Иранские хакеры начали масштабную охоту на израильских чиновников и ученых

Компания F6 представила модуль активного сканирования для решения Attack Surface Management.

Почему крупнейший хостинг IT-проектов в мире перестал быть стабильным.

Пекин построил виртуальный мир, чтобы научиться ломать настоящий.

Математики предложили альтернативу методу Дейкстры для графов сверхбольшой размерности.

Для захвата контроля больше не требуются вирусы и уязвимости.

Злоумышленники используют настолько старые трюки, что о них успели забыть даже администраторы.

Мир готовится покорять Марс с железками в голове.

Рассказываем, как устроена экономика осознанного бездействия технологических гигантов.

Специалисты предупредили о появлении ИИ-вредоноса, нацеленного на Linux-системы.

Подсистема хранения отклонена из-за ошибок сборки и отсутствия тестирования.

Так, системы компании в 2025 году ежедневно обнаруживали около полумиллиона новых образцов вредоносного кода против 342 тысяч в 2019 году.

Среди них Дмитрий Галов особо выделелил Triada, количество заражений которым выросло в 4,5 раза за год, а также LunaSpy, который в 2025 году только появился.

Однако были и фундаментальные различия между атаками 10–15-летней давности и в 2025 году.

Впрочем, и в 1950-х, и в 1980-х, когда наблюдалось разочарование в ИИ, разрыв между ожиданиями и результатом был очень большим.

ВыводыВ целом в 2026 году стоит ожидать развития тенденций, заложенных в 2025 году, особенно в его второй половине.

Система работает, но практической ценности для SOC не даёт.

Это увеличивает время присутствия злоумышленника в инфраструктуре, масштабирует последствия инцидента и фактически превращает SIEM в дорогостоящий архив логов.

В итоге инцидент обнаружили не средства SIEM, а сторонний исследователь, заметивший украденные данные в GitHub.

Чем опасна эта ошибкаИспользование OOTB‑правил без адаптации снижает операционную эффективность SOC и повышает риск пропуска целевых атак.

Отсутствие интеграции SIEM с системами реагирования (SOAR)Нередко SIEM остаётся «пассивной» системой.

И для VPN, и для почты — 9 %.

Владимир Иванов: «Фишинг работает не на всех способах защиты, но там, где работает, он наиболее популярен».

Злоумышленнику можно не атаковать MFA в лоб, а проникнуть в сеть через уязвимости и, перехватив токен, захватить весь домен организации».

Дмитрий Грудинин рассказал, что в корпоративной среде СМС не рекомендуется по нескольким причинам: это дорого, ненадёжно и не работает универсально.

Ключевой тренд — переход к интеллектуальным и контекстно-зависимым системам, которые анализируют не только что предъявляет пользователь, но и как он это делает, в каких условиях и с какими рисками.

Исследователи выявили десятки расширений для Google Chrome, которые маскируются под приложения для блокировки рекламы и других функций, но на деле подменяют ссылки, воруют данные пользователей и токены ChatGPT.

ВведениеБраузер Google Chrome остаётся самым популярным на рынке, на него приходится более 70 % пользователей и на десктопах, и на смартфонах.

Но, как отмечают исследователи, основная функциональность приложения скрыта: оно автоматически подменяет ссылки в интернет-магазинах и получает доступ к данным.

Описание функциональности расширения в магазине Google Chrome Web Store.

Расширения с такой логикой легко масштабируются, злоумышленники могут применить один и тот же механизм к разным…

Основные угрозы для контейнерной инфраструктуры и методы защитыИспользование контейнеризации создаёт особые риски для информационной безопасности и требует применения специализированных средств защиты.

Обзор отечественных средств защиты контейнеризацииДля защиты контейнерных сред можно использовать специализированные решения, платформы управления, средства виртуализации или возможности некоторых ОС.

CrossTech Container SecurityВ 2025 году компания Crosstech Solutions Group представила рынку специализированный продукт для защиты контейнерных инфраструктур — CrossTech Container Security (CTCS).

Kaspersky Container SecurityПлатформа Kaspersky Container Security (KCS) создана для безопасности D…

Развитие регулирования КИИ и ГосСОПКАМодернизация нормативной базы в области безопасности КИИ и госсистемы обнаружения компьютерных атак стала центральным вектором изменений 2025 года.

В результате внесённых изменений в 187-ФЗ закреплены обязанности субъектов КИИ по переходу на доверенные программно-аппаратные комплексы в соответствии с ПП-1912, а также ориентация на использование отечественного ПО.

Также в Правилах категорирования в явном виде закреплены обязанности субъекта КИИ по учёту утверждённых отраслевых особенностей категорирования объектов КИИ.

Одновременно положения формируют предпосылки для пересмотра подходов к регулированию самописного ПО — ПО, разработанного для собственных н…

Российские системы виртуализации в 2026 году вышли на новый уровень, превратившись из инструментов импортозамещения в полноценные конкурентные решения.

По его мнению, виртуализация — это общий термин, который включает в себя частные и гибридные облака, платформы виртуализации и гиперконвергентные системы, где каждый ищет свою нишу.

Он подчеркнул необходимость взаимодействия как с ИТ-специалистами, так и с отделом безопасности.

Основным драйвером станет запрос на целостные экосистемы, а не на отдельные точечные решения».

Внимание рынка сместится с самой виртуализации на новые технологические горизонты — будь то расширение её возможностей или создание принципиально новых решений.

Роль ИИ в аналитике безопасности, будущее SOAR, эволюция SIEM и NDR, перспективы рынка коммерческих SOC в России на фоне импортозамещения.

Что такое классический SOC и почему он переживает кризисЦентр мониторинга безопасности (SOC) долгое время был основой корпоративных систем защиты.

Мировой рост внедрения ИИ в индустрию информационной безопасности с 2017 по 2030 годЭволюция инструментальной экосистемы: SIEM, NDR, EDRРеализация подхода Post-SOC требует фундаментальной перестройки всего технологического стека безопасности.

Это формирует уникальные сценарии развития как для вендоров, так и для компаний-заказчиков.

ВыводыТрансформация классических центров мониторинга безопасности в интегриров…

Итоги года и выводы, которые обязательно надо учесть.

В 2025 году компании всё чаще сталкивались с ситуацией, когда технический инцидент перерастал в юридический и репутационный кризис.

ТрендыТренд 2025 года — появление атак, выполненных практически полностью с помощью нейросетей (искусственного интеллекта) почти без участия человека.

ВыводыИтоги 2025 года показывают: веб-приложения стали одной из самых уязвимых точек цифрового бизнеса и одновременно самым быстрым каналом нанесения прямого финансового ущерба.

В условиях 2025 года инвестиции в зрелую защиту веб-приложений напрямую поддерживают устойчивость бизнеса.

Мифы и реальность удаления аккаунта в TelegramМиф первый: Аккаунт пользователя в Telegram можно восстановить после удаленияНа самом деле, если удалить аккаунт пользователя в сети Telegram, это будет окончательным и необратимым действием для него.

Недавно в пользовательских чатах прошло сообщение, что в Telegram возможна кража учётных данных пользователя (например, через фишинг).

Всё это время активная сессия злоумышленника якобы остаётся валидной, и Telegram не предоставляет возможности законному владельцу принудительно сбросить все активные сессии.

Однако убедиться в этом мы не смогли, потому что Telegram не позволяет прочитать описание проблемы в своей базе.

Создание закрытого частного об…

В конце 2025 года появились прогнозы, по которым в наступившем 2026 году стоит ждать значительного роста интереса к облачным сервисам со стороны российских компаний.

Однако темпы роста облачных сервисов существенно опережают мировые (29,5 % в России против 20 % в мире по итогам 2025 года).

Банк России также включил развитие облачных сервисов в приоритеты развития финтеха и запустил пилот «Банк в облаке».

2 и 3), причём как в рублёвом, так и в валютном выражении.

Это обстоятельство стало одним из основных драйверов роста для облачных сервисов в России и не только.

Он интересуется, почему же эти атаки продолжают быть успешными и что отрасли следует делать иначе.

При этом он подчёркивает, что в основе защиты веба и API лежит чёткое определение и распределение зон ответственности внутри компании.

Второй шаг — выбор инструментов следующего поколения, которые обеспечивают глубокий анализ и понимание поведения пользователей на всех уровнях, как в веб-интерфейсе, так и в API.

Потерять результат многолетней тонкой настройки политик WAF из-за аппаратного сбоя или человеческой ошибки — это не просто обидно, это прямая угроза бизнесу».

Необходимо выбирать инструменты, способные анализировать и выявлять паттерны поведения не только на уровне веб-интерфейса, но и…

Эксперты по кибербезопасности обсудили актуальные угрозы 2026 года и стратегии построения эффективной обороны — как противостоять массовым атакам и точечным взломам.

Повсеместная автоматизация, доступность хакерских сервисов в даркнете и интеграция искусственного интеллекта в атакующие и защитные инструменты стёрли грань между традиционными и продвинутыми угрозами.

Согласно современным стандартам, для фронтенда актуально более 70 специфических угроз, и для их эффективного выявления и нейтрализации требуются специализированные решения, ориентированные именно на безопасность клиентской части приложений.

Первый и самый массовый — это автоматизированные сканирующие боты, которые многие компании…

В госсекторе и сфере критической информационной инфраструктуры (КИИ) эта доля, конечно, ниже, но в бизнесе и особенно среди индивидуальных пользователей удельный вес Windows превышает 90 %.

Будет как минимум не лишним знать код ошибки для обращения в службу технической поддержки.

Ошибки файловой системы или дисковых устройствО возникновении проблем с файловой системой свидетельствуют ошибки 0x00000023 (файловая система FAT), 0x00000024 (NTFS), и 0x0000004C (ошибки загрузки системного реестра).

Ошибки в работе драйверов, системных служб и библиотекОшибки с кодом 0×0000001E: KMODE_EXCEPTION_NOT_HANDLED с кодом исключения 0xC000026C является одной из самых распространённых.

Проблемы с видеосис…

В основе наших решений лежит метод квантового распределения ключей на боковых частотах фазовомодулированного оптического излучения КРКБЧ — subcarrier wave QKD (SCW-QKD).

Однако полученные результаты заложили физическую основу метода, который впоследствии стал известен как «квантовое распределение ключей на боковых частотах фазовомодулированного излучения».

