote one sentence to myself. “This is exactly what is wrong with how most security teams are designing their AI architecture right now.” The numbers are not a coincidence Kahneman says humans run System 1 for 95% of their cognition and System 2 for 5%. Research based on analysis of more than 25 million enterprise alerts found that 98% of alerts can be resolved autonomously with less than 2% actually warranting human review.
This is almost identical to Kahneman’s ratio. The SOC that performs well is not some new invention. It is the architecture that mirrors how the best decision-making minds actually operate. Fast, automatic processing for the overwhelming majority of inputs, and deliberate human judgment reserved for the small fraction that genuinely needs it.
The CISO I was sitting with was building a SOC with one brain. His team was asking System 2 to do System 1 work, and then asking System 2 again to do what it is actually good at, on whatever energy was left over. No wonder they were covering only a fraction of their alerts. No wonder the analysts were exhausted.
No wonder the real threats hiding in the low-severity pile were never found. According to research on over 25 million alerts , an enterprise with 450K alerts per year can expect 54 real threats to be hidden in exactly those alerts, the ones that look like noise, the ones that never make it to the front of the queue. The fast SOC brain for the 98% of alerts The bulk of SOC alert triage is a System 1 problem. Is this file known to be malicious?
Does this login match historical behavior? Has this IP ever appeared in a case we already closed? These are not questions that need lengthy deliberation. They need answers, at machine speed, for every alert, around the clock.
When human analysts are forced to do this work, the same thing happens that happens when you make people perform System 2 tasks all day. They slow down, they simplify, and eventually they start skipping. They triage only what looks urgent. The 54 threats hiding in the low-severity pile stay hidden, not because anyone chose to ignore them, but because there are 4,000 alerts behind them and the team’s cognitive capacity ran out.
The autonomous brain of the SOC needs to work the way System 1 works. Continuously, without prompting, below the threshold of human attention. It applies deep, forensic-grade investigation to 100% of signals. Memory scans, file analysis, cross-signal correlation across endpoint, identity, network, and cloud.
It closes the cases that are clearly noise and surfaces the cases that genuinely need a human, with all the evidence already assembled. It does not ask for permission. It produces verdicts. This is what an AI SOC does.
It investigates everything, reaches verdicts at 98% accuracy in under two minutes, and hands the human team the 2% that actually warrants their attention. The slow SOC brain for 2% of alerts System 2 is where Claude, Codex, and Cursor belong in a SOC. Not because they are slow, but because the work they are best suited for is genuinely deliberate. Complex case analysis.
Detection rule engineering. Incident reporting. Threat hunting based on an industry briefing. Work that requires synthesis, judgment, and the ability to combine forensic findings with the business context that only the analyst has.
This is where the AI co-pilot framing makes sense, but only when the co-pilot is not also being asked to manage the runway. When a Claude agent picks up an escalated case, it should not start from a raw alert. It should start from a fully assembled investigation with all the forensic analysis completed, the related signals correlated, and the recommended response drafted. The analyst applies judgment to a curated, evidence-backed case.
They are not validating whether the alert was worth looking at. They are doing the work that actually needs a human mind. When System 2 gets that kind of input, something changes. What used to be an afternoon of pivoting between consoles becomes a short, focused exchange.
The analyst stops grinding the queue and starts doing the work they were actually hired to do. And here is the part that I think the market has not fully appreciated yet. Every judgment the slow brain makes, feeds back into the fast brain. Every tuning rule written in Claude, every case closed with a new context, makes the autonomous layer more accurate the following month.
The two systems are compound. They make each other better over time. The two failure modes playing out right now Kahneman spent a career documenting what happens when humans use the wrong cognitive system for a problem. The security industry is running both failure modes simultaneously, at scale.
The first is the classic one. Keeping human analysts in the System 1 role. Manual triage of hundreds of alerts a day, burning cognitive capacity on work that should be automated. The team’s System 2 is exhausted before it ever gets to the cases that actually need it.
Coverage suffers. Threats are missed. The team adds headcount and the problem scales linearly rather than being solved. The second failure mode is the one the current AI wave is producing.
Deploying a frontier AI platform directly against raw detection data and calling it an AI SOC. This is also System 2 doing System 1 work, just faster and more expensively. The agent still needs a human to initiate each investigation. At real alert volumes, the economics do not hold.
Running a frontier model against every alert at current token costs is not viable in production. Teams quietly start skipping the low-priority ones. The 54 missed threats remain missed. The problem is not solved.
It is rebranded. The SOC architecture that actually mirrors the brain The SOC that succeeds in 2026 runs both systems correctly. The fast brain covers everything automatically. It is purpose-built for forensic investigation at scale, not a general-purpose language model.
It does not wait for prompts. It does not skip low-severity alerts because the queue is long. It produces verdicts across 100% of signals and feeds the slow brain with fully assembled cases. The slow brain runs on top of that foundation.
Claude, Cursor, Codex, etc. receive escalated cases with all the context attached. Analysts supervise rather than triage. And because both brains share the same knowledge base, every decision made in the AI workspace makes the autonomous layer smarter.
