IT-корпорациям навязали правила игры, которые практически невозможно соблюсти.

Список устройств Apple, для которых вышли экстренные исправления.

Оказалось, что строить нейросети без китайского «железа» слишком дорого даже для Трампа.

Технологические гиганты долгое время игнорировали эту элементарную лазейку.

Блокировка по имени убивает доступ к данным по всей стране.

Почему ваш Apple ID внезапно потребовал доказательств, что вы — это не вы.

Anna’s Archive начала публикацию 300-терабайтного архива музыки, несмотря на безумный судебный иск.

Теперь даже случайный гость может стать полноправным хозяином ваших данных.

ВведениеКибербезопасность в России стремительно трансформируется из сугубо технической задачи в зону жёсткого правового и финансового риска для бизнеса.

Однако в 2026 году в силу вступает серия правок в статью 274.1 УК РФ, которая создаёт двухуровневую систему ответственности за киберинцеденты.

Уже в 2026 году в ходе проверок 700 объектов КИИ регуляторами ФСТЭК доля компаний с ненадлежащей системой защиты составила 64 %.

Работа с персоналом: заменить разовые инструктажи на постоянные программы осведомлённости с ежеквартальным тестированием на фишинг, чётко прописать зоны персональной ответственности за ИБ в должностных инструкциях.

Выводы2026 год знаменует завершение формирования в России ж…

Современный ransomware действует иначе: тихо, нативно и в тесной связке с легитимным поведением операционной системы.

Накопленные знания о принципах работы ransomware в сочетании с обратной связью от заказчиков позволили команде RedCheck перенести этот опыт на платформу Linux и предложить комплексный подход, основанный на традиционных инструментах администрирования Linux.

Эти механизмы вводят уровень изоляции, который не зависит ни от намерений администратора, ни от корректности настройки прав в файловой системе.

Бинарные файлы в /bin, /sbin и /usr/bin должны быть защищены от изменения не-root процессами, а каталог /boot — от любых операций записи.

ВыводыРазработанные командой RedCheck hard…

Так, системы компании в 2025 году ежедневно обнаруживали около полумиллиона новых образцов вредоносного кода против 342 тысяч в 2019 году.

Среди них Дмитрий Галов особо выделелил Triada, количество заражений которым выросло в 4,5 раза за год, а также LunaSpy, который в 2025 году только появился.

Однако были и фундаментальные различия между атаками 10–15-летней давности и в 2025 году.

Впрочем, и в 1950-х, и в 1980-х, когда наблюдалось разочарование в ИИ, разрыв между ожиданиями и результатом был очень большим.

ВыводыВ целом в 2026 году стоит ожидать развития тенденций, заложенных в 2025 году, особенно в его второй половине.

Система работает, но практической ценности для SOC не даёт.

Это увеличивает время присутствия злоумышленника в инфраструктуре, масштабирует последствия инцидента и фактически превращает SIEM в дорогостоящий архив логов.

В итоге инцидент обнаружили не средства SIEM, а сторонний исследователь, заметивший украденные данные в GitHub.

Чем опасна эта ошибкаИспользование OOTB‑правил без адаптации снижает операционную эффективность SOC и повышает риск пропуска целевых атак.

Отсутствие интеграции SIEM с системами реагирования (SOAR)Нередко SIEM остаётся «пассивной» системой.

И для VPN, и для почты — 9 %.

Владимир Иванов: «Фишинг работает не на всех способах защиты, но там, где работает, он наиболее популярен».

Злоумышленнику можно не атаковать MFA в лоб, а проникнуть в сеть через уязвимости и, перехватив токен, захватить весь домен организации».

Дмитрий Грудинин рассказал, что в корпоративной среде СМС не рекомендуется по нескольким причинам: это дорого, ненадёжно и не работает универсально.

Ключевой тренд — переход к интеллектуальным и контекстно-зависимым системам, которые анализируют не только что предъявляет пользователь, но и как он это делает, в каких условиях и с какими рисками.

Исследователи выявили десятки расширений для Google Chrome, которые маскируются под приложения для блокировки рекламы и других функций, но на деле подменяют ссылки, воруют данные пользователей и токены ChatGPT.

ВведениеБраузер Google Chrome остаётся самым популярным на рынке, на него приходится более 70 % пользователей и на десктопах, и на смартфонах.

Но, как отмечают исследователи, основная функциональность приложения скрыта: оно автоматически подменяет ссылки в интернет-магазинах и получает доступ к данным.

Описание функциональности расширения в магазине Google Chrome Web Store.

Расширения с такой логикой легко масштабируются, злоумышленники могут применить один и тот же механизм к разным…

Основные угрозы для контейнерной инфраструктуры и методы защитыИспользование контейнеризации создаёт особые риски для информационной безопасности и требует применения специализированных средств защиты.

Обзор отечественных средств защиты контейнеризацииДля защиты контейнерных сред можно использовать специализированные решения, платформы управления, средства виртуализации или возможности некоторых ОС.

CrossTech Container SecurityВ 2025 году компания Crosstech Solutions Group представила рынку специализированный продукт для защиты контейнерных инфраструктур — CrossTech Container Security (CTCS).

Kaspersky Container SecurityПлатформа Kaspersky Container Security (KCS) создана для безопасности D…

Развитие регулирования КИИ и ГосСОПКАМодернизация нормативной базы в области безопасности КИИ и госсистемы обнаружения компьютерных атак стала центральным вектором изменений 2025 года.

В результате внесённых изменений в 187-ФЗ закреплены обязанности субъектов КИИ по переходу на доверенные программно-аппаратные комплексы в соответствии с ПП-1912, а также ориентация на использование отечественного ПО.

Также в Правилах категорирования в явном виде закреплены обязанности субъекта КИИ по учёту утверждённых отраслевых особенностей категорирования объектов КИИ.

Одновременно положения формируют предпосылки для пересмотра подходов к регулированию самописного ПО — ПО, разработанного для собственных н…

Российские системы виртуализации в 2026 году вышли на новый уровень, превратившись из инструментов импортозамещения в полноценные конкурентные решения.

По его мнению, виртуализация — это общий термин, который включает в себя частные и гибридные облака, платформы виртуализации и гиперконвергентные системы, где каждый ищет свою нишу.

Он подчеркнул необходимость взаимодействия как с ИТ-специалистами, так и с отделом безопасности.

Основным драйвером станет запрос на целостные экосистемы, а не на отдельные точечные решения».

Внимание рынка сместится с самой виртуализации на новые технологические горизонты — будь то расширение её возможностей или создание принципиально новых решений.

Роль ИИ в аналитике безопасности, будущее SOAR, эволюция SIEM и NDR, перспективы рынка коммерческих SOC в России на фоне импортозамещения.

Что такое классический SOC и почему он переживает кризисЦентр мониторинга безопасности (SOC) долгое время был основой корпоративных систем защиты.

Мировой рост внедрения ИИ в индустрию информационной безопасности с 2017 по 2030 годЭволюция инструментальной экосистемы: SIEM, NDR, EDRРеализация подхода Post-SOC требует фундаментальной перестройки всего технологического стека безопасности.

Это формирует уникальные сценарии развития как для вендоров, так и для компаний-заказчиков.

ВыводыТрансформация классических центров мониторинга безопасности в интегриров…

Итоги года и выводы, которые обязательно надо учесть.

В 2025 году компании всё чаще сталкивались с ситуацией, когда технический инцидент перерастал в юридический и репутационный кризис.

ТрендыТренд 2025 года — появление атак, выполненных практически полностью с помощью нейросетей (искусственного интеллекта) почти без участия человека.

ВыводыИтоги 2025 года показывают: веб-приложения стали одной из самых уязвимых точек цифрового бизнеса и одновременно самым быстрым каналом нанесения прямого финансового ущерба.

В условиях 2025 года инвестиции в зрелую защиту веб-приложений напрямую поддерживают устойчивость бизнеса.

Мифы и реальность удаления аккаунта в TelegramМиф первый: Аккаунт пользователя в Telegram можно восстановить после удаленияНа самом деле, если удалить аккаунт пользователя в сети Telegram, это будет окончательным и необратимым действием для него.

Недавно в пользовательских чатах прошло сообщение, что в Telegram возможна кража учётных данных пользователя (например, через фишинг).

Всё это время активная сессия злоумышленника якобы остаётся валидной, и Telegram не предоставляет возможности законному владельцу принудительно сбросить все активные сессии.

Однако убедиться в этом мы не смогли, потому что Telegram не позволяет прочитать описание проблемы в своей базе.

Создание закрытого частного об…

В конце 2025 года появились прогнозы, по которым в наступившем 2026 году стоит ждать значительного роста интереса к облачным сервисам со стороны российских компаний.

Однако темпы роста облачных сервисов существенно опережают мировые (29,5 % в России против 20 % в мире по итогам 2025 года).

Банк России также включил развитие облачных сервисов в приоритеты развития финтеха и запустил пилот «Банк в облаке».

2 и 3), причём как в рублёвом, так и в валютном выражении.

Это обстоятельство стало одним из основных драйверов роста для облачных сервисов в России и не только.

Он интересуется, почему же эти атаки продолжают быть успешными и что отрасли следует делать иначе.

При этом он подчёркивает, что в основе защиты веба и API лежит чёткое определение и распределение зон ответственности внутри компании.

Второй шаг — выбор инструментов следующего поколения, которые обеспечивают глубокий анализ и понимание поведения пользователей на всех уровнях, как в веб-интерфейсе, так и в API.

Потерять результат многолетней тонкой настройки политик WAF из-за аппаратного сбоя или человеческой ошибки — это не просто обидно, это прямая угроза бизнесу».

Необходимо выбирать инструменты, способные анализировать и выявлять паттерны поведения не только на уровне веб-интерфейса, но и…

Первый «велосипед» — скрипт для массового анализа и упрощённого вапалайзинга — был медленным, с кучей миссов и в итоге отправился в корзину.

У меня уже были инструменты для пентеста и для демонстрации атак.

Но я задумался: а как привлекать новичков?

Сейчас я в разработке визуальной новеллы, которая в игровой форме помогает новичкам определиться с профессией в IT.

Это немного, но это ядро заинтересованных специалистов.

На деле же все делается за один вечер, если следовать уже рабочей схеме и не собирать грабли.

3.1 Подготовка: установка Docker Для работы WireGuard в контейнере нам нужен Docker и Docker Compose.