Юрий Тарасович Мазуренко — автор идеи квантового распределения ключей на боковых частотах.

Этот подход заложил физическую основу метода квантового распределения ключей на боковых частотах фазово-модулированного излучения.

Сравнение ключевых этапов развития КРКБЧ/SCM-QKDДля наглядного сопоставления основных этапов развития метода квантовог…

Мы уже все понимаем, что блокировка Telegram будет в этом году.

Понятно, что не все смогут или захотят это, но тут либо VPN либо более гуманная альтернатива - MTProxy.

Все действия — те же, что и в официальной инструкции, только без рутинных шагов:Ставит зависимости, включая инструменты для проверки свободного порта.

Которую просто надо нажать в Telegram и он автоматически подхватит и подключит.

Если сервис уже настроен, он берёт порт и секрет из текущего systemd-юнита, обновляет конфиг и перезапускает сервис.

С прошлого дайджеста мы добавили еще 2 трендовые уязвимости:уязвимость, приводящая к удаленному выполнению кода, в Microsoft 365 и Microsoft Office - PT-2026-4775 (CVE-2026-21509);уязвимость, приводящая к раскрытию информации, в Desktop Window Manager - PT-2026-2658 (CVE-2026-20805).

Уязвимость, приводящая к удаленному выполнению кода, в Microsoft 365 и Microsoft Office💥 PT-2026-4775 (CVE-2026-21509, оценка по CVSS — 7,8, высокий уровень опасности)Уязвимость была экстренно исправлена 26 января вне регулярных Microsoft Patch Tuesday.

Уязвимость заключается в обходе функций безопасности OLE ( Object Linking and Embedding ) в Microsoft 365 и Microsoft Office.

⚙️ В Office 2021+ защита включаетс…

Данная статья посвящена более глубокому анализу EDR и AMSI, а также общему представлению концепции обходов данных механизмов безопасности.

Зачем нужен AMSI и как он работаетПопулярность и повсеместное использование скриптовых языков программирования привело к значительному росту безфайловых атак.

Установленные EDR могут проверять целостность библиотеки, и в обнаружения несоответствий отправлять алерты в системы мониторинга, и по итогу активная сессия терминала будет закрыта.

В общем случае операция Add‑Type оставляет на диске системы артефакты, да и в целом метод модификации памяти в современных системах может не работать, поэтому злоумышленники прибегают к способу “Отражения”.

Установка эт…

Мы регулярно общаемся с ИТ- и ИБ-командами, в том числе на пилотах и в ходе интервью на профильных мероприятиях.

Мы видим их не только в ритейле, но и в банках, финтехе, телекоме и e-commerce.

Потенциальные векторы утечки данных из non-prod (RnD, Dev/Test)Зачем разработчикам во время тестирования нужны «почти» реальные данные?

Поэтому во многих компаниях встречается такая практика, когда тестовые среды периодически «освежают» данными из production.

Часто утечка начинается не с атаки, а с желания сделать быстрее.

В этой статье разбираем, почему мы на это решились и как вы можете сделать так же, с пошаговыми примерами кода.

Цель атакующего не в том, чтобы перебрать пароль (они понимают, что это бесполезно).

Вместо нормальной защиты вы обслуживаете клубок экранирующих последовательностей, тогда как CrowdSec просто разбирает JSON «из коробки».

sudo cscli collections install crowdsecurity/linux sudo cscli collections install crowdsecurity/caddy-logs sudo systemctl reload crowdsecШаг 2: Настройка Caddy на JSON-логированиеПарсер Caddy в CrowdSec ожидает логи в JSON.

Движок CrowdSec на Go достаточно быстрый, чтобы на скромном сервере разбирать 10 000+ строк логов в секунду.

Всё красиво, пока к вашему серверу не придёт краулер и не попробует на него зайти.

Такое называется active probing, и это не теория, а реальная практика.

# Краулер делает: curl -v --resolve 1c.ru:443:<ваш_IP> https://1c.ru/ # mtg отвечает: # Connection reset / Timeout / Мусор # Вывод: это не 1c.ru.

Telemt не подменяет сертификаты, не генерирует фейки.

Выбираете любой свежий пост с прокси.

Россия же выбрала другой путь: дать ему свободу, но с чёткими ориентирами, где можно экспериментировать, а где — нельзя.

И это не просто очередной документ для галочки — это попытка найти баланс между инновациями и безопасностью.

Российский подход vs европейский AI Act: битва философийЕвропейский AI Act, принятый в 2024 году и вступающий в силу поэтапно до 2026-2027 годов, считается самым жёстким регулированием ИИ в мире.

Если банк использовал этот ИИ для принятия решений без человеческого контроля, хотя разработчик предупреждал о необходимости проверки — виноват банк.

Если кредитный менеджер увидел явно абсурдное решение ИИ, но одобрил кредит "потому что так сказала машина" — виноват менед…

Выяснилось, что китайская хак-группа UNC3886 проникла в сети всех четырех крупнейших операторов связи Сингапура: Singtel, StarHub, M1 и Simba.

Первые сигналы о странной активности власти получили летом, когда сами телекомы начали докладывать о подозрительных событиях в своих сетях.

Сообщается, что UNC3886 использовала комбинацию неназванных 0-day уязвимостей и кастомных руткитов для скрытного проникновения в сети и сохранения своих позиций.

При этом сингапурские власти заявляют, что хакеры не сумели получить доступ к пользовательским данным.

Напомним, что в конце 2024 года стало известно о похожей операции китайской группировки Salt Typhoon, в рамках которой хакеры скомпрометировали инфраст…

Депутаты Госдумы приняли в первом чтении законопроект, который закладывает основы работы единой базы идентификационных номеров мобильных устройств (IMEI).

По словам первого заместителя председателя комитета Госдумы по защите конкуренции Игоря Игошина, каждому устройству, ввозимому в РФ, будет присваиваться уникальный 15-значный IMEI-номер.

По его словам, в будущем в базу могут попасть не только телефоны, но также планшеты и ноутбуки.

При оформлении SIM-карты оператор будет обязан указывать в договоре IMEI устройства и вносить в базу информацию о связке SIM-карты с конкретным гаджетом.

Стоит отметить, что в январе 2026 года «Ведомости» сообщали, что в Минцифры предложили ввести уголовную отв…

Язы­ковые модели ста­новят­ся всё умнее — и, с точ­ки зре­ния регуля­торов, всё опас­нее.

К сло­ву, «нежела­тель­ным» может быть не толь­ко морали­заторс­тво, но и, к при­меру, типич­ный для LLM «слоп» — та самая веж­ливая водянис­тая чепуха, «сло­вес­ные кру­жева», которы­ми ней­рон­ки забива­ют кон­текст.

Но с «миними­заци­ей потерь» быс­тро воз­никли проб­лемы.

Век­торы отка­за в латен­тном прос­транс­тве час­то кор­релиру­ют с век­торами, отве­чающи­ми за здра­вый смысл и логичес­кие связ­ки.

Тог­да, в туман­ном прош­лом, наши далекие пред­ки обна­ружи­ли, что отказ модели — это впол­не кон­крет­ное нап­равле­ние, век­тор в прос­транс­тве акти­ваций.

Февральский «вторник обновлений» принес исправления для 58 уязвимостей в продуктах Microsoft, включая сразу шесть активно эксплуатируемых 0-day.

Как поясняют в Microsoft, новые сертификаты будут устанавливаться постепенно, только на те машины, которые демонстрируют стабильную работу после обновлений.

Что касается исправленных уязвимостей, напомним, что Microsoft относит к уязвимостям нулевого дня те проблемы, информация о которых была раскрыта публично до выхода патча, а также уязвимости, которые уже применяются в атаках.

CVE-2026-21510 — обход защитных механизмов в Windows SmartScreen и Windows Shell.

Отметим, что в обнаружении CVE-2026-21510 и CVE-2026-21514 приняли участие специалисты Go…

Документ включает около 20 мер по борьбе с кибермошенничеством, включая лимиты на количество карт — не более пяти карт в одном банке на одного человека и не более 20 у всех кредитных организаций суммарно.

Замминистра подчеркнул, что Минцифры и ЦБ «хорошо поработали» над проектом, учли «все чувствительные моменты».

Заместитель председателя ЦБ Герман Зубарев объяснял, что лимит в 20 карт выбрали на основе данных самих банков.

«Это достаточно для подавляющего большинства добропорядочных граждан, не создаст им неудобств, но поможет ограничить предложение карт на черном рынке для обналичивания похищенных денег», — пояснил Зубарев.

Глава ЦБ Эльвира Набиуллина добавляла, что мера не затронет обычн…

На прошлой неделе DeFi-платформа Step Finance сообщила о потере 40 млн долларов США в криптовалюте.

Блокчейн-аналитики из компании CertiK первоначально оценили потери Step Finance в 261 854 SOL (около 28,9 млн долларов), однако после расследования в Step Finance озвучили официальную сумму ущерба: 40 млн долларов США.

Как уже было сказано выше, часть средств удалось вернуть: около 3,7 млн долларов в активах Remora и 1 млн в других позициях.

Потери Step Finance значительны, но это лишь десятая часть от всех средств, похищенных у различных криптопроектов за январь 2026 года.

По данным аналитиков CertiK, за первый месяц года общий ущерб от хакерских атак составил 398 млн долларов США, из которы…

Основатель мессенджера Павел Дуров прокомментировал ограничение работы Telegram в России.

10 февраля 2026 года Роскомнадзор (РКН) продолжил замедлять работу Telegram.

В ответ на происходящее Павел Дуров сообщил в своем Telegram-канале:«Россия ограничивает доступ к Telegram, пытаясь заставить своих граждан перейти на контролируемое государством приложение, созданное для слежки и политической цензуры.

Напомним, что Роскомнадзор начал ограничивать голосовые звонки в WhatsApp и Telegram еще в августе 2025 года, объясняя это борьбой с мошенниками и террористами.

В середине января пользователи уже жаловались на сбои в работе Telegram, однако тогда в РКН отрицали применение новых ограничительных м…

Инструмент анализирует все команды в командной строке перед выполнением и блокирует опасные URL.

Омографические атаки строятся на использовании омоглифов — графически одинаковых или похожих друг на друга символах, имеющих разное значение.