There is also a strategic implication here that I think the market has not fully processed. Enterprises that outsource alert investigation to an MDR provider do not own the knowledge layer that builds up from that investigation. The detection rules, case history, triage logic, and organizational context all accumulate inside the vendor’s platform. When you want to connect Claude or Codex to your security operations, you are trying to run System 2 on a foundation you do not own.
The slow brain has nothing to work from. Bringing investigation in-house is not just a cost or coverage decision. It is the prerequisite for making an analyst copilot actually useful. Every alert investigated, every case resolved, every rule tuned accumulates inside your own instance.
The faster System 1 builds that foundation, the more powerful System 2 becomes. Kahneman’s insight was that the best decision-makers are not those who think faster or think harder. They are those who know which mode the moment calls for, and have designed their lives so that each system is applied to the right problems. Security teams that get this right in 2026 will not be the ones with the most analysts or the most powerful language model.
They will be the ones who designed a SOC where the fast brain handles everything it should, and the slow brain is freed to do what it is meant to. AI executes. Humans supervise. And when the architecture is right, supervising is the best part of the job.
Found this article interesting? Learn more here. Note: This article has been expertly written and contributed by Lital Asher-Dotan, CMO at Intezer. Found this article interesting?
This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory
Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration. “The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the enumeration attempt,” Huntress researchers Jevon Ang and Dray Agha said . The attack chain involved the threat actor establishing Remote Desktop Protocol (RDP) access onto a domain-joined Windows Server with a set of pre-compromised credentials, followed by staging the tools in the “C:\ProgramData" folder. The incident took place in early June 2026.
This included an artificial intelligence (AI)-generated payload to map the Active Directory environment. The assessment is based on various telltale signs, such as the prompt iteration title, placeholder strings, over-engineered code that features multiple methods to find a Domain Controller, and beautified console output using cyan, green, red, and yellow. Huntress described the bespoke PowerShell script as “highly aggressive” and “noisy,” making use of a “five-step cascading fallback mechanism” to enable reconnaissance and discovery. It’s titled “100% Working AD Information Gathering Script - FULLY FIXED,” suggesting a back-and-forth with a large language model (LLM).
Once the primary Domain Controller is located, it initiates a data collection routine to systematically harvest AD users, computers, groups, organizational units (OUs), and trusts, and store the details in a staging directory. About 30 minutes later, the attacker moved to deploy a s5cmd , a legitimate tool used for bulk file operations, along with SharpShares , a C#-based network shares enumeration utility, to look for user-accessible data repositories. In the final stage, the data is said into CSV files, archived, and exfiltrated to a remote server, but not before creating an HTML file summarizing the data theft in the form of an Active Directory Inventory Report. “It’s likely a ‘helpful’ inject from the LLM that the attacker simply went along with, rather than being intentionally authored into the script,” the researchers explained.
The development is yet another sign that threat actors are augmenting their arsenal with vibe-coded malware generated with assistance from AI models, even if the technology isn’t being abused in ways not seen before. What it does change is that it lowers the barrier to entry for cybercrime, permitting less-skilled actors to come up with highly capable, evasive tooling with minimal effort. “The underlying attack chain still resembles the tried-and-tested smash-and-grab playbook we’ve seen for years,” Huntress said. “This core methodology has remained consistent, but it is now being selectively augmented by AI.
This hybrid approach prioritises aggression and speed over stealth, allowing threat actors to execute highly damaging campaigns faster than ever.” AI as a Force Multiplier In a report published last week, Sygnia revealed that AI-enabled attackers do not necessarily need novel malware or zero-days, but that the real shift lies in the fact that cyber intrusions can be orchestrated at a speed and scale faster and bigger than defenders can contain them. The incident response company said it observed an AI-assisted cloud attack that progressed from initial access to broad compromise within a span of about 72 hours against a large Amazon Web Services (AWS)-based environment. The end goal of the activity is assessed to be financially motivated, with the attacker using the access to the victim’s cloud infrastructure for use as leverage for extortion. “The threat actor repeatedly leveraged newly acquired credentials to restart discovery, secrets harvesting, persistence, and impact activities,” it said .
“The attack relied on familiar cloud techniques rather than novel malware or zero-days.” “The threat actor was not exploiting a single misconfiguration; they were chaining weaknesses across application services, AWS resources, source-control repositories, CI/CD workflows, runtime components, and data stores, while rapidly executing credential discovery, secrets harvesting, cloud enumeration, deployment-pipeline abuse, runtime modification, database access, and operational disruption.” The attacker, per Sygnia, entailed repeated attempts to establish persistence on the compromised hosts, obtaining the access key to one of the AWS accounts through shortcomings in an internet-facing application. Each new access was followed by renewed enumeration, additional secret collection, persistence attempts by creating access keys and IAM users, and data exfiltration. At the same time, several attacker-created artifacts were masked as a pentest or a red teaming exercise. To further exert pressure on victims, the attacker performed a series of actions - Denying access to S3 buckets Limiting ECS services or containers to a maximum capacity of zero Creating ACL rules to block network access Purging SQS queues “The significance was not that AI introduced new attack techniques, as every observed action mapped to long-established adversary behaviors, but that it reduced the time and effort required to operationalize those techniques across a complex environment,” Sygnia pointed out.