Остальные параметры docker-compose.yml Описание сервиса services: vpn: image: linuxserver/wireguard container_name: vpn vpn - имя сервиса внутри compose-файла.

Для Docker -варианта: docker ps | grep nginx Ожидаем увидеть контейнер с именем nginx в статусе Up .

Для Docker : docker ps | grep <имя_сервиса> Для процесса на хосте: sudo systemctl status <имя_сервиса> Порт бэкенда открыт?

Специализируюсь на разработке и эксплуатации ML-платформ на базе Kubernetes и GPU.

Мы изучили доступные инструменты, попытались объединить их в одном Kubernetes-кластере, столкнулись с рядом ограничений — и в итоге пришли к архитектуре на базе Kubeflow и GPU-оператора.

Примеры разбиения: H100 80 GB:14 MIG 1g.10gb (для inference)4 MIG 2g.20gb (для training)2 MIG 4g.40gb (для heavy training)1 MIG 7g.80gb (для super-heavy training) 4.

Недоступность MIG Поды не могут переопределить MIG, если одна MIG становится недоступна, так как это физическая изоляция.

Можно переключиться на другую GPU, например, на GPU 1.

Первые судебные решения по Telegram и начало блокировокБумажные самолётики и согласованные акции в Москве и других городах России в поддержку Telegram2018–2019 годы.

Новые проблемы и ограничения TelegramГлавная ошибка российских регуляторов в борьбе с TelegramПочему РКН не победит и почему “заблокировать влияние извне” невозможно?

Первые судебные решения по Telegram и начало блокировок13 апреля 2018-го года Таганский суд удовлетворяет иск РКН и разрешает ограничить доступ к Telegram.

Открытая технологическая война РКН с TelegramС этого момента война РКН с Telegram приобретает затяжной характер - РКН продолжает попытки блокировки, Телеграмм технически адаптируется, а пользователи привыкают к…

А вот здесь уже полное прохождение за какую-либо фракцию или на одну из концовок.

Ну а теперь накладываем уровень на формат и получаем понимание того, что и как можем протестировать.

Вторые эффективны на тактическом и операционном уровнях: они моделируют ситуацию, близкую к реальной, позволяют проверить полноту инструкций и замерить время реагирования и восстановления.

Для компаний, только выстраивающих системный подход к тестированию реагирования и восстановления, избыточная детализация может стать помехой — сначала стоит освоить базовые форматы.

Отечественные стандарты и рекомендацииВ российской практике системные тестирования сквозного процесса реагирования и восстановления встречаются р…

Это быстро, привычно и не требует создания отдельных порталов, заполнения логинов-паролей и форм.

В какой-то момент мы поняли: либо мы научим Telegram жить по правилам SLA, либо сами перестанем в эти правила укладываться.

В статье расскажем, как мы поддерживаем пилотных и VIP-клиентов прямо в Telegram — без классического Service Desk, но с измеримым и контролируемым SLA.

При этом отказываться от Telegram мы не хотели, потому что клиенты его любят.

Мы не строили ещё один Service Desk и не заставляли клиентов менять привычки, а просто добавили слой логики, который превращает поток сообщений в управляемый процесс.

Кому будет полезноМатериал пригодится тем, кому в работе или в рамках хобби регулярно приходится отлаживать код на устройствах с китайскими ноунейм-чипами на архитектуре ARM.

Если ваш отладчик (J-Link, ST-Link или любой другой) не видит на чипе интерфейсы JTAG или SWD — или видит, но не может или не хочет подключаться — это руководство для вас.

Неудачная попытка подключения J-Link к чипу от вендора SigmaStarНеобходимое оборудованиеСразу отмечу: Arm DS не умеет работать с J-Link.

Вот полный список поддерживаемых типов:Список поддерживаемых отладчиковИз перечисленных у меня есть Tigard (для JTAG) и CMSIS-DAP-отладчик, сделанный на базе STM32F103C8T6 BluePill (для SWD).

В результате в окне Deb…

Пока вы не попробовали развернуть из него систему, копия находится в суперпозиции: она одновременно и работает, и нет.

Как правильно: Настройте автоматическую проверку контрольных сумм и, что еще важнее, периодическое тестовое восстановление.

Если ваша система DR умеет сама «поднимать» виртуальные машины из копий в изолированной сети для проверки — вы на правильном пути.

Система должна сама знать, что «дедуплицировать», что перенести в «холодное» хранилище, а что удалить по истечении срока давности.

О разнице между обычным бэкапом и DR, и почему первый часто бесполезен в энтерпрайзе, я уже писал здесь.

Разберёмся, что случилось за месяц и к чему это приведёт.

Грубо говоря, вайбкодинг — это когда я даю промпты ИИ и он мне код пишет.

Причина — всё та же: вайбкодинг на скорость и дефолты без защиты.

Публикация на arXiv «Vibe Coding Kills Open Source» изучает влияние вайбкодинга на экосистему OSS.

Мнение опытных — вкладывайте ИИ туда, где нужно ускорение и эксперименты, и где невысоки цены ошибок.

Например, при атаке на финансовую организацию с помощью Claude злоумышленники проанализировали похищенные финансовые данные, оценили финансовое состояние компании и на основании этого определили сумму выкупа.

Такой подход получил название «vibe hacking», по аналогии с подходом «vibe coding», который подразумевает упрощение разработки ПО с помощью ИИ.

4) Мошенники использовали Claude для создания анкет на сайтах знакомств и ведения переписок с жертвами для выманивания денег, а также для создания и поддержки сервиса по покупке и продаже украденных данных платежных карт.

Для того, чтобы понять, какие угрозы характерны для ИИ и как эффективно защищать ML-модели, надо разобраться с основными пон…

Эксперты из компании Koi Security обнаружили вредоносный аддон AgreeTo для Outlook.

Этот некогда легитимный инструмент для планирования встреч был взломан и превратился в фишинговый кит, с помощью которого похитили более 4000 учетных записей Microsoft.

Его разработал независимый издатель, и аддон размещался в магазине Microsoft Office Add-in Store с декабря 2022 года.

В результате, когда пользователь открывал AgreeTo в Outlook, вместо привычного интерфейса в боковой панели появлялась фейковая страница входа Microsoft.

В Koi Security подчеркивают, что это первая малварь, обнаруженная непосредственно в официальном магазине Microsoft, и первый вредоносный аддон для Outlook, использованный в ре…

Атака полностью происходит внутри мессенджера — через встроенные веб-приложения и социальную инженерию, без каких-либо внешних фишинговых сайтов.

Такая ссылка открывает встроенное в Telegram веб-приложение с полем для ввода пятизначного кода — это код добавления в аккаунт нового устройства, который привязывает его к учетной записи жертвы.

Если пользователь вводит цифры, злоумышленники получают доступ к его учетной записи.

После этого они рассылают то же сообщение от имени жертвы по всем групповым чатам, в которых она состоит.

Атака целиком реализована через Telegram и встроенное веб-приложение, то есть ни один сторонний ресурс не задействован.

Мы не будем писать вто­рой Metasploit с нуля, да и не смо­жем это­го сде­лать.

Для его импорта, как и дру­гих пакетов из стан­дар­тной биб­лиоте­ки, дос­таточ­но ука­зать толь­ко имя.

На­конец, точ­ка вхо­да в при­ложе­ние — фун­кция main , не при­нима­ющая аргу­мен­тов и не воз­вра­щающая зна­чений.

Стро­ки, как и в боль­шинс­тве язы­ков, обо­рачи­вают­ся в двой­ные кавыч­ки.

goВ Windows:mkdir hello cd hello notepad hello.

С конца 2025 года этот вредонос нацелен на деньги и данные банковских карт ведущих финансовых организаций в России.

Впервые Falcon появился летом 2021 года и был построен на базе другого Android-вредоноса — Anubis.

Летом 2022 года Falcon маскировался под приложения российских банков, а в 2025 году злоумышленники добавили малвари VNC-модуль для удаленного управления девайсом жертвы, а также возможность передавать украденные данные через Telegram.

Троян нацелен на более чем 30 приложений российских банков и инвестиционных фондов, госсервисов, операторов сотовой связи, маркетплейсов, социальных сетей и мессенджеров, включая зарубежные, магазинов приложений, популярных сервисов бесплатных объяв…

Разработчики Microsoft исправили уязвимость в «Блокноте» (Notepad) для Windows 11.

Теперь «Блокнот» умеет открывать и редактировать файлы в формате .md, а Markdown-ссылки в нем становятся кликабельными.

«Некорректная нейтрализация специальных элементов, используемых в командах, в приложении Windows Notepad позволяет неавторизованному злоумышленнику удаленно выполнить код», — сообщается в бюллетене безопасности Microsoft.

«Вредоносный код выполняется в контексте прав текущего пользователя, открывшего Markdown-файл, и дает атакующему те же привилегии, что у этого пользователя», — поясняют в компании.

«Блокнот» в Windows 11 обновляется через Microsoft Store, так что патч распространится автома…

Специалисты и СМИ обратили внимание, что из Национальной системы доменных имен (НСДИ) — DNS-инфраструктуры, созданной в рамках закона о «суверенном Рунете», — исчезли записи для YouTube, WhatsApp*, Facebook*, Instagram*, Facebook Messenger* и Tor Project.

Одновременно замедлять YouTube, Telegram и WhatsApp инфраструктура не может.

Одновременно “давить” YouTube, Telegram и вдобавок WhatsApp инфраструктура просто не выдерживает.

Как пояснили представители РКН, мессенджер игнорирует российское законодательство и не принимает реальных мер для противодействия мошенничеству и использованию его в преступных и террористических целях, а также не обеспечивает защиту персональных данных.

В отличие от …

Выяснилось, что китайская хак-группа UNC3886 проникла в сети всех четырех крупнейших операторов связи Сингапура: Singtel, StarHub, M1 и Simba.

Первые сигналы о странной активности власти получили летом, когда сами телекомы начали докладывать о подозрительных событиях в своих сетях.

Сообщается, что UNC3886 использовала комбинацию неназванных 0-day уязвимостей и кастомных руткитов для скрытного проникновения в сети и сохранения своих позиций.

При этом сингапурские власти заявляют, что хакеры не сумели получить доступ к пользовательским данным.