Инструмент подключается к шеллу пользователя (поддерживаются zsh, bash, fish и PowerShell) и проверяет каждую вставляемую команду.

Sheeki утверждает, что на проверку уходит меньше миллисекунды, то есть анализ происходит почти мгновенно.

Инструмент не модифицирует команды пользователя, не работает в фоне, не требует облачных подключений, API-ключей или аккаунтов и не передает никуда телеметрию.

В начале дня источники РБК в профильных ведомствах и ИТ-индустрии сообщили, что власти приняли решение начать работу по замедлению Telegram в России.

В ведомстве заявили СМИ, что Telegram продолжает игнорировать российское законодательство и не принимает реальных мер для противодействия мошенничеству и использованию его в преступных и террористических целях, а также не обеспечивает защиту персональных данных.

Депутат предложил Telegram создать отдельное юридическое лицо в России, «передать сюда лицензии на российские сегменты, совершенно спокойно здесь работать по российскому законодательству».

Напомним, что Роскомнадзор начал ограничивать голосовые звонки в WhatsApp и Telegram еще в август…

Уяз­вимость в W3 Total Cache шокиру­ет не толь­ко прос­тотой ата­ки, но и мас­шта­бами, ведь этот пла­гин для WordPress уста­нов­лен на мил­лионы сай­тов.

W3 Total Cache — один из самых извес­тных пла­гинов для WordPress, пред­назна­чен для кеширо­вания и повыше­ния про­изво­дитель­нос­ти сай­та.

W3 Total Cache под­держи­вает так называ­емые динами­чес­кие фраг­менты — спе­циаль­ные мар­керы mfunc и mclude , которые поз­воля­ют выпол­нять PHP-код или под­клю­чать фай­лы даже внут­ри пол­ностью закеши­рован­ной HTML-стра­ницы.

Дви­жок никак не защища­ет от инъ­екции, поэто­му в зоне рис­ка — любой сайт с пла­гином W3 Total Cache вер­сии ниже 2.18.13.

org/ plugin/ w3- total- cache.

Злоумышленники скомпрометировали официальные пакеты npm и PyPI криптовалютной биржи dYdX и распространили через них малварь.

Специалисты из компании Socket предупреждают, что атака затронула два ключевых пакета для взаимодействия с протоколом dYdX v4 — @dydxprotocol/v4-client-js в npm и dydx-v4-client в PyPI.

Вредоносный код встроен в ключевые файлы (registry.ts, registry.js для npm и account.py для PyPI), которые выполняются при штатном использовании библиотеки.

В официальном заявлении dYdX подчеркнула, что версии пакета dydx-v4-clients, размещенные в репозитории dydxprotocol на GitHub, не содержат малвари.

К примеру, в сентябре 2022 года npm-аккаунт сотрудника биржи был взломан, и атакующ…

Аналитики компании F6 обнаружили новую мошенническую схему, нацеленную на геймеров — злоумышленники запустили фальшивый маркетплейс цифровых товаров под вымышленным брендом Zadrotik.

На сайте «торгуют» лицензионными ключами, игровой валютой и подписками на популярные сервисы — от CS2 и Fortnite до ChatGPT и Spotify.

Цены варьируются от 810 рублей до 478 000 рублей за редкий скин Dragon Lore для CS2.

Кроме игровых предметов, злоумышленники предлагают годовую подписку на ChatGPT Plus за 6210 рублей, Spotify Premium на 12 месяцев за 1879 рублей и пополнение iTunes на 5000 рублей за 6229 рублей.

Скамеры размещают рекламные баннеры и оставляют комментарии под постами, маскируя их под «полезные с…

Китайская хак-группа Warlock (она же Gold Salem и Storm-2603) проникла в сеть SmarterTools и развернула вымогательское ПО на 30 почтовых серверах, работавших как в офисе компании, так и в дата-центре, где проходило QA-тестирование.

Патч для CVE-2026-24423 выпустили 15 января в версии 9511, то есть за две недели до взлома.

Стоит отметить, что помимо CVE-2026-24423, за последние три недели в SmarterMail нашли еще две серьезные проблемы.

CVE-2026-23760 (тоже 9,3 балла по шкале CVSS) позволяла удаленно выполнить код и в настоящее время тоже активно эксплуатируется злоумышленниками.

Cпециалисты пишут, что обычно группировка Warlock эксплуатирует уязвимости в SharePoint, Veeam, но теперь добавила…

Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild.

In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fake Microsoft login page, stealing over 4,000 credentials in the process.

The Outlook add-in in question is AgreeTo, which is advertised by its developer as a way for users to connect different calendars in a single place and share their availability through email.

"Office add-ins are fundamentally different from traditional software," Dardikman added.

It bears noting that the problem is not limited …

The campaigns are characterized by the use of malware families like Geta RAT, Ares RAT, and DeskRAT, which are often attributed to Pakistan-aligned threat clusters tracked as SideCopy and APT36 (aka Transparent Tribe).

After the lure document is displayed, the malware checks for installed security products and adapts its persistence method accordingly prior to deploying Geta RAT on the compromised host.

Running parallel to this Windows-focused campaign is a Linux variant that employs a Go binary as a starting point to drop a Python-based Ares RAT by means of a shell script downloaded from an external server.

Like Geta RAT, Ares RAT can also run a wide range of commands to harvest sensitive …

It's Patch Tuesday, which means a number of software vendors have released patches for various security vulnerabilities impacting their products and services.

Microsoft issued fixes for 59 flaws, including six actively exploited zero-days in various Windows components that could be abused to bypass security features, escalate privileges, and trigger a denial-of-service (DoS) condition.

Elsewhere, Adobe released updates for Audition, After Effects, InDesign Desktop, Substance 3D, Bridge, Lightroom Classic, and DNG SDK.

"At the same time, these features have increased the complexity of a highly privileged software component in the TCB [Trusted Computing Base]."

Software Patches from Other Ven…

The issue is not the applications themselves, but how they are often deployed and maintained in real-world cloud environments.

Evidence of Active ExploitationThe exposed training environments identified during the research were not simply misconfigured.

Across the broader dataset of exposed training applications, approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms.

The presence of active crypto-mining and persistence tooling demonstrates that exposed training applications are not only discoverable but are already being exploited at scale.

Pentera Labs observed this deployment pat…

Microsoft on Tuesday released security updates to address a set of 59 flaws across its software, including six vulnerabilities that it said have been exploited in the wild.

(CVSS score: 8.8) - A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.

CVE-2026-21513 (CVSS score: 8.8) - A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.

(CVSS score: 8.8) - A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.

A crafted file can silently bypass Windows security pro…

Cybersecurity researchers have disclosed details of a new botnet operation called SSHStalker that relies on the Internet Relay Chat (IRC) communication protocol for command-and-control (C2) purposes.

"These are low value against modern stacks, but remain effective against 'forgotten' infrastructure and long-tail legacy environments."

SSHStalker combines IRC botnet mechanics with an automated mass-compromise operation that uses an SSH scanner and other readily available scanners to co-opt susceptible systems into a network and enroll them in IRC channels.

Flare's investigation of the staging infrastructure associated with the threat actor has uncovered an extensive repository of open-source …

The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft.

Once contact is established, the threat actor uses Calendly to schedule a 30-minute meeting with them.

The meeting link is designed to redirect the victim to a fake website masquerading as Zoom ("zoom.uswe05[.]us").

Once the target joins the meeting, they are displayed a screen that resembles an actual Zoom meeting.

It also comes with the ability to record keystrokes, observe username and password inputs, and extract browser cookies.

The IT worker threat is a long-running operation mounted by North Korea in which operatives from the country pose as remote workers to secure jobs in Western companies and elsewhere under stolen or fabricated identities.

The threat is also tracked by the broader cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole.

"Once their salaries are paid, DPRK IT workers transfer cryptocurrency through a variety of different money laundering techniques," blockchain analysis firm Chainalysis noted in a report published in October 2025.

"Simple checks like asking them to connect with you on LinkedIn will verify their ownership and control of the account."

"The businesses have been tricked…

Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself.

"However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself."

Notably, the driver has been put to use by a threat actor known as Silver Fox in attacks designed to kill endpoint security tools prior to delivering ValleyRAT.

"The advantages of wrapping the defense evasion capability in with the ransomware payload, and the reason ransomware actors might do this, may include the fact that pa…

Rather than breaking in and burning systems down, today’s attackers increasingly behave like Digital Parasites.

The data in this year’s Red Report tells a quieter story, one that reveals where defenders are actually losing visibility.

The mechanics of the Digital Parasite remain unchanged: credential theft, stealthy persistence, abuse of trusted processes, and longer and longer dwell times.

While ransomware headlines still dominate the news cycle, the Red Report 2026 shows that, more and more, the real risk lies in silent, persistent compromise.

Download the Picus Red Report 2026 to explore this year’s findings and understand how modern adversaries are staying inside networks longer than ev…

This marks a recognition from leading capital markets of a new solution: ending the era of high false positive rates in security tools and making every alert genuinely actionable.

"In the traditional field of code security analysis, high false positive rates have long been a core pain point plaguing enterprise security teams.

Unlike traditional static analysis tools, ZAST.AI leverages advanced AI technology to perform deep code analysis on applications.

It can not only automatically generate Proof-of-Concept (PoC) code for exploiting vulnerabilities but also automatically execute and verify whether the PoC successfully triggers the vulnerability.

In the future, ZAST.AI will continue to deep…

SmarterTools confirmed last week that the Warlock (aka Storm-2603) ransomware gang breached its network by exploiting an unpatched SmarterMail instance.

"Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network," Curtis explained.

CVE-2026-23760 is an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by sending a specially crafted HTTP request.

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that CVE-2026-24423 was being exploited in ransomware attacks.

"This pace of weaponization is consistent with ransomware operators rapidly analyzing vendor fi…

If you’re looking to buy or sell on the platform and want to stay clear of the scammers, read on.

Payment scamAs above, scammers (whether buyer or sellers) will often try to trick you into transacting via third-party cash app services.

In fact, they’re usually trying to log into your account and need the two-factor authentication code sent by OfferUp.

Bouncing checksA scammer pays for an item you’re selling via check, which bounces several days later, leaving you without the item and no payment.

OfferUp is great way to pick up bargains in your area, or make a little extra money from items you no longer need.