“The threat actor repeatedly converted newly obtained access into tailored action. For each new access key, the actor appeared to quickly determine the associated permissions, reachable resources, and most valuable next steps.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365
An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it: python3 -m http.server 8080 , was still sitting in the readable .bash_history . From that one lapse, French security firm Lexfo lifted the operator’s entire toolkit and pivoted through it to two more phishing operators, three campaigns in all. Each ran a custom fork of the open-source Evilginx proxy , cloned from public GitHub.
The largest of the three had been running for more than a year, its victims overwhelmingly corporate mailboxes. The three got past MFA in two mechanically different ways, one by proxying the live login , one by abusing a legitimate Microsoft sign-in flow. The two need different defenses, which is the part that matters most if you run Microsoft 365. Directory listing on a working attack server is close to a full confession.
The listing exposed phishing configs, credential-harvesting logs, RMM installers, combolists, backup archives, and the operator’s own Telegram session files. Behind it ran an Evilginx adversary-in-the-middle proxy and a SimpleHelp remote console on the same host, at 185.163.204[.]7 in Budapest, cataloged in late April 2026 during a routine internet scan. The bash history and a set of public repos pointed straight at the operator: an Egyptian actor the firm tracks as codemado , active in VoIP and hacking forums since 2018, now running a Microsoft 365 AiTM platform on picis[.]net and monetizing access through a bulk mailer he wrote called MaDoO Blaster . His campaign went live on April 20 and kept running past the day the directory was found on April 30, with fresh subdomains and a renewed wildcard certificate turning up weeks later.
His own bot logged captures against two corporate M365 accounts, one French, one North American. The repeated captures of the same accounts from different IPs are consistent, the firm says, with the operator refreshing stolen tokens as they aged out. Where the kits came from codemado did not build the framework he runs. He cloned it, and his bash history shows him comparing kits side by side.
The server held four Evilginx variants pulled from two other GitHub developers, and both turned out to be active operators in their own right. The first, red-queen , comes from a Nigerian operator the report calls mail-argenta, and it shows how much polish gets bolted onto a public framework. His fork renames the crossorigin and integrity HTML attributes to defeat Subresource Integrity checks and adds a URL-rewriting engine to http_proxy.go to dodge path-based detection. It pre-fills the victim’s email address to cut abandonment.
It also sets a one-year TTL, 31,536,000 seconds, on the captured Microsoft session cookies. The report says an intercepted login can then outlast a password reset and, without a CAE-capable Conditional Access policy, stay usable for months. A pre-compiled evilginx2.exe is committed to the repo, so a buyer never has to build anything. One captured M365 cookie sitting in the repo carried an expiration date of June 30, 2027.
mail-argenta got caught the way his own victims do. The firm found his email and a password in infostealer logs, the kind of harvested-credential data his phishing panels exist to produce. That leaked password matched the one hardcoded as the MySQL password in his Kraken panel and reused across his accounts. The quiet one The third fork, black-queen , logged far more captures than the other two, and it never touches a password.
Its author, whom the researchers could not identify past the handle saroula01 , built it around Microsoft’s OAuth device code flow, a legitimate sign-in path meant for input-constrained devices. The attack generates a real device code, wraps it in an Authenticator-themed lure page, and tells the target to enter it at the genuine microsoft.com/devicelogin . The victim signs in on a real Microsoft page and clears MFA themselves. saroula01’s backend polls the token endpoint and takes the token the moment they do.
Calling this “MFA bypass” misses how it works: nothing gets bypassed. The lure page is Authenticator-themed and attacker-built, but the device code and the Microsoft page where the victim finishes are genuine, so the MFA prompt the victim satisfies is real. A passkey or FIDO2 key does not help either, because the victim clears it on genuine Microsoft infrastructure while authorizing the attacker’s session; the origin binding that stops Evilginx passes cleanly when the origin really is Microsoft. Microsoft documented the technique in February 2025 , in a campaign it assessed with medium confidence as Russia-aligned .
It has since spread well past state-backed use, into campaigns hitting hundreds of Microsoft 365 organizations . saroula01’s version ran quietly for over a year. The firm counted 218 distinct captured accounts in the campaign’s Telegram bot logs across a dozen countries between June 2025 and July 2026, around 94 percent of them corporate mailboxes. Those are logged captures, not scan targets.
A token file briefly committed to the repo and then deleted, still readable in the git history, held 97 live Microsoft tokens tied to three of those victims, every one set to autoRefresh and some refreshed as many as 25 times. The framework was keeping the sessions alive on its own. Both phishing domains, picis[.]net and romnor[.]ca, were offline when The Hacker News checked ahead of publication, though the report’s timeline shows picis[.]net still provisioning new subdomains as late as May 2026. The Lexfo CTI team told THN that the domains had already gone offline before it took any action, and reads that as the operators rotating infrastructure or pulling back rather than a coordinated takedown, though it cannot confirm which.