Напомним, что в конце 2024 года стало известно о похожей операции китайской группировки Salt Typhoon, в рамках которой хакеры скомпрометировали инфраст…

Депутаты Госдумы приняли в первом чтении законопроект, который закладывает основы работы единой базы идентификационных номеров мобильных устройств (IMEI).

По словам первого заместителя председателя комитета Госдумы по защите конкуренции Игоря Игошина, каждому устройству, ввозимому в РФ, будет присваиваться уникальный 15-значный IMEI-номер.

По его словам, в будущем в базу могут попасть не только телефоны, но также планшеты и ноутбуки.

При оформлении SIM-карты оператор будет обязан указывать в договоре IMEI устройства и вносить в базу информацию о связке SIM-карты с конкретным гаджетом.

Стоит отметить, что в январе 2026 года «Ведомости» сообщали, что в Минцифры предложили ввести уголовную отв…

Язы­ковые модели ста­новят­ся всё умнее — и, с точ­ки зре­ния регуля­торов, всё опас­нее.

К сло­ву, «нежела­тель­ным» может быть не толь­ко морали­заторс­тво, но и, к при­меру, типич­ный для LLM «слоп» — та самая веж­ливая водянис­тая чепуха, «сло­вес­ные кру­жева», которы­ми ней­рон­ки забива­ют кон­текст.

Но с «миними­заци­ей потерь» быс­тро воз­никли проб­лемы.

Век­торы отка­за в латен­тном прос­транс­тве час­то кор­релиру­ют с век­торами, отве­чающи­ми за здра­вый смысл и логичес­кие связ­ки.

Тог­да, в туман­ном прош­лом, наши далекие пред­ки обна­ружи­ли, что отказ модели — это впол­не кон­крет­ное нап­равле­ние, век­тор в прос­транс­тве акти­ваций.

Февральский «вторник обновлений» принес исправления для 58 уязвимостей в продуктах Microsoft, включая сразу шесть активно эксплуатируемых 0-day.

Как поясняют в Microsoft, новые сертификаты будут устанавливаться постепенно, только на те машины, которые демонстрируют стабильную работу после обновлений.

Что касается исправленных уязвимостей, напомним, что Microsoft относит к уязвимостям нулевого дня те проблемы, информация о которых была раскрыта публично до выхода патча, а также уязвимости, которые уже применяются в атаках.

CVE-2026-21510 — обход защитных механизмов в Windows SmartScreen и Windows Shell.

Отметим, что в обнаружении CVE-2026-21510 и CVE-2026-21514 приняли участие специалисты Go…

Документ включает около 20 мер по борьбе с кибермошенничеством, включая лимиты на количество карт — не более пяти карт в одном банке на одного человека и не более 20 у всех кредитных организаций суммарно.

Замминистра подчеркнул, что Минцифры и ЦБ «хорошо поработали» над проектом, учли «все чувствительные моменты».

Заместитель председателя ЦБ Герман Зубарев объяснял, что лимит в 20 карт выбрали на основе данных самих банков.

«Это достаточно для подавляющего большинства добропорядочных граждан, не создаст им неудобств, но поможет ограничить предложение карт на черном рынке для обналичивания похищенных денег», — пояснил Зубарев.

Глава ЦБ Эльвира Набиуллина добавляла, что мера не затронет обычн…

На прошлой неделе DeFi-платформа Step Finance сообщила о потере 40 млн долларов США в криптовалюте.

Блокчейн-аналитики из компании CertiK первоначально оценили потери Step Finance в 261 854 SOL (около 28,9 млн долларов), однако после расследования в Step Finance озвучили официальную сумму ущерба: 40 млн долларов США.

Как уже было сказано выше, часть средств удалось вернуть: около 3,7 млн долларов в активах Remora и 1 млн в других позициях.

Потери Step Finance значительны, но это лишь десятая часть от всех средств, похищенных у различных криптопроектов за январь 2026 года.

По данным аналитиков CertiK, за первый месяц года общий ущерб от хакерских атак составил 398 млн долларов США, из которы…

"The group used Gemini to synthesize OSINT and profile high-value targets to support campaign planning and reconnaissance," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.

Some of the other hacking crews that have integrated the tool into their workflows are as follows -UNC6418 (Unattributed), to conduct targeted intelligence gathering, specifically seeking out sensitive account credentials and email addresses.

(Unattributed), to conduct targeted intelligence gathering, specifically seeking out sensitive account credentials and email addresses.

UNC795 (China), to troubleshoot their code, conduct research, and develop web shells and scanners for PHP web …

Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group.

Notably, one of the identified npm packages, bigmathutils, attracted more than 10,000 downloads after the first, non-malicious version was published, and before the second version containing a malicious payload was released.

"That is because the malicious functionality was not introduced directly via the job interview repositories, but indirectly – through dependencies hosted on the npm and PyPI open-source package repositories."

More Malicious npm Packages Foun…

Threat activity this week shows one consistent signal — attackers are leaning harder on what already works.

Instead of flashy new exploits, many operations are built around quiet misuse of trusted tools, familiar workflows, and overlooked exposures that sit in plain sight.

Below is this week’s ThreatsDay Bulletin — a tight scan of the signals that matter, distilled into quick reads.

It’s recognizing misuse of legitimate access, spotting abnormal behavior inside trusted systems, and closing gaps that don’t look dangerous on the surface.

They’re fragments of a wider operating picture — one that keeps evolving week after week.

Organizations implementing Continuous Threat Exposure Management (CTEM) demonstrate 50% better attack surface visibility, 23-point higher solution adoption, and superior threat awareness across every measured dimension.

87% of security leaders recognize the importance of CTEM, but only 16% have translated that awareness into operational reality.

Security leaders understand the CTEM conceptually but struggle to sell its benefits in the face of organizational inertia, competing priorities, and budget constraints that force impossible tradeoffs.

The research makes it clear that attack surface complexity is not just a management challenge; it's a direct risk multiplier.

For security leaders ope…

A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO.

Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026.

An estimated 346 exploitation sessions have originated from 193.24.123[.

"EPMM compromise provides access to device management infrastructure for entire organizations, creating a lateral movement platform that bypasses traditional network segmentation," GreyNoise said.

"Organizations with internet-facing MDM, VPN concent…

Apple on Wednesday released iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates to address a zero-day flaw that it said has been exploited in sophisticated cyber attacks.

The vulnerability, tracked as CVE-2026-20700 (CVSS score: N/A), has been described as a memory corruption issue in dyld, Apple's Dynamic Link Editor.

Successful exploitation of the vulnerability could allow an attacker with memory write capability to execute arbitrary code on susceptible devices.

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," the company said in an advisory.

Last year…

Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild.

In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fake Microsoft login page, stealing over 4,000 credentials in the process.

The Outlook add-in in question is AgreeTo, which is advertised by its developer as a way for users to connect different calendars in a single place and share their availability through email.

"Office add-ins are fundamentally different from traditional software," Dardikman added.

It bears noting that the problem is not limited …

The campaigns are characterized by the use of malware families like Geta RAT, Ares RAT, and DeskRAT, which are often attributed to Pakistan-aligned threat clusters tracked as SideCopy and APT36 (aka Transparent Tribe).

After the lure document is displayed, the malware checks for installed security products and adapts its persistence method accordingly prior to deploying Geta RAT on the compromised host.

Running parallel to this Windows-focused campaign is a Linux variant that employs a Go binary as a starting point to drop a Python-based Ares RAT by means of a shell script downloaded from an external server.

Like Geta RAT, Ares RAT can also run a wide range of commands to harvest sensitive …

It's Patch Tuesday, which means a number of software vendors have released patches for various security vulnerabilities impacting their products and services.

Microsoft issued fixes for 59 flaws, including six actively exploited zero-days in various Windows components that could be abused to bypass security features, escalate privileges, and trigger a denial-of-service (DoS) condition.

Elsewhere, Adobe released updates for Audition, After Effects, InDesign Desktop, Substance 3D, Bridge, Lightroom Classic, and DNG SDK.

"At the same time, these features have increased the complexity of a highly privileged software component in the TCB [Trusted Computing Base]."

Software Patches from Other Ven…

The issue is not the applications themselves, but how they are often deployed and maintained in real-world cloud environments.

Evidence of Active ExploitationThe exposed training environments identified during the research were not simply misconfigured.

Across the broader dataset of exposed training applications, approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms.

The presence of active crypto-mining and persistence tooling demonstrates that exposed training applications are not only discoverable but are already being exploited at scale.

Pentera Labs observed this deployment pat…

Microsoft on Tuesday released security updates to address a set of 59 flaws across its software, including six vulnerabilities that it said have been exploited in the wild.

(CVSS score: 8.8) - A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.

CVE-2026-21513 (CVSS score: 8.8) - A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.

(CVSS score: 8.8) - A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.

A crafted file can silently bypass Windows security pro…

Cybersecurity researchers have disclosed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes.

"These are low value against modern stacks, but remain effective against 'forgotten' infrastructure and long-tail legacy environments."

SSHStalker combines IRC botnet mechanics with an automated mass-compromise operation that uses an SSH scanner and other readily available scanners to co-opt susceptible systems into a network and enroll them in IRC channels.

Flare's investigation of the staging infrastructure associated with the threat actor has uncovered an extensive repository of open-source …

This is where dedicated leak sites, or data leak sites (DLSs), come in.

How do ransomware groups use data leak sites?

And that is, of course, the point – data leak sites are a coercion tool.

Data leak site of the Medusa ransomwarePressure by designEvery element of a leak site is designed to maximize psychological pressure.

World Leaks data leak siteBeyond extortionSome ransomware-as-a-service (RaaS) operators have expanded what leak sites do.

Scammers may impersonate the IRS or tax preparers via phone/email/text, using official logos or spoofing caller ID/sender domains.

The most common IRS scamsWith the above in mind, look out for the following most common IRS and tax return scams:Phishing/smishing/vishingEmails, texts and even phone calls purporting to come from tax authorities (e.g., IRS, state tax agencies and tax software companies).

Tax refundsThe IRS tax refund system offers several opportunities for scammers to make easy money.

Once again, they do so to get their hands on your cash and personal information.

For added security and peace of mind, switch on multifactor authentication (MFA) for any account used to access tax…

If you’re looking to buy or sell on the platform and want to stay clear of the scammers, read on.

Payment scamAs above, scammers (whether buyer or sellers) will often try to trick you into transacting via third-party cash app services.