Fake appsMobile apps masquerading as official Winter Olympics apps may actually contain infostealing malware or other threats.

Staying safe from Winter Olympics scamsTo stay safe online, stick to the official Winter Olympics sites and don’t engage with unsolicited messages and too-goo-to-be-true deals.

Avoid clicking on links or opening attachments in unsolicited messages, even if they appear to be from legitimate Winter Olympics organizers/sponsors.

If you’re going to the event, download the official Olympics app for schedules, maps, and digital tickets.

The XXV Winter Olympic Games in Milano-Cortina is set to be a treat for sports fans around the world.

The trends that emerged in January offer useful clues about the risks and priorities that security teams are likely to contend with throughout the yearThe year got off to a busy start, with January offering an early snapshot of the challenges that (not just) cybersecurity teams are likely to face in the months ahead.

It's therefore time for ESET Chief Security Evangelist Tony Anscombe to look back on some of the month's most impactful cybersecurity stories.

Here's some of what caught Tony's eye:What are some of the lessons businesses should take away from these incidents?

Be sure to check out the video, as well as watch the December 2025 edition of Tony's security news roundup for more news…

Key points of the report: ESET researchers identified new data-wiping malware that we have named DynoWiper, used against an energy company in Poland.

We attribute DynoWiper to Sandworm with medium confidence, in contrast to the ZOV wiper, which we attribute to Sandworm with high confidence.

However, since the start of Russia’s full-scale invasion of Ukraine, Sandworm has changed its tactics regarding targets in Poland.

In December 2025, we detected the deployment of a destructive malware sample, which we named DynoWiper, at an energy company in Poland.

Interestingly, during the analysis of the ZOV wiper incident, we identified a newer PowerShell script used to deploy the ZOV wiper.

The campaign uses a malicious app posing as a chat platform that allows users to initiate conversations with specific “girls” – fake profiles probably operated via WhatsApp.

While we don’t know how the malicious app is distributed, we assume that this exclusivity tactic is used as part of the lure, with the purported access codes distributed along with the app.

GhostChat, the malicious app used in the campaign, poses as a dating chat platform with seemingly locked female profiles.

Once the app is installed, its operators can monitor, and exfiltrate sensitive data from, the victim’s device.

This action triggered ClickFix instructions, as seen in Figure 11, which led to the download and execu…

10 reasons your inbox is full of spam and/or scamsEmail spam can range from pesky, unsolicited missives sent in bulk to the downright dangerous and malicious (phishing messages and malware delivered via spam and also known as ‘malspam’).

They then post or sell that data on cybercrime forums/marketplaces, where others buy it for use in phishing emails.

If they manage to achieve a breakthrough that bypasses spam filters, expect unwanted messages to start flooding in.

What not to doIt’s also best practice never to:Avoid clicking on ‘unsubscribe’ or replying to a spam email, as this will verify your address to the sender.

Reset your email security settings or lower spam ‘sensitivity’ levels.

The attack involved data-wiping malware that ESET researchers have now analyzed and named DynoWiperIn late 2025, Poland’s energy system faced what has been described as the “largest cyberattack” targeting the country in years.

ESET Research has now found that the attack was the work of the notorious Russia-aligned APT group Sandworm.

Meanwhile, the attack on Poland’s power grid in the last week of December involved data-wiping malware that ESET has now analyzed and named DynoWiper.

In their latest APT Activity Report, covering April to September 2025, ESET researchers noted that they spotted Sandworm conducting wiper attacks against targets in Ukraine on a regular basis.

ESET Research offer…

AI chatbots have become a big part of all of our lives since they burst onto the scene more than three years ago.

A similar share of parents is worried their kids think AI chatbots are real people.

Our children use generative AI (GenAI) in diverse ways.

Children are going through an incredible period of emotional and cognitive development, making them vulnerable in various ways.

The onus, therefore, is definitely on parents to get ahead of any threats through proactive monitoring and education.

Here’s how the most common scams targeting Apple Pay users work and what you can do to stay one step aheadApple Pay is clearly a hit with consumers.

Here are some common scams targeting Apple Pay users.

Top six scams targeting Apple Pay usersApple Pay scammers are usually after your financial information, your money or your Apple ID and logins/2FA codes.

Or it could be a fake story about how your Apple Pay account has been suspended, your card was added to Apple Pay or similar pretexts.

First, take a moment to recognize the most common red flags and Apple Pay scams, as listed above.

A full 25 percent of the top 1,000 most-used passwords are made up of nothing but numerals.

This is according to NordPass’ analysis, which is based on billions of leaked passwords and sheds light on password trends among people in 44 countries.

Same old, same oldUsing an easily-guessable password is tantamount to locking the front door of your house with a paper latch.

Weak, obvious, or reused passwords can expose not only individual employees, but entire organizations, their customers, and their partners.

But if your own passwords appear on either list above, improving your account security should be one of the most important of them.

It may be the most recent high-profile case of threat actors abusing LinkedIn to further their own nefarious goals.

It’s easy to get up and running: For threat actors, the potential ROI for attacks using LinkedIn is massive.

Account hijacking : Fake LinkedIn (phishing) pages, infostealers, credential stuffing and other techniques can be used to help threat actors takeover users’ accounts.

: Fake LinkedIn (phishing) pages, infostealers, credential stuffing and other techniques can be used to help threat actors takeover users’ accounts.

However, it would make sense to build LinkedIn threat scenarios of the sort described above into security awareness courses.

New legislation in Australia makes it illegal for those under 16 to have a social media account.

To avoid financial penalties, social media companies have scrambled to remove accounts they believe breach the legislation.

As 2026 has just begun, this also sparks a broader question for internet users and regulators alike: will this be the year the world rethinks identity online?

Unless an app or service is operated by a regulated company that requires identity verification, people are free to create accounts on many services using any identity they desire.

I am not suggesting that all services need to have verified users.

Contrary to popular belief, much of the dark web isn’t the den of digital iniquity that some commentators claim.

involve the large-scale theft of customer/employee information, which then usually appears for sale on the dark web.

If you unwittingly click through and enter your information on a phishing site, it could end up being sold on the dark web.

If you unwittingly click through and enter your information on a phishing site, it could end up being sold on the dark web.

Finally, sign up to identity protection services and sites like HaveIBeenPwned, which will alert you when any PII appears on the dark web.

Indeed, credential stuffing is the digital equivalent of someone discovering a skeleton key that opens your house, office, and safe – all in one sweep.

While credential stuffing is by no means new, several trends have exacerbated the problem.

Here’s the scale at which credential stuffing attacks can be conducted:In 2022, PayPal reported that nearly 35,000 customer accounts were compromised via credential stuffing.

How to protect your organizationThese days, credential stuffing is also a primary vector for account takeover, fraud, and large-scale data theft across industries, including retail, finance, SaaS, and health care.

Importantly, many organizations are embracing passwordless authenti…

A massive wave of exploitation attempts has followed the disclosure of CVE-2026-1281, a critical pre-authentication Ivanti EPMM vulnerability, the Shadowserver Foundation has warned.

“On February 9, Defused Cyber reported a campaign deploying dormant in-memory Java class loaders to compromised EPMM instances at the path /mifs/403.jsp.

The implants require a specific trigger parameter to activate, and no follow-on exploitation was observed at the time of their report,” Greynoise noted.

Ivanti, with the help of the Dutch National Cyber Security Center (NCSC-NL) has released a detection script to help customers find evidence of exploitation in their Ivanti EPMM environment.

NCSC-NL warned that…

Microsoft has begun updating Secure Boot certificates originally issued in 2011 to ensure that Windows devices continue to verify boot software as older certificates reach the end of their lifecycle and begin expiring in June 2026.

How Secure Boot certificate updates workFor most individuals and businesses that allow Microsoft to manage updates, the new certificates will install automatically with monthly Windows updates, requiring no additional action.

Some device manufacturers may also require a firmware update before the system can apply the new Secure Boot certificates delivered via Windows update.

For devices that are not covered by automatic updates, Microsoft advises organizations to…

CodeHunter is expanding its behavioral intent technology beyond traditional malware analysis to address supply chain risk and security decision-making across the software development lifecycle (SDLC).

Originally built to overcome the limitations of signature-based malware detection, CodeHunter has focused from the outset on analyzing what software does, not just what it looks like.

The result is a Behavioral Intent Profile (BIP), a deterministic, explainable record of how an artifact is expected to behave and whether that behavior introduces security, operational, or compliance risk.

Rather than replacing existing security tools, CodeHunter operates as an out-of-band analysis layer, integra…

Kong has announced Kong Context Mesh, a product that automatically discovers enterprise APIs, transforms them into agent-consumable tools, and deploys them with runtime governance.

Context Mesh allows them to reuse that investment to power agents instead of starting from scratch,” said Marco Palladino, CTO of Kong.

“The challenge is that agents are only as good as the enterprise context they can reach.

However, enterprise context is scattered across APIs, event streams, and applications, each with different schemas, credentials, and access rules.

Kong Context Mesh is designed to help close that gap by turning existing API infrastructure into agent-ready connectivity.

Microsoft has plugged 50+ security holes on February 2026 Patch Tuesday, including six zero-day vulnerabilities exploited by attackers in the wild.

The “security feature bypass” zero-daysAmong the zero-days fixed are three vulnerabilities that allow attackers to bypass a security feature.

CVE-2026-21513 affects the MSHTML/Trident browser engine for the Microsoft Windows version of Internet Explorer, and CVE-2026-21514 affects Microsoft Word.

The latter can be triggered by a malicious Office file crafted to bypass OLE mitigations in Microsoft 365 and Microsoft Office.

(If this sounds familiar, it’s because Microsoft recently fixed a similar flaw with an emergency update due to in-the-wild at…

Microsoft security researchers discovered a growing trend of AI memory poisoning attacks used for promotional purposes, referred to as AI Recommendation Poisoning.

The analysis observed attempts to steer AI assistants through embedded prompts designed to change how sources are remembered and recommended.

When selected, these links executed automatically in the user’s AI assistant, and in some cases were also delivered through email,” the researchers noted.

Hovering over links before clicking can help identify destinations pointing to AI assistant domains, particularly when links are embedded in “Summarize with AI” buttons.

AI assistant memory settings provide visibility into stored informat…

These capabilities, however, also create new security risks.