The three connect, loosely, to something larger. In June 2026, SOCRadar documented a phishing-as-a-service ecosystem it named The Quarry , run by a developer it calls RockyBelling and, by its count, sold to close to 200 operators. MaDoO Blaster shows up promoted inside The Quarry’s Telegram channel as a third-party tool, flagged independently in both writeups, which the report frames as a supplier relationship, not membership in it. Whether mail-argenta or saroula01 has any direct tie cannot be shown from the artifacts.
Their kits sat on public GitHub, and anyone could have taken them. Built with help The report found signs of AI-assisted development across all three operations, though they vary in strength. saroula01 left two git commits co-authored by Claude models. mail-argenta committed an instructions.txt that is a verbatim save of an AI coding session, references to earlier prompts and all, documenting how the URL-rewriting feature got built.
codemado’s is thinner: one of his scripts credits CyberNeurova , a paid “uncensored” code-generation API, the report says, which advertises itself with the prompt “Build me a keylogger in Python.” Two of the three put a model directly in the code; the third is a credit line, and none of them shows how much of each build the model did. It is not confined to these three either. Microsoft has separately documented device-code phishing built on AI-driven backend automation and generative-AI lures. The Hacker News asked the report’s authors how much of the tooling AI actually produced across the three operations.
The Lexfo CTI team said the Evilginx forks carried only minor changes to the core, and that the clearer signs of AI use sat in the glue code around them, the scripts and phishlets, several of which read as direct model output. It was less the framework itself, the team said, than the code built around it. What defenders can actually do The two techniques do not share a fix. Phishing-resistant MFA, FIDO2, or passkeys still shut down the Evilginx side by binding the sign-in to the real domain.
It does not stop device code abuse. For that, the lever is Conditional Access. Microsoft’s own line is to block device code flow wherever possible . A handful of setups genuinely need it, mostly input-constrained hardware like Teams room devices and some command-line tools.
Inventory that uses the sign-in logs, blocks the flow everywhere else, and tests the policy in report-only mode before enforcing. Layer IP-based Conditional Access location policies and Continuous Access Evaluation on top, so that on supported Microsoft 365 workloads, a stolen token seen from outside your allowed ranges gets reevaluated instead of riding out its lifetime. For detection, the report flags refresh-token grants from the Microsoft Office client ID d3590ed6-52b3-4102-aeff-aad2292ab01c in Entra sign-in logs as worth watching, where that desktop client is not in normal use; cross-check them against unfamiliar source IPs. The same Microsoft guidance flags a catch: a session that started with device code flow stays tagged on later refreshes even when the current event no longer shows it, so hunt on the sign-in’s Original transfer method field, not just the live authentication protocol.
On endpoints, hunt for the RMM tooling these operators drop for persistence ; codemado’s kit reaches for XEOX, so start with the agent at C:\Program Files (x86)\XEOX\xeox-agent_x64.exe and scheduled tasks matching XEOXAgentWatchdog . The domains and IPs are in the report, but that infrastructure rotates, so treat it as containment, not a fix. The Hacker News also asked Microsoft about the abuse of its device code flow, and had received no response by the time of publication. This story will be updated with any reply.
None of this took much: three operators, none of whom built the frameworks they ran, stood up working campaigns off public repositories, kits that sell for a few hundred dollars, and a model helping with the custom parts. The report reads that the barrier to a working campaign has fallen to near zero, and the Lexfo CTI team expects this class of attack to become significantly more common over the coming months. One cheap ecosystem now supplies two ways around MFA, and that is the part that outlasts any single campaign here: a shop hardened against reverse-proxy phishing is still open to device-code abuse. Blocking that second path is one Conditional Access policy, no passkey rollout adds for you, and it exists only once someone writes it.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports of zero-day exploitation in the wild. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below - CVE-2026-48939
- A vulnerability in the iCagenda extension for Joomla that allows the upload of arbitrary files via the file attachment feature, leading to PHP code upload and execution. CVE-2026-56291
- A vulnerability in the Balbooa Forms extension for Joomla that allows the upload of arbitrary files, leading to remote code execution.
According to mySites.guru, a cloud-based dashboard service for managing WordPress and Joomla websites, CVE-2026-48939 is said to have been exploited as a zero-day since June 15, 2026, in automated attacks aimed at Joomla sites on which iCagenda is installed. It resides in the “Submit an Event” form functionality, which lets users propose events for the calendar. “We first saw it in a client’s access log: an automated scanner identifying itself as ‘icagenda-batch/1.0’ grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell at the exact path the component writes attachments to,” mySites.guru said . The flaw impacts the following versions - 4.x versions up to and including 4.0.7 Legacy 3.x versions from 3.2.1 up to and including 3.9.14 JoomliC has since released updates to address the issue in iCagenda versions 4.0.8 and 3.9.15.