In fact, they’re usually trying to log into your account and need the two-factor authentication code sent by OfferUp.

Bouncing checksA scammer pays for an item you’re selling via check, which bounces several days later, leaving you without the item and no payment.

OfferUp is great way to pick up bargains in your area, or make a little extra money from items you no longer need.

Fake appsMobile apps masquerading as official Winter Olympics apps may actually contain infostealing malware or other threats.

Staying safe from Winter Olympics scamsTo stay safe online, stick to the official Winter Olympics sites and don’t engage with unsolicited messages and too-goo-to-be-true deals.

Avoid clicking on links or opening attachments in unsolicited messages, even if they appear to be from legitimate Winter Olympics organizers/sponsors.

If you’re going to the event, download the official Olympics app for schedules, maps, and digital tickets.

The XXV Winter Olympic Games in Milano-Cortina is set to be a treat for sports fans around the world.

The trends that emerged in January offer useful clues about the risks and priorities that security teams are likely to contend with throughout the yearThe year got off to a busy start, with January offering an early snapshot of the challenges that (not just) cybersecurity teams are likely to face in the months ahead.

It's therefore time for ESET Chief Security Evangelist Tony Anscombe to look back on some of the month's most impactful cybersecurity stories.

Here's some of what caught Tony's eye:What are some of the lessons businesses should take away from these incidents?

Be sure to check out the video, as well as watch the December 2025 edition of Tony's security news roundup for more news…

Key points of the report: ESET researchers identified new data-wiping malware that we have named DynoWiper, used against an energy company in Poland.

We attribute DynoWiper to Sandworm with medium confidence, in contrast to the ZOV wiper, which we attribute to Sandworm with high confidence.

However, since the start of Russia’s full-scale invasion of Ukraine, Sandworm has changed its tactics regarding targets in Poland.

In December 2025, we detected the deployment of a destructive malware sample, which we named DynoWiper, at an energy company in Poland.

Interestingly, during the analysis of the ZOV wiper incident, we identified a newer PowerShell script used to deploy the ZOV wiper.

The campaign uses a malicious app posing as a chat platform that allows users to initiate conversations with specific “girls” – fake profiles probably operated via WhatsApp.

While we don’t know how the malicious app is distributed, we assume that this exclusivity tactic is used as part of the lure, with the purported access codes distributed along with the app.

GhostChat, the malicious app used in the campaign, poses as a dating chat platform with seemingly locked female profiles.

Once the app is installed, its operators can monitor, and exfiltrate sensitive data from, the victim’s device.

This action triggered ClickFix instructions, as seen in Figure 11, which led to the download and execu…

10 reasons your inbox is full of spam and/or scamsEmail spam can range from pesky, unsolicited missives sent in bulk to the downright dangerous and malicious (phishing messages and malware delivered via spam and also known as ‘malspam’).

They then post or sell that data on cybercrime forums/marketplaces, where others buy it for use in phishing emails.

If they manage to achieve a breakthrough that bypasses spam filters, expect unwanted messages to start flooding in.

What not to doIt’s also best practice never to:Avoid clicking on ‘unsubscribe’ or replying to a spam email, as this will verify your address to the sender.

Reset your email security settings or lower spam ‘sensitivity’ levels.

The attack involved data-wiping malware that ESET researchers have now analyzed and named DynoWiperIn late 2025, Poland’s energy system faced what has been described as the “largest cyberattack” targeting the country in years.

ESET Research has now found that the attack was the work of the notorious Russia-aligned APT group Sandworm.

Meanwhile, the attack on Poland’s power grid in the last week of December involved data-wiping malware that ESET has now analyzed and named DynoWiper.

In their latest APT Activity Report, covering April to September 2025, ESET researchers noted that they spotted Sandworm conducting wiper attacks against targets in Ukraine on a regular basis.

ESET Research offer…

AI chatbots have become a big part of all of our lives since they burst onto the scene more than three years ago.

A similar share of parents is worried their kids think AI chatbots are real people.

Our children use generative AI (GenAI) in diverse ways.

Children are going through an incredible period of emotional and cognitive development, making them vulnerable in various ways.

The onus, therefore, is definitely on parents to get ahead of any threats through proactive monitoring and education.

Here’s how the most common scams targeting Apple Pay users work and what you can do to stay one step aheadApple Pay is clearly a hit with consumers.

Here are some common scams targeting Apple Pay users.

Top six scams targeting Apple Pay usersApple Pay scammers are usually after your financial information, your money or your Apple ID and logins/2FA codes.

Or it could be a fake story about how your Apple Pay account has been suspended, your card was added to Apple Pay or similar pretexts.

First, take a moment to recognize the most common red flags and Apple Pay scams, as listed above.

A full 25 percent of the top 1,000 most-used passwords are made up of nothing but numerals.

This is according to NordPass’ analysis, which is based on billions of leaked passwords and sheds light on password trends among people in 44 countries.

Same old, same oldUsing an easily-guessable password is tantamount to locking the front door of your house with a paper latch.

Weak, obvious, or reused passwords can expose not only individual employees, but entire organizations, their customers, and their partners.

But if your own passwords appear on either list above, improving your account security should be one of the most important of them.

It may be the most recent high-profile case of threat actors abusing LinkedIn to further their own nefarious goals.

It’s easy to get up and running: For threat actors, the potential ROI for attacks using LinkedIn is massive.

Account hijacking : Fake LinkedIn (phishing) pages, infostealers, credential stuffing and other techniques can be used to help threat actors takeover users’ accounts.

: Fake LinkedIn (phishing) pages, infostealers, credential stuffing and other techniques can be used to help threat actors takeover users’ accounts.

However, it would make sense to build LinkedIn threat scenarios of the sort described above into security awareness courses.

New legislation in Australia makes it illegal for those under 16 to have a social media account.

To avoid financial penalties, social media companies have scrambled to remove accounts they believe breach the legislation.

As 2026 has just begun, this also sparks a broader question for internet users and regulators alike: will this be the year the world rethinks identity online?

Unless an app or service is operated by a regulated company that requires identity verification, people are free to create accounts on many services using any identity they desire.

I am not suggesting that all services need to have verified users.

Contrary to popular belief, much of the dark web isn’t the den of digital iniquity that some commentators claim.

involve the large-scale theft of customer/employee information, which then usually appears for sale on the dark web.

If you unwittingly click through and enter your information on a phishing site, it could end up being sold on the dark web.

If you unwittingly click through and enter your information on a phishing site, it could end up being sold on the dark web.

Finally, sign up to identity protection services and sites like HaveIBeenPwned, which will alert you when any PII appears on the dark web.

Security teams track these threats closely, and confidence declines once incidents move beyond detection into response and containment.

Security teams often receive more alerts than they can address, which delays response and increases uncertainty during active incidents.

Respondents report stronger confidence in automation where processes are well defined.

Exposure management links to maturityOrganizations with more mature security programs show stronger exposure management practices.

The research connects stronger exposure management practices with improved resilience and reduced disruption across environments.

Here’s a look at the most interesting products from the past week, featuring releases from Armis, Black Duck, Portnox, and SpecterOps.

Armis Centrix brings unified, AI-driven application security to the SDLCArmis has announced Armis Centrix for Application Security, which unifies application security across an organization’s software development lifecycle.

BloodHound Scentry helps organizations reduce identity risk and close attack pathsSpecterOps has announced BloodHound Scentry, a new service designed to help customers accelerate their APM practice and reduce identity risk.

BloodHound Scentry combines the power of BloodHound Enterprise with SpecterOps tradecraft experts and practitioners …

In 2025, Microsoft added support for rich-text formatting (Markdown rendering and editing) to Notepad, and with this addition, it opened a new attack surface.

“An attacker could trick a user into clicking a malicious link inside a Markdown file opened in Notepad, causing the application to launch unverified protocols that load and execute remote files,” Microsoft said.

And although exploitation depends on the victim opening the Markdown file and Ctrl-clicking the link, such interaction is routinely achieved through social engineering (as demonstrated in these examples).

The fixCVE-2026-20841 was flagged by appsec engineer Cristian Papa, security researcher Alasdair Gorniak, and a bug hunter…

Black Duck has announced the availability of a set of enhanced Black Duck Polaris Platform integrations across all major source code management (SCM) platforms, including GitHub, GitLab, Azure DevOps, and Bitbucket.

The Polaris Platform is an integrated, software-as-a-service application security platform powered by the static application security testing, software composition analysis, and dynamic application security testing engines.

Apply AI‑powered application security with Black Duck Signal.

“Development and Security teams need application security that is integrated, automated, and frictionless across their platforms and code repositories.

No other solution combines the breadth of SCM…

That gap is the focus of a new open source benchmark from 1Password called the Security Comprehension and Awareness Measure, or SCAM.

The benchmark tests whether AI agents behave safely during real workflows, including opening emails, clicking links, retrieving stored credentials, and filling out login forms.

Gemini 2.5 Flash produced the most critical failures, averaging about 20 per run.

A short “skill file” reduced failuresAfter baseline testing, 1Password gave each model a short “security skill” document designed to improve how agents assess risk during routine tasks.

Several models recorded zero critical failures across repeated runs, including all three Claude models and Gemini 3 Flas…

3D Printer SurveillanceNew York is contemplating a bill that adds surveillance to 3D printers:New York’s 2026­2027 executive budget bill (S.9005 / A.10005) includes language that should alarm every maker, educator, and small manufacturer in the state.

I get the policy goals here, but the solution just won’t work.

It’s the same problem as DRM: trying to prevent general-purpose computers from doing specific things.

Cory Doctorow wrote about it in 2018 and—more generally—spoke about it in 2011.

Posted on February 12, 2026 at 7:01 AM • 0 Comments

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

These capabilities, however, also create new security risks.

In this paper, we introduce CHAI (Command Hijacking against embodied AI), a new class of prompt-based attacks that exploit the multimodal language interpretation abilities of Large Visual-Language Models (LVLMs).

CHAI embeds deceptive natural language instructions, such as misleading signs, in visual input, systematically searches the token space, builds a dictionary of prompts, and guides an attacker model to generate Visual Attack Prompts.

We evaluate CHAI on four LVLM agents; drone emergency landing, autonomous driving, and aerial object tracking, and on a real robotic vehicle.