In this paper, we introduce CHAI (Command Hijacking against embodied AI), a new class of prompt-based attacks that exploit the multimodal language interpretation abilities of Large Visual-Language Models (LVLMs).

CHAI embeds deceptive natural language instructions, such as misleading signs, in visual input, systematically searches the token space, builds a dictionary of prompts, and guides an attacker model to generate Visual Attack Prompts.

We evaluate CHAI on four LVLM agents; drone emergency landing, autonomous driving, and aerial object tracking, and on a real robotic vehicle.

By exploiting the semantic and multimodal reasonin…

Other fiction magazines have also reported a high number of AI-generated submissions.

Others have met the offensive of AI inputs with some defensive response, often involving a counteracting use of AI.

Science seems likely to become stronger thanks to AI, yet it faces a problem when the AI makes mistakes.

In general, we believe writing and cognitive assistance, long available to the rich and powerful, should be available to everyone.

And that may mean embracing the use of AI assistance in these adversarial systems, even though the defensive AI will never achieve supremacy.

This is amazing:Opus 4.6 is notably better at finding high-severity vulnerabilities than previous models and a sign of how quickly things are moving.

Security teams have been automating vulnerability discovery for years, investing heavily in fuzzing infrastructure and custom harnesses to find bugs at scale.

But what stood out in early testing is how quickly Opus 4.6 found vulnerabilities out of the box without task-specific tooling, custom scaffolding, or specialized prompting.

Fuzzers work by throwing massive amounts of random inputs at code to see what breaks.

When we pointed Opus 4.6 at some of the most well-tested codebases (projects that have had fuzzers running against them for years,…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

I Am in the Epstein FilesOnce.

Someone named “Vincenzo lozzo” wrote to Epstein in email, in 2016: “I wouldn’t pay too much attention to this, Schneier has a long tradition of dramatizing and misunderstanding things.” The topic of the email is DDoS attacks, and it is unclear what I am dramatizing and misunderstanding.

Rabbi Schneier is also mentioned, also incidentally, also once.

As far as either of us know, we are not related.

Posted on February 6, 2026 at 3:43 PM • 0 Comments

It also provides rare insight into the apparent effectiveness of Lockdown Mode, or at least how effective it might be before the FBI may try other techniques to access the device.

The document is written by the government, and is opposing the return of Natanson’s devices.

The FBI raided Natanson’s home as part of its investigation into government contractor Aurelio Perez-Lugones, who is charged with, among other things, retention of national defense information.

The government believes Perez-Lugones was a source of Natanson’s, and provided her with various pieces of classified information.

While executing a search warrant for his mobile phone, investigators reviewed Signal messages between …

Backdoor in Notepad++Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users.

Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2.

Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers.

Make sure you’re running at least version 8.9.1.

Posted on February 5, 2026 at 7:00 AM • 0 Comments

US Declassifies Information on JUMPSEAT Spy SatellitesThe US National Reconnaissance Office has declassified information about a fleet of spy satellites operating between 1971 and 2006.

I’m actually impressed to see a declassification only two decades after decommission.

Posted on February 4, 2026 at 7:02 AM • 0 Comments

Microsoft gives the FBI the ability to decrypt BitLocker in response to court orders: about twenty times per year.

It’s possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its servers for convenience.

While that means someone can access their data if they forget their password, or if repeated failed attempts to login lock the device, it also makes them vulnerable to law enforcement subpoenas and warrants.

AI Coding Assistants Secretly Copying All Code to ChinaThere’s a new report about two AI coding assistants, used by 1.5 million developers, that are surreptitiously sending a copy of everything they ingest to China.

Maybe avoid using them.

Posted on February 2, 2026 at 7:05 AM • 0 Comments

A new species of squid.

pretends to be a plant:Scientists have filmed a never-before-seen species of deep-sea squid burying itself upside down in the seafloor—a behavior never documented in cephalopods.

They captured the bizarre scene while studying the depths of the Clarion-Clipperton Zone (CCZ), an abyssal plain in the Pacific Ocean targeted for deep-sea mining.

The team described the encounter in a study published Nov. 25 in the journal Ecology, writing that the animal appears to be an undescribed species of whiplash squid.

It was very novel and very puzzling.”

From an Anthropic blog post:In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations.

This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.

[…]A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations.

Sonnet 4.5 ac…

The US Supreme Court is considering the constitutionality of geofence warrants.

Police probing the crime found security camera footage showing a man on a cell phone near the credit union that was robbed and asked Google to produce anonymized location data near the robbery site so they could determine who committed the crime.

They did so, providing police with subscriber data for three people, one of whom was Chatrie.

Police then searched Chatrie’s home and allegedly surfaced a gun, almost $100,000 in cash and incriminating notes.

Chatrie’s appeal challenges the constitutionality of geofence warrants, arguing that they violate individuals’ Fourth Amendment rights protecting against unreasona…

The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows.

CVE-2026-21514 is a related security feature bypass in Microsoft Word.

The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services.

Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday.

On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.

A prolific data ransom gang that calls itself Scattered Lapsus Shiny Hunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion.

Some victims reportedly are paying — perhaps as much to contain the stolen data as to stop the escalating personal attacks.

That’s according to Allison Nixon, director of research at the New York City based security consultancy Unit 221.

Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility destroyin…

The FBI said Badbox 2.0 was discovered after the original Badbox campaign was disrupted in 2024.

KrebsOnSecurity was initially skeptical of the claim that the Kimwolf botmasters had hacked the Badbox 2.0 botnet.

]net, a domain that was flagged in a March 2025 report by HUMAN Security as one of several dozen sites tied to the distribution and management of the Badbox 2.0 botnet.

However, the source of that Badbox 2.0 screenshot said the Kimwolf botmasters had an ace up their sleeve the whole time: Secret access to the Badbox 2.0 botnet control panel.

The source said it isn’t clear how Dort gained access to the Badbox botnet panel.

Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints.

Kimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week.

The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.

Kimwolf’s close association with residential proxy networks and compromised Android TV boxes might suggest we’d find relatively few infections on corpor…

Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software.

“Today’s Windows patches remove agrsm64.sys and agrsm.sys.

This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026.

Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything.

XLab said it suspected since October that Kimwolf and Aisuru had the same author(s) and operators, based in part on shared code changes over time.

In late October 2025, Brundage shared that the people selling various proxy services which benefitted from the Aisuru and Kimwolf botnets were doing so at a new Discord server called resi[.]to.

]to Discord channel would periodically post new IP addresses that were responsible for proxying traffic over the Kimwolf botnet.

All told, Synthient said it tracked at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025.

]to Discord server vanished, Synthient’s website was hit with a DDoS at…

The most typical of these uninvited guests are small programs that turn the device into a residential proxy node that is resold to others.

Brundage says Kimwolf grew rapidly by abusing a glaring vulnerability in many of the world’s largest residential proxy services.

Kilmer said one model of unsanctioned Android TV boxes that is especially popular — the Superbox, which we profiled in November’s Is Your Android TV Streaming Box Part of a Botnet?

At that point, your home’s public IP address will show up for rent at the website of some residential proxy provider.

Brundage also has compiled a list of the unofficial Android TV boxes that are most highly represented in the Kimwolf botnet.

Your engagement this past year here has been tremendous and truly a salve on a handful of dark days.

The arrests came shortly after the FBI and the Dutch police seized dozens of servers and domains for the group.

In June, KrebsOnSecurity.com was hit by the largest DDoS attack that Google had ever mitigated at the time (we are a grateful guest of Google’s excellent Project Shield offering).

Another Aisuru attack on Cloudflare just days later practically doubled the size of the June attack against this website.

If you like the content we publish at KrebsOnSecurity.com, please consider making an exception for our domain in your ad blocker.

Democratic lawmakers have urged the SEC to investigate what they call “concerning ties to President Trump and his family” as potential conflicts of interest and foreign influence.

In October, President Trump pardoned Changpeng Zhao, the founder of the world’s largest cryptocurrency exchange Binance.

President Trump this term has fired most of the people involved in processing Freedom of Information Act (FOIA) requests for government agencies.

CONSUMER PROTECTION, PRIVACYAt the beginning of this year, President Trump ordered staffers at the Consumer Financial Protection Bureau (CFPB) to stop most work.

Nevertheless, it emerged in June that the Trump administration has built a central databas…

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page.

Infoblox found parked websites are benign if the visitor arrives at the site using a virtual private network (VPN), or else via a non-residential Internet address.

A defanged list of these typosquatting domains is available here (the dots in the listed domains have been replaced with commas).

“It was often a chain of redirects — one or two domains outside p…

Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software.

This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities.

Despite releasing a lower-than-normal number of security updates these past few months, Microsoft patched a whopping 1,129 vulnerabilities in 2025, an 11.9% increase from 2024.

The zero-day flaw patched today is CVE-2025-62221, a privilege escalation vulnerability affecting Windows 10 and later editions.

For anyone seeking a more granular breakdown of the security updates Microsoft pushed today, check out the roundup at the SANS In…

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.

UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:–Proglobal Solutions LTD (advertised nerdifyit[.

Currently active Google Ads accounts for the Nerdify brands include:-OK Marketing LTD (advertising geekly-hub[.

For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.

While Synergy University promotes itself as Russia’s largest private educational institutio…

The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:Ford Merrill works in security research at SecAlliance, a CSIS Security Group company.

CAVEAT EMPTORMany SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill sai…

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters.

But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel.

Incredibly, Rey w…

What followed was a textbook example of how modern romance scams can operate.

But rather than hiding in the darkness like some shadowy criminal, Dr. Abhulimhen presented himself as a globe-trotting philanthropist and businessman, rubbing shoulders with powerful Nigerian officials and international figures.

The FBI's Internet Crime Complaint Center consistently ranks romance scams amongst the costliest forms of cybercrime, whilst UK victims lost over £92 million to romance fraud in 2023 alone.

Whether Ikeji or Dr. Abhulimhen will face justice remains unclear.

But at least one fake prince has discovered that his Nigerian mansion offers rather less sanctuary than he had hoped.

24-year-old Rui-Siang Lin operated Incognito Market under the alias "Pharaoh" from October 2020 until March 2024, facilitating over $105 million in illegal drug sales to more than 400,000 customers across the globe.