Site owners are advised to check for suspicious PHP files in the “images/icagenda/frontend/attachments/” folder and remove them. MySites.guru said it also observed zero-day exploitation of CVE-2026-56291, which affects Balbooa Forms versions up to and including 2.4.0. It has been patched in version 2.4.1. “Up to and including version 2.4.0, its frontend attachment upload had a serious flaw: it accepted a file from any anonymous visitor, with no login, no CSRF token, and no check on the file type,” it said .
“An attacker could upload a PHP file into a public folder and then run it, which is unauthenticated remote code execution, the worst outcome a web flaw can have.” The vulnerability was discovered by mySites.guru on July 8, 2026, following a live attack on one of its customers. It has shared the following indicators of compromise - Look in the Balbooa Forms upload folder (by default “images/baforms/uploads”) for any file that is not an image or document, especially anything ending in PHP Check the Joomla user list for suspicious administrator accounts Audit the set for recently modified or unfamiliar PHP files across the site In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until July 13, 2026, to implement the fixes in their networks. Australia Warns of Global Campaign Targeting Vulnerable CMS Systems The disclosure comes as the Australian Cyber Security Centre (ACSC) issued an alert warning of a global exploitation campaign targeting various vulnerabilities in content management systems (CMS) and plugins. “As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy web shells, leveraging various vulnerabilities affecting CMS software and plugins,” the agency said .
“These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialization.” Once deployed, the web shells serve as conduits for remote access and control of the targeted web servers. Some of the identified security vulnerabilities are listed below - Sneeit Framework ( CVE-2025-6389 ) WPBookit (WordPress) ( CVE-2025-7852 ) Gravity Forms (WordPress) ( CVE-2025-12352 ) Craft CMS ( CVE-2025-32432 ) Ninja Forms (WordPress) ( CVE-2026-0740 ) MaxSite CMS ( CVE-2026-3395 ) Breeze Cache (WordPress) ( CVE-2026-3844 ) WavePlayer (WordPress) ( CVE-2025-12057 ) MetInfo CMS ( CVE-2026-29014 ) Joomla JCE ( CVE-2026-48907 ) “This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations,” ACSC said, adding “advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the release six minutes after it was published . If you or one of your build systems pulled it in that window, the payload has already run with whatever access your install process had.
None of this is in the prior release, 8.13.0. The package diff shows two new files under dist/: setup.js, a small loader, and intro.js. Despite the name, intro.js is not JavaScript but a roughly 7.8MB container packing three gzip-compressed native binaries, one each for Linux, Windows, and macOS. On install, setup.js picks the binary for the host operating system, writes it under a random name in the system temp directory, marks it executable, and launches it detached with its output hidden.
The added files are in the published package, but nowhere in jscrambler’s public source. StepSecurity and SafeDep both pulled and analyzed the release, and both report no matching commit, tag, or pull request for 8.14.0 in the GitHub repository. Its latest tag is still 8.13.0. The version was pushed straight to npm under a legitimate maintainer account, bypassing the project’s normal release flow.
That points to a compromised npm account or build pipeline. Which of the two has not been established. The payload is a Rust infostealer, built for all three platforms, that sweeps a developer machine for secrets and ships them to a drop server over TLS, according to Socket’s updated analysis and a statement to The Hacker News. The target list is broad and aimed at developers: cloud credentials from AWS, Azure, and Google Cloud, including the metadata endpoints CI runners use; cryptocurrency wallets and seed phrases from MetaMask, Phantom, and Exodus; the Bitwarden password manager vault; browser-stored passwords and cookies; and Discord, Slack, Telegram, and Steam sessions.
It also goes after something newer: the config files for AI coding tools, including Claude Desktop, Cursor, Windsurf, VS Code, and Zed, where API keys and Model Context Protocol server credentials tend to sit. The binaries do more than steal. On Linux, the payload links the kernel’s BPF library and can load an eBPF program straight into the kernel from memory. That is a foothold in the kernel, not the userspace file access that the rest of the stealer relies on.
StepSecurity and SafeDep both flagged the capability, though what the eBPF does is still being pulled apart. The Windows and macOS builds add anti-debugging checks, and the stealer wires in persistence to survive a reboot: a hidden Windows scheduled task set to relaunch every minute, and a macOS LaunchAgent that reloads on login. Its command-and-control details stay encrypted in the binary and never surfaced in static analysis. StepSecurity’s runtime monitoring caught the dropped binary reaching out to two hard-coded IP addresses and to Tor infrastructure, the first network indicators published for the campaign.
jscrambler is a build-time tool, installed as a development dependency or run from CI. Those environments hold what the stealer collects: cloud keys, deploy tokens, and source code that a build or CI process can reach. Source: Step Security The package sees about 15,800 downloads a week, and how many pulled the compromised version is not yet known. That is a far smaller footprint than the packages hit in the big npm compromises of the past year, which pull billions of downloads a week between them.
For a stealer aimed at build machines, though, reach was never the point. The access is. The Shai-Hulud worm ran from an install hook to steal tokens and spread through hundreds of packages that September. The widely used chalk and debug packages were taken over through a phished maintainer account and used to reroute crypto payments.