By exploiting the semantic and multimodal reasonin…

Other fiction magazines have also reported a high number of AI-generated submissions.

Others have met the offensive of AI inputs with some defensive response, often involving a counteracting use of AI.

Science seems likely to become stronger thanks to AI, yet it faces a problem when the AI makes mistakes.

In general, we believe writing and cognitive assistance, long available to the rich and powerful, should be available to everyone.

And that may mean embracing the use of AI assistance in these adversarial systems, even though the defensive AI will never achieve supremacy.

This is amazing:Opus 4.6 is notably better at finding high-severity vulnerabilities than previous models and a sign of how quickly things are moving.

Security teams have been automating vulnerability discovery for years, investing heavily in fuzzing infrastructure and custom harnesses to find bugs at scale.

But what stood out in early testing is how quickly Opus 4.6 found vulnerabilities out of the box without task-specific tooling, custom scaffolding, or specialized prompting.

Fuzzers work by throwing massive amounts of random inputs at code to see what breaks.

When we pointed Opus 4.6 at some of the most well-tested codebases (projects that have had fuzzers running against them for years,…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

I Am in the Epstein FilesOnce.

Someone named “Vincenzo lozzo” wrote to Epstein in email, in 2016: “I wouldn’t pay too much attention to this, Schneier has a long tradition of dramatizing and misunderstanding things.” The topic of the email is DDoS attacks, and it is unclear what I am dramatizing and misunderstanding.

Rabbi Schneier is also mentioned, also incidentally, also once.

As far as either of us know, we are not related.

Posted on February 6, 2026 at 3:43 PM • 0 Comments

It also provides rare insight into the apparent effectiveness of Lockdown Mode, or at least how effective it might be before the FBI may try other techniques to access the device.

The document is written by the government, and is opposing the return of Natanson’s devices.

The FBI raided Natanson’s home as part of its investigation into government contractor Aurelio Perez-Lugones, who is charged with, among other things, retention of national defense information.

The government believes Perez-Lugones was a source of Natanson’s, and provided her with various pieces of classified information.

While executing a search warrant for his mobile phone, investigators reviewed Signal messages between …

Backdoor in Notepad++Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users.

Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2.

Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers.

Make sure you’re running at least version 8.9.1.

Posted on February 5, 2026 at 7:00 AM • 0 Comments

US Declassifies Information on JUMPSEAT Spy SatellitesThe US National Reconnaissance Office has declassified information about a fleet of spy satellites operating between 1971 and 2006.

I’m actually impressed to see a declassification only two decades after decommission.

Posted on February 4, 2026 at 7:02 AM • 0 Comments

Microsoft gives the FBI the ability to decrypt BitLocker in response to court orders: about twenty times per year.

It’s possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its servers for convenience.

While that means someone can access their data if they forget their password, or if repeated failed attempts to login lock the device, it also makes them vulnerable to law enforcement subpoenas and warrants.

AI Coding Assistants Secretly Copying All Code to ChinaThere’s a new report about two AI coding assistants, used by 1.5 million developers, that are surreptitiously sending a copy of everything they ingest to China.

Maybe avoid using them.

Posted on February 2, 2026 at 7:05 AM • 0 Comments

A new species of squid.

pretends to be a plant:Scientists have filmed a never-before-seen species of deep-sea squid burying itself upside down in the seafloor—a behavior never documented in cephalopods.

They captured the bizarre scene while studying the depths of the Clarion-Clipperton Zone (CCZ), an abyssal plain in the Pacific Ocean targeted for deep-sea mining.

The team described the encounter in a study published Nov. 25 in the journal Ecology, writing that the animal appears to be an undescribed species of whiplash squid.

It was very novel and very puzzling.”

From an Anthropic blog post:In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations.

This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.

[…]A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations.

Sonnet 4.5 ac…

The US Supreme Court is considering the constitutionality of geofence warrants.

Police probing the crime found security camera footage showing a man on a cell phone near the credit union that was robbed and asked Google to produce anonymized location data near the robbery site so they could determine who committed the crime.

They did so, providing police with subscriber data for three people, one of whom was Chatrie.

Police then searched Chatrie’s home and allegedly surfaced a gun, almost $100,000 in cash and incriminating notes.

Chatrie’s appeal challenges the constitutionality of geofence warrants, arguing that they violate individuals’ Fourth Amendment rights protecting against unreasona…

I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers.

I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously.

However, Lance James, founder of the New York City based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day.

Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by security companies and network …

The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows.

CVE-2026-21514 is a related security feature bypass in Microsoft Word.

The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services.

Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday.

On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.

A prolific data ransom gang that calls itself Scattered Lapsus Shiny Hunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion.

Some victims reportedly are paying — perhaps as much to contain the stolen data as to stop the escalating personal attacks.

That’s according to Allison Nixon, director of research at the New York City based security consultancy Unit 221.

Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility destroyin…

The FBI said Badbox 2.0 was discovered after the original Badbox campaign was disrupted in 2024.

KrebsOnSecurity was initially skeptical of the claim that the Kimwolf botmasters had hacked the Badbox 2.0 botnet.

]net, a domain that was flagged in a March 2025 report by HUMAN Security as one of several dozen sites tied to the distribution and management of the Badbox 2.0 botnet.

However, the source of that Badbox 2.0 screenshot said the Kimwolf botmasters had an ace up their sleeve the whole time: Secret access to the Badbox 2.0 botnet control panel.

The source said it isn’t clear how Dort gained access to the Badbox botnet panel.

Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints.

Kimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week.

The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.

Kimwolf’s close association with residential proxy networks and compromised Android TV boxes might suggest we’d find relatively few infections on corpor…

Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software.

“Today’s Windows patches remove agrsm64.sys and agrsm.sys.

This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026.

Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything.

XLab said it suspected since October that Kimwolf and Aisuru had the same author(s) and operators, based in part on shared code changes over time.

In late October 2025, Brundage shared that the people selling various proxy services which benefitted from the Aisuru and Kimwolf botnets were doing so at a new Discord server called resi[.]to.

]to Discord channel would periodically post new IP addresses that were responsible for proxying traffic over the Kimwolf botnet.

All told, Synthient said it tracked at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025.

]to Discord server vanished, Synthient’s website was hit with a DDoS at…

The most typical of these uninvited guests are small programs that turn the device into a residential proxy node that is resold to others.

Brundage says Kimwolf grew rapidly by abusing a glaring vulnerability in many of the world’s largest residential proxy services.

Kilmer said one model of unsanctioned Android TV boxes that is especially popular — the Superbox, which we profiled in November’s Is Your Android TV Streaming Box Part of a Botnet?

At that point, your home’s public IP address will show up for rent at the website of some residential proxy provider.

Brundage also has compiled a list of the unofficial Android TV boxes that are most highly represented in the Kimwolf botnet.

Your engagement this past year here has been tremendous and truly a salve on a handful of dark days.

The arrests came shortly after the FBI and the Dutch police seized dozens of servers and domains for the group.

In June, KrebsOnSecurity.com was hit by the largest DDoS attack that Google had ever mitigated at the time (we are a grateful guest of Google’s excellent Project Shield offering).

Another Aisuru attack on Cloudflare just days later practically doubled the size of the June attack against this website.

If you like the content we publish at KrebsOnSecurity.com, please consider making an exception for our domain in your ad blocker.

Democratic lawmakers have urged the SEC to investigate what they call “concerning ties to President Trump and his family” as potential conflicts of interest and foreign influence.

In October, President Trump pardoned Changpeng Zhao, the founder of the world’s largest cryptocurrency exchange Binance.

President Trump this term has fired most of the people involved in processing Freedom of Information Act (FOIA) requests for government agencies.

CONSUMER PROTECTION, PRIVACYAt the beginning of this year, President Trump ordered staffers at the Consumer Financial Protection Bureau (CFPB) to stop most work.

Nevertheless, it emerged in June that the Trump administration has built a central databas…

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page.

Infoblox found parked websites are benign if the visitor arrives at the site using a virtual private network (VPN), or else via a non-residential Internet address.

A defanged list of these typosquatting domains is available here (the dots in the listed domains have been replaced with commas).

“It was often a chain of redirects — one or two domains outside p…

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software.

This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilities in 2025, an 11.9% increase from 2024.

The zero-day flaw patched today is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions.

For anyone seeking a more granular breakdown of the security updates Microsoft pushed today, check out the roundup at the SANS In…

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.

UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:–Proglobal Solutions LTD (advertised nerdifyit[.

Currently active Google Ads accounts for the Nerdify brands include:-OK Marketing LTD (advertising geekly-hub[.

For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.

While Synergy University promotes itself as Russia’s largest private educational institutio…

The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:Ford Merrill works in security research at SecAlliance, a CSIS Security Group company.

CAVEAT EMPTORMany SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill sai…

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters.

But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel.

Incredibly, Rey w…

A 29-year-old Polish man has been charged in connection with a data breach that exposed the personal details of around 2.5 million customers of the popular Polish e-commerce website Morele.net.

The high-profile breach of Morele.net, whose international equivalents include the likes of Best Buy, Newegg, and Amazon, sent shockwaves through Poland's online retail sector.

The investigation into the data breach had originally been shelves after police failed to identify a suspect, but authorities claim that the trail never went entirely cold.

Unfortunately for the site's users who had their information breached, fraudsters weaponised the stolen data immediately.

Victims reported receiving SMS me…

All this and more is discussed in episode 454 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Iain Thomson.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

What followed was a textbook example of how modern romance scams can operate.

But rather than hiding in the darkness like some shadowy criminal, Dr. Abhulimhen presented himself as a globe-trotting philanthropist and businessman, rubbing shoulders with powerful Nigerian officials and international figures.

The FBI's Internet Crime Complaint Center consistently ranks romance scams amongst the costliest forms of cybercrime, whilst UK victims lost over £92 million to romance fraud in 2023 alone.

Whether Ikeji or Dr. Abhulimhen will face justice remains unclear.

But at least one fake prince has discovered that his Nigerian mansion offers rather less sanctuary than he had hoped.

24-year-old Rui-Siang Lin operated Incognito Market under the alias "Pharaoh" from October 2020 until March 2024, facilitating over $105 million in illegal drug sales to more than 400,000 customers across the globe.

Things turned deadly in January 2022 when Lin allowed the sale of opiates on Incognito Market.

In March 2024, Lin abruptly shut down Incognito Market without warning, stealing at least US $1 million in user deposits.