Things turned deadly in January 2022 when Lin allowed the sale of opiates on Incognito Market.

In March 2024, Lin abruptly shut down Incognito Market without warning, stealing at least US $1 million in user deposits.

In May 2024, Lin was arrested when he flew into New York's JFK Airport en route to Singapore, and subsequently pleaded guilty to drugs-related charges and money laundering.

US District Judge Colleen McMahon has now given Lin a 30-year prison sentence, describing Inc…

Supposedly redacted Jeffrey Epstein files can still reveal exactly who they’re talking about – especially when AI, LinkedIn, and a few biographical breadcrumbs do the heavy lifting.

All this, and much more, in episode 453 of Smashing Security with cybersecurity veteran Graham Cluley and special guest Tricia Howard.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

The FBI has seized control of RAMP, a notorious cybercrime online forum that bragged to be "the only place ransomware allowed."

The seizure banner comes complete with a cheeky addition - a winking Masha from the popular Russian children's TV cartoon series "Masha and the Bear."

Many infamous ransomware groups, such as ALPHV/BlackCat, Qilin, DragonForce, and RansomHub would use the RAMP platform to promote their operations.

Following the seizure of RAMP, another of the forum's alleged operators, confirmed the takedown in a posting on another hacking forum.

As Flare reports, "Stallman" has indicated that the cybercriminal activity conducted through RAMP would continue through other channels.

Imagine the scene. It's a cold Monday morning in Moscow. You walk out to your car, coffee in hand, ready to face the day. You press the button to unlock your car, and ... nothing happens. You try again. Still nothing. The alarm starts blaring. You can't turn it off. Read more in my article on the Fortra blog.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veteran Graham Cluley, joined this week by special guest Joe Tidy.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Police in Hungary and Romania have arrested four young men suspected of making hoax bomb threats and terrorising internet users through SWATting and doxing attacks.

SWATting is a particularly underhand way of making someone else's day a misery – without having to leave your home.

Secondly, the phone numbers were spoofed when making threatening calls to police, effectively directing emergency services to their door.

Hungarian police are keen to underline that SWATting and doxing are serious criminal offences that endanger lives, and are not harmless pranks.

"The police emphasise that swatting and doxing are serious crimes that endanger the lives of others and are not a joke," reads the press…

Security researchers have uncovered at least 16 malicious Chrome extensions masquerading as handy ChatGPT productivity tools.

Instead, they hook into the Chrome browser, and intercept outgoing data that contains users' authentication details.

My advice is to check if you have installed any ChatGPT-related browser extensions recently, and remove any that you have concerns over.

The security researchers who uncovered the malware campaign have listed the names of the extensions that have been identified so far (although, of course, it is possible that more have been used - or could still be):ChatGPT folder, voice download, prompt manager - ChatGPT ModsChatGPT voice download, TTS download - Cha…

In episode 85 of The AI Fix, Graham discovers that Silicon Valley has the solution to your pet’s mental health crisis, and Mark explains why AI godfather Yann LeCun thinks the entire AI industry is wrong about LLMs.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive c…

It has just been a few weeks since we reported on the Christmas cyber attack suffered by the European Space Agency (ESA), and the situation has already become worse.

In light of the latest data breach to impact ESA, the December 2025 incident doesn't look too bad.

Furthermore, this latest breach reportedly involves data that might be more concerning - such as operational procedures, spacecraft and mission details, subsystems documentation, and proprietary contractor data from ESA partners including SpaceX, Airbus Group, and Thales Alenia Space.

As a consequence of this latest incident, ESA has now confirmed that a criminal investigation is underway.

Some have suggested that poor cybersecuri…

All this, and much more, in this episode of the “Smashing Security” podcast with Graham Cluley, and special guest Ray [REDACTED]Host:Graham Cluley:@grahamcluley.com @ *protected email* / grahamcluleyGuest:Ray Redacted:@rayredacted.comEpisode links:Sponsored by:Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Blu…

The UK's National Cyber Security Centre (NCSC) has issued a warning about the threat posed by distributed denial-of-service (DDoS) attacks from Russia-linked hacking groups who are reported to be continuing to target British organisations.

The denial-of-service attacks are typically not highly sophisticated, but can still successfully cause disruption to IT systems, and cost organisations a significant amount of time and money as they attempt to respond or recover.

The most obviously visible symptom of a basic denial-of-service attack can be that a website is no longer accessible, as hackers flood it with unwanted traffic, making it impossible for legitimate users to reach the resource.

As …

Oh, and AI has managed to crack some famously unsolved maths problems in minutes, and Grok gains access to all of the Pentagon’s networks?

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Очень скоро Clawdbot по настоянию Anthropic из-за созвучности с Claude был переименован сначала в Moltbot, a затем, еще через несколько дней, — в OpenClaw.

Риски безопасности: исправляемые и не оченьОдновременно с тем, как OpenClaw захватывал соцсети, эксперты по кибербезопасности хватались за голову: количество уязвимостей, содержащихся в OpenClaw, превосходило все возможные предположения.

Проблема в том, что в Интернете в открытом доступе находятся сотни неправильно настроенных административных интерфейсов OpenClaw.

Например, как мы недавно писали в посте Джейлбрейк в стихах: как поэзия помогает разговорить ИИ, промпт в стихах существенно снижает эффективность защитных ограничений языковы…

Наведя в них порядок и сформировав общий словарь, CISO и совет директоров значительно улучшат свои коммуникации и в конечном счете повысят защищенность организации.

Руководство может одобрить покупку решения zero trust, не понимая, что это лишь часть долгосрочной комплексной программы со значительно большим бюджетом.

Руководители бизнес-подразделений могут принимать риски ИБ, не имея полного представления об их потенциальном воздействии.

Управляемые активы и поверхность атакиРаспространенное и опасное заблуждение касается охвата защиты и общей видимости, которая есть у ИТ и ИБ.

Зачастую именно эти «невидимые» для компании активы становятся точкой входа для атаки, потому что ИБ не может защи…

За последние два месяца были обнаружены сразу три уязвимости, эксплуатация которых позволяет обходить аутентификацию в продуктах Fortinet с использованием механизма FortiCloud SSO.

Эти уязвимости позволяют злоумышленникам с учетной записью FortiCloud логиниться в чужие аккаунты FortiOS, FortiManager, FortiAnalyzer, FortiProxy и FortiWeb, если на устройстве включена функция SSO.

Правила уже доступны клиентам для скачивания в репозитории KUMA; название пакета: [OOTB] FortiCloud SSO abuse package – ENG.

По мере появления новых отчетов об атаках мы планируем дополнять новой информацией правила с пометкой IOC.

Дополнительные рекомендацииМы также рекомендуем использовать правила из пакета FortiCl…

В наши дни технологии создания поддельных видео- и голосовых сообщений стали доступны каждому, и мошенники активно осваивают технологии дипфейков.

Ранее мы уже рассказывали, как отличить настоящее фото или видео от фейка и отследить его происхождение до момента съемки или генерации.

Теперь давайте разберем, как злоумышленники создают и используют дипфейки в реальном времени, как распознать подделку без сложной экспертизы и защитить себя и близких от «атаки клонов».

Как делают дипфейкиИсходный материал для дипфейков мошенники собирают из открытых источников — вебинаров, публичных видео в соцсетях и каналах, онлайн-выступлений.

«Мама, нужны деньги прямо сейчас, я попал в аварию»; «Нет времени…

У разных вендоров наполнение такой базы может сильно отличаться как по объему, так и по качеству.

Динамическая атрибуция — выявление TTP методом динамического анализа конкретных файлов c последующим сопоставлением множества обнаруженных TTP с TTP известных группировок.

Динамическая атрибуцияВыявление TTP в процессе динамического анализа проще в реализации, такая функциональность уже давно является неотъемлемой функциональностью всех современных «песочниц».

Тот, кто касается хобота, считает, что это удав, тот кто трогает туловище, уверен, что это стена, и так далее.

Результат атрибуции проверяется на ложноположительные связи с базой в миллиард легитимных файлов; при совпадении с любым из них…

Надеяться исключительно на средства защиты учетных записей и парольные политики — не вариант.

И в очередном обновлении мы продолжили развитие системы в том же направлении, добавив использование ИИ-подходов.

Сейчас же в новой версии SIEM c новым коррелятором появилась возможность реализовать детектирование угона учетной записи при помощи одного специализированного правила.

Поэтому в версии 4.2 мы сделали еще один шаг в сторону практичности и адаптивности платформы.

Новый коррелятор и, как следствие, повышение устойчивости платформыВ релизе 4.2 мы представили бета-версию нового корреляционного движка (2.0).

В этом месте обеспокоенные технологиями родители уже могут вспомнить о нашумевшем случае с ChatGPT, когда ИИ от OpenAI довел подростка до самоубийства.

Как исследователи тестировали ИИ-игрушкиИсследование, результаты которого мы разберем ниже, подробно рассказывает о рисках для детской психики, связанных с «дружбой» с умной игрушкой.

Miko 3, как и Grok, всегда слушает происходящее вокруг и активируется при обращении — примерно так же, как это работает у голосовых ассистентов.

Исследователи также отмечают, что ИИ-медведь не побуждал «ребенка» делиться личными переживаниями, не обещал хранить секреты и не создавал иллюзию приватного общения.

С другой стороны, производители этой игрушки не даю…

Удобную методичку по этому вопросу выпустил некоммерческий проект OWASP, разрабатывающий рекомендации по безопасной разработке и внедрению ПО.

Злоумышленники используют методы промпт-инъекций или поддельные данные, чтобы перенастроить агента на выполнение вредоносных действий.

Злоумышленник отправляет промпт, который под предлогом тестирования кода заставляет агента с возможностью «вайб-кодинга» загрузить команду с помощью curl и передать ее на вход bash.

Такой «отравленный» контекст искажает дальнейшие рассуждения агента и выбор инструментов.

Используйте внешние шлюзы безопасности (intent gates) для проверки планов и аргументов агента на соответствие жестким правилам безопасности перед их …

На самом деле происходит не установка из магазина приложений, а загрузка приложения в пакете APK.

В России проблема «левых» загрузок усложняется тем, что многие повседневные приложения, в первую очередь банковские, более недоступны в Google Play.