In March, a hijacked account pushed a cross-platform trojan into Axios , an HTTP library with more than 83 million weekly downloads. What makes the timing here sharp is that npm had just moved against this exact route: npm 12 shipped on July 8, three days before this release, with dependency install scripts off by default . On npm 12, a preinstall hook like this one does not run unless someone approves it. Older clients still run them automatically.
Version 8.15.0 has since replaced it at the top of npm’s version list , published from the same maintainer account and showing none of the malware alerts 8.14.0 tripped: no install script, no bundled binary. But 8.14.0 was not pulled. It is still on npm, so any lockfile or command pinned to it keeps installing the stealer. Only the main CLI package was hit; the jscrambler plugins for webpack, gulp, Metro, and grunt stayed on their clean June releases, with no install hooks.
What to do now Get off 8.14.0. Move to 8.15.0, or pin to 8.13.0 for a release from before the incident, and clear jscrambler@8.14.0 from lockfiles and caches. Work out whether you installed 8.14.0. Check lockfiles and package-manager logs for jscrambler@8.14.0, and CI records for any run of dist/setup.js, from July 11 on.
The loader drops its payload under a random name in the temp directory, so there is no fixed binary name to grep for; line up install timestamps against Node child processes and temp-directory execution instead. On Windows, check Task Scheduler for hidden tasks; on macOS, inspect ~/Library/LaunchAgents for unfamiliar plists. If 8.14.0 ran on a machine, treat every secret it could reach as stolen, not just exposed. Rotate cloud keys, npm and GitHub tokens, and AI-tool and MCP API keys; revoke Discord, Slack, browser, and Bitwarden sessions; and move any crypto out of wallets on that host.
Block the two command-and-control IPs listed below. The cleanup was fast, but a stealer does its work in the seconds after install. A build pinned to 8.14.0, on an older client that runs install scripts, still runs the payload. And on any machine that already ran it, the secrets were gone before 8.15.0 ever reached the top of the list.
- Indicators of compromise
- Malicious package: jscrambler@8.14.0. SHA-256 hashes for the added files and their decompressed payloads:
- dist/setup.js: a742de963f14a92d24ebcbc7b44ac867e23a20d31d1b0094a13a4f83287f4e60
- dist/intro.js: a41a523ef9517aab37ed6eea0ec881821bdcb7aefcb5c5f603adc7907f868c86
- Linux payload: fbbcf4d8f98168f78f5c0c47a9ae56d59ec8ac84a7c9ca6b797fedfb8d62d2bd
- Windows payload: b7ca95d1b23c8e67416a25cedf741de0917c2096bbc9d24649eea7853d054903
- macOS payload: c8fd47d36bdf7c825378593ab82ed8c24d1dc52e26b507812393e24e1d5201fd
- Network endpoints StepSecurity observed at runtime. The two IPs are the direct attacker endpoints; the binary also reaches Tor infrastructure, likely for connectivity or routing:
- C2 IP: 37.27.122[.]124
- C2 IP: 57.128.246[.]79
- Tor infrastructure: check.torproject[.]org, archive.torproject[.]org
- On-host artifacts: a randomly named hidden file in the system temp directory, of the form .{random} or .{random}.exe on Windows, plus a hidden Windows scheduled task or a macOS LaunchAgent for persistence. Update: More Malicious Releases, and Jscrambler Confirms a Compromised npm Credential
- Jscrambler has confirmed the cause
- the attacker published the packages using a compromised npm publishing credential.
Socket now ties five malicious jscrambler versions to the same actor, pushed over about three hours, and all carrying the same cross-platform infostealer described above. They are 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0. Jscrambler’s advisory lists four of them and does not mention 8.18.0, so treat all five as suspect until the two accounts agree. Version 8.15.0, published between the first two, is on neither list and appears clean.
The delivery method changed partway through. Socket reports that 8.14.0, 8.16.0, and 8.17.0 run the malware from a preinstall hook, the same route as the first release. In 8.18.0 and 8.20.0, the dropper was moved into the package’s main code and CLI, so it fires when the package is imported or run, and npm install –ignore-scripts does not stop it. Jscrambler’s advisory describes only the preinstall vector.
Jscrambler says the intrusion was limited to the jscrambler package for its Code Integrity product and did not reach its other products. It revoked and rotated its publishing credentials and secrets, hardened its publishing pipeline, and deprecated the malicious releases, though deprecation still leaves them installable by exact version. Its forensic investigation is ongoing. Both Jscrambler and Socket point to 8.22.0 as the clean release to move to.
If you installed any affected version, upgrade to 8.22.0 and audit the workstation or CI runner that pulled it, rotating the credentials listed in the steps above. Jscrambler says npm currently reports zero downloads of the malicious versions but cautions that the count lags by hours and is still being verified, so it is not yet proof that nothing ran. Update: JFrog Ties the Payload to IronWorm and Finds a Self-Propagation Routine The malware does not just steal. It is built to spread itself.