In May 2024, Lin was arrested when he flew into New York's JFK Airport en route to Singapore, and subsequently pleaded guilty to drugs-related charges and money laundering.

US District Judge Colleen McMahon has now given Lin a 30-year prison sentence, describing Inc…

Supposedly redacted Jeffrey Epstein files can still reveal exactly who they’re talking about – especially when AI, LinkedIn, and a few biographical breadcrumbs do the heavy lifting.

All this, and much more, in episode 453 of Smashing Security with cybersecurity veteran Graham Cluley and special guest Tricia Howard.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

The FBI has seized control of RAMP, a notorious cybercrime online forum that bragged to be "the only place ransomware allowed."

The seizure banner comes complete with a cheeky addition - a winking Masha from the popular Russian children's TV cartoon series "Masha and the Bear."

Many infamous ransomware groups, such as ALPHV/BlackCat, Qilin, DragonForce, and RansomHub would use the RAMP platform to promote their operations.

Following the seizure of RAMP, another of the forum's alleged operators, confirmed the takedown in a posting on another hacking forum.

As Flare reports, "Stallman" has indicated that the cybercriminal activity conducted through RAMP would continue through other channels.

Imagine the scene. It's a cold Monday morning in Moscow. You walk out to your car, coffee in hand, ready to face the day. You press the button to unlock your car, and ... nothing happens. You try again. Still nothing. The alarm starts blaring. You can't turn it off. Read more in my article on the Fortra blog.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Joe Tidy.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Police in Hungary and Romania have arrested four young men suspected of making hoax bomb threats and terrorising internet users through SWATting and doxing attacks.

SWATting is a particularly underhand way of making someone else's day a misery – without having to leave your home.

Secondly, the phone numbers were spoofed when making threatening calls to police, effectively directing emergency services to their door.

Hungarian police are keen to underline that SWATting and doxing are serious criminal offences that endanger lives, and are not harmless pranks.

"The police emphasise that swatting and doxing are serious crimes that endanger the lives of others and are not a joke," reads the press…

Security researchers have uncovered at least 16 malicious Chrome extensions masquerading as handy ChatGPT productivity tools.

Instead, they hook into the Chrome browser, and intercept outgoing data that contains users' authentication details.

My advice is to check if you have installed any ChatGPT-related browser extensions recently, and remove any that you have concerns over.

The security researchers who uncovered the malware campaign have listed the names of the extensions that have been identified so far (although, of course, it is possible that more have been used - or could still be):ChatGPT folder, voice download, prompt manager - ChatGPT ModsChatGPT voice download, TTS download - Cha…

In episode 85 of The AI Fix, Graham discovers that Silicon Valley has the solution to your pet’s mental health crisis, and Mark explains why AI godfather Yann LeCun thinks the entire AI industry is wrong about LLMs.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive c…

It has just been a few weeks since we reported on the Christmas cyber attack suffered by the European Space Agency (ESA), and the situation has already become worse.

In light of the latest data breach to impact ESA, the December 2025 incident doesn't look too bad.

Furthermore, this latest breach reportedly involves data that might be more concerning - such as operational procedures, spacecraft and mission details, subsystems documentation, and proprietary contractor data from ESA partners including SpaceX, Airbus Group, and Thales Alenia Space.

As a consequence of this latest incident, ESA has now confirmed that a criminal investigation is underway.

Some have suggested that poor cybersecuri…

All this, and much more, in this episode of the “Smashing Security” podcast with Graham Cluley, and special guest Ray [REDACTED]Host:Graham Cluley:@grahamcluley.com @ *protected email* / grahamcluleyGuest:Ray Redacted:@rayredacted.comEpisode links:Sponsored by:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Blu…

The UK's National Cyber Security Centre (NCSC) has issued a warning about the threat posed by distributed denial-of-service (DDoS) attacks from Russia-linked hacking groups who are reported to be continuing to target British organisations.

The denial-of-service attacks are typically not highly sophisticated, but can still successfully cause disruption to IT systems, and cost organisations a significant amount of time and money as they attempt to respond or recover.

The most obviously visible symptom of a basic denial-of-service attack can be that a website is no longer accessible, as hackers flood it with unwanted traffic, making it impossible for legitimate users to reach the resource.

As …

А те, кто не приехал, посмотрят соревнования по телевидению и на стримингах: по данным платформ, рейтинги трансляций уже самые высокие с 2014 года.

Рассказываем, как избежать проблем в виде фальшивых билетов, несуществующего мерча и поддельных трансляций, сохранить свои деньги и персональные данные.

С их помощью злоумышленники выуживают у фанатов платежные данные, чтобы либо перепродать их, либо обчистить счета сразу.

Итог: шоу не будет, как минимум злоумышленники использовали вас для арбитража трафика, а как максимум — получили доступ к вашему счету.

Тактика защитыМошенники обманывают любителей спорта годами, а их доходы напрямую зависят от качества мимикрии под официальные порталы.

Мы разберем самые яркие примеры фишинговых и спамерских схем прошлого года, а полный отчет «Спам и фишинг в 2025 году» читайте на Securelist.

После знакомства и непродолжительного общения в дейтинг-сервисах новая пассия приглашала жертву в театр или кино и присылала ссылку на покупку билетов.

Вишенкой на торте водителю предлагалось оплатить «пошлину по замене прав» в 1200 крон (больше $125) — так мошенники получали и персональные данные, и реквизиты банковской карты, и деньги.

Нейросетевые мошенникиРазумеется, скамеры не остались в стороне и от бума искусственного интеллекта.

Хайп сей ложь, да в нем намекКак и раньше, в 2025 году мошенники мгновенно подхватывали любые инфоповоды и оперативн…

Очень скоро Clawdbot по настоянию Anthropic из-за созвучности с Claude был переименован сначала в Moltbot, a затем, еще через несколько дней, — в OpenClaw.

Риски безопасности: исправляемые и не оченьОдновременно с тем, как OpenClaw захватывал соцсети, эксперты по кибербезопасности хватались за голову: количество уязвимостей, содержащихся в OpenClaw, превосходило все возможные предположения.

Проблема в том, что в Интернете в открытом доступе находятся сотни неправильно настроенных административных интерфейсов OpenClaw.

Например, как мы недавно писали в посте Джейлбрейк в стихах: как поэзия помогает разговорить ИИ, промпт в стихах существенно снижает эффективность защитных ограничений языковы…

Наведя в них порядок и сформировав общий словарь, CISO и совет директоров значительно улучшат свои коммуникации и в конечном счете повысят защищенность организации.

Руководство может одобрить покупку решения zero trust, не понимая, что это лишь часть долгосрочной комплексной программы со значительно большим бюджетом.

Руководители бизнес-подразделений могут принимать риски ИБ, не имея полного представления об их потенциальном воздействии.

Управляемые активы и поверхность атакиРаспространенное и опасное заблуждение касается охвата защиты и общей видимости, которая есть у ИТ и ИБ.

Зачастую именно эти «невидимые» для компании активы становятся точкой входа для атаки, потому что ИБ не может защи…

За последние два месяца были обнаружены сразу три уязвимости, эксплуатация которых позволяет обходить аутентификацию в продуктах Fortinet с использованием механизма FortiCloud SSO.

Эти уязвимости позволяют злоумышленникам с учетной записью FortiCloud логиниться в чужие аккаунты FortiOS, FortiManager, FortiAnalyzer, FortiProxy и FortiWeb, если на устройстве включена функция SSO.

Правила уже доступны клиентам для скачивания в репозитории KUMA; название пакета: [OOTB] FortiCloud SSO abuse package – ENG.

По мере появления новых отчетов об атаках мы планируем дополнять новой информацией правила с пометкой IOC.

Дополнительные рекомендацииМы также рекомендуем использовать правила из пакета FortiCl…

В наши дни технологии создания поддельных видео- и голосовых сообщений стали доступны каждому, и мошенники активно осваивают технологии дипфейков.

Ранее мы уже рассказывали, как отличить настоящее фото или видео от фейка и отследить его происхождение до момента съемки или генерации.

Теперь давайте разберем, как злоумышленники создают и используют дипфейки в реальном времени, как распознать подделку без сложной экспертизы и защитить себя и близких от «атаки клонов».

Как делают дипфейкиИсходный материал для дипфейков мошенники собирают из открытых источников — вебинаров, публичных видео в соцсетях и каналах, онлайн-выступлений.

«Мама, нужны деньги прямо сейчас, я попал в аварию»; «Нет времени…

У разных вендоров наполнение такой базы может сильно отличаться как по объему, так и по качеству.

Динамическая атрибуция — выявление TTP методом динамического анализа конкретных файлов c последующим сопоставлением множества обнаруженных TTP с TTP известных группировок.

Динамическая атрибуцияВыявление TTP в процессе динамического анализа проще в реализации, такая функциональность уже давно является неотъемлемой функциональностью всех современных «песочниц».

Тот, кто касается хобота, считает, что это удав, тот кто трогает туловище, уверен, что это стена, и так далее.

Результат атрибуции проверяется на ложноположительные связи с базой в миллиард легитимных файлов; при совпадении с любым из них…

Надеяться исключительно на средства защиты учетных записей и парольные политики — не вариант.

И в очередном обновлении мы продолжили развитие системы в том же направлении, добавив использование ИИ-подходов.

Сейчас же в новой версии SIEM c новым коррелятором появилась возможность реализовать детектирование угона учетной записи при помощи одного специализированного правила.

Поэтому в версии 4.2 мы сделали еще один шаг в сторону практичности и адаптивности платформы.

Новый коррелятор и, как следствие, повышение устойчивости платформыВ релизе 4.2 мы представили бета-версию нового корреляционного движка (2.0).

В этом месте обеспокоенные технологиями родители уже могут вспомнить о нашумевшем случае с ChatGPT, когда ИИ от OpenAI довел подростка до самоубийства.

Как исследователи тестировали ИИ-игрушкиИсследование, результаты которого мы разберем ниже, подробно рассказывает о рисках для детской психики, связанных с «дружбой» с умной игрушкой.

Miko 3, как и Grok, всегда слушает происходящее вокруг и активируется при обращении — примерно так же, как это работает у голосовых ассистентов.

Исследователи также отмечают, что ИИ-медведь не побуждал «ребенка» делиться личными переживаниями, не обещал хранить секреты и не создавал иллюзию приватного общения.