«Прямой NFC» — мошенник связывается с жертвой в мессенджере и уговаривает скачать приложения якобы для подтверждения личности в банке.

Права, которые и в самом деле нужны приложению такого класса, прекрасно подходят для перехвата данных и махинаций с посещаемыми веб-сайтами.

), перенаправлять пользователя на сайты с рекламой и запускать прямо на телефоне прокси, чтобы злоумышленники могли попадать на любые сайты от лица жертвы.

Это связано с тем, что знания ИИ не хранятся в виде отдельных фрагментов, которые можно легко удалить.

Как и на каких моделях проводилось исследование?

При этом в промптах изменялась исключительно стилистика подачи: никаких дополнительных техник атаки, стратегий обфускации или адаптаций под конкретные модели в эксперименте не использовалось.

Исследователи протестировали 1200 промптов на 25 разных моделях — как в прозаическом, так и в поэтическом варианте.

Если следовать этому методу оценки, то поэзия увеличивает вероятность ответа на небезопасный промпт в среднем на 35%.

Чтобы сопрячь со смартфоном новую гарнитуру, поддерживающую эту технологию, достаточно включить ее и поднести к смартфону.

Вредоносное устройство — обычный смартфон или ноутбук атакующего — транслирует запросы Google Fast Pair и пытается соединиться с BT-устройствами в радиусе 14 метров.

Эта функция, Google Find Hub, аналогична FindMy от Apple, и создает такие же риски несанкционированной слежки, как и вредоносные AirTag.

Тем, кто пользуется Android-смартфонами и сопрягал с ними свою уязвимую гарнитуру с помощью Fast Pair, этот вариант атаки не грозит, ведь они сами записаны как владельцы устройства.

Вероятнее всего, обновленные смартфоны больше не транслируют положение аксессуаров, угнанны…

Хотя первопричина ошибки проста и понятна, ее устранение потребует обширных и систематизированных усилий, причем как от государств и международных структур, так и от конкретных организаций и частных лиц.

В ряде случаев, впрочем, возможно более короткое «путешествие во времени» — в точку 0, то есть в 1970 год.

Злонамеренная эксплуатация Y2K38Командам ИТ и ИБ стоит относиться к Y2K38 не как к простой программной ошибке, а как к уязвимости, которая может приводить к различным сбоям, включая отказ в обслуживании.

В базах данных тоже мозаика: тип TIMESTAMP в MySQL фундаментально ограничен 2038 годом и требует миграции на DATETIME, в то время как стандартные типы timestamp в PostgreSQL безопасны.…

И самое «веселое» тут то, что отвечать приходится не только за свой периметр, но и, фигурально выражаясь, «за того парня».

И в отчете четко написано, кто не только обещает, но и реально делает.

Не редкость, но и не массовая фича — только семь производителей кроме нас ее поддерживают.

И что это пустая трата денег, и что это никому не нужно.

Мы задали этот тренд, мы его возглавили, и мы будем его тащить дальше.

Но куда большую тревогу вызывает характер контента в этих базах.

Сайт компании, помимо прочего, дает возможность использовать инструменты для генерации изображений и контента с помощью ИИ.

Эти инструменты позволяли пользователям генерировать картинки по текстовому описанию, редактировать загруженные фотографии и выполнять различные визуальные манипуляции, включая создание откровенного контента и подстановку лиц.

Именно с этими инструментами была связана утечка, а база данных содержала результаты их работы, включая сгенерированные и отредактированные с помощью ИИ изображения.

Часть изображений заставила исследователя предположить, что они были загружены в ИИ в качестве референсов для создани…

You can test drive these capabilities today with Secure Firewall Test Drive, an instructor led course that will guide you through the Secure Firewall and its powerful roles in cybersecurity for your organization.

The new simplified decryption experience in Cisco Secure Firewall version 10.0 simplifies the steps required to enable and manage encryption.

Advanced loggingTo enhance the already robust set of information available for logged connections within Cisco Secure Firewall and Cisco Secure Network Analytics, a new log type has been created and made searchable.

Take a hands-on look at Cisco Secure Firewall 10.0Want to dive deeper into Cisco firewalls?

Sign up for the Cisco Secure Firewal…

Gartner predicts that by the end of this year, 40% of enterprises will run AI agents in production, up from less than 5% today.

The Limits of Traditional Security in an Agentic WorldThe challenge with AI agents is that they break the security paradigm we’ve relied upon as a security community over the last two decades.

Security that Understands Intent, SASE for AI EraWe’re announcing a fundamental shift in how we handle “intent” through our security architecture.

We are effectively moving security from the “block/allow” era to the “See the Intent, Secure the Agent” era.

An intelligent, autonomous firewall built for the AI era, protecting data centers, cloud workloads, and edge deployments.

SASE for the AI Era: Fast, Secure, and Ready for AISASE for the AI era is not just about moving security to the cloud.

Cisco SASE brings together Cisco SD-WAN and Cisco Secure Access, into a single platform, tuned for distributed AI.

Simpler, Secure AI OperationsCisco SASE for the AI era unifies performance and security into a single operating system—so AI can scale without adding complexity.

The outcome is what organizations are looking for: predictable AI performance, consistent protection everywhere AI runs, simpler operations, and the confidence to adopt AI faster and more safely.

Visit Cisco SASE to learn how Cisco is transforming how AI runs across the enterprise — securely, predictab…

Below are the Cisco XDR integrations used at Black Hat Europe, enabling analysts to rapidly investigate Indicators of Compromise (IOCs) with a single search.

Our thanks to alphaMountain.ai, Pulsedive and StealthMole for full donating full licenses to Cisco, for use in the Black Hat Europe 2025 NOC.

Below you can see the integrations in XDR at Black Hat Europe, including in production, in beta and in development.

At Black Hat Europe 2024, Ivan Berlinson connected Cisco XDR with Splunk to integrate Corelight NDR detections.

You can read the other blogs from our colleagues at Black Hat Europe.

This allowed Black Hat security analysts to initiate an immediate analysis of any incident by selecting “Ask Cisco Foundation AI to Analyze the incident” directly from the incident view.

For additional information, please refer to the following resources:You can read the other blogs from our colleagues at Black Hat Europe.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social MediaLinkedInFacebookInstagram

We work with other official providers to bring the hardware, software and engineers to build and secure the Black Hat Europe network: Arista, Corelight, Jamf and Palo Alto Networks.

Since 2016, Cisco has protected the Black Hat Europe network, beginning with automated malware analysis using Threat Grid.

New for Black Hat Europe, we integrated Arista CloudVision and CV-CUE into Duo Directory SSO.

Learn More About Cisco at Black Hat EuropeExplore deeper insights into innovation, threat hunting, and integrations by diving into our Black Hat Europe blogs, where we highlight advanced SOC practices, Cisco XDR and Splunk Enterprise Security collaborations, and the latest security cloud innovations…

This is his first time accompanying us to the Black Hat Network Operations Center (NOC), so naturally, we discuss his impressions.

You can read the other blogs from our colleagues at Black Hat Europe.

About Black HatBlack Hat is the cybersecurity industry’s most established and in-depth security event series.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

For more information, please visit the Black Hat website.

For nearly a decade, Cisco has secured Black Hat events with Umbrella DNS security.

While Secure Access delivers comprehensive protection including secure web gateway, Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and remote browser isolation, we focused its power on where Black Hat needed it most: DNS-layer security and visibility.

At Black Hat Europe, our monitoring confirmed the campaign’s continued activity, though at notably lower volumes.

You can read the other blogs from our colleagues at Black Hat Europe.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Sum…

Cisco XDR served as a Tier-1 & 2 detection and response platform for Cisco engineers and analysts working in the Black Hat Europe 2025 NOC/SOC.

We also ingested logs into Splunk from our partner Palo Alto Networks and Corelight, correlating in Incidents via Cisco XDR.

However, at Black Hat conferences, these tools are intentionally off-limits except for some critical event assets.

You can read the other blogs from our colleagues at Black Hat Europe.

Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more.

This is the reality for the Cisco Event SOC team at major conferences like RSAC™ Conference, Black Hat, and Cisco Live.

We are thrilled to announce the launch of our new Cisco Event SOCs website and the release of our comprehensive Reference Architecture & Operations Guide.

What You Will Find on the WebsiteVisiting the new Cisco Event SOCs hub gives you a front-row seat to our operations.

The Guide: A Blueprint for ResilienceThe centerpiece of this launch is the Cisco Event SOCs: A Reference Architecture & Operations Guide.

Visit the website today to explore the architecture and download the full Cisco Event SOCs: A Reference Architecture & Operations Guide.

Imagine a future where today’s most secure data, from financial records to national secrets, could be instantly deciphered.

Powerful quantum computers known as cryptographically relevant quantum computers (CRQC) will compromise public-key cryptography, putting encrypted data and secure communications at risk.

The Hidden Risk: Trust CollapseBeyond data confidentiality lies a more systemic and immediate quantum risk: foundational trust breakdown.

While securing network traffic is paramount, a truly quantum-safe posture requires more than protecting data in transit.

In our next blog, we’ll dive deeper into each pillar, starting with Secure Communications and turning to Secure Products.

The UK’s Cyber Security & Resilience Bill and Government Cyber Action Plan mark a pivotal moment in our collective approach to digital resilience.

At Cisco, we’re honored to serve as an ambassador for their Software Security Code of Practice, a voluntary initiative that addresses one of the most pressing challenges facing both public and private sectors: securing the software supply chain.

Strengthening Resilient InfrastructureOur ambassador role is a natural extension of our commitment to secure software development and resilient infrastructure.

We can no longer afford to treat software security as an afterthought or a competitive differentiator.

The Software Security Code of Practice prov…

The Cisco Foundation AI team introduces a novel approach to information retrieval designed to tackle the shortcomings of current search.

At its core, our framework empowers compact models (from 350M – 1.2B parameters) to:Learn diverse search strategies: Through a process of observing and learning from various search behaviors, the framework models understand how to approach different types of queries.

Through a process of observing and learning from various search behaviors, the framework models understand how to approach different types of queries.

Refine queries based on feedback: The system learns to adjust its search queries dynamically, incorporating insights from previously retrieved …

Foundation-sec-8B-Reasoning is an 8-billion-parameter reasoning model purpose-built for cybersecurity workflows.

Elevating Security ReasoningEffective cybersecurity analysis requires deep, multi-layered reasoning.