JFrog , which analyzed the same five releases, identifies the payload as IronWorm , a Rust infostealer it documented a month earlier and ties to the Shai-Hulud lineage. JFrog says the payload hunts for npm tokens in environment variables and files such as .npmrc, checks them against the registry, picks packages with high download counts, and injects a malicious setup.mjs preinstall script into their tarballs, and publishes the infected versions straight to registry.npmjs.org through a raw HTTP PUT, without ever calling the npm client. It confirmed the routine in the code. It does not say the worm managed to publish anything through a stolen token.
Where the analyses overlap, they agree. JFrog lists the same five versions, 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0, including the 8.18.0 that Jscrambler’s advisory left out, and its payload hashes and the two command-and-control IPs match the indicators already published. The target list is wider than the first reports showed. Alongside cloud keys and wallets, JFrog says the stealer reaches for VPN configuration files, the 1Password and Bitwarden vaults, Tor hidden-service keys, and, pointedly, the install folders of red-team frameworks such as Metasploit, Sliver, and Havoc.
That last target points at security researchers and penetration testers. The malware runs its own Tor client to carry its command channel, which accounts for the Tor addresses in the earlier indicators. For bulk theft, though, JFrog says it uploads stolen data straight to temp.sh, a public file host, over a direct connection that leaks the victim’s real IP. Add temp.sh and the propagation script setup.mjs to the indicators worth watching.
If you ran an affected version, the npm token rotation in the steps above also removes the credential this worm needs to spread. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns
Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. “At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and biometric records,” Aleksandar Milenkoski, principal threat researcher at SentinelOne SentinelLABS, said in a report published this week. The activity targeted network appliances and servers hosting web applications that manage biometric records, hotel and tenant registrations linked to national identity records, criminal case files, and personnel records. The China-nexus threat actor is also said to have compromised one of these web applications to deploy a custom implant masquerading as a portal update.
The application in question, named Complaint Management System (CMS), serves police staff and citizens, thereby putting both categories of users within the attacker’s orbit. SentinelOne said it detected compromised infrastructure associated with several other Pakistani law enforcement organizations, including the Khyber Pakhtunkhwa Police, the Islamabad Police, and the Punjab Safe Cities Authority (PSCA). Four different threat clusters have been flagged, each deploying a unique malware family: PlugX, ShadowPad, Cobalt Strike, and Remcos RAT. The use of Remcos RAT has been linked to an India-nexus threat actor, while the PlugX, ShadowPad, and Cobalt Strike clusters are built on shared or commodity tooling and may each involve more than one operator.
That having said, the deployment of both PlugX and ShadowPad , the latter of which is considered a successor to PlugX, is traditionally associated with Chinese nation-state hacking groups. “The victimology we observed for PlugX (between 27 February and 28 September 2024) and ShadowPad (between 3 August and 1 December 2024) reinforces this assessment,” the cybersecurity company said. “Beyond Pakistani law enforcement, victimology for PlugX and ShadowPad includes government, foreign affairs, defense, nongovernmental, and research entities across South, Southeast, Central, and East Asia, the Arabian Peninsula, and Southeast Europe, consistent with China-aligned collection.” The Remcos-related intrusion set is assessed to share infrastructure and tactical overlaps with a hacking group known as Mysterious Elephant (aka APT-C-08, APT-K-47, and TAG-179), which, in turn, has commonalities with India-nexus adversaries such as SideWinder, Confucius, and Bitter. Attack chains have been found to employ lures related to Pakistani law enforcement, displaying a decoy document that purports to contain an operational plan for the repatriation of illegal foreigners, including Afghan Citizen Card (ACC) holders.
The Cobalt Strike activity cluster’s ties to China-nexus threat actors is based on the fact that traffic to the attacker-controlled command-and-control (C2) server (“142.171.183[.]8”) extends beyond Pakistani law enforcement to government, academic, telecommunications, and non-governmental entities across South, East, and Southeast Asia, the Middle East, and South America – a victimology profile consistent with China-aligned hackers. Among those targeted are Tibetan Buddhist organizations in Taiwan, which have long been targeted by China for cyber espionage . Further examination of the activity aimed at Balochistan Police has uncovered the compromise of the following assets that took place between June 2, 2024, and April 9, 2026 - Two network appliances Web servers hosting several Balochistan Police web applications associated with the Smart Police Station digitalization initiative A Fortinet FortiMail appliance that had served as the agency’s primary inbound email gateway One of the infected applications is the Complaint Management System (“cms.balochistanpolice.gov[.]pk”), which is used for registering, tracking, and resolving citizen complaints. Two distinct variants of an implant called “cms_plugin.exe” have been uploaded to the site in connection with the operation - A Rust stager that’s designed to download an additional payload from “193.42.25[.]65” and execute it.
The exact nature of the next stage is unknown, but the samples display a message “Update Complete! Please refresh the page” upon execution, mimicking a CMS portal update. A .NET executable that masquerades as “ 360Safe.exe ,” a legitimate binary used by Qihoo 360 Total Security, to reflectively load an assembly implementing an AsyncRAT client. The activity is notable because it has drawn both a “partner and an adversary of Pakistan” to the same victim for intelligence gathering, likely fueled by geopolitical motives.