С другой стороны, производители этой игрушки не даю…

Удобную методичку по этому вопросу выпустил некоммерческий проект OWASP, разрабатывающий рекомендации по безопасной разработке и внедрению ПО.

Злоумышленники используют методы промпт-инъекций или поддельные данные, чтобы перенастроить агента на выполнение вредоносных действий.

Злоумышленник отправляет промпт, который под предлогом тестирования кода заставляет агента с возможностью «вайб-кодинга» загрузить команду с помощью curl и передать ее на вход bash.

Такой «отравленный» контекст искажает дальнейшие рассуждения агента и выбор инструментов.

Используйте внешние шлюзы безопасности (intent gates) для проверки планов и аргументов агента на соответствие жестким правилам безопасности перед их …

На самом деле происходит не установка из магазина приложений, а загрузка приложения в пакете APK.

В России проблема «левых» загрузок усложняется тем, что многие повседневные приложения, в первую очередь банковские, более недоступны в Google Play.

«Прямой NFC» — мошенник связывается с жертвой в мессенджере и уговаривает скачать приложения якобы для подтверждения личности в банке.

Права, которые и в самом деле нужны приложению такого класса, прекрасно подходят для перехвата данных и махинаций с посещаемыми веб-сайтами.

), перенаправлять пользователя на сайты с рекламой и запускать прямо на телефоне прокси, чтобы злоумышленники могли попадать на любые сайты от лица жертвы.

Это связано с тем, что знания ИИ не хранятся в виде отдельных фрагментов, которые можно легко удалить.

Как и на каких моделях проводилось исследование?

При этом в промптах изменялась исключительно стилистика подачи: никаких дополнительных техник атаки, стратегий обфускации или адаптаций под конкретные модели в эксперименте не использовалось.

Исследователи протестировали 1200 промптов на 25 разных моделях — как в прозаическом, так и в поэтическом варианте.

Если следовать этому методу оценки, то поэзия увеличивает вероятность ответа на небезопасный промпт в среднем на 35%.

Чтобы сопрячь со смартфоном новую гарнитуру, поддерживающую эту технологию, достаточно включить ее и поднести к смартфону.

Вредоносное устройство — обычный смартфон или ноутбук атакующего — транслирует запросы Google Fast Pair и пытается соединиться с BT-устройствами в радиусе 14 метров.

Эта функция, Google Find Hub, аналогична FindMy от Apple, и создает такие же риски несанкционированной слежки, как и вредоносные AirTag.

Тем, кто пользуется Android-смартфонами и сопрягал с ними свою уязвимую гарнитуру с помощью Fast Pair, этот вариант атаки не грозит, ведь они сами записаны как владельцы устройства.

Вероятнее всего, обновленные смартфоны больше не транслируют положение аксессуаров, угнанны…

Хотя первопричина ошибки проста и понятна, ее устранение потребует обширных и систематизированных усилий, причем как от государств и международных структур, так и от конкретных организаций и частных лиц.

В ряде случаев, впрочем, возможно более короткое «путешествие во времени» — в точку 0, то есть в 1970 год.

Злонамеренная эксплуатация Y2K38Командам ИТ и ИБ стоит относиться к Y2K38 не как к простой программной ошибке, а как к уязвимости, которая может приводить к различным сбоям, включая отказ в обслуживании.

В базах данных тоже мозаика: тип TIMESTAMP в MySQL фундаментально ограничен 2038 годом и требует миграции на DATETIME, в то время как стандартные типы timestamp в PostgreSQL безопасны.…

Today we are announcing the availability of a new custom-tuned Foundation-Sec-8B-1.1-Instruct model that powers a key integration between Cisco Foundation AI and the Splunk AI Assistant in Security in Splunk Enterprise Security.

The Splunk AI Assistant in Security is available to all Enterprise Security customers on the Splunk-hosted AWS cloud.

In this release, the Splunk AI Assistant in Security summary skill is powered by a custom-tuned Foundation-Sec-8B-1.1-Instruct model.

How This Works in Splunk Enterprise SecuritySplunk Enterprise Security uses skill routing to send requests to the best model for each task.

How the Summary Skill WorksWhen the Splunk‑hosted model is selected, the Splun…

The latest release of Cisco’s Secure Firewall comes as today’s cyberthreats are more complex, elusive, and fast evolving than ever before.

Key observability features in Cisco Secure Firewall 10.0Simplified decryption and QUIC visibilityWith most threats now concealed within encrypted traffic, Cisco Secure Firewall 10.0 significantly simplifies the decryption process.

Sign up for the Cisco Secure Firewall Test Drive, an instructor-led, 4-hour hands-on course where you’ll experience the Cisco firewall technology in action and learn about the latest security challenges and attacker techniques.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLin…

You can test drive these capabilities today with Secure Firewall Test Drive, an instructor led course that will guide you through the Secure Firewall and its powerful roles in cybersecurity for your organization.

The new simplified decryption experience in Cisco Secure Firewall version 10.0 simplifies the steps required to enable and manage encryption.

Advanced loggingTo enhance the already robust set of information available for logged connections within Cisco Secure Firewall and Cisco Secure Network Analytics, a new log type has been created and made searchable.

Take a hands-on look at Cisco Secure Firewall 10.0Want to dive deeper into Cisco firewalls?

Sign up for the Cisco Secure Firewal…

Gartner predicts that by the end of this year, 40% of enterprises will run AI agents in production, up from less than 5% today.

The Limits of Traditional Security in an Agentic WorldThe challenge with AI agents is that they break the security paradigm we’ve relied upon as a security community over the last two decades.

Security that Understands Intent, SASE for AI EraWe’re announcing a fundamental shift in how we handle “intent” through our security architecture.

We are effectively moving security from the “block/allow” era to the “See the Intent, Secure the Agent” era.

An intelligent, autonomous firewall built for the AI era, protecting data centers, cloud workloads, and edge deployments.

SASE for the AI Era: Fast, Secure, and Ready for AISASE for the AI era is not just about moving security to the cloud.

Cisco SASE brings together Cisco SD-WAN and Cisco Secure Access, into a single platform, tuned for distributed AI.

Simpler, Secure AI OperationsCisco SASE for the AI era unifies performance and security into a single operating system—so AI can scale without adding complexity.

The outcome is what organizations are looking for: predictable AI performance, consistent protection everywhere AI runs, simpler operations, and the confidence to adopt AI faster and more safely.

Visit Cisco SASE to learn how Cisco is transforming how AI runs across the enterprise — securely, predictab…

Below are the Cisco XDR integrations used at Black Hat Europe, enabling analysts to rapidly investigate Indicators of Compromise (IOCs) with a single search.

Our thanks to alphaMountain.ai, Pulsedive and StealthMole for full donating full licenses to Cisco, for use in the Black Hat Europe 2025 NOC.

Below you can see the integrations in XDR at Black Hat Europe, including in production, in beta and in development.

At Black Hat Europe 2024, Ivan Berlinson connected Cisco XDR with Splunk to integrate Corelight NDR detections.

You can read the other blogs from our colleagues at Black Hat Europe.

This allowed Black Hat security analysts to initiate an immediate analysis of any incident by selecting “Ask Cisco Foundation AI to Analyze the incident” directly from the incident view.

For additional information, please refer to the following resources:You can read the other blogs from our colleagues at Black Hat Europe.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

We work with other official providers to bring the hardware, software and engineers to build and secure the Black Hat Europe network: Arista, Corelight, Jamf and Palo Alto Networks.

Since 2016, Cisco has protected the Black Hat Europe network, beginning with automated malware analysis using Threat Grid.

New for Black Hat Europe, we integrated Arista CloudVision and CV-CUE into Duo Directory SSO.

Learn More About Cisco at Black Hat EuropeExplore deeper insights into innovation, threat hunting, and integrations by diving into our Black Hat Europe blogs, where we highlight advanced SOC practices, Cisco XDR and Splunk Enterprise Security collaborations, and the latest security cloud innovations…

Cisco XDR served as a Tier-1 & 2 detection and response platform for Cisco engineers and analysts working in the Black Hat Europe 2025 NOC/SOC.

We also ingested logs into Splunk from our partner Palo Alto Networks and Corelight, correlating in Incidents via Cisco XDR.

However, at Black Hat conferences, these tools are intentionally off-limits except for some critical event assets.

You can read the other blogs from our colleagues at Black Hat Europe.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

For nearly a decade, Cisco has secured Black Hat events with Umbrella DNS security.

While Secure Access delivers comprehensive protection including secure web gateway, Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and remote browser isolation, we focused its power on where Black Hat needed it most: DNS-layer security and visibility.

At Black Hat Europe, our monitoring confirmed the campaign’s continued activity, though at notably lower volumes.

You can read the other blogs from our colleagues at Black Hat Europe.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Sum…

This is his first time accompanying us to the Black Hat Network Operations Center (NOC), so naturally, we discuss his impressions.

You can read the other blogs from our colleagues at Black Hat Europe.

About Black HatBlack Hat is the cybersecurity industry’s most established and in-depth security event series.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

For more information, please visit the Black Hat website.

This is the reality for the Cisco Event SOC team at major conferences like RSAC™ Conference, Black Hat, and Cisco Live.

We are thrilled to announce the launch of our new Cisco Event SOCs website and the release of our comprehensive Reference Architecture & Operations Guide.

What You Will Find on the WebsiteVisiting the new Cisco Event SOCs hub gives you a front-row seat to our operations.

The Guide: A Blueprint for ResilienceThe centerpiece of this launch is the Cisco Event SOCs: A Reference Architecture & Operations Guide.

Visit the website today to explore the architecture and download the full Cisco Event SOCs: A Reference Architecture & Operations Guide.

Imagine a future where today’s most secure data, from financial records to national secrets, could be instantly deciphered.

Powerful quantum computers known as cryptographically relevant quantum computers (CRQC) will compromise public-key cryptography, putting encrypted data and secure communications at risk.

The Hidden Risk: Trust CollapseBeyond data confidentiality lies a more systemic and immediate quantum risk: foundational trust breakdown.

While securing network traffic is paramount, a truly quantum-safe posture requires more than protecting data in transit.

In our next blog, we’ll dive deeper into each pillar, starting with Secure Communications and turning to Secure Products.