Generic reasoning models can assist, but they may lack the ability to understand the specific logic and structure of security workflows.

The model is built to support security workflows that demand logical reasoning, including tasks like threat modeling, attack path analysis, risk evaluation, and security architecture review.

To explore how Foundation-sec-8b-Reasoning can be applied across real-world security workflows, check out the use case cookbook on our public Github reposito…

AI governance cannot live solely within IT, and AI security cannot be delegated only to chief information security officers (CISOs).

1Microsoft Data Security Index 2026: Unifying Data Protection and AI Innovation, Microsoft Security, 2026.

2026 Data Security Index:A 25-minute multinational online survey was conducted from July 16 to August 11, 2025, among 1,725 data security leaders.

Questions centered around the data security landscape, data security incidents, securing employee use of generative AI, and the use of generative AI in data security programs to highlight comparisons to 2024.

One-hour in-depth interviews were conducted with 10 data security leaders in the United States and Unit…

Microsoft security researchers have discovered a growing trend of AI memory poisoning attacks used for promotional purposes, a technique we call AI Recommendation Poisoning.

How AI memory worksModern AI assistants like Microsoft 365 Copilot, ChatGPT, and others now include memory features that persist across conversations.

AI Memory Poisoning occurs when an external actor injects unauthorized instructions or “facts” into an AI assistant’s memory.

Attack discovery: AI Recommendation Poisoning in the wildDuring our research, we identified real-world cases of AI memory poisoning being used for promotional purposes.

AI Recommendation Poisoning is real, it’s spreading, and the tools to deploy it…

Yet safety alignment is only as robust as its weakest failure mode.

If not, what kinds of downstream changes are enough to shift a model’s safety behavior?

Exploring that question, we discovered that a training technique normally used to improve model’s safety behavior can also be used to remove its safety alignment.

Alignment dynamics extend beyond language to diffusion-based image modelsThe same approach generalizes beyond language models to unaligning safety-tuned text-to-image diffusion models.

Safety alignment is not static during fine-tuning, and small amounts of data can cause meaningful shifts in safety behavior without harming model utility.

The Microsoft Defender Research Team observed a multi‑stage intrusion where threat actors exploited internet‑exposed SolarWinds Web Help Desk (WHD) instances to get an initial foothold and then laterally moved towards other high-value assets within the organization.

Technical detailsThe Microsoft Defender Research Team identified active, in-the-wild exploitation of exposed SolarWinds Web Help Desk (WHD).

Update WHD CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399, remove public access to admin paths, and increase logging on Ajax Proxy.

Microsoft Defender XDR detectionsMicrosoft Defender provides pre-breach and post-breach coverage for this campaign.

Tactic Observed activity Microsoft Defen…

The Microsoft Defender Research Team observed a multi‑stage intrusion where threat actors exploited internet‑exposed SolarWinds Web Help Desk (WHD) instances to get an initial foothold and then laterally moved towards other high-value assets within the organization.

Technical detailsThe Microsoft Defender Research Team identified active, in-the-wild exploitation of exposed SolarWinds Web Help Desk (WHD).

Update WHD CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399, remove public access to admin paths, and increase logging on Ajax Proxy.

Microsoft Defender XDR detectionsMicrosoft Defender provides pre-breach and post-breach coverage for this campaign.

Tactic Observed activity Microsoft Defen…

In January 2026, Microsoft Defender Experts identified a new evolution in the ongoing ClickFix campaign.

This updated tactic deliberately crashes victims’ browsers and then attempts to lure users into executing malicious commands under the pretext of restoring normal functionality.

This script leverages pythonw.exe to execute the malicious Python payload covertly, avoiding visible console windows and reducing user suspicion.

]com/scl/fi/znygol7goezlkhnwazci1/a1.zip URL Adversary hosted python payload 158[.]247[.]252[.

ReferencesThis research is provided by Microsoft Defender Security Research with contributions from Sai Chakri Kandalai and Kaustubh Mangalwedhekar.

That gap is where cyberattackers operate most effectively, and it is the gap that Operation Winter SHIELD is designed to address as a collaborative effort across the public and private sector.

Why Operation Winter SHIELD mattersOperation Winter SHIELD is a nine-week cybersecurity initiative led by the FBI Cyber Division beginning February 2, 2026.

That perspective aligns with what we see through Microsoft Threat Intelligence and Microsoft Incident Response.

Operation Winter SHIELD offers an opportunity to drive systematic improvement to one control area at a time.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

That gap is where cyberattackers operate most effectively, and it is the gap that Operation Winter SHIELD is designed to address as a collaborative effort across the public and private sector.

Why Operation Winter SHIELD mattersOperation Winter SHIELD is a nine-week cybersecurity initiative led by the FBI Cyber Division beginning February 2, 2026.

That perspective aligns with what we see through Microsoft Threat Intelligence and Microsoft Incident Response.

Operation Winter SHIELD offers an opportunity to drive systematic improvement to one control area at a time.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Our research highlights several key properties of language model backdoors, laying the groundwork for a practical scanner designed to detect backdoored models at scale and improve overall trust in AI systems.

Detecting whether an LLM has been poisoned is inherently challenging because backdoored models behave normally under almost all conditions.

We therefore break the problem into two questions:First, do backdoored models behave in ways that are systematically different from clean models?

We find that trigger tokens tend to “hijack” the attention of backdoored models, creating a distinctive double triangle pattern.

Language models tend to memorize parts of their training data, and backdoor…

Our research highlights several key properties of language model backdoors, laying the groundwork for a practical scanner designed to detect backdoored models at scale and improve overall trust in AI systems.

Detecting whether an LLM has been poisoned is inherently challenging because backdoored models behave normally under almost all conditions.

We therefore break the problem into two questions:First, do backdoored models behave in ways that are systematically different from clean models?

We find that trigger tokens tend to “hijack” the attention of backdoored models, creating a distinctive double triangle pattern.

Language models tend to memorize parts of their training data, and backdoor…

Why AI changes the security landscapeAI security versus traditional cybersecurityAI security introduces complexities that go far beyond traditional cybersecurity.

Loss of granularity and governance complexityAI dissolves the discrete trust zones assumed by traditional SDL.

Multidisciplinary collaborationMeeting AI security needs requires a holistic approach across stack layers historically outside SDL scope, including Business Process and Application UX.

What’s new in SDL for AIMicrosoft’s SDL for AI introduces specialized guidance and tooling to address the complexities of AI security.

Microsoft SDL for AI can help you build trustworthy AI systemsEffective SDL for AI is about continuous im…

Why AI changes the security landscapeAI security versus traditional cybersecurityAI security introduces complexities that go far beyond traditional cybersecurity.

Loss of granularity and governance complexityAI dissolves the discrete trust zones assumed by traditional SDL.

Multidisciplinary collaborationMeeting AI security needs requires a holistic approach across stack layers historically outside SDL scope, including Business Process and Application UX.

What’s new in SDL for AIMicrosoft’s SDL for AI introduces specialized guidance and tooling to address the complexities of AI security.

Microsoft SDL for AI can help you build trustworthy AI systemsEffective SDL for AI is about continuous im…

We provide comprehensive detection coverage through Microsoft Defender XDR and actionable guidance to help organizations detect, mitigate, and respond to these evolving threats.

Due to this, Microsoft Defender Experts observed multiple Python-based infostealer campaigns over the past year.

These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

]carrd.co URL Used in make network connection and subsequent redirection in (PXA Stealer: Campaign 2) hxxps://erik22jomk77[.

We provide comprehensive detection coverage through Microsoft Defender XDR and actionable guidance to help organizations detect, mitigate, and respond to these evolving threats.

Due to this, Microsoft Defender Experts observed multiple Python-based infostealer campaigns over the past year.

These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

]carrd.co URL Used in make network connection and subsequent redirection in (PXA Stealer: Campaign 2) hxxps://erik22jomk77[.

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

Our first rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence.

Our First Rust Memory Safety Vulnerability...AlmostWe recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF.

Unsafe Review and TrainingOperating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable.

Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on …

Survey shows Android users’ confidence in scam protectionsGoogle and YouGov3 surveyed 5,000 smartphone users across the U.S., India, and Brazil about their experiences.

The findings were clear: Android users reported receiving fewer scam texts and felt more confident that their device was keeping them safe.

Android users were 58% more likely than iOS users to say they had not received any scam texts in the week prior to the survey.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option.

We now think the time has come to enable “Always Use Secure Connections” for all users by default.

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS.

Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive.

To help accelerate adoption of AI for cybersecurity workflows, we partnered with Airbus at DEF CON 33 to host the GenSec Capture the Flag (CTF), dedicated to human-AI collaboration in cybersecurity.

Our goal was to create a fun, interactive environment, where participants across various skill levels could explore how AI can accelerate their daily cybersecurity workflows.

An overwhelming 85% of all participants found the event useful for learning how AI can be applied to security workflows.

This positive feedback highlights that AI-centric CTFs can play a vital role in speeding up AI education and adoption in the security community.

We are committed to advancing the AI cybersecurity frontier…

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.

In the meantime, solving the above CAPTCHA will let you continue to use our services.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very qu…

At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos.

Pixel Camera attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

Google Photos attaches Content Credentials to JPEG images that already have Content Credentials and are edited using AI or non-AI tools, and also to any images that are edited using AI tools.

Building a More Trus…

Today marks a watershed moment and new benchmark for open-source security and the future of consumer electronics.

Google is proud to announce that protected KVM (pKVM), the hypervisor that powers the Android Virtualization Framework, has officially achieved SESIP Level 5 certification.

This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar.

With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads.

Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the hi…

Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts.

Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.

With an estimated value exceeding $12 trillion, open source software has never been more integral to the global economy.

For publishers and maintainers of open source packages, OSS Rebuild can...

If you're a developer, enterprise, or security researcher interested in OSS security, we invite you to follow along and get involved!

Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures.

This is particularly useful for Advanced Protection users, since in 2023, plaintext HTTP was used as an exploitation vector during the Egyptian election.

JavaScript Optimizations and Security Advanced Protection reduces the attack surface of Chrome by disabling the higher-level optimizing Javascript compilers inside V8.

Javascript optimizers can be disabled outside of Advanced Protection Mode via the “Javascript optimization & security” Site Setting.

We…