“When multiple cyberespionage actors operate against law enforcement institutions of a single state, the convergence itself is a signal of target value,” Milenkoski explained. “What draws them is a particular kind of institution: one that holds the government’s internal security picture, what it knows about the threats inside its borders, and how it acts against them.” “The compromise of the Complaint Management System web application adds a second dimension to the activity against Balochistan Police, extending the threat actor’s reach beyond the initially compromised environment. By hosting implants in a portal used by both citizens and law enforcement personnel, the threat actor turned a tool built to make policing in Pakistan more accessible and accountable to the public into a malware delivery mechanism.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions
Zimbra is urging customers to apply updates to address a critical security vulnerability impacting the Classic Web Client that could result in arbitrary code execution. The vulnerability has been described as a case of stored cross-site scripting (XSS) that could allow specially crafted emails to execute malicious scripts in a user’s session. It has yet to be assigned a CVE identifier. “The update fixes a security issue in the Classic Web Client where a specially crafted email could run malicious code when the email is opened,” Zimbra said .
“If exploited, it could allow access to mailbox information, session data, or account settings.” XSS vulnerabilities occur when an application includes untrusted data in a web page without proper validation or escaping. This allows attackers to inject and execute malicious JavaScript in victims’ browsers, which can result in session hijacking, credential theft, and account compromise. Stored XSS, or persistent XSS, is a type of XSS flaw where the injected script is permanently stored on the target servers in a database in the form of a seemingly harmless comment or a forum post, causing any site visitor to be compromised as soon as the page containing the JavaScript is loaded on their web browser. Although Zimbra makes no mention of the vulnerability being exploited in the wild, XSS flaws in Zimbra have been an attack magnet for years, with bad actors attempting to weaponize such vulnerabilities as far back as December 2021.
Last October, a stored XSS flaw in the Classic Web Client ( CVE-2025-27915 , CVSS Score: 5.4) was alleged to have been exploited as a zero-day in attacks targeting the Brazilian military, although Zimbra told The Hacker News at the time that it found no evidence to back it up. Other XSS flaws that have been exploited by threat actors include CVE-2023-37580 and CVE-2024-27443 . Given its high potential for abuse, users are recommended to update to Zimbra Collaboration Suite version 10.1.19 for optimal protection. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat
Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a “credible external security threat.” The company has temporarily disabled access to the affected accounts, a step it says it took “out of an abundance of caution” while it works with internal and external security experts. It says it has no indication of unauthorized access to any ShareFile accounts or data, and that it notified customers after learning of the threat. What Progress has not said is what the threat is or who is behind it. The order became public when a customer posted the company’s email to Reddit’s r/sysadmin on July 10.
Progress confirmed the disruption on its status page, listing Storage Zone Controller customers as “not operational” and the incident as under investigation as of a 12:12 p.m. EDT update. Only the Storage Zone Controller is affected, not standard cloud-only ShareFile accounts. The controller is a server that a company runs itself, so files can stay on its own storage while it still uses ShareFile’s cloud to share and manage them.
The controller usually sits at the network’s edge, reachable from the internet. That exposure makes it both useful and a target. Ordering customers to take it fully offline, rather than just patch it, is a notable step. That choice is itself a tell.
If a fix for this threat existed, Progress would be telling customers to apply it; the shutdown order suggests there is none yet. That usually means a newly found flaw the company is racing to close, though the same step would also fit a threat a patch cannot address, such as stolen keys or a problem on Progress’s own side. Its statement that no accounts or data were accessed is careful wording, too, and does not rule out trouble on the controllers themselves. What to do now Follow the shutdown order first.
Keep the affected controllers offline until Progress says what the threat is and when it is safe to restart. Separately, confirm your version is current: 5.12.4 or later on the 5.x line, or a 6.x release. That closes the flaws fixed earlier this year, but Progress has not said it clears the current threat, so do not treat it as permission to restart. If a controller is reachable from the internet, handle it as a possible incident.
Preserve the logs and start your incident-response process, then check for unfamiliar .aspx files in the web folders and storage paths you did not set. A clean-looking server is not proof that it is clean. ShareFile has faced this before. In 2023, while the product still belonged to Citrix, attackers exploited an unauthenticated flaw in the same Storage Zones Controller (CVE-2023-24489).
CISA flagged it as actively exploited , and Citrix cut unpatched controllers off from the ShareFile cloud, the same access block Progress has now imposed. Progress, which acquired ShareFile in 2024, had already weathered a mass file-transfer attack of its own: MOVEit, whose 2023 zero-day was exploited by the Clop group and hit more than 2,700 organizations. The Storage Zones Controller also had two critical flaws that watchTowr disclosed in April and Progress patched in March, though the company has not connected the current threat to them, and neither has been reported as exploited. The central question is still unanswered: Progress has pulled these systems offline and is working with outside experts, but has not said what the threat is or when customers can safely bring them back online.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.