The UK’s Cyber Security & Resilience Bill and Government Cyber Action Plan mark a pivotal moment in our collective approach to digital resilience.

At Cisco, we’re honored to serve as an ambassador for their Software Security Code of Practice, a voluntary initiative that addresses one of the most pressing challenges facing both public and private sectors: securing the software supply chain.

Strengthening Resilient InfrastructureOur ambassador role is a natural extension of our commitment to secure software development and resilient infrastructure.

We can no longer afford to treat software security as an afterthought or a competitive differentiator.

The Software Security Code of Practice prov…

The Cisco Foundation AI team introduces a novel approach to information retrieval designed to tackle the shortcomings of current search.

At its core, our framework empowers compact models (from 350M – 1.2B parameters) to:Learn diverse search strategies: Through a process of observing and learning from various search behaviors, the framework models understand how to approach different types of queries.

Through a process of observing and learning from various search behaviors, the framework models understand how to approach different types of queries.

Refine queries based on feedback: The system learns to adjust its search queries dynamically, incorporating insights from previously retrieved …

The strategic SIEM buyer’s guide outlines what decision‑makers should look for as they build a future‑ready security operations center (SOC).

Illustration of Microsoft’s AI-first, end-to-end security platform architecture that delivers these essentials by unifying critical security functions and leveraging advanced analytics.

Read The strategic SIEM buyer’s guide for the full analysis, vendor considerations, and detailed guidance on selecting an AI‑ready platform for the agentic era.

To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

AI governance cannot live solely within IT, and AI security cannot be delegated only to chief information security officers (CISOs).

1Microsoft Data Security Index 2026: Unifying Data Protection and AI Innovation, Microsoft Security, 2026.

2026 Data Security Index:A 25-minute multinational online survey was conducted from July 16 to August 11, 2025, among 1,725 data security leaders.

Questions centered around the data security landscape, data security incidents, securing employee use of generative AI, and the use of generative AI in data security programs to highlight comparisons to 2024.

One-hour in-depth interviews were conducted with 10 data security leaders in the United States and Unit…

Microsoft security researchers have discovered a growing trend of AI memory poisoning attacks used for promotional purposes, a technique we call AI Recommendation Poisoning.

How AI memory worksModern AI assistants like Microsoft 365 Copilot, ChatGPT, and others now include memory features that persist across conversations.

AI Memory Poisoning occurs when an external actor injects unauthorized instructions or “facts” into an AI assistant’s memory.

Attack discovery: AI Recommendation Poisoning in the wildDuring our research, we identified real-world cases of AI memory poisoning being used for promotional purposes.

AI Recommendation Poisoning is real, it’s spreading, and the tools to deploy it…

Yet safety alignment is only as robust as its weakest failure mode.

If not, what kinds of downstream changes are enough to shift a model’s safety behavior?

Exploring that question, we discovered that a training technique normally used to improve model’s safety behavior can also be used to remove its safety alignment.

Alignment dynamics extend beyond language to diffusion-based image modelsThe same approach generalizes beyond language models to unaligning safety-tuned text-to-image diffusion models.

Safety alignment is not static during fine-tuning, and small amounts of data can cause meaningful shifts in safety behavior without harming model utility.

The Microsoft Defender Research Team observed a multi‑stage intrusion where threat actors exploited internet‑exposed SolarWinds Web Help Desk (WHD) instances to get an initial foothold and then laterally moved towards other high-value assets within the organization.

Technical detailsThe Microsoft Defender Research Team identified active, in-the-wild exploitation of exposed SolarWinds Web Help Desk (WHD).

Update WHD CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399, remove public access to admin paths, and increase logging on Ajax Proxy.

Microsoft Defender XDR detectionsMicrosoft Defender provides pre-breach and post-breach coverage for this campaign.

Tactic Observed activity Microsoft Defen…

The Microsoft Defender Research Team observed a multi‑stage intrusion where threat actors exploited internet‑exposed SolarWinds Web Help Desk (WHD) instances to get an initial foothold and then laterally moved towards other high-value assets within the organization.

Technical detailsThe Microsoft Defender Research Team identified active, in-the-wild exploitation of exposed SolarWinds Web Help Desk (WHD).

Update WHD CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399, remove public access to admin paths, and increase logging on Ajax Proxy.

Microsoft Defender XDR detectionsMicrosoft Defender provides pre-breach and post-breach coverage for this campaign.

Tactic Observed activity Microsoft Defen…

In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign.

This updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality.

This script leverages pythonw.exe to execute the malicious Python payload covertly, avoiding visible console windows and reducing user suspicion.

]com/scl/fi/znygol7goezlkhnwazci1/a1.zip URL Adversary hosted python payload 158[.]247[.]252[.

ReferencesThis research is provided by Microsoft Defender Security Research with contributions from Sai Chakri Kandalai and Kaustubh Mangalwedhekar.

That gap is where cyberattackers operate most effectively, and it is the gap that Operation Winter SHIELD is designed to address as a collaborative effort across the public and private sector.

Why Operation Winter SHIELD mattersOperation Winter SHIELD is a nine-week cybersecurity initiative led by the FBI Cyber Division beginning February 2, 2026.

That perspective aligns with what we see through Microsoft Threat Intelligence and Microsoft Incident Response.

Operation Winter SHIELD offers an opportunity to drive systematic improvement to one control area at a time.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

That gap is where cyberattackers operate most effectively, and it is the gap that Operation Winter SHIELD is designed to address as a collaborative effort across the public and private sector.

Why Operation Winter SHIELD mattersOperation Winter SHIELD is a nine-week cybersecurity initiative led by the FBI Cyber Division beginning February 2, 2026.

That perspective aligns with what we see through Microsoft Threat Intelligence and Microsoft Incident Response.

Operation Winter SHIELD offers an opportunity to drive systematic improvement to one control area at a time.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Our research highlights several key properties of language model backdoors, laying the groundwork for a practical scanner designed to detect backdoored models at scale and improve overall trust in AI systems.

Detecting whether an LLM has been poisoned is inherently challenging because backdoored models behave normally under almost all conditions.

We therefore break the problem into two questions:First, do backdoored models behave in ways that are systematically different from clean models?

We find that trigger tokens tend to “hijack” the attention of backdoored models, creating a distinctive double triangle pattern.

Language models tend to memorize parts of their training data, and backdoor…

Our research highlights several key properties of language model backdoors, laying the groundwork for a practical scanner designed to detect backdoored models at scale and improve overall trust in AI systems.

Detecting whether an LLM has been poisoned is inherently challenging because backdoored models behave normally under almost all conditions.

We therefore break the problem into two questions:First, do backdoored models behave in ways that are systematically different from clean models?

We find that trigger tokens tend to “hijack” the attention of backdoored models, creating a distinctive double triangle pattern.

Language models tend to memorize parts of their training data, and backdoor…

Why AI changes the security landscapeAI security versus traditional cybersecurityAI security introduces complexities that go far beyond traditional cybersecurity.

Loss of granularity and governance complexityAI dissolves the discrete trust zones assumed by traditional SDL.

Multidisciplinary collaborationMeeting AI security needs requires a holistic approach across stack layers historically outside SDL scope, including Business Process and Application UX.

What’s new in SDL for AIMicrosoft’s SDL for AI introduces specialized guidance and tooling to address the complexities of AI security.

Microsoft SDL for AI can help you build trustworthy AI systemsEffective SDL for AI is about continuous im…

Why AI changes the security landscapeAI security versus traditional cybersecurityAI security introduces complexities that go far beyond traditional cybersecurity.

Loss of granularity and governance complexityAI dissolves the discrete trust zones assumed by traditional SDL.

Multidisciplinary collaborationMeeting AI security needs requires a holistic approach across stack layers historically outside SDL scope, including Business Process and Application UX.

What’s new in SDL for AIMicrosoft’s SDL for AI introduces specialized guidance and tooling to address the complexities of AI security.

Microsoft SDL for AI can help you build trustworthy AI systemsEffective SDL for AI is about continuous im…

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

Our first rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence.

Our First Rust Memory Safety Vulnerability...AlmostWe recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF.

Unsafe Review and TrainingOperating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable.

Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on …

Survey shows Android users’ confidence in scam protectionsGoogle and YouGov3 surveyed 5,000 smartphone users across the U.S., India, and Brazil about their experiences.

The findings were clear: Android users reported receiving fewer scam texts and felt more confident that their device was keeping them safe.

Android users were 58% more likely than iOS users to say they had not received any scam texts in the week prior to the survey.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option.

We now think the time has come to enable “Always Use Secure Connections” for all users by default.

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS.

Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive.

To help accelerate adoption of AI for cybersecurity workflows, we partnered with Airbus at DEF CON 33 to host the GenSec Capture the Flag (CTF), dedicated to human-AI collaboration in cybersecurity.

Our goal was to create a fun, interactive environment, where participants across various skill levels could explore how AI can accelerate their daily cybersecurity workflows.

An overwhelming 85% of all participants found the event useful for learning how AI can be applied to security workflows.

This positive feedback highlights that AI-centric CTFs can play a vital role in speeding up AI education and adoption in the security community.

We are committed to advancing the AI cybersecurity frontier…

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.

In the meantime, solving the above CAPTCHA will let you continue to use our services.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very qu…

At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos.

Pixel Camera attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

Google Photos attaches Content Credentials to JPEG images that already have Content Credentials and are edited using AI or non-AI tools, and also to any images that are edited using AI tools.

Building a More Trus…

Today marks a watershed moment and new benchmark for open-source security and the future of consumer electronics.

Google is proud to announce that protected KVM (pKVM), the hypervisor that powers the Android Virtualization Framework, has officially achieved SESIP Level 5 certification.

This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar.

With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads.

Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the hi…

Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts.

Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.

With an estimated value exceeding $12 trillion, open source software has never been more integral to the global economy.

For publishers and maintainers of open source packages, OSS Rebuild can...

If you're a developer, enterprise, or security researcher interested in OSS security, we invite you to follow along and get involved!

Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures.

This is particularly useful for Advanced Protection users, since in 2023, plaintext HTTP was used as an exploitation vector during the Egyptian election.

JavaScript Optimizations and Security Advanced Protection reduces the attack surface of Chrome by disabling the higher-level optimizing Javascript compilers inside V8.

Javascript optimizers can be disabled outside of Advanced Protection Mode via the “Javascript optimization & security” Site Setting.

We…